Merge pull request #240 from saradickinson/bugfix/key_pinning

Bugfix/key pinning
2016-12-12 11:58:23 +01:00 · 2016-12-12 11:58:23 +01:00 · 8f833c7000
parent 1264099be7 83a0b944b5
commit 8f833c7000
7 changed files with 198 additions and 81 deletions
--- a/src/context.c
+++ b/src/context.c
@ -699,15 +699,6 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
 	GETDNS_FREE(upstreams->mf, upstreams);
 }

-#if defined(DAEMON_DEBUG) && DAEMON_DEBUG
-static char*
-getdns_auth_str_array[] = {
-	GETDNS_STR_AUTH_NONE,
-	GETDNS_STR_AUTH_FAILED,
-	GETDNS_STR_AUTH_OK
-};
-#endif
-
 void
 _getdns_upstream_shutdown(getdns_upstream *upstream)
 {
@ -726,12 +717,12 @@ _getdns_upstream_shutdown(getdns_upstream *upstream)
 	             STUB_DEBUG_DAEMON, upstream->addr_str,
 	             (upstream->transport == GETDNS_TRANSPORT_TLS ? "TLS" : "TCP"),
 	             (int)upstream->responses_received, (int)upstream->responses_timeouts,
-	             getdns_auth_str_array[upstream->tls_auth_state], (int)upstream->keepalive_timeout);
+	             _getdns_auth_str(upstream->tls_auth_state), (int)upstream->keepalive_timeout);
 	DEBUG_DAEMON("%s %s : Upstream stats: Transport=%s - Resp=%d,Timeouts=%d,Best_auth=%s\n",
 	             STUB_DEBUG_DAEMON, upstream->addr_str,
 	             (upstream->transport == GETDNS_TRANSPORT_TLS ? "TLS" : "TCP"),
 	             (int)upstream->total_responses, (int)upstream->total_timeouts,
-	             getdns_auth_str_array[upstream->best_tls_auth_state]);
+	             _getdns_auth_str(upstream->best_tls_auth_state));
 	DEBUG_DAEMON("%s %s : Upstream stats: Transport=%s - Conns=%d,Conn_fails=%d,Conn_shutdowns=%d,Backoffs=%d\n",
 	             STUB_DEBUG_DAEMON, upstream->addr_str,
 	             (upstream->transport == GETDNS_TRANSPORT_TLS ? "TLS" : "TCP"),
--- a/src/pubkey-pinning.c
+++ b/src/pubkey-pinning.c
@ -422,14 +422,14 @@ _getdns_verify_pinset_match(const sha256_pin_t *pinset,
 			int verified;
 			if (!pkey) {
 				DEBUG_STUB("%s %-35s: Could not get pubkey from cert %d (%p)\n",
-					   STUB_DEBUG_SETUP_TLS, __FUNCTION__, i, x);
+					   STUB_DEBUG_SETUP_TLS, __FUNCTION__, i, (void*)x);
 				return GETDNS_RETURN_GENERIC_ERROR;
 			}
 			verified = X509_verify(prev, pkey);
 			EVP_PKEY_free(pkey);
 			if (!verified) {
 				DEBUG_STUB("%s %-35s: cert %d (%p) was not signed by cert %d\n",
-					   STUB_DEBUG_SETUP_TLS, __FUNCTION__, i-1, prev, i);
+					   STUB_DEBUG_SETUP_TLS, __FUNCTION__, i-1, (void*)prev, i);
 				return GETDNS_RETURN_GENERIC_ERROR;
 			}
 		}
@ -454,11 +454,11 @@ _getdns_verify_pinset_match(const sha256_pin_t *pinset,
 		for (p = pinset; p; p = p->next)
 			if (0 == memcmp(buf, p->pin, sizeof(p->pin))) {
 				DEBUG_STUB("%s %-35s: Pubkey %d matched pin %p ("PRIsz")\n",
-					   STUB_DEBUG_SETUP_TLS, __FUNCTION__, i, p, sizeof(p->pin));
+					   STUB_DEBUG_SETUP_TLS, __FUNCTION__, i, (void*)p, sizeof(p->pin));
 				return GETDNS_RETURN_GOOD;
 			} else
 				DEBUG_STUB("%s %-35s: Pubkey %d did not match pin %p\n",
-					   STUB_DEBUG_SETUP_TLS, __FUNCTION__, i, p);
+					   STUB_DEBUG_SETUP_TLS, __FUNCTION__, i, (void*)p);
 	}

 	return ret;
--- a/src/stub.c
+++ b/src/stub.c
@ -385,7 +385,7 @@ tcp_connect(getdns_upstream *upstream, getdns_transport_list_t transport)
 {
 	int fd = -1;
 	DEBUG_STUB("%s %-35s: Creating TCP connection:      %p\n", STUB_DEBUG_SETUP, 
-	           __FUNCTION__, upstream);
+	           __FUNCTION__, (void*)upstream);
 	if ((fd = socket(upstream->addr.ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1)
 		return -1;

@ -481,7 +481,7 @@ static void
 stub_cleanup(getdns_network_req *netreq)
 {
 	DEBUG_STUB("%s %-35s: MSG: %p\n",
-	           STUB_DEBUG_CLEANUP, __FUNCTION__, netreq);
+	           STUB_DEBUG_CLEANUP, __FUNCTION__, (void*)netreq);
 	getdns_dns_req *dnsreq = netreq->owner;
 	getdns_network_req *r, *prev_r;
 	getdns_upstream *upstream;
@ -562,7 +562,7 @@ void
 _getdns_cancel_stub_request(getdns_network_req *netreq)
 {
 	DEBUG_STUB("%s %-35s: MSG:  %p\n",
-	           STUB_DEBUG_CLEANUP, __FUNCTION__, netreq);
+	           STUB_DEBUG_CLEANUP, __FUNCTION__, (void*)netreq);
 	stub_cleanup(netreq);
 	if (netreq->fd >= 0) {
 #ifdef USE_WINSOCK
@ -578,7 +578,7 @@ stub_timeout_cb(void *userarg)
 {
 	getdns_network_req *netreq = (getdns_network_req *)userarg;
 	DEBUG_STUB("%s %-35s: MSG:  %p\n",
-	           STUB_DEBUG_CLEANUP, __FUNCTION__, netreq);
+	           STUB_DEBUG_CLEANUP, __FUNCTION__, (void*)netreq);
 	stub_cleanup(netreq);
 	netreq->state = NET_REQ_TIMED_OUT;
 	/* Handle upstream*/
@ -862,29 +862,30 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 	if (!upstream)
 		return 0;

-#if defined(STUB_DEBUG) && STUB_DEBUG || defined(X509_V_ERR_HOSTNAME_MISMATCH)
-	int     err = X509_STORE_CTX_get_error(ctx);
-
+	int err = X509_STORE_CTX_get_error(ctx);
+#if defined(STUB_DEBUG) && STUB_DEBUG
 	DEBUG_STUB("%s %-35s: FD:  %d Verify result: (%d) \"%s\"\n",
 	            STUB_DEBUG_SETUP_TLS, __FUNCTION__, upstream->fd, err,
 	            X509_verify_cert_error_string(err));
 #endif

+	/* First deal with the hostname authentication done by OpenSSL. */
 #ifdef X509_V_ERR_HOSTNAME_MISMATCH
 	/*Report if error is hostname mismatch*/
-	if (err == X509_V_ERR_HOSTNAME_MISMATCH) {
-		upstream->tls_auth_state = GETDNS_AUTH_FAILED;
-		if (upstream->tls_fallback_ok) 
-			DEBUG_STUB("%s %-35s: FD:  %d WARNING: Proceeding even though hostname validation failed!\n",
-			           STUB_DEBUG_SETUP_TLS, __FUNCTION__, upstream->fd);
-	}
+	if (err == X509_V_ERR_HOSTNAME_MISMATCH && upstream->tls_fallback_ok)
+		DEBUG_STUB("%s %-35s: FD:  %d WARNING: Proceeding even though hostname validation failed!\n",
+		           STUB_DEBUG_SETUP_TLS, __FUNCTION__, upstream->fd);
 #else
 	/* if we weren't built against OpenSSL with hostname matching we
 	 * could not have matched the hostname, so this would be an automatic
 	 * tls_auth_fail if there is a hostname provided*/
-	if (upstream->tls_auth_name[0])
+	if (upstream->tls_auth_name[0]) {
 		upstream->tls_auth_state = GETDNS_AUTH_FAILED;
+		preverify_ok = 0;
+	}
 #endif
+
+	/* Now deal with the pinset validation*/
 	if (upstream->tls_pubkey_pinset)
 		pinset_ret = _getdns_verify_pinset_match(upstream->tls_pubkey_pinset, ctx);

@ -896,10 +897,23 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 		if (upstream->tls_fallback_ok)
 			DEBUG_STUB("%s %-35s: FD:  %d, WARNING: Proceeding even though pinset validation failed!\n",
 			            STUB_DEBUG_SETUP_TLS, __FUNCTION__, upstream->fd);
+	} else {
+		/* If we _only_ had a pinset and it is good then force succesful
+		   authentication when the cert self-signed */
+		if ((upstream->tls_pubkey_pinset && upstream->tls_auth_name[0] == '\0') &&
+		     (err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
+		      err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) {
+			preverify_ok = 1;
+			DEBUG_STUB("%s %-35s: FD:  %d, Allowing self-signed (%d) cert since pins match\n",
+		           STUB_DEBUG_SETUP_TLS, __FUNCTION__, upstream->fd, err);
+		}
 	}
+
 	/* If nothing has failed yet and we had credentials, we have succesfully authenticated*/
-	if (upstream->tls_auth_state == GETDNS_AUTH_NONE &&
-	   (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]))
+	if (preverify_ok == 0)
+		upstream->tls_auth_state = GETDNS_AUTH_FAILED;
+	else if (upstream->tls_auth_state == GETDNS_AUTH_NONE &&
+	         (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]))
 		upstream->tls_auth_state = GETDNS_AUTH_OK;
 	/* If fallback is allowed, proceed regardless of what the auth error is
 	   (might not be hostname or pinset related) */
@ -1044,8 +1058,9 @@ tls_do_handshake(getdns_upstream *upstream)
 	/* A re-used session is not verified so need to fix up state in that case */
 	if (SSL_session_reused(upstream->tls_obj))
 		upstream->tls_auth_state = upstream->last_tls_auth_state;
-	DEBUG_STUB("%s %-35s: FD:  %d Handshake succeeded with auth state %d. Session is %s.\n", 
-		         STUB_DEBUG_SETUP_TLS, __FUNCTION__, upstream->fd, upstream->tls_auth_state,
+	DEBUG_STUB("%s %-35s: FD:  %d Handshake succeeded with auth state %s. Session is %s.\n", 
+		         STUB_DEBUG_SETUP_TLS, __FUNCTION__, upstream->fd, 
+		         _getdns_auth_str(upstream->tls_auth_state),
 		         SSL_session_reused(upstream->tls_obj) ?"re-used":"new");
 	if (upstream->tls_session != NULL)
 	    SSL_SESSION_free(upstream->tls_session);
@ -1282,7 +1297,7 @@ stub_udp_read_cb(void *userarg)
 	getdns_upstream *upstream = netreq->upstream;
 	ssize_t       read;
 	DEBUG_STUB("%s %-35s: MSG: %p \n", STUB_DEBUG_READ, 
-	             __FUNCTION__, netreq);
+	             __FUNCTION__, (void*)netreq);

 	GETDNS_CLEAR_EVENT(dnsreq->loop, &netreq->event);

@ -1315,7 +1330,7 @@ stub_udp_read_cb(void *userarg)
 #endif
 	while (GLDNS_TC_WIRE(netreq->response)) {
 		DEBUG_STUB("%s %-35s: MSG: %p TC bit set in response \n", STUB_DEBUG_READ, 
-		             __FUNCTION__, netreq);
+		             __FUNCTION__, (void*)netreq);
 		if (!(netreq->transport_current < netreq->transport_count))
 			break;
 		getdns_transport_list_t next_transport = 
@ -1357,7 +1372,7 @@ stub_udp_write_cb(void *userarg)
 	getdns_dns_req     *dnsreq = netreq->owner;
 	size_t             pkt_len;
 	DEBUG_STUB("%s %-35s: MSG: %p \n", STUB_DEBUG_WRITE, 
-	             __FUNCTION__, netreq);
+	             __FUNCTION__, (void*)netreq);

 	GETDNS_CLEAR_EVENT(dnsreq->loop, &netreq->event);

@ -1464,7 +1479,7 @@ upstream_read_cb(void *userarg)
 		}

 		DEBUG_STUB("%s %-35s: MSG: %p (read)\n",
-		    STUB_DEBUG_READ, __FUNCTION__, netreq);
+		    STUB_DEBUG_READ, __FUNCTION__, (void*)netreq);
 		netreq->state = NET_REQ_FINISHED;
 		netreq->response = upstream->tcp.read_buf;
 		netreq->response_len =
@ -1545,7 +1560,7 @@ upstream_write_cb(void *userarg)

 	netreq->debug_start_time = _getdns_get_time_as_uintt64();
 	DEBUG_STUB("%s %-35s: MSG: %p (writing)\n", STUB_DEBUG_WRITE,
-	            __FUNCTION__, netreq);
+	            __FUNCTION__, (void*)netreq);

 	/* Health checks on current connection */
 	if (upstream->conn_state == GETDNS_CONN_TEARDOWN)
@ -1570,7 +1585,7 @@ upstream_write_cb(void *userarg)
 	case STUB_SETUP_ERROR:
 		/* Could not complete the set up. Need to fallback.*/
 		DEBUG_STUB("%s %-35s: Upstream: %p ERROR = %d\n", STUB_DEBUG_WRITE,
-		             __FUNCTION__, ((getdns_network_req *)userarg), q);
+		             __FUNCTION__, (void*)userarg, q);
 		upstream_failed(upstream, (q == STUB_TCP_ERROR ? 0:1));
 		/* Fall through */
 	case STUB_CONN_GONE:
@ -1785,7 +1800,7 @@ upstream_connect(getdns_upstream *upstream, getdns_transport_list_t transport,
                    getdns_dns_req *dnsreq) 
 {
 	DEBUG_STUB("%s %-35s: Getting upstream connection:  %p\n", STUB_DEBUG_SETUP, 
-	           __FUNCTION__, upstream);
+	           __FUNCTION__, (void*)upstream);
 	int fd = -1;
 	switch(transport) {
 	case GETDNS_TRANSPORT_UDP:
@ -1859,7 +1874,7 @@ upstream_find_for_transport(getdns_network_req *netreq,
 			*fd = upstream_connect(upstream, transport, netreq->owner);
 		} while (*fd == -1);
 		DEBUG_STUB("%s %-35s: FD:  %d Connecting to upstream: %p   No: %d\n", 
-	           STUB_DEBUG_SETUP, __FUNCTION__, *fd, upstream,
+	           STUB_DEBUG_SETUP, __FUNCTION__, *fd, (void*)upstream,
 	           (int)(upstream - netreq->owner->context->upstreams->upstreams));
 	}
 	return upstream;
@ -1883,7 +1898,7 @@ upstream_find_for_netreq(getdns_network_req *netreq)
 		return fd;
 	}
 	/* Handle better, will give generic error*/
-	DEBUG_STUB("%s %-35s: MSG: %p No valid upstream! \n", STUB_DEBUG_SCHEDULE, __FUNCTION__, netreq);
+	DEBUG_STUB("%s %-35s: MSG: %p No valid upstream! \n", STUB_DEBUG_SCHEDULE, __FUNCTION__, (void*)netreq);
 #if defined(DAEMON_DEBUG) && DAEMON_DEBUG
 	DEBUG_DAEMON("%s *FAILURE* no valid transports or upstreams available!\n",
 	              STUB_DEBUG_DAEMON);
@ -1900,7 +1915,7 @@ fallback_on_write(getdns_network_req *netreq)
 {

 	/* Deal with UDP one day*/
-	DEBUG_STUB("%s %-35s: MSG: %p FALLING BACK \n", STUB_DEBUG_SCHEDULE, __FUNCTION__, netreq);
+	DEBUG_STUB("%s %-35s: MSG: %p FALLING BACK \n", STUB_DEBUG_SCHEDULE, __FUNCTION__, (void*)netreq);

 	/* Try to find a fallback transport*/
 	getdns_return_t result = _getdns_submit_stub_request(netreq);
@ -1948,7 +1963,7 @@ upstream_reschedule_events(getdns_upstream *upstream, uint64_t idle_timeout) {
 static void
 upstream_schedule_netreq(getdns_upstream *upstream, getdns_network_req *netreq)
 {
-	DEBUG_STUB("%s %-35s: MSG: %p (schedule event)\n", STUB_DEBUG_SCHEDULE, __FUNCTION__, netreq);
+	DEBUG_STUB("%s %-35s: MSG: %p (schedule event)\n", STUB_DEBUG_SCHEDULE, __FUNCTION__, (void*)netreq);
 	/* We have a connected socket and a global event loop */
 	assert(upstream->fd >= 0);
 	assert(upstream->loop);
@ -2000,7 +2015,7 @@ getdns_return_t
 _getdns_submit_stub_request(getdns_network_req *netreq)
 {
 	DEBUG_STUB("%s %-35s: MSG: %p TYPE: %d\n", STUB_DEBUG_ENTRY, __FUNCTION__,
-	           netreq, netreq->request_type);
+	           (void*)netreq, netreq->request_type);
 	int fd = -1;
 	getdns_dns_req *dnsreq = netreq->owner;

--- a/src/test/tests_transports.sh
+++ b/src/test/tests_transports.sh
@ -5,25 +5,72 @@ SERVER_IP="8.8.8.8"
 SERVER_IPv6="2001:4860:4860::8888"
 TLS_SERVER_IP="185.49.141.38~getdnsapi.net"
 TLS_SERVER_IPv6="2a04:b900:0:100::38~getdnsapi.net"
+TLS_SERVER_SS_IP="184.105.193.78~tls-dns-u.odvr.dns-oarc.net"  #Self signed cert
 TLS_SERVER_KEY="foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S="
+TLS_SERVER_SS_KEY="pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI="
 TLS_SERVER_WRONG_KEY="foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc1S="
 GOOD_RESULT_SYNC="Status was: At least one response was returned"
 GOOD_RESULT_ASYNC="successfull"
 BAD_RESULT_SYNC="1 'Generic error'"
 BAD_RESULT_ASYNC="callback_type of 703"
+NUM_ARGS=3
 GOOD_COUNT=0
 FAIL_COUNT=0

+
+check_auth () {
+	local my_auth_ok=0;
+	auth_result=`echo $1 | sed 's/.*tls_auth_status\": <bindata of "//' | sed 's/\">.*//'`
+	if [[ $2 == "-" ]] ; then
+		my_auth_ok=1;
+	fi
+	if [[ $2 == "N" ]] && [[ $auth_result == "None" ]]; then
+		my_auth_ok=1;
+	fi
+	if [[ $2 == "F" ]] && [[ $auth_result == "Failed" ]]; then
+		my_auth_ok=1;
+	fi
+	if [[ $2 == "S" ]] && [[ $auth_result == "Success" ]]; then
+		my_auth_ok=1;
+	fi
+	echo $my_auth_ok;
+}
+
+check_trans () {
+	local my_trans_ok=0;
+	trans_result=`echo $1 | sed "s/.*\"transport\": GETDNS_TRANSPORT_//" | sed 's/ }.*//' | sed 's/,.*//'`
+	if [[ $2 == "U" ]] && [[ $trans_result == "UDP" ]]; then
+		my_trans_ok=1;
+	fi
+	if [[ $2 == "T" ]] && [[ $trans_result == "TCP" ]]; then
+		my_trans_ok=1;
+	fi
+	if [[ $2 == "L" ]] && [[ $trans_result == "TLS" ]]; then
+		my_trans_ok=1;
+	fi
+	echo $my_trans_ok;
+}
+
 check_good () {
-	result=`echo $1 | grep "Response code was: GOOD." | tail -1 | sed 's/ All done.'// | sed 's/Response code was: GOOD. '//`
+	auth_ok=0;
+	result_ok=0;
+	trans_ok=0;
+	result=`echo $1 | sed 's/ All done.'// | sed 's/.*Response code was: GOOD. '//`
 	async_success=`echo $result | grep -c "$GOOD_RESULT_ASYNC"`
 	if [[ $result =~ $GOOD_RESULT_SYNC ]] || [[ $async_success =~ 1 ]]; then
-			(( GOOD_COUNT++ ))
-			echo -n "PASS: "
-		else
-			(( FAIL_COUNT++ ))
-			echo "FAIL (RESULT): " $1
-			echo -n "FAIL: "
+		result_ok=1;
+	fi
+	if [[ $result_ok == 1 ]] ; then
+		trans_ok=$(check_trans "$1" "$2")
+		auth_ok=$(check_auth "$1" "$3")
+	fi
+	if [[ $result_ok == 1 ]] && [[ $auth_ok == 1 ]] && [[ $trans_ok == 1 ]]; then
+		(( GOOD_COUNT++ ))
+		echo -n "PASS: "
+	else
+		(( FAIL_COUNT++ ))
+		echo "FAIL (RESULT): Result: $result  Auth: $auth_ok  Trans: $trans_ok"
+		echo -n "FAIL: "
 	fi
 }

@ -80,30 +127,38 @@ while getopts ":p:s:t:k:idh" opt; do
 done

 TLS_SERVER_IP_NO_NAME=`echo ${TLS_SERVER_IP%~*}`
+TLS_SERVER_SS_IP_NO_NAME=`echo ${TLS_SERVER_SS_IP%~*}`
 TLS_SERVER_IP_WRONG_NAME=`echo ${TLS_SERVER_IP::${#TLS_SERVER_IP}-1}`

+NUM_GOOD_QUERIES=7
 GOOD_QUERIES=(
-"-s -A -q getdnsapi.net -l U      @${SERVER_IP}    "
-"-s -A -q getdnsapi.net -l T      @${SERVER_IP}    "
-"-s -A -q getdnsapi.net -l L      @${TLS_SERVER_IP_NO_NAME}"
-"-s -A -q getdnsapi.net -l L -m   @${TLS_SERVER_IP}"
-"-s -A -q getdnsapi.net -l L -m   @${TLS_SERVER_IP_NO_NAME} -K pin-sha256=\"${TLS_SERVER_KEY}\""
-"-s -A -q getdnsapi.net -l L -m   @${TLS_SERVER_IP} -K pin-sha256=\"${TLS_SERVER_KEY}\""
-"-s -G -q DNSKEY getdnsapi.net -l U   @${SERVER_IP} -b 512 -D")
+"-s -A  getdnsapi.net -l U        @${SERVER_IP}"              "U" "-"
+"-s -A  getdnsapi.net -l T        @${SERVER_IP}"              "T" "-"
+"-s -A  getdnsapi.net -l L        @${TLS_SERVER_IP_NO_NAME}"  "L" "N"
+"-s -A  getdnsapi.net -l L -m     @${TLS_SERVER_IP}"          "L" "S"
+"-s -A  getdnsapi.net -l L -m     @${TLS_SERVER_IP_NO_NAME} -K pin-sha256=\"${TLS_SERVER_KEY}\"" "L" "S"
+"-s -A  getdnsapi.net -l L -m     @${TLS_SERVER_IP} -K pin-sha256=\"${TLS_SERVER_KEY}\"" "L" "S"
+"-s -A  getdnsapi.net -l L -m     @${TLS_SERVER_SS_IP_NO_NAME} -K pin-sha256=\"${TLS_SERVER_SS_KEY}\"" "L" "S"
+"-s -G DNSKEY getdnsapi.net -l U  @${SERVER_IP} -b 512 -D" "U" "-")

+NUM_GOOD_FB_QUERIES=6
 GOOD_FALLBACK_QUERIES=(
-"-s -A -q getdnsapi.net -l LT     @${SERVER_IP}"
-"-s -A -q getdnsapi.net -l LT     @${SERVER_IP}"
-"-s -A -q getdnsapi.net -l LT     @${TLS_SERVER_IP_NO_NAME}"
-"-s -A -q getdnsapi.net -l LT -m  @${TLS_SERVER_IP_NO_NAME}"
-"-s -A -q getdnsapi.net -l L      @${SERVER_IP} @${TLS_SERVER_IP_NO_NAME}"
-"-s -G -q DNSKEY getdnsapi.net -l UT  @${SERVER_IP} -b 512 -D")
+"-s -A getdnsapi.net -l LU     @${SERVER_IP}" "U" "-"
+"-s -A getdnsapi.net -l LT     @${SERVER_IP}" "T" "-" 
+"-s -A getdnsapi.net -l LT     @${TLS_SERVER_IP_NO_NAME}" "L" "N"
+"-s -A getdnsapi.net -l LT -m  @${TLS_SERVER_IP_NO_NAME}" "L" "N"
+"-s -A getdnsapi.net -l L      @${SERVER_IP} @${TLS_SERVER_IP_NO_NAME}" "L" "-"
+"-s -G DNSKEY getdnsapi.net -l UT  @${SERVER_IP} -b 512 -D" "T" "-")

 NOT_AVAILABLE_QUERIES=(
-"-s -A -q getdnsapi.net -l L      @${SERVER_IP}"
-"-s -A -q getdnsapi.net -l L -m   @${TLS_SERVER_IP_WRONG_NAME}"
-"-s -A -q getdnsapi.net -l L -m   @${TLS_SERVER_IP_NO_NAME}"
-"-s -A -q getdnsapi.net -l L -m   @${TLS_SERVER_IP_NO_NAME} -K pin-sha256=\"${TLS_SERVER_WRONG_KEY}\"")
+"-s -A getdnsapi.net -l L      @${SERVER_IP}"
+"-s -A getdnsapi.net -l L -m   @${TLS_SERVER_IP_WRONG_NAME}"
+"-s -A getdnsapi.net -l L -m   @${TLS_SERVER_IP_NO_NAME}"
+"-s -A getdnsapi.net -l L -m   @${TLS_SERVER_IP_NO_NAME}    -K pin-sha256=\"${TLS_SERVER_WRONG_KEY}\""
+"-s -A getdnsapi.net -l L -m   @${TLS_SERVER_IP}            -K pin-sha256=\"${TLS_SERVER_WRONG_KEY}\""
+"-s -A getdnsapi.net -l L -m   @${TLS_SERVER_IP_WRONG_NAME} -K pin-sha256=\"${TLS_SERVER_KEY}\""
+"-s -A getdnsapi.net -l L -m   @${TLS_SERVER_IP_WRONG_NAME} -K pin-sha256=\"${TLS_SERVER_WRONG_KEY}\""
+"-s -A getdnsapi.net -l L -m   @${TLS_SERVER_SS_IP}         -K pin-sha256=\"${TLS_SERVER_SS_KEY}\"")


 echo "Starting transport test"
@ -118,19 +173,19 @@ for (( i = 0; i < 2; i+=1 )); do
 	fi

 	echo "*Success cases:"
-	for (( j = 0; j < ${#GOOD_QUERIES[@]}; j+=1 )); do
-		check_good "`$DIR/getdns_query $SYNC_MODE ${GOOD_QUERIES[${j}]} 2>/dev/null`"
-		echo "getdns_query $SYNC_MODE ${GOOD_QUERIES[${j}]}"
-		(( COUNT++ ))
+	for (( j = 0; j < $NUM_GOOD_QUERIES; j+=1 )); do
+	  check_good "`$DIR/getdns_query +return_call_reporting $SYNC_MODE ${GOOD_QUERIES[$j*$NUM_ARGS]} 2>/dev/null`" ${GOOD_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_QUERIES[$((j*NUM_ARGS))+2]}
+	  echo "getdns_query $SYNC_MODE ${GOOD_QUERIES[$j*$NUM_ARGS]}"
+	  (( COUNT++ ))
 	done
 	
 	echo "*Success fallback cases:"
-	for (( j = 0; j < ${#GOOD_FALLBACK_QUERIES[@]}; j+=1 )); do
-		check_good "`$DIR/getdns_query $SYNC_MODE ${GOOD_FALLBACK_QUERIES[${j}]} 2>/dev/null`"
-		echo "getdns_query $SYNC_MODE ${GOOD_FALLBACK_QUERIES[${j}]}"
-		(( COUNT++ ))
+	for (( j = 0; j < $NUM_GOOD_FB_QUERIES; j+=1 )); do
+	    check_good "`$DIR/getdns_query +return_call_reporting $SYNC_MODE ${GOOD_FALLBACK_QUERIES[$j*$NUM_ARGS]} 2>/dev/null`" ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+2]}
+	    echo "getdns_query $SYNC_MODE ${GOOD_FALLBACK_QUERIES[$j*$NUM_ARGS]}  TESTS: ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+2]}"
+	    (( COUNT++ ))
 	done
-
+	
 	echo "*Transport not available cases:"
 	for (( j = 0; j < ${#NOT_AVAILABLE_QUERIES[@]}; j+=1 )); do
 		check_bad "`$DIR/getdns_query $SYNC_MODE ${NOT_AVAILABLE_QUERIES[${j}]} 2>&1`"
--- a/src/tools/stubby.conf
+++ b/src/tools/stubby.conf
@ -42,6 +42,18 @@
      [ { digest: "sha256"
        , value: 0x7e8c59467221f606695a797ecc488a6b4109dab7421aba0c5a6d3681ac5273d4
      } ]
+    },
+    { address_data: 184.105.193.78
+    , tls_pubkey_pinset:
+      [ { digest: "sha256"
+        , value: 0xA4E5EBA54B7D9203E06D6C411457014DB447DA17A8DB01F05E9D5F7780045572
+      } ]
+    },
+    { address_data: 2620:ff:c000:0:1::64:25
+    , tls_pubkey_pinset:
+      [ { digest: "sha256"
+        , value: 0xA4E5EBA54B7D9203E06D6C411457014DB447DA17A8DB01F05E9D5F7780045572
+      } ]
    }
  ]
 , tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
--- a/src/types-internal.h
+++ b/src/types-internal.h
@ -423,5 +423,7 @@ void _getdns_network_validate_tsig(getdns_network_req *req);

 void _getdns_netreq_reinit(getdns_network_req *netreq);

+const char * _getdns_auth_str(getdns_auth_state_t auth);
+
 #endif
 /* types-internal.h */
--- a/src/util-internal.c
+++ b/src/util-internal.c
@ -838,6 +838,16 @@ _getdns_create_call_reporting_dict(
 	   was actually used for the last successful query.*/
 	if (transport == GETDNS_TRANSPORT_TCP && netreq->debug_udp == 1) {
 		transport = GETDNS_TRANSPORT_UDP;
+		if (getdns_dict_set_int( netreq_debug, "udp_responses_for_this_upstream",
+		                         netreq->upstream->udp_responses)) {
+			getdns_dict_destroy(netreq_debug);
+			return NULL;
+		}
+		if (getdns_dict_set_int( netreq_debug, "udp_timeouts_for_this_upstream",
+		                         netreq->upstream->udp_timeouts)) {
+			getdns_dict_destroy(netreq_debug);
+			return NULL;
+		}
 	}
 	if (getdns_dict_set_int( netreq_debug, "transport", transport)) {
 		getdns_dict_destroy(netreq_debug);
@ -858,16 +868,38 @@ _getdns_create_call_reporting_dict(
 				return NULL;
 			}
 		}
+		/* The running totals are only updated when a connection is closed.
+		   Since it is open as we have just used it, calcualte the value on the fly */
+		if (getdns_dict_set_int( netreq_debug, "responses_on_this_connection",
+		                         netreq->upstream->responses_received)) {
+			getdns_dict_destroy(netreq_debug);
+			return NULL;
+		}
+		if (getdns_dict_set_int( netreq_debug, "timeouts_on_this_connection",
+		                         netreq->upstream->responses_timeouts)) {
+			getdns_dict_destroy(netreq_debug);
+			return NULL;
+		}
+		if (getdns_dict_set_int( netreq_debug, "responses_for_this_upstream",
+		                         netreq->upstream->responses_received + 
+		                         netreq->upstream->total_responses)) {
+			getdns_dict_destroy(netreq_debug);
+			return NULL;
+		}
+		if (getdns_dict_set_int( netreq_debug, "timeouts_for_this_upstream",
+		                         netreq->upstream->responses_timeouts +
+		                         netreq->upstream->total_timeouts)) {
+			getdns_dict_destroy(netreq_debug);
+			return NULL;
+		}
 	}

 	if (netreq->upstream->transport != GETDNS_TRANSPORT_TLS)
 		return netreq_debug;
 	
 	/* Only include the auth status if TLS was used */
-	/* TODO: output all 3 options */
 	if (getdns_dict_util_set_string(netreq_debug, "tls_auth_status",
-	    netreq->debug_tls_auth_status == GETDNS_AUTH_OK ?
-	    "OK: Server authenticated":"FAILED or NOT TRIED: Server not authenticated")){
+	    _getdns_auth_str(netreq->debug_tls_auth_status))){

 		getdns_dict_destroy(netreq_debug);
 		return NULL;
@ -1530,4 +1562,14 @@ void _getdns_wire2list(uint8_t *pkt, size_t pkt_len, getdns_list *l)
 	}
 }

+const char * _getdns_auth_str(getdns_auth_state_t auth) {
+	static const char*
+	getdns_auth_str_array[] = {
+		GETDNS_STR_AUTH_NONE,
+		GETDNS_STR_AUTH_FAILED,
+		GETDNS_STR_AUTH_OK
+	};
+	return getdns_auth_str_array[auth];
+}
+
 /* util-internal.c */