From: W.C.A. Wijngaards
Date: Tue, 18 Feb 2020 15:30:13 +0000 (+0100)
Subject: dnstap io, test for client authentication, unbound can send client
X-Git-Tag: release-1.11.0~120^2~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3753d01253e4f60bcd306480b6d3f50c3c79670b;p=thirdparty%2Funbound.git

dnstap io, test for client authentication, unbound can send client authentication credentials, when configured, and unbound-dnstap-socket can verify the client credentials, and refuses the connection if missing.
---
diff --git a/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.dsc b/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.dsc
index e495e6c99..7d392ff56 100644
--- a/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.dsc
+++ b/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.dsc
@@ -1,7 +1,7 @@
 BaseName: dnstap_tls_badcert
 Version: 1.0
 Description: test dnstap tls with bad cert for authentication
-CreationDate: Tue Feb 14 14:00:38 CET 2020
+CreationDate: Tue Feb 18 13:00:38 CET 2020
 Maintainer: dr. W.C.A. Wijngaards
 Category:
 Component:
diff --git a/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.dsc b/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.dsc
index 33cc38a6c..9f878b91c 100644
--- a/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.dsc
+++ b/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.dsc
@@ -1,7 +1,7 @@
 BaseName: dnstap_tls_badname
 Version: 1.0
 Description: test dnstap tls test bad peer name for authentication
-CreationDate: Tue Feb 14 14:00:38 CET 2020
+CreationDate: Tue Feb 18 13:00:38 CET 2020
 Maintainer: dr. W.C.A. Wijngaards
 Category:
 Component:
diff --git a/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.conf b/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.conf
new file mode 100644
index 000000000..6182526ac
--- /dev/null
+++ b/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.conf
@@ -0,0 +1,46 @@
+server:
+ verbosity: 4
+ num-threads: 1
+ outgoing-range: 16
+ interface: 127.0.0.1
+ port: @PORT@
+ use-syslog: no
+ directory: ""
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+ local-zone: "example.net." redirect
+ local-data: "example.net. IN A 10.20.30.41"
+remote-control:
+ control-enable: yes
+ control-interface: 127.0.0.1
+ # control-interface: ::1
+ control-port: @CONTROL_PORT@
+ server-key-file: "unbound_server.key"
+ server-cert-file: "unbound_server.pem"
+ control-key-file: "unbound_control.key"
+ control-cert-file: "unbound_control.pem"
+forward-zone:
+ name: "."
+ forward-addr: "127.0.0.1@@TOPORT@"
+dnstap:
+ dnstap-enable: yes
+ dnstap-socket-path: "dnstap.socket"
+ dnstap-ip: "127.0.0.1@@TAPPORT@"
+ dnstap-tls: yes
+ dnstap-tls-server-name: "unbound"
+ dnstap-tls-cert-bundle: "unbound_server.pem"
+ dnstap-tls-client-key-file: "unbound_control.key"
+ dnstap-tls-client-cert-file: "unbound_control.pem"
+ dnstap-send-identity: yes
+ dnstap-send-version: yes
+ #dnstap-identity
+ #dnstap-version
+ dnstap-log-resolver-query-messages: yes
+ dnstap-log-resolver-response-messages: yes
+ dnstap-log-client-query-messages: yes
+ dnstap-log-client-response-messages: yes
+ dnstap-log-forwarder-query-messages: yes
+ dnstap-log-forwarder-response-messages: yes
+
diff --git a/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.dsc b/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.dsc
new file mode 100644
index 000000000..37aacbbd9
--- /dev/null
+++ b/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.dsc
@@ -0,0 +1,16 @@
+BaseName: dnstap_tls_clientauth
+Version: 1.0
+Description: test dnstap tls with client authentication
+CreationDate: Tue Feb 18 14:00:38 CET 2020
+Maintainer: dr. W.C.A. Wijngaards
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: dnstap_tls_clientauth.pre
+Post: dnstap_tls_clientauth.post
+Test: dnstap_tls_clientauth.test
+AuxFiles:
+Passed:
+Failure:
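Review bot: The client credentials this config points to, `dnstap-tls-client-key-file: "unbound_control.key"` and `dnstap-tls-client-cert-file: "unbound_control.pem"`, appear from the DER headers of the fixtures added in this commit to be 1024-bit RSA keys with SHA-1 certificate signatures (the same holds for the server pair, valid until May 2028); recent OpenSSL releases reject both at their default security level, so on such a build the TLS handshake fails before client authentication is ever exercised and the test reports a failure unrelated to the feature. Regenerating the four fixtures with 2048-bit keys and SHA-256 signatures, and recording the generation command in the test directory, avoids that. The client identity is also the remote-control key pair reused verbatim, so nothing in the test distinguishes the dnstap client-auth option from the control option; a dedicated client certificate, or at least a comment above the two lines such as `# client certificate presented to unbound-dnstap-socket; the log server is started with this same bundle for verification`, would make the intent explicit. The section sets both `dnstap-socket-path` and `dnstap-ip`; if only one is meant to be used, the other could be dropped or commented to say which wins.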
diff --git a/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.post b/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.post
new file mode 100644
index 000000000..83df2a72e
--- /dev/null
+++ b/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.post
@@ -0,0 +1,20 @@
+# #-- dnstap_tls_clientauth.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+PRE="../.."
+if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+kill_pid $DNSTAP_SOCKET_PID
+kill_pid $FWD_PID
+kill $UNBOUND_PID
+kill $UNBOUND_PID >/dev/null 2>&1
+cat unbound.log
+echo "> tap logfiles"
+cat tap.log
+cat tap.errlog
+cat fwd.log
+exit 0
diff --git a/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.pre b/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.pre
new file mode 100644
index 000000000..a035181ce
--- /dev/null
+++ b/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.pre
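Review bot: `kill $UNBOUND_PID` is issued twice, the second time silenced, while the two other daemons just above are stopped through `kill_pid`; the first, unsilenced call writes an error to the teardown output whenever unbound has already exited, which is exactly the case the silenced repeat is there for. Using the same helper for all three processes, `kill_pid $UNBOUND_PID`, keeps the teardown uniform (kill_pid comes from ../common.sh, outside this diff, so confirm it also tolerates an already-gone process). The `grep "define USE_DNSTAP 1" $PRE/config.h` gate prints the matched line into the log as a side effect; `grep -q` keeps the skip check quiet without changing its result.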
@@ -0,0 +1,54 @@
+# #-- dnstap_tls_clientauth.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+
+PRE="../.."
+if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+
+get_random_port 4
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+CONTROL_PORT=$(($RND_PORT + 2))
+TAP_PORT=$(($RND_PORT + 3))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
+echo "TAP_PORT=$TAP_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT dnstap_tls_clientauth.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# start the dnstap log server
+# the -vvvv flag prints protocol and connection information from the
+# unbound-dnstap-socket server.
+# the -l flag prints the DNS info in the DNSTAP packet in multiline output.
+# stderr is the '-vvvv' server logs and errors.
+# stdout is the one-line packet logs (or with -l, multiline).
+$PRE/unbound-dnstap-socket -t "127.0.0.1@$TAP_PORT" -x unbound_server.key -y unbound_server.pem -z unbound_server.pem -l -vvvv 2>tap.errlog >tap.log &
+if test $? -ne 0; then
+ echo "could not start unbound-dnstap-socket server"
+ exit 1
+fi
+DNSTAP_SOCKET_PID=$!
+echo "DNSTAP_SOCKET_PID=$DNSTAP_SOCKET_PID" >> .tpkg.var.test
+# wait for the server to go up
+wait_server_up "tap.errlog" "start of service"
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' -e 's/@TAPPORT\@/'$TAP_PORT'/' < dnstap_tls_clientauth.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.test b/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.test
new file mode 100644
index 000000000..5b9cce0a4
--- /dev/null
+++ b/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.test
@@ -0,0 +1,50 @@
+# #-- dnstap_tls_clientauth.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+PRE="../.."
+if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+
+# test if the server is up.
+echo "> dig www.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+ echo "OK"
+else
+ echo "> cat logfiles"
+ cat tap.log
+ cat tap.errlog
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+
+echo "> check tap.log for dnstap info"
+# see if it logged the information in tap.log
+# wait for a moment for filesystem to catch up.
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 10; fi
+if grep "www.example.com" tap.log; then echo "yes it is in tap.log";
+else
+ echo "information not in tap.log"
+ echo "failed"
+ echo "> cat logfiles"
+ cat tap.log
+ cat tap.errlog
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+
+echo "> OK"
+exit 0
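Review bot: The `if test $? -ne 0` check after the backgrounded `$PRE/unbound-dnstap-socket ... &` line can never fire: `$?` after `&` is the status of launching the job, which is 0 whether or not the server later fails to bind its port or load the key files, so the "could not start" branch is dead and a start-up failure is only noticed when `wait_server_up` (from ../common.sh, outside this diff) gives up. Either delete the dead block, or make the guard real by probing the process once the server had its chance to come up, after the `wait_server_up` call: `kill -0 $DNSTAP_SOCKET_PID 2>/dev/null || { echo "could not start unbound-dnstap-socket server"; exit 1; }`. The `-z unbound_server.pem` argument looks like the switch that makes the log server verify client certificates, and it is the property this test exists for; a comment on that command line, `# -z: bundle the client certificate must chain to, enables client verification`, would record that, after confirming against the tool's usage text.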
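Review bot: The assertions cover only the accepting path, the `10.20.30.40` answer and `www.example.com` in tap.log, so the test would pass just the same if the log server skipped client-certificate verification entirely; nothing here shows the certificate was required or checked. The commit message says unbound-dnstap-socket refuses a connection without credentials, but no test in this commit covers that, so a companion test with the two `dnstap-tls-client-*` options removed from the config, expecting the query to stay out of tap.log and the refusal to show in tap.errlog, would pin the property the test is named for. Within this test, grepping tap.errlog (the `-vvvv` output, per the .pre file) for whatever line the server logs on a verified client certificate, and falling into the existing log-dump branch when it is absent, would at least confirm verification happened. The six repeated `if grep ... ; then :; else sleep 1; fi` lines could be a short `for` loop, but that is a matter of style.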
diff --git a/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.testns b/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.testns
new file mode 100644
index 000000000..0c911ca5b
--- /dev/null
+++ b/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.testns
@@ -0,0 +1,22 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www IN A
+SECTION ANSWER
+www IN A 10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA SERVFAIL
+ADJUST copy_id
+SECTION QUESTION
+www.example.net. IN A
+ENTRY_END
+
diff --git a/testdata/dnstap_tls_clientauth.tdir/unbound_control.key b/testdata/dnstap_tls_clientauth.tdir/unbound_control.key
new file mode 100644
index 000000000..d7c43a06b
--- /dev/null
+++ b/testdata/dnstap_tls_clientauth.tdir/unbound_control.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDD6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBa
+rzPA0vlyuNtUsEN3qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvH
+ST6JwUdIg0Lzg/USJ81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQAB
+AoGAFT3e35MIgI4uDJJ8X0RfHp2NCO2LUg4TKbWical/C0W9vlR1/x80G1pE1d2Z
+WotqJVWTrOq6eBox19RCgtLg2wPGk9uD62+9SDT37heWFlUCElWq50pQG6k9ThiG
+DDypkZyZ/52+DdWybiaQJkuK6O5qQXuNAtVJMpghu4GnHAECQQDsupnZUQDpapzr
+4FC4MSkL2+A1PRt6g4VhwoqOpJXaHfVnH6F7AwUuOLNwGdR5Cvv70pfJ7Jqg8L2m
+Kxyl5bORAkEA09rn34YQ0pHJdHidbl2kInIuYTz09+TO3LWwan17nISH9aaYvVDr
+p9x1B4Qzw9qyxT9oll7ze/5Rw/7C3AQj4QJAT2B2a+b8bkgAXBs4FbruL3rHoDJg
+P2FQXSpVOWU4lg2LlsuFYvDtUMVUbZdLplanjZXcral3Y9W1Ub2M+ped8QJAYQN+
+aRpge7ys7vwIw7B36Bo3aOncF+ScYe+FkM5Tm7II/JHEofT7ZQwMP1vnxIlSkgbe
+YvWqNB6a3NC99LikoQJBAM4UhDdRg63Tr6Idky6CQaH///zAN7nArJfffKGWFdw9
+DKrWpNqvYZtX/cfEJucKcRCm5YL8CKFYbQy4VoCxUcE=
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/dnstap_tls_clientauth.tdir/unbound_control.pem b/testdata/dnstap_tls_clientauth.tdir/unbound_control.pem
new file mode 100644
index 000000000..8f1ba87f1
--- /dev/null
+++ b/testdata/dnstap_tls_clientauth.tdir/unbound_control.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBozCCAQwCCQD6XaN6FzW/4DANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowGjEYMBYGA1UE
+AxMPdW5ib3VuZC1jb250cm9sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD
+6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBarzPA0vlyuNtUsEN3
+qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvHST6JwUdIg0Lzg/US
+J81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQABMA0GCSqGSIb3DQEB
+BQUAA4GBAGFAXmaQHuFgAuc6HVhYZJdToxLBhfxGpot4oZNjcb1Cdoz3OL34MU1B
+9E5psj2PpGPIi8/RwoqBtAJHJ+J5cWngo03o4ZmdwKNSzaxlp141z/3rUtFqEHEC
+iO6gPCT3U7dt6MyC7r6vdMqyW6aldP3CtwD0gQziKAMoj+TAfAcq
+-----END CERTIFICATE-----
diff --git a/testdata/dnstap_tls_clientauth.tdir/unbound_server.key b/testdata/dnstap_tls_clientauth.tdir/unbound_server.key
new file mode 100644
index 000000000..4256c421d
--- /dev/null
+++ b/testdata/dnstap_tls_clientauth.tdir/unbound_server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC3F7Jsv2u01pLL9rFnjsMU/IaCFUIz/624DcaE84Z4gjMl5kWA
+3axQcqul1wlwSrbKwrony+d9hH/+MX0tZwvl8w3OmhmOAiaQ+SHCsIuOjVwQjX0s
+RLB61Pz5+PAiVvnPa9JIYB5QrK6DVEsxIHj8MOc5JKORrnESsFDh6yeMeQIDAQAB
+AoGAAuWoGBprTOA8UGfl5LqYkaNxSWumsYXxLMFjC8WCsjN1NbtQDDr1uAwodSZS
+6ujzvX+ZTHnofs7y64XC8k34HTOCD2zlW7kijWbT8YjRYFU6o9F5zUGD9RCan0ds
+sVscT2psLSzfdsmFAcbmnGdxYkXk2PC1FHtaqExxehralGUCQQDcqrg9uQKXlhQi
+XAaPr8SiWvtRm2a9IMMZkRfUWZclPHq6fCWNuUaCD+cTat4wAuqeknAz33VEosw3
+fXGsok//AkEA1GjIHXrOcSlpfVJb6NeOBugjRtZ7ZDT5gbtnMS9ob0qntKV6saaL
+CNmJwuD9Q3XkU5j1+uHvYGP2NzcJd2CjhwJACV0hNlVMe9w9fHvFN4Gw6WbM9ViP
+0oS6YrJafYNTu5vGZXVxLoNnL4u3NYa6aPUmuZXjNwBLfJ8f5VboZPf6RwJAINd2
+oYA8bSi/A755MX4qmozH74r4Fx1Nuq5UHTm8RwDe/0Javx8F/j9MWpJY9lZDEF3l
+In5OebPa/NyInSmW/wJAZuP9aRn0nDBkHYri++1A7NykMiJ/nH0mDECbnk+wxx0S
+LwqIetBhxb8eQwMg45+iAH7CHAMQ8BQuF/nFE6eotg==
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/dnstap_tls_clientauth.tdir/unbound_server.pem b/testdata/dnstap_tls_clientauth.tdir/unbound_server.pem
new file mode 100644
index 000000000..aeda3ff11
--- /dev/null
+++ b/testdata/dnstap_tls_clientauth.tdir/unbound_server.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAQQCCQDsNJ1UmphEFzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowEjEQMA4GA1UE
+AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtxeybL9rtNaS
+y/axZ47DFPyGghVCM/+tuA3GhPOGeIIzJeZFgN2sUHKrpdcJcEq2ysK6J8vnfYR/
+/jF9LWcL5fMNzpoZjgImkPkhwrCLjo1cEI19LESwetT8+fjwIlb5z2vSSGAeUKyu
+g1RLMSB4/DDnOSSjka5xErBQ4esnjHkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAZ
+9N0lnLENs4JMvPS+mn8C5m9bkkFITd32IiLjf0zgYpIUbFXH6XaEr9GNZBUG8feG
+l/6WRXnbnVSblI5odQ4XxGZ9inYY6qtW30uv76HvoKp+QZ1c3460ddR8NauhcCHH
+Z7S+QbLXi+r2JAhpPozZCjBHlRD0ixzA1mKQTJhJZg==
+-----END CERTIFICATE-----