Evan Hunt [Mon, 8 Nov 2021 20:44:55 +0000 (12:44 -0800)]
address '--disable-doh' failures
Change 5756 (GL #2854) introduced build errors when using
'configure --disable-doh'. To fix this, isc_nm_is_http_handle() is
now defined in all builds, not just builds that have DoH enabled.
Missing code comments were added both for that function and for
isc_nm_is_tlsdns_handle().
Petr Špaček [Fri, 5 Nov 2021 10:39:07 +0000 (11:39 +0100)]
Automatically cancel CI jobs on outdated branches
Gitlab feature
https://docs.gitlab.com/ee/ci/pipelines/settings.html#auto-cancel-redundant-pipelines
can automatically cancel jobs which operate on an outdated code, i.e. on
branches which received new commits while jobs with an older set of
commits are still running. For this feature to work jobs have to be
configured with boolean interruptible: true.
I think practically all of our current CI jobs can be cancelled,
so the option is now on by default for all jobs.
Petr Špaček [Mon, 21 Jun 2021 12:51:43 +0000 (14:51 +0200)]
Add new system test for wildcard expansion
This is almost minimal prototype to show how to use python-hypothesis
library in a system test. It does not fully replace existing shell-based
system test for wildcards.
Artem Boldariev [Tue, 12 Oct 2021 13:58:45 +0000 (16:58 +0300)]
DoH: Set the "max-age" "Cache-Control" HTTP header value
This commit makes BIND set the "max-age" value of the "Cache-Control"
HTTP header to the minimal TTL from the Answer section for positive
answers, as RFC 8484 advises in section 5.1.
We calculate the minimal TTL as a side effect of rendering the
response DNS message, so it does not change the code flow much, nor
should it have any measurable negative impact on the performance.
For negative answers, the "max-age" value is set using the TTL and
SOA-minimum values from an SOA record in the Authority section.
Artem Boldariev [Wed, 6 Oct 2021 11:09:53 +0000 (14:09 +0300)]
DoH: Add isc_nm_set_min_answer_ttl()
This commit adds an isc_nm_set_min_answer_ttl() function which is
intended to to be used to give a hint to the underlying transport
regarding the answer TTL.
The interface is intentionally kept generic because over time more
transports might benefit from this functionality, but currently it is
intended for DoH to set "max-age" value within "Cache-Control" HTTP
header (as recommended in the RFC8484, section 5.1 "Cache
Interaction").
It is no-op for other DNS transports for the time being.
Petr Špaček [Wed, 3 Nov 2021 13:50:08 +0000 (14:50 +0100)]
Fix incorrect version bump in statistics channels
The version number for the XML statistics channel was not incremented
correctly after removal of isc_socket code in a55589f881bc4e4c1099e50b6d4ce84ffc7b5ba3, and the JSON version number
was not incremented at all.
Mark Andrews [Tue, 26 Oct 2021 04:28:36 +0000 (15:28 +1100)]
Handle HTTP/1.1 pipelined requests
Check to see whether there are outstanding requests in the
httpd receive buffer after sending the response, and if so,
process them.
Test that pipelined requests are handled by sending multiple
minimal HTTP/1.1 using netcat (nc) and checking that we get
back the same number of responses.
Mark Andrews [Tue, 26 Oct 2021 00:54:31 +0000 (11:54 +1100)]
Consume the HTTP headers after processing a request
Remember the amount of space consumed by the HTTP headers, then
move any trailing data to the start of the httpd->recvbuf once
we have finished processing the request.
if an incoming HTTP request is incomplete, but nothing else is clearly
wrong with it, the stats channel continues reading to see if there's
more coming. the buffer length was not being processed correctly in
this case. also, the server state was not reset correctly when the
request was complete, so that subsequent requests could be appended to
the first buffer instead of being treated as new.
in addition fixing the above problems, this commit also increases the
size of the httpd request buffer from 1024 to 4096, because some
browsers send a lot of headers.
Michal Nowak [Mon, 1 Nov 2021 14:40:08 +0000 (15:40 +0100)]
Fix typo in dns_name_copy-with-result.spatch
A typo introduced in f3f1cab05e05c9bdd5da91f3ab159ec6658ec7f4 prevents
execution of the dns_name_copy-with-result.spatch. The replacement
should end with semicolon not a colon:
Mark Andrews [Mon, 1 Nov 2021 00:40:26 +0000 (11:40 +1100)]
Address bugs in opensslrsa_tofile
1) if 'key->external' is set we just need to call
dst__privstruct_writefile
2) the cleanup of 'bufs' was incorrect as 'i' doesn't reflect the
the current index into 'bufs'. Use a simple for loop.
This review was triggered by Coverity reporting a buffer overrun
on 'bufs'.
Mark Andrews [Mon, 1 Nov 2021 00:13:43 +0000 (11:13 +1100)]
Address potential memory leak in openssldh_parse()
'dh' was being assigned to key->keydata.dh too soon which could
result in a memory leak on error. Moved the assignement of
key->keydata.dh until after dh was correct.
Coverity was reporting dead code on the error path cleaning up 'dh'
which triggered this review.
Michal Nowak [Mon, 1 Nov 2021 13:40:00 +0000 (14:40 +0100)]
Add comparekeys to release tarball
'make dist' omits lib/dns/tests/comparekeys/ (added in 7101afa23cfc7cd005aeeb00802481094a0b9cf5) from release tarball it
creates which makes the unit:gcc:tarball CI job permanently fail in the
dst unit test.
Artem Boldariev [Fri, 29 Oct 2021 15:43:40 +0000 (18:43 +0300)]
Be less strict regarding "tls" statements in the configuration file
In the 9.17.19 release "tls" statements verification code was
added. The code was too strict and assumed that every such a statement
should have both "cert-file" and "key-file" specified. This turned out
to be a regression, as in some cases we plan to use the "tls"
statement to specify TLS connection parameters.
This commit fixes this behaviour; now a "tls" statement should either
have both "cert-file" and "key-file" specified, or both should be
omitted.
Petr Špaček [Thu, 28 Oct 2021 12:26:09 +0000 (14:26 +0200)]
remove last remaining reference to _REENTRANT macro and fix DLZ example
It was used only as guard against unused variable declaration, but the
surrounding code depends on strtok_r being defined unconditionally, so
there is no point in guarding a variable.
Glibc documentation suggests it is obsolete anyway and e.g. Meson build
system decided to ignore it. It seems to be required only by old
Solaris compiler and OpenIndiana uses gcc.
Petr Špaček [Thu, 28 Oct 2021 14:39:20 +0000 (16:39 +0200)]
retain diff output if clang-format changes something
It's major PITA trying to guess what exactly clang-format has changed,
so how CI stores patch file with changes which can be applied locally if
needed.
Michał Kępień [Thu, 28 Oct 2021 12:03:04 +0000 (14:03 +0200)]
Disable PyLint warning C0209
PyLint 2.11 reports a new warning, C0209 (consider-using-f-string).
Since f-strings are only available in Python 3.6+, existing scripts
cannot be updated to use this feature just yet because they would stop
working with older Python versions. Instead, disable PyLint warning
C0209 for the time being. Sort all disabled warnings in .pylintrc.
Michał Kępień [Thu, 28 Oct 2021 10:05:58 +0000 (12:05 +0200)]
Move CHANGES entry for GL #2308
GL #2308 was originally referenced by CHANGES entry 5727. However, the
corresponding code change turned out to be flawed and had to be reverted
in BIND 9.17.19, causing CHANGES entry 5727 to be turned into a
placeholder on the release branch.
Commit 63145fb1d328eb66f9c786d2273bc2e3f6a3ecf5 subsequently addressed
the flaw, so the fix for GL #2308 will be included in BIND 9.17.20.
Move the relevant CHANGES entry to reflect that.
Enable lame response detection even with disabled lame cache
Previously, when lame cache would be disabled by setting lame-ttl to 0,
it would also disable lame answer detection. In this commit, we enable
the lame response detection even when the lame cache is disabled. This
enables stopping answer processing early rather than going through the
whole answer processing flow.
The lame-ttl cache is implemented in ADB as per-server locked
linked-list "indexed" with <qname,qtype>. This list has to be walked
every time there's a new query or new record added into the lame cache.
Determined attacker can use this to degrade performance of the resolver.
Resolver testing has shown that disabling the lame cache has little
impact on the resolver performance and it's a minimal viable defense
against this kind of attack.
Aram Sargsyan [Wed, 6 Oct 2021 14:18:49 +0000 (14:18 +0000)]
Use OpenSSL version macro instead of function check
Unless being configured with the `no-deprecated` option, OpenSSL 3.0.0
still has the deprecated APIs present and will throw warnings during
compilation, when using them.
Make sure that the old APIs are being used only with the older versions
of OpenSSL.
Mark Andrews [Wed, 8 Sep 2021 06:31:56 +0000 (16:31 +1000)]
Use EVP_PKEY_eq() instead of deprected EVP_PKEY_cmp()
EVP_PKEY_eq() is the replacement with a smaller result range (0, 1)
instead of (-1, 0, 1). EVP_PKEY_cmp() is mapped to EVP_PKEY_eq() when
building with older versions of OpenSSL.
Use thinner shims for OpenSSL's EVP_MD_CTX_new() and EVP_MD_CTX_free()
The EVP_MD_CTX_new() and EVP_MD_CTX_free() functions are renamed APIs
which were previously available as EVP_MD_CTX_create() and
EVP_MD_CTX_destroy() respectively, which means that we can use them
instead of providing our own shim functions.
Use ERR_get_error_all() instead of deprecated ERR_get_error_line_data()
OpenSSL 3.0.0 deprecates the ERR_get_error_line_data() function.
Use ERR_get_error_all() instead of ERR_get_error_line_data() and create
a shim to use the old variant for the older OpenSSL versions which don't
have the newer ERR_get_error_all().
Use EVP_MD_CTX_get0_md() instead of deprecated EVP_MD_CTX_md()
OpenSSL 3.0.0 deprecates the EVP_MD_CTX_md() function.
Use EVP_MD_CTX_md() instead of EVP_MD_CTX_get0_md() and create a shim
to use the old variant for the older OpenSSL versions which don't have
the newer EVP_MD_CTX_get0_md().
Make the configure.ac script compatible with OpenSSL 3.0.0
OpenSSL 3.0.0 deprecates many low level API functions.
In preparation for the future support of linking BIND with OpenSSL 3.0.0
without the deprecated API functions, change the configure.ac script to
use functions which are available on all supported versions of OpenSSL
and LibreSSL.
Aram Sargsyan [Wed, 27 Oct 2021 19:52:05 +0000 (19:52 +0000)]
Add dst_key_pubcompare and dst_key_compare unit test
The dst_key_pubcompare() and dst_key_compare() didn't have a unit test,
add the unit tests which test comparing the same keys, different keys,
and, where possible, similar keys with a manually altered parameter.
dst_key_pubcompare() internally uses the *_todns() functions of the
lib/dns/openssl*_link.c modules.
dst_key_compare() internally uses the *_compare() functions of the
lib/dns/openssl*_link.c modules.
projects / thirdparty / bind9.git / log
