Initial steps towards buildable 9.14

Petr Menšík 2019-07-23 15:18:02 +02:00
parent 7726ce77a6
commit 0b18b1b517
9 changed files with 160 additions and 2820 deletions


@ -1,4 +1,4 @@
From c23daf334d5487fa53fef88c82312e439a2d8523 Mon Sep 17 00:00:00 2001 From f37b26cb7c8f7351d22dfea79df33edb74d42e23 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Thu, 2 Aug 2018 23:46:45 +0200 Date: Thu, 2 Aug 2018 23:46:45 +0200
Subject: [PATCH] FIPS tests changes Subject: [PATCH] FIPS tests changes
@ -76,35 +76,22 @@ Date: Wed Mar 7 10:44:23 2018 +0100
bin/tests/system/catz/ns2/named.conf.in | 2 +- bin/tests/system/catz/ns2/named.conf.in | 2 +-
bin/tests/system/checkconf/bad-tsig.conf | 2 +- bin/tests/system/checkconf/bad-tsig.conf | 2 +-
bin/tests/system/checkconf/good.conf | 2 +- bin/tests/system/checkconf/good.conf | 2 +-
bin/tests/system/digdelv/ns2/example.db | 15 +++-- bin/tests/system/dlv/ns3/sign.sh | 1 +
bin/tests/system/digdelv/tests.sh | 20 +++--- bin/tests/system/feature-test.c | 13 ++++
bin/tests/system/dlv/ns1/sign.sh | 4 +-
bin/tests/system/dlv/ns2/sign.sh | 4 +-
bin/tests/system/dlv/ns6/sign.sh | 66 +++++++++---------
bin/tests/system/dnssec/ns2/sign.sh | 8 +--
bin/tests/system/dnssec/ns5/trusted.conf.bad | 2 +-
bin/tests/system/dnssec/tests.sh | 4 +-
bin/tests/system/feature-test.c | 14 ++++
bin/tests/system/filter-aaaa/ns1/sign.sh | 4 +-
bin/tests/system/filter-aaaa/ns4/sign.sh | 4 +-
bin/tests/system/notify/ns5/named.conf.in | 6 +- bin/tests/system/notify/ns5/named.conf.in | 6 +-
bin/tests/system/notify/tests.sh | 6 +- bin/tests/system/notify/tests.sh | 6 +-
bin/tests/system/nsupdate/ns1/named.conf.in | 2 +- bin/tests/system/nsupdate/ns1/named.conf.in | 2 +-
bin/tests/system/nsupdate/ns2/named.conf.in | 2 +- bin/tests/system/nsupdate/ns2/named.conf.in | 2 +-
bin/tests/system/nsupdate/setup.sh | 7 +- bin/tests/system/nsupdate/setup.sh | 6 +-
bin/tests/system/nsupdate/tests.sh | 11 ++- bin/tests/system/nsupdate/tests.sh | 11 ++-
bin/tests/system/rndc/setup.sh | 2 +- bin/tests/system/rndc/setup.sh | 2 +-
bin/tests/system/rndc/tests.sh | 23 ++++--- bin/tests/system/rndc/tests.sh | 23 ++++---
bin/tests/system/tsig/clean.sh | 1 +
bin/tests/system/tsig/ns1/named.conf.in | 10 +-- bin/tests/system/tsig/ns1/named.conf.in | 10 +--
bin/tests/system/tsig/setup.sh | 5 ++ bin/tests/system/tsig/setup.sh | 5 ++
bin/tests/system/tsig/tests.sh | 67 ++++++++++++------- bin/tests/system/tsig/tests.sh | 67 ++++++++++++-------
bin/tests/system/tsiggss/setup.sh | 2 +-
bin/tests/system/upforwd/ns1/named.conf.in | 2 +- bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
bin/tests/system/upforwd/tests.sh | 2 +- bin/tests/system/upforwd/tests.sh | 2 +-
bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++ 33 files changed, 151 insertions(+), 107 deletions(-)
45 files changed, 232 insertions(+), 171 deletions(-)
create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
index 0ea6502..026db3f 100644 index 0ea6502..026db3f 100644
@ -208,7 +195,7 @@ index 4b4e050..0e679a8 100644
}; };
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
index 09f31f2..f88f0d4 100644 index fe49a86..d7819f1 100644
--- a/bin/tests/system/acl/tests.sh --- a/bin/tests/system/acl/tests.sh
+++ b/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh
@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing" @@ -22,14 +22,14 @@ echo_i "testing basic ACL processing"
@ -334,11 +321,11 @@ index 09f31f2..f88f0d4 100644
echo_i "testing allow-query-on ACL processing" echo_i "testing allow-query-on ACL processing"
diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
index 1569913..e9c5c2d 100644 index c5f38c9..00db0da 100644
--- a/bin/tests/system/allow-query/ns2/named10.conf.in --- a/bin/tests/system/allow-query/ns2/named10.conf.in
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in +++ b/bin/tests/system/allow-query/ns2/named10.conf.in
@@ -12,7 +12,7 @@ @@ -10,7 +10,7 @@
controls { /* empty */ }; */
key one { key one {
- algorithm hmac-md5; - algorithm hmac-md5;
@ -347,11 +334,11 @@ index 1569913..e9c5c2d 100644
}; };
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
index 18ac91c..2b1c873 100644 index 56e5cc4..2c32b71 100644
--- a/bin/tests/system/allow-query/ns2/named11.conf.in --- a/bin/tests/system/allow-query/ns2/named11.conf.in
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in +++ b/bin/tests/system/allow-query/ns2/named11.conf.in
@@ -12,12 +12,12 @@ @@ -10,12 +10,12 @@
controls { /* empty */ }; */
key one { key one {
- algorithm hmac-md5; - algorithm hmac-md5;
@ -366,11 +353,11 @@ index 18ac91c..2b1c873 100644
}; };
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
index b824844..dd48945 100644 index 8381950..21a6366 100644
--- a/bin/tests/system/allow-query/ns2/named12.conf.in --- a/bin/tests/system/allow-query/ns2/named12.conf.in
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in +++ b/bin/tests/system/allow-query/ns2/named12.conf.in
@@ -12,7 +12,7 @@ @@ -10,7 +10,7 @@
controls { /* empty */ }; */
key one { key one {
- algorithm hmac-md5; - algorithm hmac-md5;
@ -379,11 +366,11 @@ index b824844..dd48945 100644
}; };
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
index aeb1540..bfce58b 100644 index 0e5ff55..a90ed6a 100644
--- a/bin/tests/system/allow-query/ns2/named30.conf.in --- a/bin/tests/system/allow-query/ns2/named30.conf.in
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in +++ b/bin/tests/system/allow-query/ns2/named30.conf.in
@@ -12,7 +12,7 @@ @@ -10,7 +10,7 @@
controls { /* empty */ }; */
key one { key one {
- algorithm hmac-md5; - algorithm hmac-md5;
@ -392,11 +379,11 @@ index aeb1540..bfce58b 100644
}; };
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
index d4b7432..e0f5252 100644 index faadb3f..b99f337 100644
--- a/bin/tests/system/allow-query/ns2/named31.conf.in --- a/bin/tests/system/allow-query/ns2/named31.conf.in
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in +++ b/bin/tests/system/allow-query/ns2/named31.conf.in
@@ -12,12 +12,12 @@ @@ -10,12 +10,12 @@
controls { /* empty */ }; */
key one { key one {
- algorithm hmac-md5; - algorithm hmac-md5;
@ -411,11 +398,11 @@ index d4b7432..e0f5252 100644
}; };
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
index c025938..87afb3f 100644 index 9e78dd0..ea7a413 100644
--- a/bin/tests/system/allow-query/ns2/named32.conf.in --- a/bin/tests/system/allow-query/ns2/named32.conf.in
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in +++ b/bin/tests/system/allow-query/ns2/named32.conf.in
@@ -12,7 +12,7 @@ @@ -10,7 +10,7 @@
controls { /* empty */ }; */
key one { key one {
- algorithm hmac-md5; - algorithm hmac-md5;
@ -424,10 +411,10 @@ index c025938..87afb3f 100644
}; };
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
index d83b376..d726b94 100644 index f4bc399..e01f312 100644
--- a/bin/tests/system/allow-query/ns2/named40.conf.in --- a/bin/tests/system/allow-query/ns2/named40.conf.in
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in +++ b/bin/tests/system/allow-query/ns2/named40.conf.in
@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; }; @@ -14,12 +14,12 @@ acl accept { 10.53.0.2; };
acl badaccept { 10.53.0.1; }; acl badaccept { 10.53.0.1; };
key one { key one {
@ -443,10 +430,10 @@ index d83b376..d726b94 100644
}; };
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
index fb6059d..f960156 100644 index 479910c..53b9e5c 100644
--- a/bin/tests/system/allow-query/tests.sh --- a/bin/tests/system/allow-query/tests.sh
+++ b/bin/tests/system/allow-query/tests.sh +++ b/bin/tests/system/allow-query/tests.sh
@@ -190,7 +190,7 @@ rndc_reload @@ -182,7 +182,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: key allowed - query allowed" echo_i "test $n: key allowed - query allowed"
ret=0 ret=0
@ -455,7 +442,7 @@ index fb6059d..f960156 100644
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -203,7 +203,7 @@ rndc_reload @@ -195,7 +195,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: key not allowed - query refused" echo_i "test $n: key not allowed - query refused"
ret=0 ret=0
@ -464,7 +451,7 @@ index fb6059d..f960156 100644
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -216,7 +216,7 @@ rndc_reload @@ -208,7 +208,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: key disallowed - query refused" echo_i "test $n: key disallowed - query refused"
ret=0 ret=0
@ -473,7 +460,7 @@ index fb6059d..f960156 100644
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -349,7 +349,7 @@ rndc_reload @@ -341,7 +341,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views key allowed - query allowed" echo_i "test $n: views key allowed - query allowed"
ret=0 ret=0
@ -482,7 +469,7 @@ index fb6059d..f960156 100644
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -362,7 +362,7 @@ rndc_reload @@ -354,7 +354,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views key not allowed - query refused" echo_i "test $n: views key not allowed - query refused"
ret=0 ret=0
@ -491,7 +478,7 @@ index fb6059d..f960156 100644
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -375,7 +375,7 @@ rndc_reload @@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views key disallowed - query refused" echo_i "test $n: views key disallowed - query refused"
ret=0 ret=0
@ -500,7 +487,7 @@ index fb6059d..f960156 100644
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -508,7 +508,7 @@ status=`expr $status + $ret` @@ -500,7 +500,7 @@ status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo_i "test $n: zone key allowed - query allowed" echo_i "test $n: zone key allowed - query allowed"
ret=0 ret=0
@ -509,7 +496,7 @@ index fb6059d..f960156 100644
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -518,7 +518,7 @@ status=`expr $status + $ret` @@ -510,7 +510,7 @@ status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo_i "test $n: zone key not allowed - query refused" echo_i "test $n: zone key not allowed - query refused"
ret=0 ret=0
@ -518,7 +505,7 @@ index fb6059d..f960156 100644
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -528,7 +528,7 @@ status=`expr $status + $ret` @@ -520,7 +520,7 @@ status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo_i "test $n: zone key disallowed - query refused" echo_i "test $n: zone key disallowed - query refused"
ret=0 ret=0
@ -563,10 +550,10 @@ index 21be03e..e57c308 100644
}; };
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
index 9ab35b3..486551a 100644 index d627d2a..9d0322a 100644
--- a/bin/tests/system/checkconf/good.conf --- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf
@@ -153,6 +153,6 @@ dyndb "name" "library.so" { @@ -157,6 +157,6 @@ dyndb "name" "library.so" {
system; system;
}; };
key "mykey" { key "mykey" {
@ -574,473 +561,51 @@ index 9ab35b3..486551a 100644
+ algorithm "hmac-sha256"; + algorithm "hmac-sha256";
secret "qwertyuiopasdfgh"; secret "qwertyuiopasdfgh";
}; };
diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh
index f4e30f5..9f53e31 100644 index fa51ae1..bc46942 100755
--- a/bin/tests/system/digdelv/ns2/example.db --- a/bin/tests/system/dlv/ns3/sign.sh
+++ b/bin/tests/system/digdelv/ns2/example.db +++ b/bin/tests/system/dlv/ns3/sign.sh
@@ -38,12 +38,15 @@ foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890 @@ -19,6 +19,7 @@ echo_i "dlv/ns3/sign.sh"
;; dlvzone=dlv.utld.
;; we are not testing DNSSEC behavior, so we don't care about the semantics dlvsets=
;; of the following records. dssets=
-dnskey 300 DNSKEY 256 3 1 (
- AQPTpWyReB/e9Ii6mVGnakS8hX2zkh/iUYAg
- +Ge4noWROpTWOIBvm76zeJPWs4Zfqa1IsswD
- Ix5Mqeg0zwclz59uecKsKyx5w9IhtZ8plc4R
- b9VIE5x7KNHAYTvTO5d4S8M=
- )
+dnskey 300 DNSKEY 256 3 8 (
+ AwEAAaWmCoDpj2K59zcpqnmnQM7IC/XbjS6jIP7uTBR4X7p1bdQJzAeo
+ EnMhnpnxPp0j+20eZm4847DB2U+HuHy79Mvqd3aozTmfBJvzjKs9qyba
+ zY/ZHn6BDYxNJiFfjSS/VJ1KuQPDbpCzhm2hbvT5s9nSOaG0WyRk+d+R
+ qEca11E7ZKkmmNiGlyzMAgfmTTBwgxWBAAhvd9nU1GqD6eQ6Z63hpTc/
+ KDIHnFTo7pOcZ4z5urIKUMCMcFytedETlEoR5CIWGPdQq2eIEEMfn5ld
+ QqdEZRHVErD9og8aluJ2s767HZb8LzjCfYgBFoT9/n48T75oZLEKtSkG
+ /idCeeQlaLU=
+ )
; TTL of 3 weeks
weeks 1814400 A 10.53.0.2
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
index ade45ce..d3aff24 100644
--- a/bin/tests/system/digdelv/tests.sh
+++ b/bin/tests/system/digdelv/tests.sh
@@ -106,7 +106,7 @@ if [ -x "$DIG" ] ; then
echo_i "checking dig +rrcomments works for DNSKEY($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1
+ grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -115,7 +115,7 @@ if [ -x "$DIG" ] ; then
echo_i "checking dig +short +rrcomments works for DNSKEY ($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1
+ grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -123,7 +123,7 @@ if [ -x "$DIG" ] ; then
echo_i "checking dig +short +nosplit works($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1
- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=$" < dig.out.test$n > /dev/null || ret=1
+ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=$" < dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -131,7 +131,7 @@ if [ -x "$DIG" ] ; then
echo_i "checking dig +short +rrcomments works($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < dig.out.test$n > /dev/null || ret=1
+ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -148,7 +148,7 @@ if [ -x "$DIG" ] ; then
echo_i "checking dig +short +rrcomments works($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < dig.out.test$n > /dev/null || ret=1
+ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -695,7 +695,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +rrcomments works for DNSKEY($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null || ret=1
+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null || ret=1
check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -704,7 +704,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +rrcomments works for DNSKEY ($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null || ret=1
+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -712,7 +712,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +rrcomments works ($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < delv.out.test$n > /dev/null || ret=1
+ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < delv.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -720,7 +720,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +nosplit works ($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1
- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=" < delv.out.test$n > /dev/null || ret=1
+ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=" < delv.out.test$n > /dev/null || ret=1
if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
f=`awk '{print NF}' < delv.out.test$n`
test "${f:-0}" -eq 14 || ret=1
@@ -731,7 +731,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +nosplit +norrcomments works ($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=$" < delv.out.test$n > /dev/null || ret=1
+ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=$" < delv.out.test$n > /dev/null || ret=1
if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
f=`awk '{print NF}' < delv.out.test$n`
test "${f:-0}" -eq 4 || ret=1
diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh
index 606e7cc..a3a0d60 100755
--- a/bin/tests/system/dlv/ns1/sign.sh
+++ b/bin/tests/system/dlv/ns1/sign.sh
@@ -23,8 +23,8 @@ infile=root.db.in
zonefile=root.db
outfile=root.signed
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh
index 9825c57..202c978 100755
--- a/bin/tests/system/dlv/ns2/sign.sh
+++ b/bin/tests/system/dlv/ns2/sign.sh
@@ -24,8 +24,8 @@ zonefile=druz.db
outfile=druz.pre
dlvzone=utld.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh
index 1e39862..4ed19ac 100755
--- a/bin/tests/system/dlv/ns6/sign.sh
+++ b/bin/tests/system/dlv/ns6/sign.sh
@@ -16,13 +16,15 @@ SYSTESTDIR=dlv
echo_i "dlv/ns6/sign.sh"
+bits=1024 +bits=1024
+
zone=grand.child1.utld. zone=child1.utld.
infile=child.db.in infile=child.db.in
zonefile=grand.child1.utld.db
outfile=grand.child1.signed
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -36,8 +38,8 @@ zonefile=grand.child3.utld.db
outfile=grand.child3.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -51,8 +53,8 @@ zonefile=grand.child4.utld.db
outfile=grand.child4.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -66,8 +68,8 @@ zonefile=grand.child5.utld.db
outfile=grand.child5.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -81,8 +83,8 @@ zonefile=grand.child7.utld.db
outfile=grand.child7.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -96,8 +98,8 @@ zonefile=grand.child8.utld.db
outfile=grand.child8.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -111,8 +113,8 @@ zonefile=grand.child9.utld.db
outfile=grand.child9.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -125,8 +127,8 @@ zonefile=grand.child10.utld.db
outfile=grand.child10.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -138,8 +140,8 @@ infile=child.db.in
zonefile=grand.child1.druz.db
outfile=grand.child1.druz.signed
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -153,8 +155,8 @@ zonefile=grand.child3.druz.db
outfile=grand.child3.druz.signed
dlvzone=dlv.druz.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -168,8 +170,8 @@ zonefile=grand.child4.druz.db
outfile=grand.child4.druz.signed
dlvzone=dlv.druz.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -183,8 +185,8 @@ zonefile=grand.child5.druz.db
outfile=grand.child5.druz.signed
dlvzone=dlv.druz.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -198,8 +200,8 @@ zonefile=grand.child7.druz.db
outfile=grand.child7.druz.signed
dlvzone=dlv.druz.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -213,8 +215,8 @@ zonefile=grand.child8.druz.db
outfile=grand.child8.druz.signed
dlvzone=dlv.druz.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -228,8 +230,8 @@ zonefile=grand.child9.druz.db
outfile=grand.child9.druz.signed
dlvzone=dlv.druz.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -242,8 +244,8 @@ zonefile=grand.child10.druz.db
outfile=grand.child10.druz.signed
dlvzone=dlv.druz.
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 13fb924..1ffa279 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -126,8 +126,8 @@ zone=in-addr.arpa.
infile=in-addr.arpa.db.in
zonefile=in-addr.arpa.db
-keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone`
+keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
@@ -138,7 +138,7 @@ privzone=private.secure.example
privinfile=private.secure.example.db.in
privzonefile=private.secure.example.db
-privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone`
+privkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $privzone`
cat $privinfile $privkeyname.key >$privzonefile
@@ -152,7 +152,7 @@ dlvinfile=dlv.db.in
dlvzonefile=dlv.db
dlvsetfile=dlvset-${privzone}${TP}
-dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone`
+dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $dlvzone`
cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile
diff --git a/bin/tests/system/dnssec/ns5/trusted.conf.bad b/bin/tests/system/dnssec/ns5/trusted.conf.bad
index ed30460..e6b1126 100644
--- a/bin/tests/system/dnssec/ns5/trusted.conf.bad
+++ b/bin/tests/system/dnssec/ns5/trusted.conf.bad
@@ -10,5 +10,5 @@
*/
trusted-keys {
- "." 256 3 1 "AQO6Cl+slAf+iuieDim9L3kujFHQD7s/IOj03ClMOpKYcTXtK4mRpuULVfvWxDi9Ew/gj0xLnnX7z9OJHIxLI+DSrAHd8Dm0XfBEAtVtJSn70GaPZgnLMw1rk5ap2DsEoWk=";
+ "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV";
};
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index b31c1b4..a5e237b 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3235,8 +3235,8 @@ do
alg=`expr $alg + 1`
continue;;
3) size="-b 512";;
- 5) size="-b 512";;
- 6) size="-b 512";;
+ 5) size="-b 1024";;
+ 6) size="-b 1024";;
7) size="-b 512";;
8) size="-b 512";;
10) size="-b 1024";;
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
index c1249ed..20a3139 100644 index 8b9deb6..ceb4fe8 100644
--- a/bin/tests/system/feature-test.c --- a/bin/tests/system/feature-test.c
+++ b/bin/tests/system/feature-test.c +++ b/bin/tests/system/feature-test.c
@@ -19,6 +19,7 @@ @@ -19,6 +19,7 @@
#include <isc/print.h> #include <isc/print.h>
#include <isc/util.h> #include <isc/util.h>
#include <isc/net.h> #include <isc/net.h>
+#include <isc/md5.h> +#include <isc/md.h>
#include <dns/edns.h> #include <dns/edns.h>
#ifdef WIN32 #ifdef WIN32
@@ -47,6 +48,7 @@ usage() { @@ -159,6 +160,18 @@ main(int argc, char **argv) {
fprintf(stderr, " --have-geoip2\n");
fprintf(stderr, " --have-libxml2\n");
fprintf(stderr, " --ipv6only=no\n");
+ fprintf(stderr, " --md5\n");
fprintf(stderr, " --rpz-nsdname\n");
fprintf(stderr, " --rpz-nsip\n");
fprintf(stderr, " --with-idn\n");
@@ -155,6 +157,18 @@ main(int argc, char **argv) {
#endif #endif
} }
+ if (strcmp(argv[1], "--md5") == 0) { + if (strcmp(argv[1], "--md5") == 0) {
+#ifdef PK11_MD5_DISABLE + unsigned char digest[ISC_MAX_MD_SIZE];
+ return (1); + const char test[] = test;
+#else +
+ if (isc_md5_available()) { + if (isc_md(ISC_MD_MD5, test, sizeof(test),
+ digest, sizeof(digest)) == ISC_R_SUCCESS) {
+ return (0); + return (0);
+ } else { + } else {
+ return (1); + return (1);
+ } + }
+#endif
+ } + }
+ +
if (strcmp(argv[1], "--rpz-nsip") == 0) { if (strcmp(argv[1], "--ipv6only=no") == 0) {
#ifdef ENABLE_RPZ_NSIP #ifdef WIN32
return (0); return (0);
diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh
index f755581..4a7d890 100755
--- a/bin/tests/system/filter-aaaa/ns1/sign.sh
+++ b/bin/tests/system/filter-aaaa/ns1/sign.sh
@@ -21,8 +21,8 @@ infile=signed.db.in
zonefile=signed.db.signed
outfile=signed.db.signed
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh
index f755581..4a7d890 100755
--- a/bin/tests/system/filter-aaaa/ns4/sign.sh
+++ b/bin/tests/system/filter-aaaa/ns4/sign.sh
@@ -21,8 +21,8 @@ infile=signed.db.in
zonefile=signed.db.signed
outfile=signed.db.signed
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
index cfcfe8f..0a1614d 100644 index 2976bfc..256d846 100644
--- a/bin/tests/system/notify/ns5/named.conf.in --- a/bin/tests/system/notify/ns5/named.conf.in
+++ b/bin/tests/system/notify/ns5/named.conf.in +++ b/bin/tests/system/notify/ns5/named.conf.in
@@ -10,17 +10,17 @@ @@ -10,17 +10,17 @@
@ -1065,7 +630,7 @@ index cfcfe8f..0a1614d 100644
}; };
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
index 1f6e6d0..c08bd25 100644 index fb2eb74..0e45424 100644
--- a/bin/tests/system/notify/tests.sh --- a/bin/tests/system/notify/tests.sh
+++ b/bin/tests/system/notify/tests.sh +++ b/bin/tests/system/notify/tests.sh
@@ -212,16 +212,16 @@ ret=0 @@ -212,16 +212,16 @@ ret=0
@ -1089,22 +654,9 @@ index 1f6e6d0..c08bd25 100644
grep "test string" dig.out.b.ns5.test$n > /dev/null && grep "test string" dig.out.b.ns5.test$n > /dev/null &&
grep "test string" dig.out.c.ns5.test$n > /dev/null && grep "test string" dig.out.c.ns5.test$n > /dev/null &&
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
index 1d999ad..26b6b7c 100644 index e7b6adb..4ad5cc1 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf.in --- a/bin/tests/system/nsupdate/ns1/named.conf.in
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in +++ b/bin/tests/system/nsupdate/ns1/named.conf.in
@@ -32,7 +32,7 @@ controls {
};
key altkey {
- algorithm hmac-md5;
+ algorithm hmac-sha512;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
index 4549184..cb7dccd 100644
--- a/bin/tests/system/nsupdate/ns2/named.conf.in
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
@@ -33,7 +33,7 @@ controls { @@ -33,7 +33,7 @@ controls {
}; };
@ -1114,29 +666,41 @@ index 4549184..cb7dccd 100644
secret "1234abcd8765"; secret "1234abcd8765";
}; };
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
index b703843..8bfe2b0 100644
--- a/bin/tests/system/nsupdate/ns2/named.conf.in
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
@@ -32,7 +32,7 @@ controls {
};
key altkey {
- algorithm hmac-md5;
+ algorithm hmac-sha512;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index 21805c5..0d3d85c 100644 index 5d70114..6c4b55a 100644
--- a/bin/tests/system/nsupdate/setup.sh --- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh +++ b/bin/tests/system/nsupdate/setup.sh
@@ -58,7 +58,12 @@ EOF @@ -56,7 +56,11 @@ EOF
$DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key $DDNSCONFGEN -q -z example.nil > ns1/ddns.key
-$DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key -$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
+if $FEATURETEST --md5; then +if $FEATURETEST --md5; then
+ $DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key + $DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
+else +else
+ echo -n > ns1/md5.key + echo -n > ns1/md5.key
+fi +fi
+ $DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key $DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key $DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index 4da4849..b3bc807 100755 index dd0286f..906135c 100755
--- a/bin/tests/system/nsupdate/tests.sh --- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh
@@ -708,7 +708,14 @@ fi @@ -700,7 +700,14 @@ fi
n=`expr $n + 1` n=`expr $n + 1`
ret=0 ret=0
echo_i "check TSIG key algorithms ($n)" echo_i "check TSIG key algorithms ($n)"
@ -1152,7 +716,7 @@ index 4da4849..b3bc807 100755
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1 $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
server 10.53.0.1 ${PORT} server 10.53.0.1 ${PORT}
update add ${alg}.keytests.nil. 600 A 10.10.10.3 update add ${alg}.keytests.nil. 600 A 10.10.10.3
@@ -716,7 +723,7 @@ send @@ -708,7 +715,7 @@ send
END END
done done
sleep 2 sleep 2
@ -1162,10 +726,10 @@ index 4da4849..b3bc807 100755
done done
if [ $ret -ne 0 ]; then if [ $ret -ne 0 ]; then
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
index 343869e..c30efb0 100644 index cb64dd9..c9b2447 100644
--- a/bin/tests/system/rndc/setup.sh --- a/bin/tests/system/rndc/setup.sh
+++ b/bin/tests/system/rndc/setup.sh +++ b/bin/tests/system/rndc/setup.sh
@@ -37,7 +37,7 @@ make_key () { @@ -35,7 +35,7 @@ make_key () {
sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
} }
@ -1175,10 +739,10 @@ index 343869e..c30efb0 100644
make_key 3 ${EXTRAPORT3} hmac-sha224 make_key 3 ${EXTRAPORT3} hmac-sha224
make_key 4 ${EXTRAPORT4} hmac-sha256 make_key 4 ${EXTRAPORT4} hmac-sha256
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
index 57e066d..186a723 100644 index 7cbe2c7..b8cc6a0 100644
--- a/bin/tests/system/rndc/tests.sh --- a/bin/tests/system/rndc/tests.sh
+++ b/bin/tests/system/rndc/tests.sh +++ b/bin/tests/system/rndc/tests.sh
@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi @@ -356,15 +356,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
@ -1208,15 +772,6 @@ index 57e066d..186a723 100644
n=`expr $n + 1` n=`expr $n + 1`
echo_i "testing rndc with hmac-sha1 ($n)" echo_i "testing rndc with hmac-sha1 ($n)"
diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh
index 576ec70..cb7a852 100644
--- a/bin/tests/system/tsig/clean.sh
+++ b/bin/tests/system/tsig/clean.sh
@@ -20,3 +20,4 @@ rm -f */named.run
rm -f ns*/named.lock
rm -f Kexample.net.+163+*
rm -f keygen.out?
+rm -f ns1/named.conf
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
index fbf30c6..f61657d 100644 index fbf30c6..f61657d 100644
--- a/bin/tests/system/tsig/ns1/named.conf.in --- a/bin/tests/system/tsig/ns1/named.conf.in
@ -1246,20 +801,20 @@ index fbf30c6..f61657d 100644
key "sha1-trunc" { key "sha1-trunc" {
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
index 4dd4a25..aa0f966 100644 index b3e0450..90a6ce4 100644
--- a/bin/tests/system/tsig/setup.sh --- a/bin/tests/system/tsig/setup.sh
+++ b/bin/tests/system/tsig/setup.sh +++ b/bin/tests/system/tsig/setup.sh
@@ -17,3 +17,8 @@ $SHELL clean.sh @@ -15,3 +15,8 @@ SYSTEMTESTTOP=..
copy_setports ns1/named.conf.in ns1/named.conf $SHELL clean.sh
test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE copy_setports ns1/named.conf.in ns1/named.conf
+ +
+if $FEATURETEST --md5 +if $FEATURETEST --md5
+then +then
+ cat ns1/rndc5.conf.in >> ns1/named.conf + cat ns1/rndc5.conf.in >> ns1/named.conf
+fi +fi
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
index f731fa6..cade35b 100644 index 3a720de..e20e7f9 100644
--- a/bin/tests/system/tsig/tests.sh --- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh +++ b/bin/tests/system/tsig/tests.sh
@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f @@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
@ -1350,19 +905,8 @@ index f731fa6..cade35b 100644
fi fi
echo_i "fetching using hmac-sha1-80 (BADTRUNC)" echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh
index 0d21c7b..dbcb7b4 100644
--- a/bin/tests/system/tsiggss/setup.sh
+++ b/bin/tests/system/tsiggss/setup.sh
@@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
copy_setports ns1/named.conf.in ns1/named.conf
-key=`$KEYGEN -Cq -K ns1 -a DSA -b 512 -r $RANDFILE -n HOST -T KEY key.example.nil.`
+key=`$KEYGEN -Cq -K ns1 -a DSA -b 1024 -r $RANDFILE -n HOST -T KEY key.example.nil.`
cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
index e0a30cd..6a77b1c 100644 index ea42b4d..08676da 100644
--- a/bin/tests/system/upforwd/ns1/named.conf.in --- a/bin/tests/system/upforwd/ns1/named.conf.in
+++ b/bin/tests/system/upforwd/ns1/named.conf.in +++ b/bin/tests/system/upforwd/ns1/named.conf.in
@@ -10,7 +10,7 @@ @@ -10,7 +10,7 @@
@ -1387,22 +931,6 @@ index b0694bb..9adae82 100644
server 10.53.0.3 ${PORT} server 10.53.0.3 ${PORT}
update add updated.example. 600 A 10.10.10.1 update add updated.example. 600 A 10.10.10.1
update add updated.example. 600 TXT Foo update add updated.example. 600 TXT Foo
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
new file mode 100644
index 0000000..0682194
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
@@ -0,0 +1,10 @@
+# Conditionally included when support for MD5 is available
+key "md5" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5;
+};
+
+key "md5-trunc" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5-80;
+};
-- --
2.20.1 2.20.1


@ -1,92 +0,0 @@
From ec50eff97c259b5bfbfa4e050d69fe7b39b0f15a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 25 Sep 2018 18:08:46 +0200
Subject: [PATCH] Disable IDN from environment as documented
Manual page of host contained instructions to disable IDN processing
when it was built with libidn2. When refactoring IDN support however,
support for disabling IDN in host and nslookup was lost. Use also
environment variable and document it for nslookup, host and dig.
Support variable CHARSET=ASCII to disable IDN, supported in downstream
RH patch since RHEL 5.
---
bin/dig/dig.docbook | 4 +++-
bin/dig/dighost.c | 5 +++++
bin/dig/host.docbook | 2 +-
bin/dig/nslookup.docbook | 15 +++++++++++++++
4 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index 5d19301..933af79 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -1312,7 +1312,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
reply from the server.
If you'd like to turn off the IDN support for some reason, use
parameters <parameter>+noidnin</parameter> and
- <parameter>+noidnout</parameter>.
+ <parameter>+noidnout</parameter> or define
+ the <envar>IDN_DISABLE</envar> environment variable.
+
</para>
</refsection>
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 5eabc1f..73aaab8 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -826,6 +826,11 @@ make_empty_lookup(void) {
looknew->badcookie = true;
#ifdef WITH_IDN_SUPPORT
looknew->idnin = isatty(1)?(getenv("IDN_DISABLE") == NULL):false;
+ if (looknew->idnin) {
+ const char *charset = getenv("CHARSET");
+ if (charset && !strcmp(charset, "ASCII"))
+ looknew->idnin = false;
+ }
#else
looknew->idnin = false;
#endif
diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook
index da0f8fb..9689b5a 100644
--- a/bin/dig/host.docbook
+++ b/bin/dig/host.docbook
@@ -379,7 +379,7 @@
<command>host</command> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
- If you'd like to turn off the IDN support for some reason, defines
+ If you'd like to turn off the IDN support for some reason, define
the <envar>IDN_DISABLE</envar> environment variable.
The IDN support is disabled if the variable is set when
<command>host</command> runs.
diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook
index d46fc2d..6d7d181 100644
--- a/bin/dig/nslookup.docbook
+++ b/bin/dig/nslookup.docbook
@@ -495,6 +495,21 @@ nslookup -query=hinfo -timeout=10
</para>
</refsection>
+ <refsection><info><title>IDN SUPPORT</title></info>
+
+ <para>
+ If <command>nslookup</command> has been built with IDN (internationalized
+ domain name) support, it can accept and display non-ASCII domain names.
+ <command>nslookup</command> appropriately converts character encoding of
+ domain name before sending a request to DNS server or displaying a
+ reply from the server.
+ If you'd like to turn off the IDN support for some reason, define
+ the <envar>IDN_DISABLE</envar> environment variable.
+ The IDN support is disabled if the variable is set when
+ <command>nslookup</command> runs.
+ </para>
+ </refsection>
+
<refsection><info><title>FILES</title></info>
<para><filename>/etc/resolv.conf</filename>
--
2.20.1


@ -1,288 +0,0 @@
From 76594cba9a1e910bb36160d96fc3872349341799 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Wed, 25 Apr 2018 14:04:31 +0200
Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts
(cherry picked from commit 66ba2fdad583d962a1f4971c85d58381f0849e4d)
Remove isc_safe_memcompare, it's not needed anywhere and can't be replaced with CRYPTO_memcmp()
(cherry picked from commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c)
Fix the isc_safe_memwipe() usage with (NULL, >0)
(cherry picked from commit 083461d3329ff6f2410745848a926090586a9846)
---
bin/dnssec/dnssec-signzone.c | 2 +-
lib/dns/nsec3.c | 4 +-
lib/dns/spnego.c | 4 +-
lib/isc/Makefile.in | 8 +---
lib/isc/include/isc/safe.h | 18 ++------
lib/isc/safe.c | 83 ------------------------------------
lib/isc/tests/safe_test.c | 18 --------
7 files changed, 11 insertions(+), 126 deletions(-)
delete mode 100644 lib/isc/safe.c
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 6ddaebe..d921870 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -787,7 +787,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
static int
hashlist_comp(const void *a, const void *b) {
- return (isc_safe_memcompare(a, b, hash_length + 1));
+ return (memcmp(a, b, hash_length + 1));
}
static void
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index 6ae7ca8..01426d6 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -1963,7 +1963,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
* Work out what this NSEC3 covers.
* Inside (<0) or outside (>=0).
*/
- scope = isc_safe_memcompare(owner, nsec3.next, nsec3.next_length);
+ scope = memcmp(owner, nsec3.next, nsec3.next_length);
/*
* Prepare to compute all the hashes.
@@ -1987,7 +1987,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
return (ISC_R_IGNORE);
}
- order = isc_safe_memcompare(hash, owner, length);
+ order = memcmp(hash, owner, length);
if (first && order == 0) {
/*
* The hashes are the same.
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
index ad77f24..670982a 100644
--- a/lib/dns/spnego.c
+++ b/lib/dns/spnego.c
@@ -371,7 +371,7 @@ gssapi_spnego_decapsulate(OM_uint32 *,
/* mod_auth_kerb.c */
-static int
+static isc_boolean_t
cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
{
unsigned char *p;
@@ -395,7 +395,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
if (((OM_uint32) *p++) != gssoid->length)
return (GSS_S_DEFECTIVE_TOKEN);
- return (isc_safe_memcompare(p, gssoid->elements, gssoid->length));
+ return (!isc_safe_memequal(p, gssoid->elements, gssoid->length));
}
/* accept_sec_context.c */
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
index 0fd0837..8ad54bb 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \
ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \
rwlock.@O@ \
- safe.@O@ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
+ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
tm.@O@ timer.@O@ version.@O@ \
${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
@@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \
netaddr.c netscope.c pool.c ondestroy.c \
parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \
ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \
- safe.c serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
+ serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
strtoul.c symtab.c task.c taskpool.c timer.c \
tm.c version.c
@@ -95,10 +95,6 @@ TESTDIRS = @UNITTESTS@
@BIND9_MAKE_RULES@
-safe.@O@: safe.c
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} @CCNOOPT@ \
- -c ${srcdir}/safe.c
-
version.@O@: version.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h
index 66ed08b..88b8f47 100644
--- a/lib/isc/include/isc/safe.h
+++ b/lib/isc/include/isc/safe.h
@@ -15,29 +15,19 @@
/*! \file isc/safe.h */
-#include <stdbool.h>
-
-#include <isc/types.h>
-#include <stdlib.h>
+#include <isc/lang.h>
+#include <openssl/crypto.h>
ISC_LANG_BEGINDECLS
-bool
-isc_safe_memequal(const void *s1, const void *s2, size_t n);
+#define isc_safe_memequal(s1, s2, n) !CRYPTO_memcmp(s1, s2, n)
/*%<
* Returns true iff. two blocks of memory are equal, otherwise
* false.
*
*/
-int
-isc_safe_memcompare(const void *b1, const void *b2, size_t len);
-/*%<
- * Clone of libc memcmp() which is safe to differential timing attacks.
- */
-
-void
-isc_safe_memwipe(void *ptr, size_t len);
+#define isc_safe_memwipe(ptr, len) OPENSSL_cleanse(ptr, len)
/*%<
* Clear the memory of length `len` pointed to by `ptr`.
*
diff --git a/lib/isc/safe.c b/lib/isc/safe.c
deleted file mode 100644
index 7a464b6..0000000
--- a/lib/isc/safe.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdbool.h>
-
-#include <isc/safe.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#ifdef WIN32
-#include <windows.h>
-#endif
-
-#ifdef _MSC_VER
-#pragma optimize("", off)
-#endif
-
-bool
-isc_safe_memequal(const void *s1, const void *s2, size_t n) {
- uint8_t acc = 0;
-
- if (n != 0U) {
- const uint8_t *p1 = s1, *p2 = s2;
-
- do {
- acc |= *p1++ ^ *p2++;
- } while (--n != 0U);
- }
- return (acc == 0);
-}
-
-
-int
-isc_safe_memcompare(const void *b1, const void *b2, size_t len) {
- const unsigned char *p1 = b1, *p2 = b2;
- size_t i;
- int res = 0, done = 0;
-
- for (i = 0; i < len; i++) {
- /* lt is -1 if p1[i] < p2[i]; else 0. */
- int lt = (p1[i] - p2[i]) >> CHAR_BIT;
-
- /* gt is -1 if p1[i] > p2[i]; else 0. */
- int gt = (p2[i] - p1[i]) >> CHAR_BIT;
-
- /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */
- int cmp = lt - gt;
-
- /* set res = cmp if !done. */
- res |= cmp & ~done;
-
- /* set done if p1[i] != p2[i]. */
- done |= lt | gt;
- }
-
- return (res);
-}
-
-void
-isc_safe_memwipe(void *ptr, size_t len) {
- if (ISC_UNLIKELY(ptr == NULL || len == 0))
- return;
-
-#ifdef WIN32
- SecureZeroMemory(ptr, len);
-#elif HAVE_EXPLICIT_BZERO
- explicit_bzero(ptr, len);
-#else
- memset(ptr, 0, len);
-#endif
-}
diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c
index 266ac75..60e9181 100644
--- a/lib/isc/tests/safe_test.c
+++ b/lib/isc/tests/safe_test.c
@@ -45,22 +45,6 @@ isc_safe_memequal_test(void **state) {
"\x00\x00\x00\x00", 4));
}
-/* test isc_safe_memcompare() */
-static void
-isc_safe_memcompare_test(void **state) {
- UNUSED(state);
-
- assert_int_equal(isc_safe_memcompare("test", "test", 4), 0);
- assert_true(isc_safe_memcompare("test", "tesc", 4) > 0);
- assert_true(isc_safe_memcompare("test", "tesy", 4) < 0);
- assert_int_equal(isc_safe_memcompare("\x00\x00\x00\x00",
- "\x00\x00\x00\x00", 4), 0);
- assert_true(isc_safe_memcompare("\x00\x00\x00\x00",
- "\x00\x00\x00\x01", 4) < 0);
- assert_true(isc_safe_memcompare("\x00\x00\x00\x02",
- "\x00\x00\x00\x00", 4) > 0);
-}
-
/* test isc_safe_memwipe() */
static void
isc_safe_memwipe_test(void **state) {
@@ -69,7 +53,6 @@ isc_safe_memwipe_test(void **state) {
/* These should pass. */
isc_safe_memwipe(NULL, 0);
isc_safe_memwipe((void *) -1, 0);
- isc_safe_memwipe(NULL, 42);
/*
* isc_safe_memwipe(ptr, size) should function same as
@@ -108,7 +91,6 @@ main(void) {
const struct CMUnitTest tests[] = {
cmocka_unit_test(isc_safe_memequal_test),
cmocka_unit_test(isc_safe_memwipe_test),
- cmocka_unit_test(isc_safe_memcompare_test),
};
return (cmocka_run_group_tests(tests, NULL, NULL));
--
2.20.1


@ -1,48 +0,0 @@
From b16a1ff25644bb075f454afe68ee63f6f385ca9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 23 Jan 2019 21:11:07 +0100
Subject: [PATCH] Made RAND_status check optional (broke --disable-crypto-rand)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Unlike upstream, skip it also for DHCP.
Disable RAND_status also in non-threaded builds. DHCP is built without
threads and should not check RAND_status on dns library initialization.
Lack of entropy is possible state for dhclient, but it must not fail
even in this case. Because DHCP itself does not require custom random
generator, leave default RAND_OpenSSL configured. It should help TLS
connection to LDAP in single DHCP binary, while keeping secure random
data if needed.
(modified upstream commit 8a98277811ea50035ff37b744fa3dc5b75bee099)
Signed-off-by: Petr Menšík <pemensik@redhat.com>
---
lib/dns/openssl_link.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 7a233dd..941eb17 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -289,6 +289,7 @@ dst__openssl_init(const char *engine) {
#endif
#endif /* !defined(OPENSSL_NO_ENGINE) */
+#if defined(ISC_PLATFORM_CRYPTORANDOM) && defined(ISC_PLATFORM_USETHREADS)
/* Protect ourselves against unseeded PRNG */
if (RAND_status() != 1) {
FATAL_ERROR(__FILE__, __LINE__,
@@ -296,6 +297,7 @@ dst__openssl_init(const char *engine) {
"cannot be initialized (see the `PRNG not "
"seeded' message in the OpenSSL FAQ)");
}
+#endif
return (ISC_R_SUCCESS);
--
2.20.1


@ -1,4 +1,4 @@
From 373f07148217a8e70e33446f5108fb42d1079ba6 Mon Sep 17 00:00:00 2001 From 605d1575414c67f5e7eefeaae9dd2d0820c082dc Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com> From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 21 Feb 2019 22:42:27 +0100 Date: Thu, 21 Feb 2019 22:42:27 +0100
Subject: [PATCH] Disable random_test Subject: [PATCH] Disable random_test
@ -9,19 +9,18 @@ subtests can occasionally fail, stop it.
It can be used again by defining 'unstable' variable in Kyuafile. It can be used again by defining 'unstable' variable in Kyuafile.
--- ---
lib/isc/tests/Kyuafile | 2 +- lib/isc/tests/Kyuafile | 1 +
1 file changed, 1 insertion(+), 1 deletion(-) 1 file changed, 1 insertion(+)
diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile
index 4cd2574..9df2340 100644 index e2b2498..df2741e 100644
--- a/lib/isc/tests/Kyuafile --- a/lib/isc/tests/Kyuafile
+++ b/lib/isc/tests/Kyuafile +++ b/lib/isc/tests/Kyuafile
@@ -19,7 +19,7 @@ tap_test_program{name='pool_test'} @@ -18,6 +18,7 @@ tap_test_program{name='parse_test'}
tap_test_program{name='print_test'} tap_test_program{name='pool_test'}
tap_test_program{name='queue_test'} tap_test_program{name='queue_test'}
tap_test_program{name='radix_test'} tap_test_program{name='radix_test'}
-tap_test_program{name='random_test'} +-- tap_test_program{name='random_test', required_configs='unstable'}
+tap_test_program{name='random_test', required_configs='unstable'}
tap_test_program{name='regex_test'} tap_test_program{name='regex_test'}
tap_test_program{name='result_test'} tap_test_program{name='result_test'}
tap_test_program{name='safe_test'} tap_test_program{name='safe_test'}
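Review bot: The added Kyuafile line starts with `--`, which is a Lua comment, so `random_test` is no longer registered at all, yet the patch description kept above still says it "can be used again by defining 'unstable' variable in Kyuafile". With the line commented out, setting that variable has no effect and the statistical check of the random generator silently drops out of the unit suite. If the test really is absent in this release, as the spec comment "not present on 9.14.0" suggests, dropping the patch would be cleaner than carrying a dead comment. Otherwise keep the live form `tap_test_program{name='random_test', required_configs='unstable'}` so the description stays true.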


@ -133,23 +133,25 @@ Patch150:bind-9.11-engine-pkcs11.patch
Patch153:bind-9.11-export-suffix.patch Patch153:bind-9.11-export-suffix.patch
Patch154:bind-9.11-oot-manual.patch Patch154:bind-9.11-oot-manual.patch
Patch155:bind-9.11-pk11.patch Patch155:bind-9.11-pk11.patch
Patch156:bind-9.11-fips-code.patch # FIXME: needs review. Should not be required
#Patch156:bind-9.11-fips-code.patch
Patch157:bind-9.11-fips-tests.patch Patch157:bind-9.11-fips-tests.patch
# [RT #31459] commit 06a8051d2476fb526fe6960832209392c763a9af # [RT #31459] commit 06a8051d2476fb526fe6960832209392c763a9af
Patch158:bind-9.11-rt31459.patch #Patch158:bind-9.11-rt31459.patch
# [RT #46047] commit 24172bd2eeba91441ab1c65d2717b0692309244a ISC 4724 # [RT #46047] commit 24172bd2eeba91441ab1c65d2717b0692309244a ISC 4724
Patch159:bind-9.11-rt46047.patch #Patch159:bind-9.11-rt46047.patch
# commit 66ba2fdad583d962a1f4971c85d58381f0849e4d # commit 66ba2fdad583d962a1f4971c85d58381f0849e4d
# commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c # commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c
# commit 083461d3329ff6f2410745848a926090586a9846 # commit 083461d3329ff6f2410745848a926090586a9846
Patch160:bind-9.11-rh1624100.patch #Patch160:bind-9.11-rh1624100.patch
# https://gitlab.isc.org/isc-projects/bind9/issues/555 # https://gitlab.isc.org/isc-projects/bind9/issues/555
Patch161:bind-9.11-host-idn-disable.patch #Patch161:bind-9.11-host-idn-disable.patch
# https://gitlab.isc.org/isc-projects/bind9/commit/8a98277811e # https://gitlab.isc.org/isc-projects/bind9/commit/8a98277811e
Patch163:bind-9.11-rh1663318.patch #Patch163:bind-9.11-rh1663318.patch
# https://gitlab.isc.org/isc-projects/bind9/issues/819 # https://gitlab.isc.org/isc-projects/bind9/issues/819
Patch164:bind-9.11-rh1666814.patch Patch164:bind-9.11-rh1666814.patch
# random_test fails too often by random, disable it # random_test fails too often by random, disable it
# not present on 9.14.0
Patch168:bind-9.11-unit-disable-random.patch Patch168:bind-9.11-unit-disable-random.patch
Patch170:bind-9.11-feature-test-named.patch Patch170:bind-9.11-feature-test-named.patch
Patch171:bind-9.11-tests-variants.patch Patch171:bind-9.11-tests-variants.patch
@ -545,13 +547,13 @@ are used for building ISC DHCP.
%patch153 -p1 -b .export_suffix %patch153 -p1 -b .export_suffix
%patch154 -p1 -b .oot-man %patch154 -p1 -b .oot-man
%patch155 -p1 -b .pk11-internal %patch155 -p1 -b .pk11-internal
%patch156 -p1 -b .fips-code #%patch156 -p1 -b .fips-code
%patch157 -p1 -b .fips-tests %patch157 -p1 -b .fips-tests
%patch158 -p1 -b .rt31459 #%patch158 -p1 -b .rt31459
%patch159 -p1 -b .rt46047 #%patch159 -p1 -b .rt46047
%patch160 -p1 -b .rh1624100 #%patch160 -p1 -b .rh1624100
%patch161 -p1 -b .host-idn-disable #%patch161 -p1 -b .host-idn-disable
%patch163 -p1 -b .rh1663318 #%patch163 -p1 -b .rh1663318
%patch164 -p1 -b .rh1666814 %patch164 -p1 -b .rh1666814
%patch168 -p1 -b .random_test-disable %patch168 -p1 -b .random_test-disable
%patch170 -p1 -b .featuretest-named %patch170 -p1 -b .featuretest-named
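Review bot: `Patch156` (fips-code) is switched off with only `# FIXME: needs review. Should not be required`, while `%patch157` (fips-tests) is still applied, so the test suite is adapted for FIPS mode without the code-side patch. Whether 9.14 makes that patch unnecessary is not visible here and should be confirmed on a FIPS-enabled host before this ships. The same question applies to 160, 161 and 163, because the patch descriptions deleted on this page mention downstream-only behaviour (`CHARSET=ASCII` disabling IDN, skipping the `RAND_status` check for non-threaded DHCP builds) that an upstream rebase may not carry. I would give each disabled patch a one-line reason, e.g. `# Patch163 dropped for 9.14: <merged upstream | still needed, see TRACKING-ID-PLACEHOLDER>`, and remove the `#Patch…`/`#%patch…` pairs whose files this commit deletes.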


@ -1,14 +0,0 @@
diff -up bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163 bind-9.7.2-P3/lib/lwres/lwconfig.c
--- bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163 2011-01-28 14:48:38.934472578 +0100
+++ bind-9.7.2-P3/lib/lwres/lwconfig.c 2011-01-28 14:49:50.421326035 +0100
@@ -612,6 +612,10 @@ lwres_conf_parse(lwres_context_t *ctx, c
break;
}
+ /* Ignore options with no parameters */
+ if (stopchar == '\n')
+ continue;
+
if (strlen(word) == 0U)
rval = LWRES_R_SUCCESS;
else if (strcmp(word, "nameserver") == 0)
