From: Tomasz Ziolkowski
Date: Tue, 27 Jul 2021 10:03:51 +0000 (+0200)
Subject: Docker environment for run tests + enhancement for ssl_handshake
X-Git-Tag: release-1.14.0rc1~79^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3e310a17becddf87483643ae21a8d66943ca53a6;p=thirdparty%2Funbound.git
Docker environment for run tests + enhancement for ssl_handshake
---
diff --git a/.gitignore b/.gitignore
index d0c69f81d..ddd734967 100644
--- a/.gitignore
+++ b/.gitignore
@@ -56,3 +56,4 @@
 /testdata/.perfstats.txt
 /doc/html
 /doc/xml
+.idea
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 000000000..417daccb2
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,11 @@
+FROM gcc:latest
+WORKDIR /usr/src/unbound
+RUN apt-get update
+# install semantic parser & lexical analyzer
+RUN apt-get install -y bison flex
+# install packages used in tests
+RUN apt-get install -y ldnsutils dnsutils xxd splint doxygen netcat
+# accept short rsa keys, which are used in tests
+RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /usr/lib/ssl/openssl.cnf
+
+CMD ["/bin/bash"]
diff --git a/Makefile.in b/Makefile.in
index 476545ea9..3f2e9312b 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -85,6 +85,8 @@ LINTFLAGS+=@NETBSD_LINTFLAGS@
 LINTFLAGS+="-Dsigset_t=long"
 # FreeBSD
 LINTFLAGS+="-D__uint16_t=uint16_t" "-DEVP_PKEY_ASN1_METHOD=int" "-D_RuneLocale=int" "-D__va_list=va_list" "-D__uint32_t=uint32_t" "-D_Alignof(x)=x" "-D__aligned(x)=" "-D__requires_exclusive(x)=" "-D__requires_unlocked(x)=" "-D__locks_exclusive(x)=" "-D__trylocks_exclusive(x)=" "-D__unlocks(x)=" "-D__locks_shared(x)=" "-D__trylocks_shared(x)="
+# GCC Docker
+LINTFLAGS+=@GCC_DOCKER_LINTFLAGS@
 INSTALL=$(SHELL) $(srcdir)/install-sh
diff --git a/configure b/configure
index 7e722b59e..57f8094a3 100755
--- a/configure
+++ b/configure
@@ -683,6 +683,7 @@ HAVE_SSL
 PC_CRYPTO_DEPENDENCY
 CONFIG_DATE
 NETBSD_LINTFLAGS
+GCC_DOCKER_LINTFLAGS
 PYUNBOUND_UNINSTALL
 PYUNBOUND_INSTALL
 PYUNBOUND_TARGET
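Review bot: `RUN apt-get update` sits in its own layer in the new Dockerfile, so once that layer is cached the two later `apt-get install -y` layers resolve against a stale package index; the usual fix is one step, `RUN apt-get update && apt-get install -y bison flex ldnsutils dnsutils xxd splint doxygen netcat`. The base image `gcc:latest` is unpinned, so a rebuild may silently pick up a different compiler and a different OpenSSL, and the `sed` on `/usr/lib/ssl/openssl.cnf` only has an effect when that file actually contains the literal `SECLEVEL=2`, which presumably holds for the current Debian-based image but is not checked. The existing comment says why the security level is lowered; it would help to extend it to note that the change applies to every TLS user in the image, not only the test binaries, for example `# lowers the default OpenSSL security level image-wide; test-only image`.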
@@ -17888,6 +17889,11 @@ if test "`uname`" = "NetBSD"; then
 NETBSD_LINTFLAGS='"-D__RENAME(x)=" -D_NETINET_IN_H_'
 fi
+
+if test "`uname -o`" = "GNU/Linux"; then
+ # splint cannot parse modern c99 header files
+ GCC_DOCKER_LINTFLAGS='-syntax'
+fi
 CONFIG_DATE=`date +%Y%m%d`
diff --git a/doc/README.tests b/doc/README.tests
index 5385e2b22..122bf02f3 100644
--- a/doc/README.tests
+++ b/doc/README.tests
@@ -15,6 +15,14 @@ You need to have the following programs installed and in your PATH.
 * xxd and nc (optional) - for (malformed) packet transmission.
 The optional programs are detected and can be omitted.
+You can also use prepared Dockerfile to run tests inside docker based on latest gcc image:
+* build container: docker build -t unbound-tester .
+* run container: docker run -it --mount type=bind,source="$(pwd)",target=/usr/src/unbound --rm unbound-tester
+* configure environment: ./configure
+* run test: make test
+* run long tests: make longtest
+It is worth to mention that you need to enable [ipv6 in your docker daemon configuration](https://docs.docker.com/config/daemon/ipv6/) because some tests need ipv6 network stack.
+
 testdata/ contains the data for tests.
 testcode/ contains scripts and c code for the tests.
diff --git a/testcode/petal.c b/testcode/petal.c
index 123684aab..78f1ca2f5 100644
--- a/testcode/petal.c
+++ b/testcode/petal.c
@@ -220,8 +220,11 @@ read_http_headers(SSL* ssl, char* file, size_t flen, char* host, size_t hlen,
 host[0] = 0;
 while(read_ssl_line(ssl, buf, sizeof(buf))) {
 if(verb>=2) printf("read: %s\n", buf);
- if(buf[0] == 0)
+ if(buf[0] == 0) {
+ int e = ERR_peek_error();
+ printf("error string: %s\n", ERR_reason_error_string(e));
 return 1;
+ }
 if(!process_one_header(buf, file, flen, host, hlen, vs))
 return 0;
 }
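Review bot: `uname -o` is a GNU extension, so on a platform whose `uname` rejects `-o` the new test prints an error during configure and the comparison silently fails; redirecting it, `if test "`uname -o 2>/dev/null`" = "GNU/Linux"; then`, keeps the check quiet there. `configure` is a generated file and the diff does not appear to contain a matching configure.ac change (it would sort between configure and doc/README.tests), so this block and the `GCC_DOCKER_LINTFLAGS` substitution added at line 683 and consumed by the Makefile.in hunk would be lost on the next autoconf run, unless that change is in a part of the commit not shown. The variable name ties the flag to Docker while the condition matches every GNU/Linux host; either a more general name or a comment such as `# splint on any Linux host needs -syntax; used by the Docker test image` would make the intent clear.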
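Review bot: `int e = ERR_peek_error();` narrows the `unsigned long` error code that OpenSSL returns, and `ERR_reason_error_string()` returns NULL when the error queue is empty or the code is unknown, so passing its result to `%s` is undefined behaviour; the same two lines appear in the setup_ctx hunk further down. Use `unsigned long e = ERR_peek_error();` followed by `const char* r = ERR_reason_error_string(e); printf("error string: %s\n", r ? r : "(none)");` in both places. In this hunk the print also sits on the empty-line branch that returns 1, which looks like the normal end-of-headers path rather than an error, so it would fire on every request; if it is meant as debugging output it should at least be gated on `verb` like the `read:` print above it. read_http_headers starts and continues outside the hunk.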
@@ -238,8 +241,11 @@ setup_ctx(char* key, char* cert)
 (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
 #endif
 (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
- if(!SSL_CTX_use_certificate_chain_file(ctx, cert))
+ if(!SSL_CTX_use_certificate_chain_file(ctx, cert)) {
+ int e = ERR_peek_error();
+ printf("error string: %s\n", ERR_reason_error_string(e));
 print_exit("cannot read cert");
+ }
 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM))
 print_exit("cannot read key");
 if(!SSL_CTX_check_private_key(ctx))
diff --git a/testdata/fwd_zero.tdir/fwd_zero.test b/testdata/fwd_zero.tdir/fwd_zero.test
index 87a2dec9c..2e0806d6f 100644
--- a/testdata/fwd_zero.tdir/fwd_zero.test
+++ b/testdata/fwd_zero.tdir/fwd_zero.test
@@ -7,7 +7,7 @@
 PRE="../.."
 OPT="-i"
-if nc -h 2>&1 | grep -- "-w secs" >/dev/null; then
+if nc -h 2>&1 | grep -E -- "-w (timeout|secs)" >/dev/null; then
 OPT="-w"
 fi
diff --git a/util/iana_ports.inc b/util/iana_ports.inc
index f928d0669..b93af015d 100644
--- a/util/iana_ports.inc
+++ b/util/iana_ports.inc
@@ -4244,6 +4244,7 @@
 5504,
 5505,
 5506,
+5540,
 5553,
 5554,
 5555,
diff --git a/util/netevent.c b/util/netevent.c
index 01e44c9b6..b1cc995c0 100644
--- a/util/netevent.c
+++ b/util/netevent.c
@@ -1232,6 +1232,13 @@ ssl_handshake(struct comm_point* c)
 if(want == SSL_ERROR_WANT_READ) {
 if(c->ssl_shake_state == comm_ssl_shake_read)
 return 1;
+ /* According to https://www.openssl.org/docs/man1.1.1/man3/SSL_do_handshake.html
+ * we should repeat handshake - for non blocking BIO
+ */
+ if(c->ssl_shake_state == comm_ssl_shake_write) {
+ comm_point_listen_for_rw(c, 0, 1);
+ return 1;
+ }
 c->ssl_shake_state = comm_ssl_shake_read;
 comm_point_listen_for_rw(c, 1, 0);
 return 1;
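Review bot: The new branch answers `SSL_ERROR_WANT_READ` with `comm_point_listen_for_rw(c, 0, 1)`, which, taking the argument order implied by the existing read-state call `comm_point_listen_for_rw(c, 1, 0)`, keeps the point waiting for writability even though OpenSSL asked for readability and the manual page named in the comment says to retry once the socket is readable. On a socket that is already writable the write event fires again at once, the handshake is re-run, and WANT_READ comes back until the peer's data arrives, so this looks like it can spin on the event loop instead of sleeping; the path below that sets `comm_ssl_shake_read` and listens for read is the one the cited text describes. If a specific failure motivated not falling through to that path, the comment should name it, for example `/* stay in write state: <reason> — TODO confirm this does not busy-loop on a writable socket */`. ssl_handshake starts and ends outside the hunk.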