Commit Graph

33295 Commits

Author SHA1 Message Date
Evan Hunt
42a4093423 send the specified hostname in the HTTP URI
dig was not working with a server with offloaded TLS;
this turned out to be because it was sending the URI as
"https://<address>/dns-query", not "https://<name>/dns-query".
using userarg instead of servname fixes the problem. (incidentally
also corrected logged output to use the hostname when available.)
2021-02-11 14:37:26 -08:00
Evan Hunt
d18a4d47f6 prevent dig hang when nghttp2 callback fails
calling recv_done() with ISC_R_CANCELED prevents dig from cleaning
up fully from the query, because when that result code is used
it means some resources are already gone. changing the result
to ISC_R_UNEXPECTED prevents the hang.
2021-02-11 12:17:19 -08:00
Artem Boldariev
f9ec55fd9a fixup! start refactoring isc_nm_httprequest() into read/send 2021-02-11 19:44:19 +02:00
Artem Boldariev
9d1ab27081 isc__nm_tls_settimeout() and isc__nm_http_settimeout() implementations 2021-02-11 18:37:51 +02:00
Artem Boldariev
70b1946896 fixup! HACK: make isc_nm_tlsconnect() work when being invoked from within the context of a network thread 2021-02-11 16:01:34 +02:00
Artem Boldariev
b7e8994ad3 HACK: make isc_nm_tlsconnect() work when being invoked from within the context of a network thread 2021-02-11 15:03:44 +02:00
Artem Boldariev
9b3f3e96ea fix unit tests 2021-02-11 13:20:00 +02:00
Evan Hunt
bdc49a0650 fix handling of tcp connection errors
- a bug that was already fixed in tcpdns.c and tlsdns.c had been
  left unfixed in tcp.c: we needed to check whether the socket() call
  succeeds before attempting any asynchronous connection code.
  this corrects a problem that occurred when uv__socket() failed
  with too many open files.
- also corrected the behavior of nm_connectcb().  previously, it was
  forcing synchronous execution when force_async was false. what we
  want is to force asynchronous execution if force_async is true. if
  force_async is false, we want it to decide based on whether we're in
  the network thread.
2021-02-10 20:16:33 -08:00
Evan Hunt
4a90d76163 rename isc_nm_httprequest()
isc_nm_httprequest() is retained for use by doh_test, but has
been renamed isc__nm_http_request() and is no longer part of
the main API.

eventually doh_test should be changed to use isc_nm_read() and
isc_nm_send(), and this function should be removed.
2021-02-10 15:07:41 -08:00
Evan Hunt
8c3f83dcea add support for dig +http-plain
this allows dig to connect over an unencrypted HTTP/2 channel.
2021-02-10 13:28:11 -08:00
Evan Hunt
de7bbe277e fixup! fixup! fixup! fixup! fixup! call connect_cb from isc_nm_httpconnect() asynchronously 2021-02-10 12:34:10 -08:00
Evan Hunt
c0f369a975 fixup! add preliminary DoH client support to dig 2021-02-10 12:33:45 -08:00
Artem Boldariev
db2b8340e6 Fix keeping track of TLS context 2021-02-10 18:34:12 +02:00
Artem Boldariev
a414d909c4 HTTP/2 session reference counting fixes 2021-02-10 16:38:44 +02:00
Artem Boldariev
27e184b32d fixup! clean up TLS and HTTP data correctly 2021-02-10 13:23:21 +02:00
Evan Hunt
df1fd19182 fixup! fixup! fixup! fixup! call connect_cb from isc_nm_httpconnect() asynchronously 2021-02-09 22:35:50 -08:00
Evan Hunt
180899f186 fixup! reference-count http session objects 2021-02-09 18:39:55 -08:00
Evan Hunt
0828834a5e reference-count http session objects 2021-02-09 18:39:17 -08:00
Evan Hunt
14dad4c9b5 fixup! clean up TLS and HTTP data correctly 2021-02-09 18:36:28 -08:00
Evan Hunt
e6d35ea0e8 clean up TLS and HTTP data correctly
we don't want to call isc__nm_http_cleanup_data() for TLS sockets
or isc__nm_tls_cleanup_data() for HTTP sockets, they can step on
each other and cause a crash or deadlock.
2021-02-09 12:57:26 -08:00
Artem Boldariev
662197d5c2 fixup! add preliminary DoH client support to dig 2021-02-09 20:47:41 +02:00
Artem Boldariev
266d8120f4 fixup! fixup! fixup! call connect_cb from isc_nm_httpconnect() asynchronously 2021-02-09 20:37:09 +02:00
Artem Boldariev
5356b36ebd fixup! fixup! call connect_cb from isc_nm_httpconnect() asynchronously 2021-02-09 18:29:27 +02:00
Artem Boldariev
96620f41dd fixup! update the socket result correctly 2021-02-09 14:37:40 +02:00
Artem Boldariev
e01debbb1d fixup! call connect_cb from isc_nm_httpconnect() asynchronously 2021-02-09 14:37:33 +02:00
Evan Hunt
4fe216e6f7 call connect_cb from isc_nm_httpconnect() asynchronously
this isn't working yet, but it's a step in the right direction:
we need to call the connect callback from isc_nm_httpconnect()
asynchronously, after the connect has already returned. this
will enable dig to unlock the lookup before tcp_connected()
locks it, as it does when using tcpdns or tlsdns sockets.

this commit also removes the http_connect_t structure and stores
the connection data in a newly created http socket instead. (since
the socket structure was going to be needed to call isc__nm_connectcb()
anyway, it seemed like a good idea to make use of it to simplify
the connection code.)
2021-02-09 01:13:25 -08:00
Evan Hunt
8ea2cd7864 update the socket result correctly
in tls_call_connect_cb(), we want to update the result for
the TLS socket.  however, in some error conditions on connect,
the handle we're passing is for the TCP socket instead. this
was causing the wrong socket's result code to be updated, and
the thread that was waiting for the result to be updated never
woke up.

(note: while the fix in this commit causes doh_test to stop
deadlocking, I'm not sure whether I've actually fixed the bug.
in other places, we create a new 'tlshandle' to pass into
tls_call_connect_cb(). perhaps we should be doing that in
all cases?)

incidentally, I also renamed tls_connect_cb() to tcp_connected(),
because the handle passed in is for the TCP socket, and I kept
being confused by the name having "tls" in it.
2021-02-08 15:27:38 -08:00
Evan Hunt
bf9796140e fixup! start refactoring isc_nm_httprequest() into read/send 2021-02-08 12:43:22 -08:00
Artem Boldariev
01fce69199 fixup! start refactoring isc_nm_httprequest() into read/send 2021-02-08 20:59:44 +02:00
Artem Boldariev
697192d5cd TLS (WIP): fix double free(), other fixes 2021-02-08 20:26:23 +02:00
Evan Hunt
b690117276 still-broken checkpoint 2021-02-07 23:14:15 -08:00
Evan Hunt
6a3153950a start refactoring isc_nm_httprequest() into read/send
the goal here is to have the interface to http sockets be
the same as other types of netmgr socket, so that (for
example) dig can open an http connection and then just work
with no further code change, the same as it does with tcpdns
or tlsdns.

but the supporting code for https seems to be written with
the assumption that there will be a tight connection between
a request and a response, so the send and read functions have been
compressed into a single 'httprequest' function call. in an effort
to make the normal send and read semantics work correctly, we're
trying to set it up so that read sets us up to listen for a
response, send sets up the query we're sending, and whichever one
comes second triggers the transaction.

currently this is working in doh_test, but dig is failing due to a
deadlock; isc_http_connect() needs to return so launch_next_query()
can unlock the lookup before tcp_connected() runs.
2021-02-07 22:43:29 -08:00
Evan Hunt
d7090060be more cleanup 2021-02-07 22:43:29 -08:00
Evan Hunt
32de043c7d add setter functions for HTTP/2 ALPN
instead of setting up ALPN in isc_tlsctx_createclient(), we now
have a function isc_tlsctx_enable_http2client_alpn() that can be
run from isc_nm_httpconnect().  isc_tlsctx_enable_http2server_alpn()
can similarly be run from isc_nm_httpconnect().
2021-02-07 10:31:41 -08:00
Evan Hunt
9b133ad447 netmgr http refactoring
- style, cleanup, and removal of unnecessary code
- combine isc_nm_http_add_endpoint() and isc_nm_http_add_doh_endpoint()
  into one function, renamed isc_http_endpoint()
- move isc_nm_http_connect_send_request() into doh_test.c as a helper
  function; remove it from the public API
- renamed isc_http2 and isc_nm_http2 entities to just isc_http and
  isc_nm_http, for consistency with other existing names
- shortened a number of long names
- the caller is now responsible for determining the peer address
  in isc_nm_httpconnect(); this eliminates the need to parse the URI
  and the dependency on an external resolver. the caller is also now
  responsible for creating the SSL client context, for consistency with
  isc_nm_tlsdnsconnect().
2021-02-07 10:31:41 -08:00
Ondřej Surý
505d8d6ca4 add preliminary DoH client support to dig 2021-02-07 10:30:24 -08:00
Michal Nowak
64d5dad92a Merge branch 'mnowak/check-arm-pdf-validity' into 'main'
Check PDF file structure with QPDF

See merge request isc-projects/bind9!4620
2021-02-03 16:41:06 +00:00
Michal Nowak
359708b9d6 Check PDF file structure with QPDF
"qpdf --check" checks file structure of generated ARM PDF.
2021-02-03 17:39:58 +01:00
Matthijs Mekking
3648eb2936 Merge branch '2377-allow-a-records-below-an-_spf-label-as-a-check-names-exception' into 'main'
Resolve "Allow A records below an '_spf' label as a check-names exception"

Closes #2377

See merge request isc-projects/bind9!4529
2021-02-03 16:38:48 +00:00
Mark Andrews
1294918702 Add release note entry 2021-02-03 16:24:44 +01:00
Mark Andrews
2b5091ac17 Add CHANGES 2021-02-03 16:24:43 +01:00
Mark Andrews
a3b2b86e7f Check that A record is accepted with _spf label present 2021-02-03 16:23:20 +01:00
Mark Andrews
63c16c8506 Allow A records below '_spf' labels as recommend by RFC7208 2021-02-03 16:23:20 +01:00
Matthijs Mekking
5b8c86606e Merge branch '2375-dnssec-policy-three-is-a-crowd-rollover-bug' into 'main'
Resolve "three is a crowd" dnssec-policy key rollover bug

Closes #2375

See merge request isc-projects/bind9!4541
2021-02-03 15:22:47 +00:00
Matthijs Mekking
189f5a3f28 Add kasp test todo for [#2375]
This bugfix has been manually verified but is missing a unit test.
Created GL #2471 to track this.
2021-02-03 15:35:06 +01:00
Matthijs Mekking
98ace6d97d Use NUM_KEYSTATES constant where appropriate
We use the number 4 a lot when working on key states. Better to use
the NUM_KEYSTATES constant instead.
2021-02-03 15:35:06 +01:00
Matthijs Mekking
7947f7f9c6 Add change and release note for [#2375]
News worthy.
2021-02-03 15:35:06 +01:00
Matthijs Mekking
189d9a2d21 Cleanup keymgr.c
Three small cleanups:

1. Remove an unused keystr/dst_key_format.
2. Initialize a dst_key_state_t state with NA.
3. Update false comment about local policy (local policy only adds
   barrier on transitions to the RUMOURED state, not the UNRETENTIVE
   state).
2021-02-03 15:35:06 +01:00
Matthijs Mekking
291bcc3721 Fix DS/DNSKEY hidden or chained functions
There was a bug in function 'keymgr_ds_hidden_or_chained()'.

The funcion 'keymgr_ds_hidden_or_chained()' implements (3e) of rule2
as defined in the "Flexible and Robust Key Rollover" paper. The rules
says: All DS records need to be in the HIDDEN state, or if it is not
there must be a key with its DNSKEY and KRRSIG in OMNIPRESENT, and
its DS in the same state as the key in question. In human langauge,
if all keys have their DS in HIDDEN state you can do what you want,
but if a DS record is available to some validators, there must be
a chain of trust for it.

Note that the barriers on transitions first check if the current
state is valid, and then if the next state is valid too. But
here we falsely updated the 'dnskey_omnipresent' (now 'dnskey_chained')
with the next state. The next state applies to 'key' not to the state
to be checked. Updating the state here leads to (true) always, because
the key that will move its state will match the falsely updated
expected state. This could lead to the assumption that Key 2 would be
a valid chain of trust for Key 1, while clearly the presence of any
DS is uncertain.

The fix here is to check if the DNSKEY and KRRSIG are in OMNIPRESENT
state for the key that does not have its DS in the HIDDEN state, and
only if that is not the case, ensure that there is a key with the same
algorithm, that provides a valid chain of trust, that is, has its
DNSKEY, KRRSIG, and DS in OMNIPRESENT state.

The changes in 'keymgr_dnskey_hidden_or_chained()' are only cosmetical,
renaming 'rrsig_omnipresent' to 'rrsig_chained' and removing the
redundant initialization of the DST_KEY_DNSKEY expected state to NA.
2021-02-03 15:34:36 +01:00
Matthijs Mekking
600915d1b2 Update keymgr_key_is_successor() calls
The previous commit changed the function definition of
'keymgr_key_is_successor()', this commit updates the code where
this function is called.

In 'keymgr_key_exists_with_state()' the logic is also updated slightly
to become more readable. First handle the easy cases:
- If the key does not match the state, continue with the next key.
- If we found a key with matching state, and there is no need to
  check the successor relationship, return (true).
- Otherwise check the successor relationship.

In 'keymgr_key_has_successor()' it is enough to check if a key has
a direct successor, so instead of calling 'keymgr_key_is_successor()',
we can just check 'keymgr_direct_dep()'.

In 'dns_keymgr_run()', we want to make sure that there is no
dependency on the keys before retiring excess keys, so replace
'keymgr_key_is_successor()' with 'keymgr_dep()'.
2021-02-03 15:34:36 +01:00