Due to a bug in OpenSSL 3, the pkcs11-engine is made the default
provider if enabled. This causes key generation and load to
return legacy objects.
OpenSSL 3 has limited glue and does not support the full set
of new-style parameters to be queried from legacy key objects.
Rewrite required functions to use first the new API (if available),
but fall back to the old API (if available). For the methods that
have proper OpenSSL compatibility glue, ship only one version.
Before calling isc_buffer_putmem(), there is a condition to check
that 'buf_size' is greater than 0. At this point 'buf_size' is
guaranteed to be greater than zero, so either the condition is
redundant, or 'unprocessed_size' should be checked instead, which
seems more logical, because calling isc_buffer_putmem() with
'unprocessed_size' being zero is not useful, although harmless.
The isc_dnsstream_assembler_incoming() inline function expects that
when 'buf_size' is zero, then 'buf' must be NULL. The expectation is
not correct, because those values come from the libuv read callback,
and its documentation notes[1] that 'nread' ('buf_size' here) might
be 0, which does not indicate an error or EOF, but is equivalent to
EAGAIN or EWOULDBLOCK under read(2).
Change the isc_dnsstream_assembler_incoming() inline function to
remove the invalid expectation.
[1] https://docs.libuv.org/en/v1.x/stream.html#c.uv_read_cb
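
An added example (not BIND's code) for the two isc_dnsstream_assembler_incoming() messages above: a simplified assembler for length-prefixed DNS-over-TCP messages that accepts a zero-length read with a non-NULL buffer and copies the tail only when 'unprocessed_size' is non-zero. The names assembler_t and assembler_incoming are hypothetical, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified assembler for DNS-over-TCP framing (2-byte
 * big-endian length prefix); not the isc_dnsstream_assembler code. */
typedef struct {
	uint8_t data[2 + UINT16_MAX]; /* unprocessed bytes kept between reads */
	size_t used;
} assembler_t;

/* Feed one read-callback chunk; returns the messages completed by this call,
 * or -1 if the chunk is NULL or exceeds the free space (a simplification).
 * A zero-length chunk is valid whether or not 'buf' is NULL: libuv may
 * report nread == 0 together with a buffer it allocated. */
static int assembler_incoming(assembler_t *a, const uint8_t *buf, size_t buf_size) {
	int completed = 0;
	size_t off = 0;
	if (buf_size > 0) {
		if (buf == NULL || buf_size > sizeof(a->data) - a->used) {
			return -1;
		}
		memcpy(a->data + a->used, buf, buf_size);
		a->used += buf_size;
	}
	while (a->used - off >= 2) { /* drain every complete message */
		size_t len = ((size_t)a->data[off] << 8) | a->data[off + 1];
		if (a->used - off - 2 < len) {
			break; /* partial message: wait for more data */
		}
		completed++;
		off += 2 + len;
	}
	/* Keep the unprocessed tail; nothing to copy when it is empty. */
	size_t unprocessed_size = a->used - off;
	if (unprocessed_size > 0 && off > 0) {
		memmove(a->data, a->data + off, unprocessed_size);
	}
	a->used = unprocessed_size;
	return completed;
}

int main(void) {
	static assembler_t a;        /* zero-initialized */
	uint8_t scratch[16] = { 0 }; /* stands in for a libuv-allocated buffer */
	const uint8_t wire[] = { 0x00, 0x02, 0xaa, 0xbb, 0x00 }; /* constructed */
	int idle = assembler_incoming(&a, scratch, 0); /* nread == 0 */
	int done = assembler_incoming(&a, wire, sizeof(wire));
	printf("idle=%d done=%d pending=%zu\n", idle, done, a.used);
	return 0;
}
```
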
Move i386 and other less common or ancient CPU architectures to the
Community-Maintained category. Move armhf and arm64 to the Best-Effort
category as we do test them as part of development work (new MacBooks
are all arm64), but we don't really do the full set of tests in the CI.
Instead of duplicating the destroy_forwarders() code in the cleanup
sections, just call dns_forwarders_detach() every time - in case of
failure, the forwarders aren't going to be attached, and the forwarders
object will be destroyed right away.
There used to be an extra layer of indirection in the memory functions
for certain dynamic linking scenarios. This involved variant spellings
like isc__mem and isc___mem. The isc___mem variants were removed in
commit 7de846977b so the token pasting is no longer needed and
only serves to obfuscate.
The rrl system test has been unstable and producing false positive
results for years (GL #172). Allow the test to be re-run (once) to
reduce the noise it causes.
The reclimit system test has been unstable and producing false positive
results for years (GL #1587). Allow the test to be re-run (once) to
reduce the noise it causes.
The qmin test is inherently unstable. It fails quite often with failure
modes described in GL #904. Allow the pytest runner to re-run the test
up to 3 times to only detect more persistent and reproducible failures
rather than random noise caused by the nature of the test.
It is better to disable the specific check that causes the test to fail
rather than mark the entire test as xfail, which can mask other issues
which the test is capable of detecting.
The commands in after_script run in a new shell, separate from
before_script and script commands. Since the pytest.log.txt for
out-of-tree tests is present in the build directory, switch to it (if set)
before running any postprocessing commands.
The DTrace generated files were missing a dependency on the Makefile, so
they didn't get regenerated when ./configure was re-run. This would
create problems especially between ./configure --enable-tracing vs
./configure --disable-tracing invocations.
The DTrace on macOS only needs the header file and the dtrace command
doesn't have the -G option. Skip generating the object file on macOS,
so the build doesn't fail.
When synthesizing a new CNAME, we now check whether the target
matches the query already being processed. If so, we do not
restart the query; this prevents a waste of resources.
The dnsrps build assumes that dlopen is available from libc. This
assumption isn't met when attempting to build with address or thread
sanitizer on Debian (bullseye, bookworm). Disable dnsrps build to avoid
the issue, since it's not needed anyway for our respdiff tests.
See commit b396f55586 for more info about
the dnsrps build.
Using check_PROGRAMS would postpone compiling the binaries needed by
system tests until `make check` would be called. Since it's preferable
to invoke pytest directly to run the system test suite, compile these
binaries without installing them during `make all` instead by using
noinst_PROGRAMS.
This removes the need to use TESTS= make -e check hack invoked from
pytest to work around this issue.
We already print the formatted zone name via the xfrin_log() function;
generate the text once and store it in the xfr->info static buffer. Then
we can reuse the string to pass it to the LIBDNS_XFRIN probes.
Add a trace point that would report when a query gets dropped or slipped
by rate limits. It reports the client IP, the zone, and the RRL result
code.
Co-authored-by: Paul Frieden <pfrieden@yahooinc.com>
Add tracing probes to incoming transfers, so we can accurately measure
the individual events when sending, receiving and parsing the incoming
transfers.
Add tracing probes to isc_job unit:
* libisc:job_cb_before - before the job callback is called
* libisc:job_cb_after - after the job callback is called
Add tracing probes to ISC's own isc_rwlock implementation to allow
fine-grained tracing. The pthread rwlock already has probes inside
glibc, and it's difficult to add probes to headers included from the
other libraries.
This adds support for User Statically Defined Tracing (USDT). On
Linux, this uses the header from SystemTap and the dtrace utility, but
the support is universal as long as dtrace is available.
Also add the required infrastructure to add probes to libisc, libdns and
libns libraries, where most of the probes will be.
Many problems of the Debian 11 gcovr version were fixed in the Debian 12
one. Replace workarounds we accumulated over the years with two new,
simple ones.
The gcc:sid:amd64 job was used to test PKCS11 via the OpenSSL engine API
but is now designated for future PKCS11 testing via the provider API.
The ability to use PKCS11 via engine API in clang:bookworm:amd64 has
been restored using only deprecated APIs in OpenSSL 3.