Ondřej Surý [Thu, 30 Mar 2023 15:35:00 +0000 (17:35 +0200)]
Cleanup the last Windows / MSC ifdefs and comments
Cleanup the remnants of MS Compiler bits from <isc/refcount.h>, printing
the information in named/main.c, and cleanup some comments about Windows
that no longer apply.
The bits in picohttpparser.{h,c} were left out, because it's not our
code.
Tom Krizek [Mon, 13 Mar 2023 12:36:24 +0000 (13:36 +0100)]
Find errors in dig output in system tests
Facilitate faster system test failure identification and debugging by
checking any dig outputs for errors, which are typically indicative of
CI runner network / load issues.
Mark Andrews [Tue, 21 Mar 2023 03:29:46 +0000 (14:29 +1100)]
Don't check for OPENSSL_cleanup failures by default
OPENSSL_cleanup is supposed to free all remaining memory in use
provided the application has cleaned up properly. This is not the
case on some operating systems. Silently ignore memory that is
freed after OPENSSL_cleanup has been called.
Mark Andrews [Fri, 27 Jan 2023 05:52:59 +0000 (16:52 +1100)]
Handle fatal and FIPS provider interactions
When fatal is called we may be holding memory allocated by OpenSSL.
This may result in the reference count for the FIPS provider not
going to zero and the shared library not being unloaded during
OPENSSL_cleanup. When the shared library is ultimately unloaded,
when all remaining dynamically loaded libraries are freed, we have
already destroyed the memory context we where using to track memory
leaks / late frees resulting in INSIST being called.
Disable triggering the INSIST when fatal has being called.
Mark Andrews [Tue, 21 Dec 2021 22:01:54 +0000 (09:01 +1100)]
wildcard: Require hypothesis 4.41.2 or greater for FIPS compliance
hypothesis prior to 4.41.2 uses hashlib.md5 which is not FIPS
compliant causing the wildcard system test to fail. Check if
we are running if FIPS mode and if so make the minimum version
of hypothesis we will accept to be 4.41.2.
Mark Andrews [Wed, 17 Aug 2022 01:13:41 +0000 (11:13 +1000)]
tsiggss: regenerate kerberos credentials
The existing set of kerberos credential used deprecated algorithms
which are not supported by some implementations in FIPS mode.
Regenerate the saved credentials using more modern algorithms.
Added tsiggss/krb/setup.sh which sets up a test KDC with the required
principals for the system test to work. The tsiggss system test
needs to be run once with this active and KRB5_CONFIG appropriately.
set. See tsiggss/tests.sh for an example of how to do this.
Mark Andrews [Thu, 10 Feb 2022 22:11:08 +0000 (09:11 +1100)]
Only pass OPENSSL_CONF in the environment if it set
OPENSSL_CONF="" is treated differently to no OPENSSL_CONF in
the environment by OpenSSL. OPENSSL_CONF="" lead to crypto
failure being reported in FIPS mode.
Mark Andrews [Thu, 25 Aug 2022 06:47:34 +0000 (16:47 +1000)]
Allow named-checkconf to selectively check dnssec-policy algorithms
There are times where you want named-checkconf to check whether the
dnssec-policies should be constrained by the cryptographic algorithms
supported by the operation system or to just accept all possible
algorithms. This provides a mechanism to make that selection.
Mark Andrews [Thu, 23 Dec 2021 03:55:50 +0000 (14:55 +1100)]
Add --have-fips-dh to feature-test
Diffie-Hellman key echange doesn't appear to work in FIPS mode for
OpenSSL 1.x.x. Add feature test (--have-fips-dh) to identify builds
where DH key exchanges work (non FIPS builds and OpenSSL 3.0.0+) and
exclude test that would otherwise fail.
Mark Andrews [Sun, 7 Aug 2022 11:41:18 +0000 (21:41 +1000)]
Report file and line when converting OpenSSL errors
This provides more detail about which instance of specific OpenSSL
calls that have failed by reporting the file name and line numbers
involved when dst__openssl_toresult2 and dst__openssl_toresult3 are
called.
Michal Nowak [Tue, 20 Oct 2020 10:15:23 +0000 (12:15 +0200)]
Disable failing MD5 unit tests in FIPS mode
With FIPS mode enabled 'isc_hmac_init_test' and 'isc_hmac_md5_test'
tests of hmac_test and 'isc_md_init_test' and 'isc_md_md5_test' test
of md_test fail.
This is due to leveraging MD5, which is disabled in FIPS mode.
Mark Andrews [Tue, 24 Jan 2023 07:09:06 +0000 (18:09 +1100)]
Kill unit tests that run more than 1200 seconds
The CI doesn't provide useful forensics when a system test locks
up. Fork the process and kill it with ABRT if it is still running
after 20 minutes. Pass the exit status to the caller.
Tony Finch [Mon, 2 Jan 2023 19:56:27 +0000 (19:56 +0000)]
Simplify thread spawning
The `isc_trampoline` module had a lot of machinery to support stable
thread IDs for use by hazard pointers. But the hazard pointer code
is gone, and the `isc_loop` module now has its own per-loop thread
IDs.
The trampoline machinery seems over-complicated for its remaining
tasks, so move the per-thread initialization into `isc/thread.c`,
and delete the rest.
Ondřej Surý [Thu, 30 Mar 2023 22:12:33 +0000 (00:12 +0200)]
Refactor isc_time_now() to return time, and not result
The isc_time_now() and isc_time_now_hires() were used inconsistently
through the code - either with status check, or without status check,
or via TIME_NOW() macro with RUNTIME_CHECK() on failure.
Refactor the isc_time_now() and isc_time_now_hires() to always fail when
getting current time has failed, and return the isc_time_t value as
return value instead of passing the pointer to result in the argument.
Ondřej Surý [Thu, 30 Mar 2023 16:00:17 +0000 (18:00 +0200)]
Replace isc_fsaccess API with more secure file creation
The isc_fsaccess API was created to hide the implementation details
between POSIX and Windows APIs. As we are not supporting the Windows
APIs anymore, it's better to drop this API used in the DST part.
Moreover, the isc_fsaccess was setting the permissions in an insecure
manner - it operated on the filename, and not on the file descriptor
which can lead to all kind of attacks if unpriviledged user has read (or
even worse write) access to key directory.
Replace the code that operates on the private keys with code that uses
mkstemp(), fchmod() and atomic rename() at the end, so at no time the
private key files have insecure permissions.
Ondřej Surý [Fri, 31 Mar 2023 08:06:03 +0000 (10:06 +0200)]
Add isc_os_umask() function to get current umask
As it's impossible to get the current umask without modifying it at the
same time, initialize the current umask at the program start and keep
the loaded value internally. Add isc_os_umask() function to access the
starttime umask.
Ondřej Surý [Thu, 30 Mar 2023 19:37:12 +0000 (21:37 +0200)]
Squash dns_name_fullhash() and dns_name_hash()
The only place where dns_name_hash() was being used is the old hash
table in the dns_badcache unit. Squash the dns_name_fullhash() and
dns_name_hash() into single dns_name_hash() function that's always
case-insensitive as it doesn't make to do case-sensitive hashing of the
domain names and we were not using this anywhere.
Ondřej Surý [Thu, 30 Mar 2023 19:13:41 +0000 (21:13 +0200)]
Apply the semantic patch to remove isc_stdtime_get()
This is a simple replacement using the semantic patch from the previous
commit and as added bonus, one removal of previously undetected unused
variable in named/server.c.
Tony Finch [Thu, 30 Mar 2023 16:56:08 +0000 (17:56 +0100)]
Fix a crash when dig or host receive a signal
When the loopmanager is shutting down following a signal,
`dig` and `host` should stop cleanly. Before this commit
they were oblivious to ISC_R_SHUTTINGDOWN.
The `isc_signal` callbacks now report this kind of mistake
with a stack backtrace.
Ondřej Surý [Tue, 10 Jan 2023 09:20:44 +0000 (10:20 +0100)]
Replace __attribute__((unused)) with ISC_ATTR_UNUSED attribute macro
Instead of marking the unused entities with UNUSED(x) macro in the
function body, use a `ISC_ATTR_UNUSED` attribute macro that expans to
C23 [[maybe_unused]] or __attribute__((__unused__)) as fallback.
Artem Boldariev [Thu, 30 Mar 2023 15:17:11 +0000 (18:17 +0300)]
TLS Stream: remove incorrect/obsolete INSIST()s from tls_do_bio()
With the changes to tls_try_handshake() made in 2846888c573fcc610cdf71bcdd5bb6f92ffaf499 there are some incorrect
INSISTS() related to handshake handling which better to be removed.
Ondřej Surý [Fri, 24 Mar 2023 14:32:02 +0000 (15:32 +0100)]
Attach the accept "client" socket to .listener member of the socket
When accepting a TCP connection in the higher layers (tlsstream,
streamdns, and http) attach to the socket the connection was accepted
on, and use this socket instead of the parent listening socket.
This has an advantage - accessing the sock->listener now doesn't break
the thread boundaries, so we can properly check whether the socket is
being closed without requiring .closing member to be atomic_bool.
Ondřej Surý [Tue, 28 Mar 2023 15:03:56 +0000 (17:03 +0200)]
Convert sock->active to non-atomic variable, cleanup rchildren
The last atomic_bool variable sock->active was converted to non-atomic
bool by properly handling the listening socket case where we were
checking parent socket instead of children sockets.
This is no longer necessary as we properly set the .active to false on
the children sockets.
Additionally, cleanup the .rchildren - the atomic variable was used for
mutex+condition to block until all children were listening, but that's
now being handled by a barrier.
Finally, just remove dead .self and .active_child_connections members of
the netmgr socket.
Ondřej Surý [Fri, 24 Mar 2023 12:37:19 +0000 (13:37 +0100)]
Refactor the use of atomics in netmgr
Now that everything runs on their own loop and we don't cross the thread
boundaries (with few exceptions), most of the atomic_bool variables used
to track the socket state have been unatomicized because they are always
accessed from the matching thread.
The remaining few have been relaxed: a) the sock->active is now using
acquire/release memory ordering; b) the various global limits are now
using relaxed memory ordering - we don't really care about the
synchronization for those.
Ondřej Surý [Wed, 29 Mar 2023 07:02:22 +0000 (09:02 +0200)]
Add isc_async_current() macro to run job on current loop
Previously, isc_job_run() could have been used to run the job on the
current loop and the isc_job_run() would take care of allocating and
deallocating the job. After the change in this MR, the isc_job_run()
is more complicated to use, so we introduce the isc_async_current()
macro to suplement isc_async_run() when we need to run the job on the
current loop.
Ondřej Surý [Mon, 27 Mar 2023 20:40:57 +0000 (22:40 +0200)]
Refactor isc_job_run to not-make any allocations
Change the isc_job_run() to not-make any allocations. The caller must
make sure that it allocates isc_job_t - usually as part of the argument
passed to the callback.
For simple jobs, using isc_async_run() is advised as it allocates its
own separate isc_job_t.
Ondřej Surý [Fri, 24 Mar 2023 11:11:44 +0000 (12:11 +0100)]
Refactor the isc__nm_uvreq_t to have idle callback
Change the isc__nm_uvreq_t to have the idle callback as a separate
member as we always need to use it to properly close the uvreq.
Slightly refactor uvreq_put and uvreq_get to remove the unneeded
arguments - in uvreq_get(), we always use sock->worker, and in
uvreq_put, we always use req->sock, so there's not reason to pass those
extra arguments.
Ondřej Surý [Fri, 24 Mar 2023 09:36:58 +0000 (10:36 +0100)]
Use uv_idle API for calling asynchronous connect/read/send callback
Instead of using isc_job_run() that's quite heavy as it allocates memory
for every new job, add uv_idle_t to uvreq union, and use uv_idle API
directly to execute the connect/read/send callback without any
additional allocations.
Ondřej Surý [Fri, 24 Mar 2023 11:20:07 +0000 (12:20 +0100)]
Re-add the comment to streamdns_readmore()
Put the comment back, so it's more obvious that we are only restarting
timer when there's a last handle attached to the socket; there has to be
always at least one.