diff --git a/src/context.c b/src/context.c index 20dea912..b6b07e66 100644 --- a/src/context.c +++ b/src/context.c @@ -699,15 +699,6 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams) GETDNS_FREE(upstreams->mf, upstreams); } -#if defined(DAEMON_DEBUG) && DAEMON_DEBUG -static char* -getdns_auth_str_array[] = { - GETDNS_STR_AUTH_NONE, - GETDNS_STR_AUTH_FAILED, - GETDNS_STR_AUTH_OK -}; -#endif - void _getdns_upstream_shutdown(getdns_upstream *upstream) { @@ -726,12 +717,12 @@ _getdns_upstream_shutdown(getdns_upstream *upstream) STUB_DEBUG_DAEMON, upstream->addr_str, (upstream->transport == GETDNS_TRANSPORT_TLS ? "TLS" : "TCP"), (int)upstream->responses_received, (int)upstream->responses_timeouts, - getdns_auth_str_array[upstream->tls_auth_state], (int)upstream->keepalive_timeout); + _getdns_auth_str(upstream->tls_auth_state), (int)upstream->keepalive_timeout); DEBUG_DAEMON("%s %s : Upstream stats: Transport=%s - Resp=%d,Timeouts=%d,Best_auth=%s\n", STUB_DEBUG_DAEMON, upstream->addr_str, (upstream->transport == GETDNS_TRANSPORT_TLS ? "TLS" : "TCP"), (int)upstream->total_responses, (int)upstream->total_timeouts, - getdns_auth_str_array[upstream->best_tls_auth_state]); + _getdns_auth_str(upstream->best_tls_auth_state)); DEBUG_DAEMON("%s %s : Upstream stats: Transport=%s - Conns=%d,Conn_fails=%d,Conn_shutdowns=%d,Backoffs=%d\n", STUB_DEBUG_DAEMON, upstream->addr_str, (upstream->transport == GETDNS_TRANSPORT_TLS ? "TLS" : "TCP"), diff --git a/src/pubkey-pinning.c b/src/pubkey-pinning.c index d9c57fcd..d59a26d4 100644 --- a/src/pubkey-pinning.c +++ b/src/pubkey-pinning.c @@ -422,14 +422,14 @@ _getdns_verify_pinset_match(const sha256_pin_t *pinset, int verified; if (!pkey) { DEBUG_STUB("%s %-35s: Could not get pubkey from cert %d (%p)\n", - STUB_DEBUG_SETUP_TLS, __FUNCTION__, i, x); + STUB_DEBUG_SETUP_TLS, __FUNCTION__, i, (void*)x); return GETDNS_RETURN_GENERIC_ERROR; } verified = X509_verify(prev, pkey); EVP_PKEY_free(pkey); if (!verified) { DEBUG_STUB("%s %-35s: cert %d (%p) was not signed by cert %d\n", - STUB_DEBUG_SETUP_TLS, __FUNCTION__, i-1, prev, i); + STUB_DEBUG_SETUP_TLS, __FUNCTION__, i-1, (void*)prev, i); return GETDNS_RETURN_GENERIC_ERROR; } } @@ -454,11 +454,11 @@ _getdns_verify_pinset_match(const sha256_pin_t *pinset, for (p = pinset; p; p = p->next) if (0 == memcmp(buf, p->pin, sizeof(p->pin))) { DEBUG_STUB("%s %-35s: Pubkey %d matched pin %p ("PRIsz")\n", - STUB_DEBUG_SETUP_TLS, __FUNCTION__, i, p, sizeof(p->pin)); + STUB_DEBUG_SETUP_TLS, __FUNCTION__, i, (void*)p, sizeof(p->pin)); return GETDNS_RETURN_GOOD; } else DEBUG_STUB("%s %-35s: Pubkey %d did not match pin %p\n", - STUB_DEBUG_SETUP_TLS, __FUNCTION__, i, p); + STUB_DEBUG_SETUP_TLS, __FUNCTION__, i, (void*)p); } return ret; diff --git a/src/stub.c b/src/stub.c index 30915709..b04cb6bb 100644 --- a/src/stub.c +++ b/src/stub.c @@ -385,7 +385,7 @@ tcp_connect(getdns_upstream *upstream, getdns_transport_list_t transport) { int fd = -1; DEBUG_STUB("%s %-35s: Creating TCP connection: %p\n", STUB_DEBUG_SETUP, - __FUNCTION__, upstream); + __FUNCTION__, (void*)upstream); if ((fd = socket(upstream->addr.ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1) return -1; @@ -481,7 +481,7 @@ static void stub_cleanup(getdns_network_req *netreq) { DEBUG_STUB("%s %-35s: MSG: %p\n", - STUB_DEBUG_CLEANUP, __FUNCTION__, netreq); + STUB_DEBUG_CLEANUP, __FUNCTION__, (void*)netreq); getdns_dns_req *dnsreq = netreq->owner; getdns_network_req *r, *prev_r; getdns_upstream *upstream; @@ -562,7 +562,7 @@ void _getdns_cancel_stub_request(getdns_network_req *netreq) { DEBUG_STUB("%s %-35s: MSG: %p\n", - STUB_DEBUG_CLEANUP, __FUNCTION__, netreq); + STUB_DEBUG_CLEANUP, __FUNCTION__, (void*)netreq); stub_cleanup(netreq); if (netreq->fd >= 0) { #ifdef USE_WINSOCK @@ -578,7 +578,7 @@ stub_timeout_cb(void *userarg) { getdns_network_req *netreq = (getdns_network_req *)userarg; DEBUG_STUB("%s %-35s: MSG: %p\n", - STUB_DEBUG_CLEANUP, __FUNCTION__, netreq); + STUB_DEBUG_CLEANUP, __FUNCTION__, (void*)netreq); stub_cleanup(netreq); netreq->state = NET_REQ_TIMED_OUT; /* Handle upstream*/ @@ -862,29 +862,30 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx) if (!upstream) return 0; -#if defined(STUB_DEBUG) && STUB_DEBUG || defined(X509_V_ERR_HOSTNAME_MISMATCH) - int err = X509_STORE_CTX_get_error(ctx); - + int err = X509_STORE_CTX_get_error(ctx); +#if defined(STUB_DEBUG) && STUB_DEBUG DEBUG_STUB("%s %-35s: FD: %d Verify result: (%d) \"%s\"\n", STUB_DEBUG_SETUP_TLS, __FUNCTION__, upstream->fd, err, X509_verify_cert_error_string(err)); #endif + /* First deal with the hostname authentication done by OpenSSL. */ #ifdef X509_V_ERR_HOSTNAME_MISMATCH /*Report if error is hostname mismatch*/ - if (err == X509_V_ERR_HOSTNAME_MISMATCH) { - upstream->tls_auth_state = GETDNS_AUTH_FAILED; - if (upstream->tls_fallback_ok) - DEBUG_STUB("%s %-35s: FD: %d WARNING: Proceeding even though hostname validation failed!\n", - STUB_DEBUG_SETUP_TLS, __FUNCTION__, upstream->fd); - } + if (err == X509_V_ERR_HOSTNAME_MISMATCH && upstream->tls_fallback_ok) + DEBUG_STUB("%s %-35s: FD: %d WARNING: Proceeding even though hostname validation failed!\n", + STUB_DEBUG_SETUP_TLS, __FUNCTION__, upstream->fd); #else /* if we weren't built against OpenSSL with hostname matching we * could not have matched the hostname, so this would be an automatic * tls_auth_fail if there is a hostname provided*/ - if (upstream->tls_auth_name[0]) + if (upstream->tls_auth_name[0]) { upstream->tls_auth_state = GETDNS_AUTH_FAILED; + preverify_ok = 0; + } #endif + + /* Now deal with the pinset validation*/ if (upstream->tls_pubkey_pinset) pinset_ret = _getdns_verify_pinset_match(upstream->tls_pubkey_pinset, ctx); @@ -896,10 +897,23 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx) if (upstream->tls_fallback_ok) DEBUG_STUB("%s %-35s: FD: %d, WARNING: Proceeding even though pinset validation failed!\n", STUB_DEBUG_SETUP_TLS, __FUNCTION__, upstream->fd); + } else { + /* If we _only_ had a pinset and it is good then force succesful + authentication when the cert self-signed */ + if ((upstream->tls_pubkey_pinset && upstream->tls_auth_name[0] == '\0') && + (err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN || + err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) { + preverify_ok = 1; + DEBUG_STUB("%s %-35s: FD: %d, Allowing self-signed (%d) cert since pins match\n", + STUB_DEBUG_SETUP_TLS, __FUNCTION__, upstream->fd, err); + } } + /* If nothing has failed yet and we had credentials, we have succesfully authenticated*/ - if (upstream->tls_auth_state == GETDNS_AUTH_NONE && - (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0])) + if (preverify_ok == 0) + upstream->tls_auth_state = GETDNS_AUTH_FAILED; + else if (upstream->tls_auth_state == GETDNS_AUTH_NONE && + (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0])) upstream->tls_auth_state = GETDNS_AUTH_OK; /* If fallback is allowed, proceed regardless of what the auth error is (might not be hostname or pinset related) */ @@ -1044,8 +1058,9 @@ tls_do_handshake(getdns_upstream *upstream) /* A re-used session is not verified so need to fix up state in that case */ if (SSL_session_reused(upstream->tls_obj)) upstream->tls_auth_state = upstream->last_tls_auth_state; - DEBUG_STUB("%s %-35s: FD: %d Handshake succeeded with auth state %d. Session is %s.\n", - STUB_DEBUG_SETUP_TLS, __FUNCTION__, upstream->fd, upstream->tls_auth_state, + DEBUG_STUB("%s %-35s: FD: %d Handshake succeeded with auth state %s. Session is %s.\n", + STUB_DEBUG_SETUP_TLS, __FUNCTION__, upstream->fd, + _getdns_auth_str(upstream->tls_auth_state), SSL_session_reused(upstream->tls_obj) ?"re-used":"new"); if (upstream->tls_session != NULL) SSL_SESSION_free(upstream->tls_session); @@ -1282,7 +1297,7 @@ stub_udp_read_cb(void *userarg) getdns_upstream *upstream = netreq->upstream; ssize_t read; DEBUG_STUB("%s %-35s: MSG: %p \n", STUB_DEBUG_READ, - __FUNCTION__, netreq); + __FUNCTION__, (void*)netreq); GETDNS_CLEAR_EVENT(dnsreq->loop, &netreq->event); @@ -1315,7 +1330,7 @@ stub_udp_read_cb(void *userarg) #endif while (GLDNS_TC_WIRE(netreq->response)) { DEBUG_STUB("%s %-35s: MSG: %p TC bit set in response \n", STUB_DEBUG_READ, - __FUNCTION__, netreq); + __FUNCTION__, (void*)netreq); if (!(netreq->transport_current < netreq->transport_count)) break; getdns_transport_list_t next_transport = @@ -1357,7 +1372,7 @@ stub_udp_write_cb(void *userarg) getdns_dns_req *dnsreq = netreq->owner; size_t pkt_len; DEBUG_STUB("%s %-35s: MSG: %p \n", STUB_DEBUG_WRITE, - __FUNCTION__, netreq); + __FUNCTION__, (void*)netreq); GETDNS_CLEAR_EVENT(dnsreq->loop, &netreq->event); @@ -1464,7 +1479,7 @@ upstream_read_cb(void *userarg) } DEBUG_STUB("%s %-35s: MSG: %p (read)\n", - STUB_DEBUG_READ, __FUNCTION__, netreq); + STUB_DEBUG_READ, __FUNCTION__, (void*)netreq); netreq->state = NET_REQ_FINISHED; netreq->response = upstream->tcp.read_buf; netreq->response_len = @@ -1545,7 +1560,7 @@ upstream_write_cb(void *userarg) netreq->debug_start_time = _getdns_get_time_as_uintt64(); DEBUG_STUB("%s %-35s: MSG: %p (writing)\n", STUB_DEBUG_WRITE, - __FUNCTION__, netreq); + __FUNCTION__, (void*)netreq); /* Health checks on current connection */ if (upstream->conn_state == GETDNS_CONN_TEARDOWN) @@ -1570,7 +1585,7 @@ upstream_write_cb(void *userarg) case STUB_SETUP_ERROR: /* Could not complete the set up. Need to fallback.*/ DEBUG_STUB("%s %-35s: Upstream: %p ERROR = %d\n", STUB_DEBUG_WRITE, - __FUNCTION__, ((getdns_network_req *)userarg), q); + __FUNCTION__, (void*)userarg, q); upstream_failed(upstream, (q == STUB_TCP_ERROR ? 0:1)); /* Fall through */ case STUB_CONN_GONE: @@ -1785,7 +1800,7 @@ upstream_connect(getdns_upstream *upstream, getdns_transport_list_t transport, getdns_dns_req *dnsreq) { DEBUG_STUB("%s %-35s: Getting upstream connection: %p\n", STUB_DEBUG_SETUP, - __FUNCTION__, upstream); + __FUNCTION__, (void*)upstream); int fd = -1; switch(transport) { case GETDNS_TRANSPORT_UDP: @@ -1859,7 +1874,7 @@ upstream_find_for_transport(getdns_network_req *netreq, *fd = upstream_connect(upstream, transport, netreq->owner); } while (*fd == -1); DEBUG_STUB("%s %-35s: FD: %d Connecting to upstream: %p No: %d\n", - STUB_DEBUG_SETUP, __FUNCTION__, *fd, upstream, + STUB_DEBUG_SETUP, __FUNCTION__, *fd, (void*)upstream, (int)(upstream - netreq->owner->context->upstreams->upstreams)); } return upstream; @@ -1883,7 +1898,7 @@ upstream_find_for_netreq(getdns_network_req *netreq) return fd; } /* Handle better, will give generic error*/ - DEBUG_STUB("%s %-35s: MSG: %p No valid upstream! \n", STUB_DEBUG_SCHEDULE, __FUNCTION__, netreq); + DEBUG_STUB("%s %-35s: MSG: %p No valid upstream! \n", STUB_DEBUG_SCHEDULE, __FUNCTION__, (void*)netreq); #if defined(DAEMON_DEBUG) && DAEMON_DEBUG DEBUG_DAEMON("%s *FAILURE* no valid transports or upstreams available!\n", STUB_DEBUG_DAEMON); @@ -1900,7 +1915,7 @@ fallback_on_write(getdns_network_req *netreq) { /* Deal with UDP one day*/ - DEBUG_STUB("%s %-35s: MSG: %p FALLING BACK \n", STUB_DEBUG_SCHEDULE, __FUNCTION__, netreq); + DEBUG_STUB("%s %-35s: MSG: %p FALLING BACK \n", STUB_DEBUG_SCHEDULE, __FUNCTION__, (void*)netreq); /* Try to find a fallback transport*/ getdns_return_t result = _getdns_submit_stub_request(netreq); @@ -1948,7 +1963,7 @@ upstream_reschedule_events(getdns_upstream *upstream, uint64_t idle_timeout) { static void upstream_schedule_netreq(getdns_upstream *upstream, getdns_network_req *netreq) { - DEBUG_STUB("%s %-35s: MSG: %p (schedule event)\n", STUB_DEBUG_SCHEDULE, __FUNCTION__, netreq); + DEBUG_STUB("%s %-35s: MSG: %p (schedule event)\n", STUB_DEBUG_SCHEDULE, __FUNCTION__, (void*)netreq); /* We have a connected socket and a global event loop */ assert(upstream->fd >= 0); assert(upstream->loop); @@ -2000,7 +2015,7 @@ getdns_return_t _getdns_submit_stub_request(getdns_network_req *netreq) { DEBUG_STUB("%s %-35s: MSG: %p TYPE: %d\n", STUB_DEBUG_ENTRY, __FUNCTION__, - netreq, netreq->request_type); + (void*)netreq, netreq->request_type); int fd = -1; getdns_dns_req *dnsreq = netreq->owner; diff --git a/src/test/tests_transports.sh b/src/test/tests_transports.sh index 13e5b6b6..0cb0947b 100755 --- a/src/test/tests_transports.sh +++ b/src/test/tests_transports.sh @@ -5,25 +5,72 @@ SERVER_IP="8.8.8.8" SERVER_IPv6="2001:4860:4860::8888" TLS_SERVER_IP="185.49.141.38~getdnsapi.net" TLS_SERVER_IPv6="2a04:b900:0:100::38~getdnsapi.net" +TLS_SERVER_SS_IP="184.105.193.78~tls-dns-u.odvr.dns-oarc.net" #Self signed cert TLS_SERVER_KEY="foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S=" +TLS_SERVER_SS_KEY="pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI=" TLS_SERVER_WRONG_KEY="foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc1S=" GOOD_RESULT_SYNC="Status was: At least one response was returned" GOOD_RESULT_ASYNC="successfull" BAD_RESULT_SYNC="1 'Generic error'" BAD_RESULT_ASYNC="callback_type of 703" +NUM_ARGS=3 GOOD_COUNT=0 FAIL_COUNT=0 + +check_auth () { + local my_auth_ok=0; + auth_result=`echo $1 | sed 's/.*tls_auth_status\": .*//'` + if [[ $2 == "-" ]] ; then + my_auth_ok=1; + fi + if [[ $2 == "N" ]] && [[ $auth_result == "None" ]]; then + my_auth_ok=1; + fi + if [[ $2 == "F" ]] && [[ $auth_result == "Failed" ]]; then + my_auth_ok=1; + fi + if [[ $2 == "S" ]] && [[ $auth_result == "Success" ]]; then + my_auth_ok=1; + fi + echo $my_auth_ok; +} + +check_trans () { + local my_trans_ok=0; + trans_result=`echo $1 | sed "s/.*\"transport\": GETDNS_TRANSPORT_//" | sed 's/ }.*//' | sed 's/,.*//'` + if [[ $2 == "U" ]] && [[ $trans_result == "UDP" ]]; then + my_trans_ok=1; + fi + if [[ $2 == "T" ]] && [[ $trans_result == "TCP" ]]; then + my_trans_ok=1; + fi + if [[ $2 == "L" ]] && [[ $trans_result == "TLS" ]]; then + my_trans_ok=1; + fi + echo $my_trans_ok; +} + check_good () { - result=`echo $1 | grep "Response code was: GOOD." | tail -1 | sed 's/ All done.'// | sed 's/Response code was: GOOD. '//` + auth_ok=0; + result_ok=0; + trans_ok=0; + result=`echo $1 | sed 's/ All done.'// | sed 's/.*Response code was: GOOD. '//` async_success=`echo $result | grep -c "$GOOD_RESULT_ASYNC"` if [[ $result =~ $GOOD_RESULT_SYNC ]] || [[ $async_success =~ 1 ]]; then - (( GOOD_COUNT++ )) - echo -n "PASS: " - else - (( FAIL_COUNT++ )) - echo "FAIL (RESULT): " $1 - echo -n "FAIL: " + result_ok=1; + fi + if [[ $result_ok == 1 ]] ; then + trans_ok=$(check_trans "$1" "$2") + auth_ok=$(check_auth "$1" "$3") + fi + if [[ $result_ok == 1 ]] && [[ $auth_ok == 1 ]] && [[ $trans_ok == 1 ]]; then + (( GOOD_COUNT++ )) + echo -n "PASS: " + else + (( FAIL_COUNT++ )) + echo "FAIL (RESULT): Result: $result Auth: $auth_ok Trans: $trans_ok" + echo -n "FAIL: " fi } @@ -80,30 +127,38 @@ while getopts ":p:s:t:k:idh" opt; do done TLS_SERVER_IP_NO_NAME=`echo ${TLS_SERVER_IP%~*}` +TLS_SERVER_SS_IP_NO_NAME=`echo ${TLS_SERVER_SS_IP%~*}` TLS_SERVER_IP_WRONG_NAME=`echo ${TLS_SERVER_IP::${#TLS_SERVER_IP}-1}` +NUM_GOOD_QUERIES=7 GOOD_QUERIES=( -"-s -A -q getdnsapi.net -l U @${SERVER_IP} " -"-s -A -q getdnsapi.net -l T @${SERVER_IP} " -"-s -A -q getdnsapi.net -l L @${TLS_SERVER_IP_NO_NAME}" -"-s -A -q getdnsapi.net -l L -m @${TLS_SERVER_IP}" -"-s -A -q getdnsapi.net -l L -m @${TLS_SERVER_IP_NO_NAME} -K pin-sha256=\"${TLS_SERVER_KEY}\"" -"-s -A -q getdnsapi.net -l L -m @${TLS_SERVER_IP} -K pin-sha256=\"${TLS_SERVER_KEY}\"" -"-s -G -q DNSKEY getdnsapi.net -l U @${SERVER_IP} -b 512 -D") +"-s -A getdnsapi.net -l U @${SERVER_IP}" "U" "-" +"-s -A getdnsapi.net -l T @${SERVER_IP}" "T" "-" +"-s -A getdnsapi.net -l L @${TLS_SERVER_IP_NO_NAME}" "L" "N" +"-s -A getdnsapi.net -l L -m @${TLS_SERVER_IP}" "L" "S" +"-s -A getdnsapi.net -l L -m @${TLS_SERVER_IP_NO_NAME} -K pin-sha256=\"${TLS_SERVER_KEY}\"" "L" "S" +"-s -A getdnsapi.net -l L -m @${TLS_SERVER_IP} -K pin-sha256=\"${TLS_SERVER_KEY}\"" "L" "S" +"-s -A getdnsapi.net -l L -m @${TLS_SERVER_SS_IP_NO_NAME} -K pin-sha256=\"${TLS_SERVER_SS_KEY}\"" "L" "S" +"-s -G DNSKEY getdnsapi.net -l U @${SERVER_IP} -b 512 -D" "U" "-") +NUM_GOOD_FB_QUERIES=6 GOOD_FALLBACK_QUERIES=( -"-s -A -q getdnsapi.net -l LT @${SERVER_IP}" -"-s -A -q getdnsapi.net -l LT @${SERVER_IP}" -"-s -A -q getdnsapi.net -l LT @${TLS_SERVER_IP_NO_NAME}" -"-s -A -q getdnsapi.net -l LT -m @${TLS_SERVER_IP_NO_NAME}" -"-s -A -q getdnsapi.net -l L @${SERVER_IP} @${TLS_SERVER_IP_NO_NAME}" -"-s -G -q DNSKEY getdnsapi.net -l UT @${SERVER_IP} -b 512 -D") +"-s -A getdnsapi.net -l LU @${SERVER_IP}" "U" "-" +"-s -A getdnsapi.net -l LT @${SERVER_IP}" "T" "-" +"-s -A getdnsapi.net -l LT @${TLS_SERVER_IP_NO_NAME}" "L" "N" +"-s -A getdnsapi.net -l LT -m @${TLS_SERVER_IP_NO_NAME}" "L" "N" +"-s -A getdnsapi.net -l L @${SERVER_IP} @${TLS_SERVER_IP_NO_NAME}" "L" "-" +"-s -G DNSKEY getdnsapi.net -l UT @${SERVER_IP} -b 512 -D" "T" "-") NOT_AVAILABLE_QUERIES=( -"-s -A -q getdnsapi.net -l L @${SERVER_IP}" -"-s -A -q getdnsapi.net -l L -m @${TLS_SERVER_IP_WRONG_NAME}" -"-s -A -q getdnsapi.net -l L -m @${TLS_SERVER_IP_NO_NAME}" -"-s -A -q getdnsapi.net -l L -m @${TLS_SERVER_IP_NO_NAME} -K pin-sha256=\"${TLS_SERVER_WRONG_KEY}\"") +"-s -A getdnsapi.net -l L @${SERVER_IP}" +"-s -A getdnsapi.net -l L -m @${TLS_SERVER_IP_WRONG_NAME}" +"-s -A getdnsapi.net -l L -m @${TLS_SERVER_IP_NO_NAME}" +"-s -A getdnsapi.net -l L -m @${TLS_SERVER_IP_NO_NAME} -K pin-sha256=\"${TLS_SERVER_WRONG_KEY}\"" +"-s -A getdnsapi.net -l L -m @${TLS_SERVER_IP} -K pin-sha256=\"${TLS_SERVER_WRONG_KEY}\"" +"-s -A getdnsapi.net -l L -m @${TLS_SERVER_IP_WRONG_NAME} -K pin-sha256=\"${TLS_SERVER_KEY}\"" +"-s -A getdnsapi.net -l L -m @${TLS_SERVER_IP_WRONG_NAME} -K pin-sha256=\"${TLS_SERVER_WRONG_KEY}\"" +"-s -A getdnsapi.net -l L -m @${TLS_SERVER_SS_IP} -K pin-sha256=\"${TLS_SERVER_SS_KEY}\"") echo "Starting transport test" @@ -118,19 +173,19 @@ for (( i = 0; i < 2; i+=1 )); do fi echo "*Success cases:" - for (( j = 0; j < ${#GOOD_QUERIES[@]}; j+=1 )); do - check_good "`$DIR/getdns_query $SYNC_MODE ${GOOD_QUERIES[${j}]} 2>/dev/null`" - echo "getdns_query $SYNC_MODE ${GOOD_QUERIES[${j}]}" - (( COUNT++ )) + for (( j = 0; j < $NUM_GOOD_QUERIES; j+=1 )); do + check_good "`$DIR/getdns_query +return_call_reporting $SYNC_MODE ${GOOD_QUERIES[$j*$NUM_ARGS]} 2>/dev/null`" ${GOOD_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_QUERIES[$((j*NUM_ARGS))+2]} + echo "getdns_query $SYNC_MODE ${GOOD_QUERIES[$j*$NUM_ARGS]}" + (( COUNT++ )) done echo "*Success fallback cases:" - for (( j = 0; j < ${#GOOD_FALLBACK_QUERIES[@]}; j+=1 )); do - check_good "`$DIR/getdns_query $SYNC_MODE ${GOOD_FALLBACK_QUERIES[${j}]} 2>/dev/null`" - echo "getdns_query $SYNC_MODE ${GOOD_FALLBACK_QUERIES[${j}]}" - (( COUNT++ )) + for (( j = 0; j < $NUM_GOOD_FB_QUERIES; j+=1 )); do + check_good "`$DIR/getdns_query +return_call_reporting $SYNC_MODE ${GOOD_FALLBACK_QUERIES[$j*$NUM_ARGS]} 2>/dev/null`" ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+2]} + echo "getdns_query $SYNC_MODE ${GOOD_FALLBACK_QUERIES[$j*$NUM_ARGS]} TESTS: ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+1]} ${GOOD_FALLBACK_QUERIES[$((j*NUM_ARGS))+2]}" + (( COUNT++ )) done - + echo "*Transport not available cases:" for (( j = 0; j < ${#NOT_AVAILABLE_QUERIES[@]}; j+=1 )); do check_bad "`$DIR/getdns_query $SYNC_MODE ${NOT_AVAILABLE_QUERIES[${j}]} 2>&1`" diff --git a/src/tools/stubby.conf b/src/tools/stubby.conf index 3d3fd30e..5deb03db 100644 --- a/src/tools/stubby.conf +++ b/src/tools/stubby.conf @@ -42,6 +42,18 @@ [ { digest: "sha256" , value: 0x7e8c59467221f606695a797ecc488a6b4109dab7421aba0c5a6d3681ac5273d4 } ] + }, + { address_data: 184.105.193.78 + , tls_pubkey_pinset: + [ { digest: "sha256" + , value: 0xA4E5EBA54B7D9203E06D6C411457014DB447DA17A8DB01F05E9D5F7780045572 + } ] + }, + { address_data: 2620:ff:c000:0:1::64:25 + , tls_pubkey_pinset: + [ { digest: "sha256" + , value: 0xA4E5EBA54B7D9203E06D6C411457014DB447DA17A8DB01F05E9D5F7780045572 + } ] } ] , tls_authentication: GETDNS_AUTHENTICATION_REQUIRED diff --git a/src/types-internal.h b/src/types-internal.h index 06eea0da..2ac85581 100644 --- a/src/types-internal.h +++ b/src/types-internal.h @@ -423,5 +423,7 @@ void _getdns_network_validate_tsig(getdns_network_req *req); void _getdns_netreq_reinit(getdns_network_req *netreq); +const char * _getdns_auth_str(getdns_auth_state_t auth); + #endif /* types-internal.h */ diff --git a/src/util-internal.c b/src/util-internal.c index 1fbd9632..c25cf5ce 100644 --- a/src/util-internal.c +++ b/src/util-internal.c @@ -838,6 +838,16 @@ _getdns_create_call_reporting_dict( was actually used for the last successful query.*/ if (transport == GETDNS_TRANSPORT_TCP && netreq->debug_udp == 1) { transport = GETDNS_TRANSPORT_UDP; + if (getdns_dict_set_int( netreq_debug, "udp_responses_for_this_upstream", + netreq->upstream->udp_responses)) { + getdns_dict_destroy(netreq_debug); + return NULL; + } + if (getdns_dict_set_int( netreq_debug, "udp_timeouts_for_this_upstream", + netreq->upstream->udp_timeouts)) { + getdns_dict_destroy(netreq_debug); + return NULL; + } } if (getdns_dict_set_int( netreq_debug, "transport", transport)) { getdns_dict_destroy(netreq_debug); @@ -858,16 +868,38 @@ _getdns_create_call_reporting_dict( return NULL; } } + /* The running totals are only updated when a connection is closed. + Since it is open as we have just used it, calcualte the value on the fly */ + if (getdns_dict_set_int( netreq_debug, "responses_on_this_connection", + netreq->upstream->responses_received)) { + getdns_dict_destroy(netreq_debug); + return NULL; + } + if (getdns_dict_set_int( netreq_debug, "timeouts_on_this_connection", + netreq->upstream->responses_timeouts)) { + getdns_dict_destroy(netreq_debug); + return NULL; + } + if (getdns_dict_set_int( netreq_debug, "responses_for_this_upstream", + netreq->upstream->responses_received + + netreq->upstream->total_responses)) { + getdns_dict_destroy(netreq_debug); + return NULL; + } + if (getdns_dict_set_int( netreq_debug, "timeouts_for_this_upstream", + netreq->upstream->responses_timeouts + + netreq->upstream->total_timeouts)) { + getdns_dict_destroy(netreq_debug); + return NULL; + } } if (netreq->upstream->transport != GETDNS_TRANSPORT_TLS) return netreq_debug; /* Only include the auth status if TLS was used */ - /* TODO: output all 3 options */ if (getdns_dict_util_set_string(netreq_debug, "tls_auth_status", - netreq->debug_tls_auth_status == GETDNS_AUTH_OK ? - "OK: Server authenticated":"FAILED or NOT TRIED: Server not authenticated")){ + _getdns_auth_str(netreq->debug_tls_auth_status))){ getdns_dict_destroy(netreq_debug); return NULL; @@ -1530,4 +1562,14 @@ void _getdns_wire2list(uint8_t *pkt, size_t pkt_len, getdns_list *l) } } +const char * _getdns_auth_str(getdns_auth_state_t auth) { + static const char* + getdns_auth_str_array[] = { + GETDNS_STR_AUTH_NONE, + GETDNS_STR_AUTH_FAILED, + GETDNS_STR_AUTH_OK + }; + return getdns_auth_str_array[auth]; +} + /* util-internal.c */