From: W.C.A. Wijngaards
Date: Tue, 18 Feb 2020 13:18:03 +0000 (+0100)
Subject: dnstap io, test that failed name or auth certificate fails to connect tls.
X-Git-Tag: 1.11.0rc1~120^2~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9556d595368ae0c63823775c4feb96d57c5c34f0;p=thirdparty%2Funbound.git
dnstap io, test that failed name or auth certificate fails to connect tls.
---
diff --git a/testdata/dnstap.tdir/dnstap.test b/testdata/dnstap.tdir/dnstap.test
index 4ee4daf4c..04db17b27 100644
--- a/testdata/dnstap.tdir/dnstap.test
+++ b/testdata/dnstap.tdir/dnstap.test
@@ -30,6 +30,8 @@ echo "> check tap.log for dnstap info"
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 10; fi
 if grep "www.example.com" tap.log; then echo "yes it is in tap.log";
 else
@@ -56,6 +58,8 @@ dig @127.0.0.1 -p $UNBOUND_PORT q8.example.net.
 dig @127.0.0.1 -p $UNBOUND_PORT q9.example.net.
 dig @127.0.0.1 -p $UNBOUND_PORT q10.example.net.
 for x in q1 q2 q3 q4 5 q6 q7 q8 q9 q10; do
+ if grep "$x.example.net" tap.log >/dev/null; then :; else sleep 1; fi
+ if grep "$x.example.net" tap.log >/dev/null; then :; else sleep 1; fi
  if grep "$x.example.net" tap.log >/dev/null; then :; else sleep 1; fi
  if grep "$x.example.net" tap.log >/dev/null; then :; else sleep 1; fi
  if grep "$x.example.net" tap.log >/dev/null; then :; else sleep 1; fi
diff --git a/testdata/dnstap_tcp.tdir/dnstap_tcp.test b/testdata/dnstap_tcp.tdir/dnstap_tcp.test
index bf79b6d72..d57eecfdb 100644
--- a/testdata/dnstap_tcp.tdir/dnstap_tcp.test
+++ b/testdata/dnstap_tcp.tdir/dnstap_tcp.test
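Review bot: The two added `sleep 1` retries in each hunk grow a copy-pasted polling ladder to five identical lines, and the same ladder is grown in dnstap_tcp.test, dnstap_tls.test and dnstap_tls_peername.test and copied verbatim into the new dnstap_tls_badcert.test and dnstap_tls_badname.test; a bounded loop states the timeout once and is easier to tune, e.g. `for i in 1 2 3 4 5; do grep -q "www.example.com" tap.log && break; sleep 1; done`. The unquoted dots in the pattern are regex wildcards, so `grep -F` would keep the match literal. In the second hunk the context line `for x in q1 q2 q3 q4 5 q6 q7 q8 q9 q10; do` reads as a typo for `q5`; it only passes because `5.example.net` matches `q5.example.net` as a substring, and is worth fixing while the loop is being touched.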
@@ -30,6 +30,8 @@ echo "> check tap.log for dnstap info"
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 10; fi
 if grep "www.example.com" tap.log; then echo "yes it is in tap.log";
 else
@@ -66,6 +68,8 @@ sleep 2
 dig @127.0.0.1 -p $UNBOUND_PORT up2.example.net.
 
 for x in down up up2; do
+ if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
+ if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
  if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
  if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
  if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
diff --git a/testdata/dnstap_tls.tdir/dnstap_tls.test b/testdata/dnstap_tls.tdir/dnstap_tls.test
index 64260eac8..f9a2bf00d 100644
--- a/testdata/dnstap_tls.tdir/dnstap_tls.test
+++ b/testdata/dnstap_tls.tdir/dnstap_tls.test
@@ -30,6 +30,8 @@ echo "> check tap.log for dnstap info"
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 10; fi
 if grep "www.example.com" tap.log; then echo "yes it is in tap.log";
 else
@@ -66,6 +68,8 @@ sleep 2
 dig @127.0.0.1 -p $UNBOUND_PORT up2.example.net.
 
 for x in down up up2; do
+ if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
+ if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
  if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
  if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
  if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
diff --git a/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.conf b/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.conf
new file mode 100644
index 000000000..32698b621
--- /dev/null
+++ b/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.conf
@@ -0,0 +1,48 @@
+server:
+ verbosity: 4
+ num-threads: 1
+ outgoing-range: 16
+ interface: 127.0.0.1
+ port: @PORT@
+ use-syslog: no
+ directory: ""
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+ local-zone: "example.net." redirect
+ local-data: "example.net. IN A 10.20.30.41"
+remote-control:
+ control-enable: yes
+ control-interface: 127.0.0.1
+ # control-interface: ::1
+ control-port: @CONTROL_PORT@
+ server-key-file: "unbound_server.key"
+ server-cert-file: "unbound_server.pem"
+ control-key-file: "unbound_control.key"
+ control-cert-file: "unbound_control.pem"
+forward-zone:
+ name: "."
+ forward-addr: "127.0.0.1@@TOPORT@"
+dnstap:
+ dnstap-enable: yes
+ dnstap-socket-path: "dnstap.socket"
+ dnstap-ip: "127.0.0.1@@TAPPORT@"
+ dnstap-tls: yes
+ dnstap-tls-server-name: "unbound"
+ # the actual tls cert bundle that authenticates the server
+ # is the unbound_server.pem bundle.
+ # we pass the wrong bundle. (of another key we also use in the client
+ # authentication test)
+ dnstap-tls-cert-bundle: "unbound_control.pem"
+ dnstap-send-identity: yes
+ dnstap-send-version: yes
+ #dnstap-identity
+ #dnstap-version
+ dnstap-log-resolver-query-messages: yes
+ dnstap-log-resolver-response-messages: yes
+ dnstap-log-client-query-messages: yes
+ dnstap-log-client-response-messages: yes
+ dnstap-log-forwarder-query-messages: yes
+ dnstap-log-forwarder-response-messages: yes
+
diff --git a/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.dsc b/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.dsc
new file mode 100644
index 000000000..e495e6c99
--- /dev/null
+++ b/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.dsc
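Review bot: The comment above `dnstap-tls-cert-bundle: "unbound_control.pem"` says what is passed but not the property the test depends on, namely that the bundle must not be able to verify the certificate the dnstap server presents; a reader regenerating these fixtures could easily break that without noticing. Suggest rewording it to `# negative test: pass a bundle (the remote-control client cert) that cannot verify the unbound_server.pem the dnstap server presents, so the TLS connection must fail`. The same section also sets `dnstap-socket-path` next to `dnstap-ip`; which one wins is not visible here, so a one-line comment on why both are present would help.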
@@ -0,0 +1,16 @@
+BaseName: dnstap_tls_badcert
+Version: 1.0
+Description: test dnstap tls with bad cert for authentication
+CreationDate: Tue Feb 14 14:00:38 CET 2020
+Maintainer: dr. W.C.A. Wijngaards
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: dnstap_tls_badcert.pre
+Post: dnstap_tls_badcert.post
+Test: dnstap_tls_badcert.test
+AuxFiles:
+Passed:
+Failure:
diff --git a/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.post b/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.post
new file mode 100644
index 000000000..d71eb28ae
--- /dev/null
+++ b/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.post
@@ -0,0 +1,20 @@
+# #-- dnstap_tls_badcert.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+PRE="../.."
+if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+kill_pid $DNSTAP_SOCKET_PID
+kill_pid $FWD_PID
+kill $UNBOUND_PID
+kill $UNBOUND_PID >/dev/null 2>&1
+cat unbound.log
+echo "> tap logfiles"
+cat tap.log
+cat tap.errlog
+cat fwd.log
+exit 0
diff --git a/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.pre b/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.pre
new file mode 100644
index 000000000..eff7074d0
--- /dev/null
+++ b/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.pre
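Review bot: In the .post hunk `kill $UNBOUND_PID` is run twice on consecutive lines, the first without the `>/dev/null 2>&1` the second carries, so when the first kill fails (process already gone, or `$UNBOUND_PID` empty because the .pre never reached the point where it is written) an error is printed and the second line is a no-op. The two other daemons are stopped with `kill_pid` from common.sh; using it for unbound too keeps the teardown uniform: `kill_pid $UNBOUND_PID`. Whether `kill_pid` tolerates an empty argument is defined in common.sh, outside this diff, so confirm before relying on it. dnstap_tls_badname.post has the identical two lines.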
@@ -0,0 +1,54 @@
+# #-- dnstap_tls_badcert.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+
+PRE="../.."
+if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+
+get_random_port 4
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+CONTROL_PORT=$(($RND_PORT + 2))
+TAP_PORT=$(($RND_PORT + 3))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
+echo "TAP_PORT=$TAP_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT dnstap_tls_badcert.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# start the dnstap log server
+# the -vvvv flag prints protocol and connection information from the
+# unbound-dnstap-socket server.
+# the -l flag prints the DNS info in the DNSTAP packet in multiline output.
+# stderr is the '-vvvv' server logs and errors.
+# stdout is the one-line packet logs (or with -l, multiline).
+$PRE/unbound-dnstap-socket -t "127.0.0.1@$TAP_PORT" -x unbound_server.key -y unbound_server.pem -l -vvvv 2>tap.errlog >tap.log &
+if test $? -ne 0; then
+ echo "could not start unbound-dnstap-socket server"
+ exit 1
+fi
+DNSTAP_SOCKET_PID=$!
+echo "DNSTAP_SOCKET_PID=$DNSTAP_SOCKET_PID" >> .tpkg.var.test
+# wait for the server to go up
+wait_server_up "tap.errlog" "start of service"
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' -e 's/@TAPPORT\@/'$TAP_PORT'/' < dnstap_tls_badcert.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.test b/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.test
new file mode 100644
index 000000000..0b85f64ac
--- /dev/null
+++ b/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.test
@@ -0,0 +1,51 @@
+# #-- dnstap_tls_badcert.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+PRE="../.."
+if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+
+# test if the server is up.
+echo "> dig www.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+ echo "OK"
+else
+ echo "> cat logfiles"
+ cat tap.log
+ cat tap.errlog
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+
+echo "> check tap.log for dnstap info"
+# see if it logged the information in tap.log
+# wait for a moment for filesystem to catch up.
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log; then
+ echo "it is in tap.log";
+ echo "but there should not be a connection"
+ echo "failed"
+ echo "> cat logfiles"
+ cat tap.log
+ cat tap.errlog
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+else
+ echo "information not in tap.log"
+fi
+
+echo "> OK"
+exit 0
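Review bot: In the .pre hunk, `if test $? -ne 0; then` directly after `$PRE/unbound-dnstap-socket ... 2>tap.errlog >tap.log &` tests the status of placing the job in the background, which is always 0, so the "could not start unbound-dnstap-socket server" branch can never run; the only real gate is `wait_server_up "tap.errlog" "start of service"` a few lines later, whose behaviour on timeout is defined in common.sh, outside this diff. A liveness check once `$!` is captured does what the message promises: `kill -0 "$DNSTAP_SOCKET_PID" 2>/dev/null || { echo "could not start unbound-dnstap-socket server"; exit 1; }`. The same dead branch is in dnstap_tls_badname.pre, and in the dnstap_tls_peername.test lines this commit removes.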
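Review bot: The .test hunk's only pass condition is that `www.example.com` never appears in tap.log, which is equally true when the dnstap socket server never came up, when unbound never attempted the connection, or when the handshake failed for a reason unrelated to the wrong bundle; a negative TLS test should also confirm the expected failure in unbound.log, which verbosity 4 makes possible, e.g. `grep -q "<certificate verification error text unbound logs>" unbound.log || { echo "no certificate verification failure logged"; exit 1; }` with the placeholder replaced by the message unbound actually emits. This also matters for longevity: the fixture certificates appear to decode to a notAfter of 2028-05-29 and to be 1024-bit RSA with SHA-1 signatures, so once they expire or a TLS library security level rejects them, the positive dnstap_tls_peername test will fail while this test keeps passing for the wrong reason. dnstap_tls_badname.test has the identical structure and needs the same check, with its own expected hostname-mismatch message.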
diff --git a/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.testns b/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.testns
new file mode 100644
index 000000000..0c911ca5b
--- /dev/null
+++ b/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.testns
@@ -0,0 +1,22 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www IN A
+SECTION ANSWER
+www IN A 10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA SERVFAIL
+ADJUST copy_id
+SECTION QUESTION
+www.example.net. IN A
+ENTRY_END
+
diff --git a/testdata/dnstap_tls_badcert.tdir/unbound_control.key b/testdata/dnstap_tls_badcert.tdir/unbound_control.key
new file mode 100644
index 000000000..d7c43a06b
--- /dev/null
+++ b/testdata/dnstap_tls_badcert.tdir/unbound_control.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDD6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBa
+rzPA0vlyuNtUsEN3qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvH
+ST6JwUdIg0Lzg/USJ81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQAB
+AoGAFT3e35MIgI4uDJJ8X0RfHp2NCO2LUg4TKbWical/C0W9vlR1/x80G1pE1d2Z
+WotqJVWTrOq6eBox19RCgtLg2wPGk9uD62+9SDT37heWFlUCElWq50pQG6k9ThiG
+DDypkZyZ/52+DdWybiaQJkuK6O5qQXuNAtVJMpghu4GnHAECQQDsupnZUQDpapzr
+4FC4MSkL2+A1PRt6g4VhwoqOpJXaHfVnH6F7AwUuOLNwGdR5Cvv70pfJ7Jqg8L2m
+Kxyl5bORAkEA09rn34YQ0pHJdHidbl2kInIuYTz09+TO3LWwan17nISH9aaYvVDr
+p9x1B4Qzw9qyxT9oll7ze/5Rw/7C3AQj4QJAT2B2a+b8bkgAXBs4FbruL3rHoDJg
+P2FQXSpVOWU4lg2LlsuFYvDtUMVUbZdLplanjZXcral3Y9W1Ub2M+ped8QJAYQN+
+aRpge7ys7vwIw7B36Bo3aOncF+ScYe+FkM5Tm7II/JHEofT7ZQwMP1vnxIlSkgbe
+YvWqNB6a3NC99LikoQJBAM4UhDdRg63Tr6Idky6CQaH///zAN7nArJfffKGWFdw9
+DKrWpNqvYZtX/cfEJucKcRCm5YL8CKFYbQy4VoCxUcE=
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/dnstap_tls_badcert.tdir/unbound_control.pem b/testdata/dnstap_tls_badcert.tdir/unbound_control.pem
new file mode 100644
index 000000000..8f1ba87f1
--- /dev/null
+++ b/testdata/dnstap_tls_badcert.tdir/unbound_control.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBozCCAQwCCQD6XaN6FzW/4DANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowGjEYMBYGA1UE
+AxMPdW5ib3VuZC1jb250cm9sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD
+6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBarzPA0vlyuNtUsEN3
+qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvHST6JwUdIg0Lzg/US
+J81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQABMA0GCSqGSIb3DQEB
+BQUAA4GBAGFAXmaQHuFgAuc6HVhYZJdToxLBhfxGpot4oZNjcb1Cdoz3OL34MU1B
+9E5psj2PpGPIi8/RwoqBtAJHJ+J5cWngo03o4ZmdwKNSzaxlp141z/3rUtFqEHEC
+iO6gPCT3U7dt6MyC7r6vdMqyW6aldP3CtwD0gQziKAMoj+TAfAcq
+-----END CERTIFICATE-----
diff --git a/testdata/dnstap_tls_badcert.tdir/unbound_server.key b/testdata/dnstap_tls_badcert.tdir/unbound_server.key
new file mode 100644
index 000000000..4256c421d
--- /dev/null
+++ b/testdata/dnstap_tls_badcert.tdir/unbound_server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC3F7Jsv2u01pLL9rFnjsMU/IaCFUIz/624DcaE84Z4gjMl5kWA
+3axQcqul1wlwSrbKwrony+d9hH/+MX0tZwvl8w3OmhmOAiaQ+SHCsIuOjVwQjX0s
+RLB61Pz5+PAiVvnPa9JIYB5QrK6DVEsxIHj8MOc5JKORrnESsFDh6yeMeQIDAQAB
+AoGAAuWoGBprTOA8UGfl5LqYkaNxSWumsYXxLMFjC8WCsjN1NbtQDDr1uAwodSZS
+6ujzvX+ZTHnofs7y64XC8k34HTOCD2zlW7kijWbT8YjRYFU6o9F5zUGD9RCan0ds
+sVscT2psLSzfdsmFAcbmnGdxYkXk2PC1FHtaqExxehralGUCQQDcqrg9uQKXlhQi
+XAaPr8SiWvtRm2a9IMMZkRfUWZclPHq6fCWNuUaCD+cTat4wAuqeknAz33VEosw3
+fXGsok//AkEA1GjIHXrOcSlpfVJb6NeOBugjRtZ7ZDT5gbtnMS9ob0qntKV6saaL
+CNmJwuD9Q3XkU5j1+uHvYGP2NzcJd2CjhwJACV0hNlVMe9w9fHvFN4Gw6WbM9ViP
+0oS6YrJafYNTu5vGZXVxLoNnL4u3NYa6aPUmuZXjNwBLfJ8f5VboZPf6RwJAINd2
+oYA8bSi/A755MX4qmozH74r4Fx1Nuq5UHTm8RwDe/0Javx8F/j9MWpJY9lZDEF3l
+In5OebPa/NyInSmW/wJAZuP9aRn0nDBkHYri++1A7NykMiJ/nH0mDECbnk+wxx0S
+LwqIetBhxb8eQwMg45+iAH7CHAMQ8BQuF/nFE6eotg==
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/dnstap_tls_badcert.tdir/unbound_server.pem b/testdata/dnstap_tls_badcert.tdir/unbound_server.pem
new file mode 100644
index 000000000..aeda3ff11
--- /dev/null
+++ b/testdata/dnstap_tls_badcert.tdir/unbound_server.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAQQCCQDsNJ1UmphEFzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowEjEQMA4GA1UE
+AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtxeybL9rtNaS
+y/axZ47DFPyGghVCM/+tuA3GhPOGeIIzJeZFgN2sUHKrpdcJcEq2ysK6J8vnfYR/
+/jF9LWcL5fMNzpoZjgImkPkhwrCLjo1cEI19LESwetT8+fjwIlb5z2vSSGAeUKyu
+g1RLMSB4/DDnOSSjka5xErBQ4esnjHkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAZ
+9N0lnLENs4JMvPS+mn8C5m9bkkFITd32IiLjf0zgYpIUbFXH6XaEr9GNZBUG8feG
+l/6WRXnbnVSblI5odQ4XxGZ9inYY6qtW30uv76HvoKp+QZ1c3460ddR8NauhcCHH
+Z7S+QbLXi+r2JAhpPozZCjBHlRD0ixzA1mKQTJhJZg==
+-----END CERTIFICATE-----
diff --git a/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.conf b/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.conf
new file mode 100644
index 000000000..75e98a71d
--- /dev/null
+++ b/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.conf
@@ -0,0 +1,46 @@
+server:
+ verbosity: 4
+ num-threads: 1
+ outgoing-range: 16
+ interface: 127.0.0.1
+ port: @PORT@
+ use-syslog: no
+ directory: ""
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+ local-zone: "example.net." redirect
+ local-data: "example.net. IN A 10.20.30.41"
+remote-control:
+ control-enable: yes
+ control-interface: 127.0.0.1
+ # control-interface: ::1
+ control-port: @CONTROL_PORT@
+ server-key-file: "unbound_server.key"
+ server-cert-file: "unbound_server.pem"
+ control-key-file: "unbound_control.key"
+ control-cert-file: "unbound_control.pem"
+forward-zone:
+ name: "."
+ forward-addr: "127.0.0.1@@TOPORT@"
+dnstap:
+ dnstap-enable: yes
+ dnstap-socket-path: "dnstap.socket"
+ dnstap-ip: "127.0.0.1@@TAPPORT@"
+ dnstap-tls: yes
+ # actual certificate name: "unbound"
+ # we enter another name here.
+ dnstap-tls-server-name: "anothername"
+ dnstap-tls-cert-bundle: "unbound_server.pem"
+ dnstap-send-identity: yes
+ dnstap-send-version: yes
+ #dnstap-identity
+ #dnstap-version
+ dnstap-log-resolver-query-messages: yes
+ dnstap-log-resolver-response-messages: yes
+ dnstap-log-client-query-messages: yes
+ dnstap-log-client-response-messages: yes
+ dnstap-log-forwarder-query-messages: yes
+ dnstap-log-forwarder-response-messages: yes
+
diff --git a/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.dsc b/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.dsc
new file mode 100644
index 000000000..33cc38a6c
--- /dev/null
+++ b/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.dsc
@@ -0,0 +1,16 @@
+BaseName: dnstap_tls_badname
+Version: 1.0
+Description: test dnstap tls test bad peer name for authentication
+CreationDate: Tue Feb 14 14:00:38 CET 2020
+Maintainer: dr. W.C.A. Wijngaards
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: dnstap_tls_badname.pre
+Post: dnstap_tls_badname.post
+Test: dnstap_tls_badname.test
+AuxFiles:
+Passed:
+Failure:
diff --git a/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.post b/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.post
new file mode 100644
index 000000000..59f05b81d
--- /dev/null
+++ b/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.post
@@ -0,0 +1,20 @@
+# #-- dnstap_tls_badname.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+PRE="../.."
+if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+kill_pid $DNSTAP_SOCKET_PID
+kill_pid $FWD_PID
+kill $UNBOUND_PID
+kill $UNBOUND_PID >/dev/null 2>&1
+cat unbound.log
+echo "> tap logfiles"
+cat tap.log
+cat tap.errlog
+cat fwd.log
+exit 0
diff --git a/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.pre b/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.pre
new file mode 100644
index 000000000..0ffee6081
--- /dev/null
+++ b/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.pre
@@ -0,0 +1,54 @@
+# #-- dnstap_tls_badname.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+
+PRE="../.."
+if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+
+get_random_port 4
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+CONTROL_PORT=$(($RND_PORT + 2))
+TAP_PORT=$(($RND_PORT + 3))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
+echo "TAP_PORT=$TAP_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT dnstap_tls_badname.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# start the dnstap log server
+# the -vvvv flag prints protocol and connection information from the
+# unbound-dnstap-socket server.
+# the -l flag prints the DNS info in the DNSTAP packet in multiline output.
+# stderr is the '-vvvv' server logs and errors.
+# stdout is the one-line packet logs (or with -l, multiline).
+$PRE/unbound-dnstap-socket -t "127.0.0.1@$TAP_PORT" -x unbound_server.key -y unbound_server.pem -l -vvvv 2>tap.errlog >tap.log &
+if test $? -ne 0; then
+ echo "could not start unbound-dnstap-socket server"
+ exit 1
+fi
+DNSTAP_SOCKET_PID=$!
+echo "DNSTAP_SOCKET_PID=$DNSTAP_SOCKET_PID" >> .tpkg.var.test
+# wait for the server to go up
+wait_server_up "tap.errlog" "start of service"
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' -e 's/@TAPPORT\@/'$TAP_PORT'/' < dnstap_tls_badname.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.test b/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.test
new file mode 100644
index 000000000..248d8f222
--- /dev/null
+++ b/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.test
@@ -0,0 +1,51 @@
+# #-- dnstap_tls_badname.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+PRE="../.."
+if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+
+# test if the server is up.
+echo "> dig www.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+ echo "OK"
+else
+ echo "> cat logfiles"
+ cat tap.log
+ cat tap.errlog
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+
+echo "> check tap.log for dnstap info"
+# see if it logged the information in tap.log
+# wait for a moment for filesystem to catch up.
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log; then
+ echo "it is in tap.log";
+ echo "but there should not be a connection"
+ echo "failed"
+ echo "> cat logfiles"
+ cat tap.log
+ cat tap.errlog
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+else
+ echo "information not in tap.log"
+fi
+
+echo "> OK"
+exit 0
diff --git a/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.testns b/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.testns
new file mode 100644
index 000000000..0c911ca5b
--- /dev/null
+++ b/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.testns
@@ -0,0 +1,22 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www IN A
+SECTION ANSWER
+www IN A 10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA SERVFAIL
+ADJUST copy_id
+SECTION QUESTION
+www.example.net. IN A
+ENTRY_END
+
diff --git a/testdata/dnstap_tls_badname.tdir/unbound_control.key b/testdata/dnstap_tls_badname.tdir/unbound_control.key
new file mode 100644
index 000000000..d7c43a06b
--- /dev/null
+++ b/testdata/dnstap_tls_badname.tdir/unbound_control.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDD6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBa
+rzPA0vlyuNtUsEN3qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvH
+ST6JwUdIg0Lzg/USJ81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQAB
+AoGAFT3e35MIgI4uDJJ8X0RfHp2NCO2LUg4TKbWical/C0W9vlR1/x80G1pE1d2Z
+WotqJVWTrOq6eBox19RCgtLg2wPGk9uD62+9SDT37heWFlUCElWq50pQG6k9ThiG
+DDypkZyZ/52+DdWybiaQJkuK6O5qQXuNAtVJMpghu4GnHAECQQDsupnZUQDpapzr
+4FC4MSkL2+A1PRt6g4VhwoqOpJXaHfVnH6F7AwUuOLNwGdR5Cvv70pfJ7Jqg8L2m
+Kxyl5bORAkEA09rn34YQ0pHJdHidbl2kInIuYTz09+TO3LWwan17nISH9aaYvVDr
+p9x1B4Qzw9qyxT9oll7ze/5Rw/7C3AQj4QJAT2B2a+b8bkgAXBs4FbruL3rHoDJg
+P2FQXSpVOWU4lg2LlsuFYvDtUMVUbZdLplanjZXcral3Y9W1Ub2M+ped8QJAYQN+
+aRpge7ys7vwIw7B36Bo3aOncF+ScYe+FkM5Tm7II/JHEofT7ZQwMP1vnxIlSkgbe
+YvWqNB6a3NC99LikoQJBAM4UhDdRg63Tr6Idky6CQaH///zAN7nArJfffKGWFdw9
+DKrWpNqvYZtX/cfEJucKcRCm5YL8CKFYbQy4VoCxUcE=
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/dnstap_tls_badname.tdir/unbound_control.pem b/testdata/dnstap_tls_badname.tdir/unbound_control.pem
new file mode 100644
index 000000000..8f1ba87f1
--- /dev/null
+++ b/testdata/dnstap_tls_badname.tdir/unbound_control.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBozCCAQwCCQD6XaN6FzW/4DANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowGjEYMBYGA1UE
+AxMPdW5ib3VuZC1jb250cm9sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD
+6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBarzPA0vlyuNtUsEN3
+qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvHST6JwUdIg0Lzg/US
+J81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQABMA0GCSqGSIb3DQEB
+BQUAA4GBAGFAXmaQHuFgAuc6HVhYZJdToxLBhfxGpot4oZNjcb1Cdoz3OL34MU1B
+9E5psj2PpGPIi8/RwoqBtAJHJ+J5cWngo03o4ZmdwKNSzaxlp141z/3rUtFqEHEC
+iO6gPCT3U7dt6MyC7r6vdMqyW6aldP3CtwD0gQziKAMoj+TAfAcq
+-----END CERTIFICATE-----
diff --git a/testdata/dnstap_tls_badname.tdir/unbound_server.key b/testdata/dnstap_tls_badname.tdir/unbound_server.key
new file mode 100644
index 000000000..4256c421d
--- /dev/null
+++ b/testdata/dnstap_tls_badname.tdir/unbound_server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC3F7Jsv2u01pLL9rFnjsMU/IaCFUIz/624DcaE84Z4gjMl5kWA
+3axQcqul1wlwSrbKwrony+d9hH/+MX0tZwvl8w3OmhmOAiaQ+SHCsIuOjVwQjX0s
+RLB61Pz5+PAiVvnPa9JIYB5QrK6DVEsxIHj8MOc5JKORrnESsFDh6yeMeQIDAQAB
+AoGAAuWoGBprTOA8UGfl5LqYkaNxSWumsYXxLMFjC8WCsjN1NbtQDDr1uAwodSZS
+6ujzvX+ZTHnofs7y64XC8k34HTOCD2zlW7kijWbT8YjRYFU6o9F5zUGD9RCan0ds
+sVscT2psLSzfdsmFAcbmnGdxYkXk2PC1FHtaqExxehralGUCQQDcqrg9uQKXlhQi
+XAaPr8SiWvtRm2a9IMMZkRfUWZclPHq6fCWNuUaCD+cTat4wAuqeknAz33VEosw3
+fXGsok//AkEA1GjIHXrOcSlpfVJb6NeOBugjRtZ7ZDT5gbtnMS9ob0qntKV6saaL
+CNmJwuD9Q3XkU5j1+uHvYGP2NzcJd2CjhwJACV0hNlVMe9w9fHvFN4Gw6WbM9ViP
+0oS6YrJafYNTu5vGZXVxLoNnL4u3NYa6aPUmuZXjNwBLfJ8f5VboZPf6RwJAINd2
+oYA8bSi/A755MX4qmozH74r4Fx1Nuq5UHTm8RwDe/0Javx8F/j9MWpJY9lZDEF3l
+In5OebPa/NyInSmW/wJAZuP9aRn0nDBkHYri++1A7NykMiJ/nH0mDECbnk+wxx0S
+LwqIetBhxb8eQwMg45+iAH7CHAMQ8BQuF/nFE6eotg==
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/dnstap_tls_badname.tdir/unbound_server.pem b/testdata/dnstap_tls_badname.tdir/unbound_server.pem
new file mode 100644
index 000000000..aeda3ff11
--- /dev/null
+++ b/testdata/dnstap_tls_badname.tdir/unbound_server.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAQQCCQDsNJ1UmphEFzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowEjEQMA4GA1UE
+AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtxeybL9rtNaS
+y/axZ47DFPyGghVCM/+tuA3GhPOGeIIzJeZFgN2sUHKrpdcJcEq2ysK6J8vnfYR/
+/jF9LWcL5fMNzpoZjgImkPkhwrCLjo1cEI19LESwetT8+fjwIlb5z2vSSGAeUKyu
+g1RLMSB4/DDnOSSjka5xErBQ4esnjHkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAZ
+9N0lnLENs4JMvPS+mn8C5m9bkkFITd32IiLjf0zgYpIUbFXH6XaEr9GNZBUG8feG
+l/6WRXnbnVSblI5odQ4XxGZ9inYY6qtW30uv76HvoKp+QZ1c3460ddR8NauhcCHH
+Z7S+QbLXi+r2JAhpPozZCjBHlRD0ixzA1mKQTJhJZg==
+-----END CERTIFICATE-----
diff --git a/testdata/dnstap_tls_peername.tdir/dnstap_tls_peername.dsc b/testdata/dnstap_tls_peername.tdir/dnstap_tls_peername.dsc
index d011d5ece..bce84f55c 100644
--- a/testdata/dnstap_tls_peername.tdir/dnstap_tls_peername.dsc
+++ b/testdata/dnstap_tls_peername.tdir/dnstap_tls_peername.dsc
@@ -1,6 +1,6 @@
 BaseName: dnstap_tls_peername
 Version: 1.0
-Description: test dnstap tls and reconnect
+Description: test dnstap tls with auth name and tls authentication
 CreationDate: Tue Feb 14 14:00:38 CET 2020
 Maintainer: dr. W.C.A. Wijngaards
 Category:
diff --git a/testdata/dnstap_tls_peername.tdir/dnstap_tls_peername.post b/testdata/dnstap_tls_peername.tdir/dnstap_tls_peername.post
index b2c29d0da..3ca63ada4 100644
--- a/testdata/dnstap_tls_peername.tdir/dnstap_tls_peername.post
+++ b/testdata/dnstap_tls_peername.tdir/dnstap_tls_peername.post
@@ -16,8 +16,5 @@ cat unbound.log
 echo "> tap logfiles"
 cat tap.log
 cat tap.errlog
-echo "> tap2 logfiles"
-if test -f tap2.log; then cat tap2.log; fi
-if test -f tap2.errlog; then cat tap2.errlog; fi
 cat fwd.log
 exit 0
diff --git a/testdata/dnstap_tls_peername.tdir/dnstap_tls_peername.test b/testdata/dnstap_tls_peername.tdir/dnstap_tls_peername.test
index 6082c3a89..03bcbadfd 100644
--- a/testdata/dnstap_tls_peername.tdir/dnstap_tls_peername.test
+++ b/testdata/dnstap_tls_peername.tdir/dnstap_tls_peername.test
@@ -30,6 +30,8 @@ echo "> check tap.log for dnstap info"
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
 if grep "www.example.com" tap.log >/dev/null; then :; else sleep 10; fi
 if grep "www.example.com" tap.log; then echo "yes it is in tap.log";
 else
@@ -44,48 +46,5 @@ else
  exit 1
 fi
 
-echo ""
-echo "> test disconnect from the upstream server"
-
-kill_pid $DNSTAP_SOCKET_PID
-dig @127.0.0.1 -p $UNBOUND_PORT down.example.net.
-
-# bring log socket back up
-$PRE/unbound-dnstap-socket -t "127.0.0.1@$TAP_PORT" -x unbound_server.key -y unbound_server.pem -l -vvvv 2>tap2.errlog >tap2.log &
-if test $? -ne 0; then
- echo "could not start (again) unbound-dnstap-socket server"
- exit 1
-fi
-DNSTAP_SOCKET_PID=$!
-echo "DNSTAP_SOCKET_PID=$DNSTAP_SOCKET_PID" >> .tpkg.var.test
-# wait for the server to go up
-wait_server_up "tap2.errlog" "start of service"
-
-dig @127.0.0.1 -p $UNBOUND_PORT up.example.net.
-sleep 2
-dig @127.0.0.1 -p $UNBOUND_PORT up2.example.net.
-
-for x in down up up2; do
- if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
- if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
- if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 1; fi
- if grep "$x.example.net" tap2.log >/dev/null; then :; else sleep 10; fi
- if grep "$x.example.net" tap2.log; then echo "yes it is in tap2.log";
- else
- echo "$x.example.net. information not in tap2.log"
- echo "failed"
- echo "> cat logfiles"
- cat tap.log
- cat tap.errlog
- echo "> tap2 logfiles"
- cat tap2.log
- cat tap2.errlog
- cat fwd.log
- cat unbound.log
- echo "Not OK"
- exit 1
- fi
-done
-
 echo "> OK"
 exit 0