Initial steps towards buildable 9.14
parent
7726ce77a6
commit
0b18b1b517
@ -1,4 +1,4 @@
|
||||
From c23daf334d5487fa53fef88c82312e439a2d8523 Mon Sep 17 00:00:00 2001
|
||||
From f37b26cb7c8f7351d22dfea79df33edb74d42e23 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Thu, 2 Aug 2018 23:46:45 +0200
|
||||
Subject: [PATCH] FIPS tests changes
|
||||
@ -76,35 +76,22 @@ Date: Wed Mar 7 10:44:23 2018 +0100
|
||||
bin/tests/system/catz/ns2/named.conf.in | 2 +-
|
||||
bin/tests/system/checkconf/bad-tsig.conf | 2 +-
|
||||
bin/tests/system/checkconf/good.conf | 2 +-
|
||||
bin/tests/system/digdelv/ns2/example.db | 15 +++--
|
||||
bin/tests/system/digdelv/tests.sh | 20 +++---
|
||||
bin/tests/system/dlv/ns1/sign.sh | 4 +-
|
||||
bin/tests/system/dlv/ns2/sign.sh | 4 +-
|
||||
bin/tests/system/dlv/ns6/sign.sh | 66 +++++++++---------
|
||||
bin/tests/system/dnssec/ns2/sign.sh | 8 +--
|
||||
bin/tests/system/dnssec/ns5/trusted.conf.bad | 2 +-
|
||||
bin/tests/system/dnssec/tests.sh | 4 +-
|
||||
bin/tests/system/feature-test.c | 14 ++++
|
||||
bin/tests/system/filter-aaaa/ns1/sign.sh | 4 +-
|
||||
bin/tests/system/filter-aaaa/ns4/sign.sh | 4 +-
|
||||
bin/tests/system/dlv/ns3/sign.sh | 1 +
|
||||
bin/tests/system/feature-test.c | 13 ++++
|
||||
bin/tests/system/notify/ns5/named.conf.in | 6 +-
|
||||
bin/tests/system/notify/tests.sh | 6 +-
|
||||
bin/tests/system/nsupdate/ns1/named.conf.in | 2 +-
|
||||
bin/tests/system/nsupdate/ns2/named.conf.in | 2 +-
|
||||
bin/tests/system/nsupdate/setup.sh | 7 +-
|
||||
bin/tests/system/nsupdate/setup.sh | 6 +-
|
||||
bin/tests/system/nsupdate/tests.sh | 11 ++-
|
||||
bin/tests/system/rndc/setup.sh | 2 +-
|
||||
bin/tests/system/rndc/tests.sh | 23 ++++---
|
||||
bin/tests/system/tsig/clean.sh | 1 +
|
||||
bin/tests/system/tsig/ns1/named.conf.in | 10 +--
|
||||
bin/tests/system/tsig/setup.sh | 5 ++
|
||||
bin/tests/system/tsig/tests.sh | 67 ++++++++++++-------
|
||||
bin/tests/system/tsiggss/setup.sh | 2 +-
|
||||
bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
|
||||
bin/tests/system/upforwd/tests.sh | 2 +-
|
||||
bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++
|
||||
45 files changed, 232 insertions(+), 171 deletions(-)
|
||||
create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||
33 files changed, 151 insertions(+), 107 deletions(-)
|
||||
|
||||
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
|
||||
index 0ea6502..026db3f 100644
|
||||
@ -208,7 +195,7 @@ index 4b4e050..0e679a8 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
|
||||
index 09f31f2..f88f0d4 100644
|
||||
index fe49a86..d7819f1 100644
|
||||
--- a/bin/tests/system/acl/tests.sh
|
||||
+++ b/bin/tests/system/acl/tests.sh
|
||||
@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing"
|
||||
@ -334,11 +321,11 @@ index 09f31f2..f88f0d4 100644
|
||||
|
||||
echo_i "testing allow-query-on ACL processing"
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
|
||||
index 1569913..e9c5c2d 100644
|
||||
index c5f38c9..00db0da 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named10.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in
|
||||
@@ -12,7 +12,7 @@
|
||||
controls { /* empty */ };
|
||||
@@ -10,7 +10,7 @@
|
||||
*/
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
@ -347,11 +334,11 @@ index 1569913..e9c5c2d 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
|
||||
index 18ac91c..2b1c873 100644
|
||||
index 56e5cc4..2c32b71 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named11.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in
|
||||
@@ -12,12 +12,12 @@
|
||||
controls { /* empty */ };
|
||||
@@ -10,12 +10,12 @@
|
||||
*/
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
@ -366,11 +353,11 @@ index 18ac91c..2b1c873 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
|
||||
index b824844..dd48945 100644
|
||||
index 8381950..21a6366 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named12.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in
|
||||
@@ -12,7 +12,7 @@
|
||||
controls { /* empty */ };
|
||||
@@ -10,7 +10,7 @@
|
||||
*/
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
@ -379,11 +366,11 @@ index b824844..dd48945 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
|
||||
index aeb1540..bfce58b 100644
|
||||
index 0e5ff55..a90ed6a 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named30.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in
|
||||
@@ -12,7 +12,7 @@
|
||||
controls { /* empty */ };
|
||||
@@ -10,7 +10,7 @@
|
||||
*/
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
@ -392,11 +379,11 @@ index aeb1540..bfce58b 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
|
||||
index d4b7432..e0f5252 100644
|
||||
index faadb3f..b99f337 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named31.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in
|
||||
@@ -12,12 +12,12 @@
|
||||
controls { /* empty */ };
|
||||
@@ -10,12 +10,12 @@
|
||||
*/
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
@ -411,11 +398,11 @@ index d4b7432..e0f5252 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
|
||||
index c025938..87afb3f 100644
|
||||
index 9e78dd0..ea7a413 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named32.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in
|
||||
@@ -12,7 +12,7 @@
|
||||
controls { /* empty */ };
|
||||
@@ -10,7 +10,7 @@
|
||||
*/
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
@ -424,10 +411,10 @@ index c025938..87afb3f 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
|
||||
index d83b376..d726b94 100644
|
||||
index f4bc399..e01f312 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named40.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in
|
||||
@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; };
|
||||
@@ -14,12 +14,12 @@ acl accept { 10.53.0.2; };
|
||||
acl badaccept { 10.53.0.1; };
|
||||
|
||||
key one {
|
||||
@ -443,10 +430,10 @@ index d83b376..d726b94 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
|
||||
index fb6059d..f960156 100644
|
||||
index 479910c..53b9e5c 100644
|
||||
--- a/bin/tests/system/allow-query/tests.sh
|
||||
+++ b/bin/tests/system/allow-query/tests.sh
|
||||
@@ -190,7 +190,7 @@ rndc_reload
|
||||
@@ -182,7 +182,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: key allowed - query allowed"
|
||||
ret=0
|
||||
@ -455,7 +442,7 @@ index fb6059d..f960156 100644
|
||||
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -203,7 +203,7 @@ rndc_reload
|
||||
@@ -195,7 +195,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: key not allowed - query refused"
|
||||
ret=0
|
||||
@ -464,7 +451,7 @@ index fb6059d..f960156 100644
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -216,7 +216,7 @@ rndc_reload
|
||||
@@ -208,7 +208,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: key disallowed - query refused"
|
||||
ret=0
|
||||
@ -473,7 +460,7 @@ index fb6059d..f960156 100644
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -349,7 +349,7 @@ rndc_reload
|
||||
@@ -341,7 +341,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: views key allowed - query allowed"
|
||||
ret=0
|
||||
@ -482,7 +469,7 @@ index fb6059d..f960156 100644
|
||||
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -362,7 +362,7 @@ rndc_reload
|
||||
@@ -354,7 +354,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: views key not allowed - query refused"
|
||||
ret=0
|
||||
@ -491,7 +478,7 @@ index fb6059d..f960156 100644
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -375,7 +375,7 @@ rndc_reload
|
||||
@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: views key disallowed - query refused"
|
||||
ret=0
|
||||
@ -500,7 +487,7 @@ index fb6059d..f960156 100644
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -508,7 +508,7 @@ status=`expr $status + $ret`
|
||||
@@ -500,7 +500,7 @@ status=`expr $status + $ret`
|
||||
n=`expr $n + 1`
|
||||
echo_i "test $n: zone key allowed - query allowed"
|
||||
ret=0
|
||||
@ -509,7 +496,7 @@ index fb6059d..f960156 100644
|
||||
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -518,7 +518,7 @@ status=`expr $status + $ret`
|
||||
@@ -510,7 +510,7 @@ status=`expr $status + $ret`
|
||||
n=`expr $n + 1`
|
||||
echo_i "test $n: zone key not allowed - query refused"
|
||||
ret=0
|
||||
@ -518,7 +505,7 @@ index fb6059d..f960156 100644
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -528,7 +528,7 @@ status=`expr $status + $ret`
|
||||
@@ -520,7 +520,7 @@ status=`expr $status + $ret`
|
||||
n=`expr $n + 1`
|
||||
echo_i "test $n: zone key disallowed - query refused"
|
||||
ret=0
|
||||
@ -563,10 +550,10 @@ index 21be03e..e57c308 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
|
||||
index 9ab35b3..486551a 100644
|
||||
index d627d2a..9d0322a 100644
|
||||
--- a/bin/tests/system/checkconf/good.conf
|
||||
+++ b/bin/tests/system/checkconf/good.conf
|
||||
@@ -153,6 +153,6 @@ dyndb "name" "library.so" {
|
||||
@@ -157,6 +157,6 @@ dyndb "name" "library.so" {
|
||||
system;
|
||||
};
|
||||
key "mykey" {
|
||||
@ -574,473 +561,51 @@ index 9ab35b3..486551a 100644
|
||||
+ algorithm "hmac-sha256";
|
||||
secret "qwertyuiopasdfgh";
|
||||
};
|
||||
diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db
|
||||
index f4e30f5..9f53e31 100644
|
||||
--- a/bin/tests/system/digdelv/ns2/example.db
|
||||
+++ b/bin/tests/system/digdelv/ns2/example.db
|
||||
@@ -38,12 +38,15 @@ foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890
|
||||
;;
|
||||
;; we are not testing DNSSEC behavior, so we don't care about the semantics
|
||||
;; of the following records.
|
||||
-dnskey 300 DNSKEY 256 3 1 (
|
||||
- AQPTpWyReB/e9Ii6mVGnakS8hX2zkh/iUYAg
|
||||
- +Ge4noWROpTWOIBvm76zeJPWs4Zfqa1IsswD
|
||||
- Ix5Mqeg0zwclz59uecKsKyx5w9IhtZ8plc4R
|
||||
- b9VIE5x7KNHAYTvTO5d4S8M=
|
||||
- )
|
||||
+dnskey 300 DNSKEY 256 3 8 (
|
||||
+ AwEAAaWmCoDpj2K59zcpqnmnQM7IC/XbjS6jIP7uTBR4X7p1bdQJzAeo
|
||||
+ EnMhnpnxPp0j+20eZm4847DB2U+HuHy79Mvqd3aozTmfBJvzjKs9qyba
|
||||
+ zY/ZHn6BDYxNJiFfjSS/VJ1KuQPDbpCzhm2hbvT5s9nSOaG0WyRk+d+R
|
||||
+ qEca11E7ZKkmmNiGlyzMAgfmTTBwgxWBAAhvd9nU1GqD6eQ6Z63hpTc/
|
||||
+ KDIHnFTo7pOcZ4z5urIKUMCMcFytedETlEoR5CIWGPdQq2eIEEMfn5ld
|
||||
+ QqdEZRHVErD9og8aluJ2s767HZb8LzjCfYgBFoT9/n48T75oZLEKtSkG
|
||||
+ /idCeeQlaLU=
|
||||
+ )
|
||||
|
||||
; TTL of 3 weeks
|
||||
weeks 1814400 A 10.53.0.2
|
||||
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
|
||||
index ade45ce..d3aff24 100644
|
||||
--- a/bin/tests/system/digdelv/tests.sh
|
||||
+++ b/bin/tests/system/digdelv/tests.sh
|
||||
@@ -106,7 +106,7 @@ if [ -x "$DIG" ] ; then
|
||||
echo_i "checking dig +rrcomments works for DNSKEY($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1
|
||||
+ grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
|
||||
check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
@@ -115,7 +115,7 @@ if [ -x "$DIG" ] ; then
|
||||
echo_i "checking dig +short +rrcomments works for DNSKEY ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1
|
||||
+ grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
@@ -123,7 +123,7 @@ if [ -x "$DIG" ] ; then
|
||||
echo_i "checking dig +short +nosplit works($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=$" < dig.out.test$n > /dev/null || ret=1
|
||||
+ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=$" < dig.out.test$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
@@ -131,7 +131,7 @@ if [ -x "$DIG" ] ; then
|
||||
echo_i "checking dig +short +rrcomments works($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < dig.out.test$n > /dev/null || ret=1
|
||||
+ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
@@ -148,7 +148,7 @@ if [ -x "$DIG" ] ; then
|
||||
echo_i "checking dig +short +rrcomments works($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < dig.out.test$n > /dev/null || ret=1
|
||||
+ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
@@ -695,7 +695,7 @@ if [ -x ${DELV} ] ; then
|
||||
echo_i "checking delv +rrcomments works for DNSKEY($n)"
|
||||
ret=0
|
||||
$DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||
- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null || ret=1
|
||||
+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null || ret=1
|
||||
check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
@@ -704,7 +704,7 @@ if [ -x ${DELV} ] ; then
|
||||
echo_i "checking delv +short +rrcomments works for DNSKEY ($n)"
|
||||
ret=0
|
||||
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||
- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null || ret=1
|
||||
+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
@@ -712,7 +712,7 @@ if [ -x ${DELV} ] ; then
|
||||
echo_i "checking delv +short +rrcomments works ($n)"
|
||||
ret=0
|
||||
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||
- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < delv.out.test$n > /dev/null || ret=1
|
||||
+ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < delv.out.test$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
@@ -720,7 +720,7 @@ if [ -x ${DELV} ] ; then
|
||||
echo_i "checking delv +short +nosplit works ($n)"
|
||||
ret=0
|
||||
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||
- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=" < delv.out.test$n > /dev/null || ret=1
|
||||
+ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=" < delv.out.test$n > /dev/null || ret=1
|
||||
if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
|
||||
f=`awk '{print NF}' < delv.out.test$n`
|
||||
test "${f:-0}" -eq 14 || ret=1
|
||||
@@ -731,7 +731,7 @@ if [ -x ${DELV} ] ; then
|
||||
echo_i "checking delv +short +nosplit +norrcomments works ($n)"
|
||||
ret=0
|
||||
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||
- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=$" < delv.out.test$n > /dev/null || ret=1
|
||||
+ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=$" < delv.out.test$n > /dev/null || ret=1
|
||||
if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
|
||||
f=`awk '{print NF}' < delv.out.test$n`
|
||||
test "${f:-0}" -eq 4 || ret=1
|
||||
diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh
|
||||
index 606e7cc..a3a0d60 100755
|
||||
--- a/bin/tests/system/dlv/ns1/sign.sh
|
||||
+++ b/bin/tests/system/dlv/ns1/sign.sh
|
||||
@@ -23,8 +23,8 @@ infile=root.db.in
|
||||
zonefile=root.db
|
||||
outfile=root.signed
|
||||
|
||||
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
|
||||
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh
|
||||
index 9825c57..202c978 100755
|
||||
--- a/bin/tests/system/dlv/ns2/sign.sh
|
||||
+++ b/bin/tests/system/dlv/ns2/sign.sh
|
||||
@@ -24,8 +24,8 @@ zonefile=druz.db
|
||||
outfile=druz.pre
|
||||
dlvzone=utld.
|
||||
|
||||
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
|
||||
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh
|
||||
index 1e39862..4ed19ac 100755
|
||||
--- a/bin/tests/system/dlv/ns6/sign.sh
|
||||
+++ b/bin/tests/system/dlv/ns6/sign.sh
|
||||
@@ -16,13 +16,15 @@ SYSTESTDIR=dlv
|
||||
|
||||
echo_i "dlv/ns6/sign.sh"
|
||||
|
||||
diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh
|
||||
index fa51ae1..bc46942 100755
|
||||
--- a/bin/tests/system/dlv/ns3/sign.sh
|
||||
+++ b/bin/tests/system/dlv/ns3/sign.sh
|
||||
@@ -19,6 +19,7 @@ echo_i "dlv/ns3/sign.sh"
|
||||
dlvzone=dlv.utld.
|
||||
dlvsets=
|
||||
dssets=
|
||||
+bits=1024
|
||||
+
|
||||
zone=grand.child1.utld.
|
||||
|
||||
zone=child1.utld.
|
||||
infile=child.db.in
|
||||
zonefile=grand.child1.utld.db
|
||||
outfile=grand.child1.signed
|
||||
|
||||
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
@@ -36,8 +38,8 @@ zonefile=grand.child3.utld.db
|
||||
outfile=grand.child3.signed
|
||||
dlvzone=dlv.utld.
|
||||
|
||||
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
@@ -51,8 +53,8 @@ zonefile=grand.child4.utld.db
|
||||
outfile=grand.child4.signed
|
||||
dlvzone=dlv.utld.
|
||||
|
||||
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
@@ -66,8 +68,8 @@ zonefile=grand.child5.utld.db
|
||||
outfile=grand.child5.signed
|
||||
dlvzone=dlv.utld.
|
||||
|
||||
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
@@ -81,8 +83,8 @@ zonefile=grand.child7.utld.db
|
||||
outfile=grand.child7.signed
|
||||
dlvzone=dlv.utld.
|
||||
|
||||
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
@@ -96,8 +98,8 @@ zonefile=grand.child8.utld.db
|
||||
outfile=grand.child8.signed
|
||||
dlvzone=dlv.utld.
|
||||
|
||||
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
@@ -111,8 +113,8 @@ zonefile=grand.child9.utld.db
|
||||
outfile=grand.child9.signed
|
||||
dlvzone=dlv.utld.
|
||||
|
||||
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
@@ -125,8 +127,8 @@ zonefile=grand.child10.utld.db
|
||||
outfile=grand.child10.signed
|
||||
dlvzone=dlv.utld.
|
||||
|
||||
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
@@ -138,8 +140,8 @@ infile=child.db.in
|
||||
zonefile=grand.child1.druz.db
|
||||
outfile=grand.child1.druz.signed
|
||||
|
||||
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
@@ -153,8 +155,8 @@ zonefile=grand.child3.druz.db
|
||||
outfile=grand.child3.druz.signed
|
||||
dlvzone=dlv.druz.
|
||||
|
||||
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
@@ -168,8 +170,8 @@ zonefile=grand.child4.druz.db
|
||||
outfile=grand.child4.druz.signed
|
||||
dlvzone=dlv.druz.
|
||||
|
||||
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
@@ -183,8 +185,8 @@ zonefile=grand.child5.druz.db
|
||||
outfile=grand.child5.druz.signed
|
||||
dlvzone=dlv.druz.
|
||||
|
||||
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
@@ -198,8 +200,8 @@ zonefile=grand.child7.druz.db
|
||||
outfile=grand.child7.druz.signed
|
||||
dlvzone=dlv.druz.
|
||||
|
||||
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
@@ -213,8 +215,8 @@ zonefile=grand.child8.druz.db
|
||||
outfile=grand.child8.druz.signed
|
||||
dlvzone=dlv.druz.
|
||||
|
||||
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
@@ -228,8 +230,8 @@ zonefile=grand.child9.druz.db
|
||||
outfile=grand.child9.druz.signed
|
||||
dlvzone=dlv.druz.
|
||||
|
||||
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
@@ -242,8 +244,8 @@ zonefile=grand.child10.druz.db
|
||||
outfile=grand.child10.druz.signed
|
||||
dlvzone=dlv.druz.
|
||||
|
||||
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
|
||||
index 13fb924..1ffa279 100644
|
||||
--- a/bin/tests/system/dnssec/ns2/sign.sh
|
||||
+++ b/bin/tests/system/dnssec/ns2/sign.sh
|
||||
@@ -126,8 +126,8 @@ zone=in-addr.arpa.
|
||||
infile=in-addr.arpa.db.in
|
||||
zonefile=in-addr.arpa.db
|
||||
|
||||
-keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
-keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
|
||||
+keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone`
|
||||
+keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
|
||||
@@ -138,7 +138,7 @@ privzone=private.secure.example
|
||||
privinfile=private.secure.example.db.in
|
||||
privzonefile=private.secure.example.db
|
||||
|
||||
-privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone`
|
||||
+privkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $privzone`
|
||||
|
||||
cat $privinfile $privkeyname.key >$privzonefile
|
||||
|
||||
@@ -152,7 +152,7 @@ dlvinfile=dlv.db.in
|
||||
dlvzonefile=dlv.db
|
||||
dlvsetfile=dlvset-${privzone}${TP}
|
||||
|
||||
-dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone`
|
||||
+dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $dlvzone`
|
||||
|
||||
cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile
|
||||
|
||||
diff --git a/bin/tests/system/dnssec/ns5/trusted.conf.bad b/bin/tests/system/dnssec/ns5/trusted.conf.bad
|
||||
index ed30460..e6b1126 100644
|
||||
--- a/bin/tests/system/dnssec/ns5/trusted.conf.bad
|
||||
+++ b/bin/tests/system/dnssec/ns5/trusted.conf.bad
|
||||
@@ -10,5 +10,5 @@
|
||||
*/
|
||||
|
||||
trusted-keys {
|
||||
- "." 256 3 1 "AQO6Cl+slAf+iuieDim9L3kujFHQD7s/IOj03ClMOpKYcTXtK4mRpuULVfvWxDi9Ew/gj0xLnnX7z9OJHIxLI+DSrAHd8Dm0XfBEAtVtJSn70GaPZgnLMw1rk5ap2DsEoWk=";
|
||||
+ "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV";
|
||||
};
|
||||
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
|
||||
index b31c1b4..a5e237b 100644
|
||||
--- a/bin/tests/system/dnssec/tests.sh
|
||||
+++ b/bin/tests/system/dnssec/tests.sh
|
||||
@@ -3235,8 +3235,8 @@ do
|
||||
alg=`expr $alg + 1`
|
||||
continue;;
|
||||
3) size="-b 512";;
|
||||
- 5) size="-b 512";;
|
||||
- 6) size="-b 512";;
|
||||
+ 5) size="-b 1024";;
|
||||
+ 6) size="-b 1024";;
|
||||
7) size="-b 512";;
|
||||
8) size="-b 512";;
|
||||
10) size="-b 1024";;
|
||||
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
|
||||
index c1249ed..20a3139 100644
|
||||
index 8b9deb6..ceb4fe8 100644
|
||||
--- a/bin/tests/system/feature-test.c
|
||||
+++ b/bin/tests/system/feature-test.c
|
||||
@@ -19,6 +19,7 @@
|
||||
#include <isc/print.h>
|
||||
#include <isc/util.h>
|
||||
#include <isc/net.h>
|
||||
+#include <isc/md5.h>
|
||||
+#include <isc/md.h>
|
||||
#include <dns/edns.h>
|
||||
|
||||
#ifdef WIN32
|
||||
@@ -47,6 +48,7 @@ usage() {
|
||||
fprintf(stderr, " --have-geoip2\n");
|
||||
fprintf(stderr, " --have-libxml2\n");
|
||||
fprintf(stderr, " --ipv6only=no\n");
|
||||
+ fprintf(stderr, " --md5\n");
|
||||
fprintf(stderr, " --rpz-nsdname\n");
|
||||
fprintf(stderr, " --rpz-nsip\n");
|
||||
fprintf(stderr, " --with-idn\n");
|
||||
@@ -155,6 +157,18 @@ main(int argc, char **argv) {
|
||||
@@ -159,6 +160,18 @@ main(int argc, char **argv) {
|
||||
#endif
|
||||
}
|
||||
|
||||
+ if (strcmp(argv[1], "--md5") == 0) {
|
||||
+#ifdef PK11_MD5_DISABLE
|
||||
+ return (1);
|
||||
+#else
|
||||
+ if (isc_md5_available()) {
|
||||
+ unsigned char digest[ISC_MAX_MD_SIZE];
|
||||
+ const char test[] = test;
|
||||
+
|
||||
+ if (isc_md(ISC_MD_MD5, test, sizeof(test),
|
||||
+ digest, sizeof(digest)) == ISC_R_SUCCESS) {
|
||||
+ return (0);
|
||||
+ } else {
|
||||
+ return (1);
|
||||
+ }
|
||||
+#endif
|
||||
+ }
|
||||
+
|
||||
if (strcmp(argv[1], "--rpz-nsip") == 0) {
|
||||
#ifdef ENABLE_RPZ_NSIP
|
||||
if (strcmp(argv[1], "--ipv6only=no") == 0) {
|
||||
#ifdef WIN32
|
||||
return (0);
|
||||
diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh
|
||||
index f755581..4a7d890 100755
|
||||
--- a/bin/tests/system/filter-aaaa/ns1/sign.sh
|
||||
+++ b/bin/tests/system/filter-aaaa/ns1/sign.sh
|
||||
@@ -21,8 +21,8 @@ infile=signed.db.in
|
||||
zonefile=signed.db.signed
|
||||
outfile=signed.db.signed
|
||||
|
||||
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
|
||||
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh
|
||||
index f755581..4a7d890 100755
|
||||
--- a/bin/tests/system/filter-aaaa/ns4/sign.sh
|
||||
+++ b/bin/tests/system/filter-aaaa/ns4/sign.sh
|
||||
@@ -21,8 +21,8 @@ infile=signed.db.in
|
||||
zonefile=signed.db.signed
|
||||
outfile=signed.db.signed
|
||||
|
||||
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
|
||||
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
|
||||
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
|
||||
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
|
||||
index cfcfe8f..0a1614d 100644
|
||||
index 2976bfc..256d846 100644
|
||||
--- a/bin/tests/system/notify/ns5/named.conf.in
|
||||
+++ b/bin/tests/system/notify/ns5/named.conf.in
|
||||
@@ -10,17 +10,17 @@
|
||||
@ -1065,7 +630,7 @@ index cfcfe8f..0a1614d 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
|
||||
index 1f6e6d0..c08bd25 100644
|
||||
index fb2eb74..0e45424 100644
|
||||
--- a/bin/tests/system/notify/tests.sh
|
||||
+++ b/bin/tests/system/notify/tests.sh
|
||||
@@ -212,16 +212,16 @@ ret=0
|
||||
@ -1089,22 +654,9 @@ index 1f6e6d0..c08bd25 100644
|
||||
grep "test string" dig.out.b.ns5.test$n > /dev/null &&
|
||||
grep "test string" dig.out.c.ns5.test$n > /dev/null &&
|
||||
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
index 1d999ad..26b6b7c 100644
|
||||
index e7b6adb..4ad5cc1 100644
|
||||
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
@@ -32,7 +32,7 @@ controls {
|
||||
};
|
||||
|
||||
key altkey {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha512;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
|
||||
index 4549184..cb7dccd 100644
|
||||
--- a/bin/tests/system/nsupdate/ns2/named.conf.in
|
||||
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
|
||||
@@ -33,7 +33,7 @@ controls {
|
||||
};
|
||||
|
||||
@ -1114,29 +666,41 @@ index 4549184..cb7dccd 100644
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
|
||||
index b703843..8bfe2b0 100644
|
||||
--- a/bin/tests/system/nsupdate/ns2/named.conf.in
|
||||
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
|
||||
@@ -32,7 +32,7 @@ controls {
|
||||
};
|
||||
|
||||
key altkey {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha512;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
|
||||
index 21805c5..0d3d85c 100644
|
||||
index 5d70114..6c4b55a 100644
|
||||
--- a/bin/tests/system/nsupdate/setup.sh
|
||||
+++ b/bin/tests/system/nsupdate/setup.sh
|
||||
@@ -58,7 +58,12 @@ EOF
|
||||
@@ -56,7 +56,11 @@ EOF
|
||||
|
||||
$DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key
|
||||
$DDNSCONFGEN -q -z example.nil > ns1/ddns.key
|
||||
|
||||
-$DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
|
||||
-$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
|
||||
+if $FEATURETEST --md5; then
|
||||
+ $DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
|
||||
+ $DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
|
||||
+else
|
||||
+ echo -n > ns1/md5.key
|
||||
+fi
|
||||
+
|
||||
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
|
||||
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
|
||||
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
|
||||
$DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
|
||||
$DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
|
||||
$DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
|
||||
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
|
||||
index 4da4849..b3bc807 100755
|
||||
index dd0286f..906135c 100755
|
||||
--- a/bin/tests/system/nsupdate/tests.sh
|
||||
+++ b/bin/tests/system/nsupdate/tests.sh
|
||||
@@ -708,7 +708,14 @@ fi
|
||||
@@ -700,7 +700,14 @@ fi
|
||||
n=`expr $n + 1`
|
||||
ret=0
|
||||
echo_i "check TSIG key algorithms ($n)"
|
||||
@ -1152,7 +716,7 @@ index 4da4849..b3bc807 100755
|
||||
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
update add ${alg}.keytests.nil. 600 A 10.10.10.3
|
||||
@@ -716,7 +723,7 @@ send
|
||||
@@ -708,7 +715,7 @@ send
|
||||
END
|
||||
done
|
||||
sleep 2
|
||||
@ -1162,10 +726,10 @@ index 4da4849..b3bc807 100755
|
||||
done
|
||||
if [ $ret -ne 0 ]; then
|
||||
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
|
||||
index 343869e..c30efb0 100644
|
||||
index cb64dd9..c9b2447 100644
|
||||
--- a/bin/tests/system/rndc/setup.sh
|
||||
+++ b/bin/tests/system/rndc/setup.sh
|
||||
@@ -37,7 +37,7 @@ make_key () {
|
||||
@@ -35,7 +35,7 @@ make_key () {
|
||||
sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
|
||||
}
|
||||
|
||||
@ -1175,10 +739,10 @@ index 343869e..c30efb0 100644
|
||||
make_key 3 ${EXTRAPORT3} hmac-sha224
|
||||
make_key 4 ${EXTRAPORT4} hmac-sha256
|
||||
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
|
||||
index 57e066d..186a723 100644
|
||||
index 7cbe2c7..b8cc6a0 100644
|
||||
--- a/bin/tests/system/rndc/tests.sh
|
||||
+++ b/bin/tests/system/rndc/tests.sh
|
||||
@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -356,15 +356,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
n=`expr $n + 1`
|
||||
@ -1208,15 +772,6 @@ index 57e066d..186a723 100644
|
||||
|
||||
n=`expr $n + 1`
|
||||
echo_i "testing rndc with hmac-sha1 ($n)"
|
||||
diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh
|
||||
index 576ec70..cb7a852 100644
|
||||
--- a/bin/tests/system/tsig/clean.sh
|
||||
+++ b/bin/tests/system/tsig/clean.sh
|
||||
@@ -20,3 +20,4 @@ rm -f */named.run
|
||||
rm -f ns*/named.lock
|
||||
rm -f Kexample.net.+163+*
|
||||
rm -f keygen.out?
|
||||
+rm -f ns1/named.conf
|
||||
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
|
||||
index fbf30c6..f61657d 100644
|
||||
--- a/bin/tests/system/tsig/ns1/named.conf.in
|
||||
@ -1246,20 +801,20 @@ index fbf30c6..f61657d 100644
|
||||
key "sha1-trunc" {
|
||||
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
|
||||
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
|
||||
index 4dd4a25..aa0f966 100644
|
||||
index b3e0450..90a6ce4 100644
|
||||
--- a/bin/tests/system/tsig/setup.sh
|
||||
+++ b/bin/tests/system/tsig/setup.sh
|
||||
@@ -17,3 +17,8 @@ $SHELL clean.sh
|
||||
copy_setports ns1/named.conf.in ns1/named.conf
|
||||
@@ -15,3 +15,8 @@ SYSTEMTESTTOP=..
|
||||
$SHELL clean.sh
|
||||
|
||||
test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
|
||||
copy_setports ns1/named.conf.in ns1/named.conf
|
||||
+
|
||||
+if $FEATURETEST --md5
|
||||
+then
|
||||
+ cat ns1/rndc5.conf.in >> ns1/named.conf
|
||||
+fi
|
||||
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
|
||||
index f731fa6..cade35b 100644
|
||||
index 3a720de..e20e7f9 100644
|
||||
--- a/bin/tests/system/tsig/tests.sh
|
||||
+++ b/bin/tests/system/tsig/tests.sh
|
||||
@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
|
||||
@ -1350,19 +905,8 @@ index f731fa6..cade35b 100644
|
||||
fi
|
||||
|
||||
echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
|
||||
diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh
|
||||
index 0d21c7b..dbcb7b4 100644
|
||||
--- a/bin/tests/system/tsiggss/setup.sh
|
||||
+++ b/bin/tests/system/tsiggss/setup.sh
|
||||
@@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
|
||||
|
||||
copy_setports ns1/named.conf.in ns1/named.conf
|
||||
|
||||
-key=`$KEYGEN -Cq -K ns1 -a DSA -b 512 -r $RANDFILE -n HOST -T KEY key.example.nil.`
|
||||
+key=`$KEYGEN -Cq -K ns1 -a DSA -b 1024 -r $RANDFILE -n HOST -T KEY key.example.nil.`
|
||||
cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db
|
||||
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
|
||||
index e0a30cd..6a77b1c 100644
|
||||
index ea42b4d..08676da 100644
|
||||
--- a/bin/tests/system/upforwd/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
|
||||
@@ -10,7 +10,7 @@
|
||||
@ -1387,22 +931,6 @@ index b0694bb..9adae82 100644
|
||||
server 10.53.0.3 ${PORT}
|
||||
update add updated.example. 600 A 10.10.10.1
|
||||
update add updated.example. 600 TXT Foo
|
||||
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||
new file mode 100644
|
||||
index 0000000..0682194
|
||||
--- /dev/null
|
||||
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||
@@ -0,0 +1,10 @@
|
||||
+# Conditionally included when support for MD5 is available
|
||||
+key "md5" {
|
||||
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
+ algorithm hmac-md5;
|
||||
+};
|
||||
+
|
||||
+key "md5-trunc" {
|
||||
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
+ algorithm hmac-md5-80;
|
||||
+};
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
@ -1,92 +0,0 @@
|
||||
From ec50eff97c259b5bfbfa4e050d69fe7b39b0f15a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Tue, 25 Sep 2018 18:08:46 +0200
|
||||
Subject: [PATCH] Disable IDN from environment as documented
|
||||
|
||||
Manual page of host contained instructions to disable IDN processing
|
||||
when it was built with libidn2. When refactoring IDN support however,
|
||||
support for disabling IDN in host and nslookup was lost. Use also
|
||||
environment variable and document it for nslookup, host and dig.
|
||||
|
||||
Support variable CHARSET=ASCII to disable IDN, supported in downstream
|
||||
RH patch since RHEL 5.
|
||||
---
|
||||
bin/dig/dig.docbook | 4 +++-
|
||||
bin/dig/dighost.c | 5 +++++
|
||||
bin/dig/host.docbook | 2 +-
|
||||
bin/dig/nslookup.docbook | 15 +++++++++++++++
|
||||
4 files changed, 24 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
|
||||
index 5d19301..933af79 100644
|
||||
--- a/bin/dig/dig.docbook
|
||||
+++ b/bin/dig/dig.docbook
|
||||
@@ -1312,7 +1312,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
|
||||
reply from the server.
|
||||
If you'd like to turn off the IDN support for some reason, use
|
||||
parameters <parameter>+noidnin</parameter> and
|
||||
- <parameter>+noidnout</parameter>.
|
||||
+ <parameter>+noidnout</parameter> or define
|
||||
+ the <envar>IDN_DISABLE</envar> environment variable.
|
||||
+
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
|
||||
index 5eabc1f..73aaab8 100644
|
||||
--- a/bin/dig/dighost.c
|
||||
+++ b/bin/dig/dighost.c
|
||||
@@ -826,6 +826,11 @@ make_empty_lookup(void) {
|
||||
looknew->badcookie = true;
|
||||
#ifdef WITH_IDN_SUPPORT
|
||||
looknew->idnin = isatty(1)?(getenv("IDN_DISABLE") == NULL):false;
|
||||
+ if (looknew->idnin) {
|
||||
+ const char *charset = getenv("CHARSET");
|
||||
+ if (charset && !strcmp(charset, "ASCII"))
|
||||
+ looknew->idnin = false;
|
||||
+ }
|
||||
#else
|
||||
looknew->idnin = false;
|
||||
#endif
|
||||
diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook
|
||||
index da0f8fb..9689b5a 100644
|
||||
--- a/bin/dig/host.docbook
|
||||
+++ b/bin/dig/host.docbook
|
||||
@@ -379,7 +379,7 @@
|
||||
<command>host</command> appropriately converts character encoding of
|
||||
domain name before sending a request to DNS server or displaying a
|
||||
reply from the server.
|
||||
- If you'd like to turn off the IDN support for some reason, defines
|
||||
+ If you'd like to turn off the IDN support for some reason, define
|
||||
the <envar>IDN_DISABLE</envar> environment variable.
|
||||
The IDN support is disabled if the variable is set when
|
||||
<command>host</command> runs.
|
||||
diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook
|
||||
index d46fc2d..6d7d181 100644
|
||||
--- a/bin/dig/nslookup.docbook
|
||||
+++ b/bin/dig/nslookup.docbook
|
||||
@@ -495,6 +495,21 @@ nslookup -query=hinfo -timeout=10
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
+ <refsection><info><title>IDN SUPPORT</title></info>
|
||||
+
|
||||
+ <para>
|
||||
+ If <command>nslookup</command> has been built with IDN (internationalized
|
||||
+ domain name) support, it can accept and display non-ASCII domain names.
|
||||
+ <command>nslookup</command> appropriately converts character encoding of
|
||||
+ domain name before sending a request to DNS server or displaying a
|
||||
+ reply from the server.
|
||||
+ If you'd like to turn off the IDN support for some reason, define
|
||||
+ the <envar>IDN_DISABLE</envar> environment variable.
|
||||
+ The IDN support is disabled if the variable is set when
|
||||
+ <command>nslookup</command> runs.
|
||||
+ </para>
|
||||
+ </refsection>
|
||||
+
|
||||
<refsection><info><title>FILES</title></info>
|
||||
|
||||
<para><filename>/etc/resolv.conf</filename>
|
||||
--
|
||||
2.20.1
|
||||
|
@ -1,288 +0,0 @@
|
||||
From 76594cba9a1e910bb36160d96fc3872349341799 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
|
||||
Date: Wed, 25 Apr 2018 14:04:31 +0200
|
||||
Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts
|
||||
|
||||
(cherry picked from commit 66ba2fdad583d962a1f4971c85d58381f0849e4d)
|
||||
|
||||
Remove isc_safe_memcompare, it's not needed anywhere and can't be replaced with CRYPTO_memcmp()
|
||||
|
||||
(cherry picked from commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c)
|
||||
|
||||
Fix the isc_safe_memwipe() usage with (NULL, >0)
|
||||
|
||||
(cherry picked from commit 083461d3329ff6f2410745848a926090586a9846)
|
||||
---
|
||||
bin/dnssec/dnssec-signzone.c | 2 +-
|
||||
lib/dns/nsec3.c | 4 +-
|
||||
lib/dns/spnego.c | 4 +-
|
||||
lib/isc/Makefile.in | 8 +---
|
||||
lib/isc/include/isc/safe.h | 18 ++------
|
||||
lib/isc/safe.c | 83 ------------------------------------
|
||||
lib/isc/tests/safe_test.c | 18 --------
|
||||
7 files changed, 11 insertions(+), 126 deletions(-)
|
||||
delete mode 100644 lib/isc/safe.c
|
||||
|
||||
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
|
||||
index 6ddaebe..d921870 100644
|
||||
--- a/bin/dnssec/dnssec-signzone.c
|
||||
+++ b/bin/dnssec/dnssec-signzone.c
|
||||
@@ -787,7 +787,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
|
||||
|
||||
static int
|
||||
hashlist_comp(const void *a, const void *b) {
|
||||
- return (isc_safe_memcompare(a, b, hash_length + 1));
|
||||
+ return (memcmp(a, b, hash_length + 1));
|
||||
}
|
||||
|
||||
static void
|
||||
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
|
||||
index 6ae7ca8..01426d6 100644
|
||||
--- a/lib/dns/nsec3.c
|
||||
+++ b/lib/dns/nsec3.c
|
||||
@@ -1963,7 +1963,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
|
||||
* Work out what this NSEC3 covers.
|
||||
* Inside (<0) or outside (>=0).
|
||||
*/
|
||||
- scope = isc_safe_memcompare(owner, nsec3.next, nsec3.next_length);
|
||||
+ scope = memcmp(owner, nsec3.next, nsec3.next_length);
|
||||
|
||||
/*
|
||||
* Prepare to compute all the hashes.
|
||||
@@ -1987,7 +1987,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
|
||||
return (ISC_R_IGNORE);
|
||||
}
|
||||
|
||||
- order = isc_safe_memcompare(hash, owner, length);
|
||||
+ order = memcmp(hash, owner, length);
|
||||
if (first && order == 0) {
|
||||
/*
|
||||
* The hashes are the same.
|
||||
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
|
||||
index ad77f24..670982a 100644
|
||||
--- a/lib/dns/spnego.c
|
||||
+++ b/lib/dns/spnego.c
|
||||
@@ -371,7 +371,7 @@ gssapi_spnego_decapsulate(OM_uint32 *,
|
||||
|
||||
/* mod_auth_kerb.c */
|
||||
|
||||
-static int
|
||||
+static isc_boolean_t
|
||||
cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
|
||||
{
|
||||
unsigned char *p;
|
||||
@@ -395,7 +395,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
|
||||
if (((OM_uint32) *p++) != gssoid->length)
|
||||
return (GSS_S_DEFECTIVE_TOKEN);
|
||||
|
||||
- return (isc_safe_memcompare(p, gssoid->elements, gssoid->length));
|
||||
+ return (!isc_safe_memequal(p, gssoid->elements, gssoid->length));
|
||||
}
|
||||
|
||||
/* accept_sec_context.c */
|
||||
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
|
||||
index 0fd0837..8ad54bb 100644
|
||||
--- a/lib/isc/Makefile.in
|
||||
+++ b/lib/isc/Makefile.in
|
||||
@@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
|
||||
parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \
|
||||
ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \
|
||||
rwlock.@O@ \
|
||||
- safe.@O@ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
|
||||
+ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
|
||||
string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
|
||||
tm.@O@ timer.@O@ version.@O@ \
|
||||
${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
|
||||
@@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \
|
||||
netaddr.c netscope.c pool.c ondestroy.c \
|
||||
parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \
|
||||
ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \
|
||||
- safe.c serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
|
||||
+ serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
|
||||
strtoul.c symtab.c task.c taskpool.c timer.c \
|
||||
tm.c version.c
|
||||
|
||||
@@ -95,10 +95,6 @@ TESTDIRS = @UNITTESTS@
|
||||
|
||||
@BIND9_MAKE_RULES@
|
||||
|
||||
-safe.@O@: safe.c
|
||||
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} @CCNOOPT@ \
|
||||
- -c ${srcdir}/safe.c
|
||||
-
|
||||
version.@O@: version.c
|
||||
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
|
||||
-DVERSION=\"${VERSION}\" \
|
||||
diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h
|
||||
index 66ed08b..88b8f47 100644
|
||||
--- a/lib/isc/include/isc/safe.h
|
||||
+++ b/lib/isc/include/isc/safe.h
|
||||
@@ -15,29 +15,19 @@
|
||||
|
||||
/*! \file isc/safe.h */
|
||||
|
||||
-#include <stdbool.h>
|
||||
-
|
||||
-#include <isc/types.h>
|
||||
-#include <stdlib.h>
|
||||
+#include <isc/lang.h>
|
||||
+#include <openssl/crypto.h>
|
||||
|
||||
ISC_LANG_BEGINDECLS
|
||||
|
||||
-bool
|
||||
-isc_safe_memequal(const void *s1, const void *s2, size_t n);
|
||||
+#define isc_safe_memequal(s1, s2, n) !CRYPTO_memcmp(s1, s2, n)
|
||||
/*%<
|
||||
* Returns true iff. two blocks of memory are equal, otherwise
|
||||
* false.
|
||||
*
|
||||
*/
|
||||
|
||||
-int
|
||||
-isc_safe_memcompare(const void *b1, const void *b2, size_t len);
|
||||
-/*%<
|
||||
- * Clone of libc memcmp() which is safe to differential timing attacks.
|
||||
- */
|
||||
-
|
||||
-void
|
||||
-isc_safe_memwipe(void *ptr, size_t len);
|
||||
+#define isc_safe_memwipe(ptr, len) OPENSSL_cleanse(ptr, len)
|
||||
/*%<
|
||||
* Clear the memory of length `len` pointed to by `ptr`.
|
||||
*
|
||||
diff --git a/lib/isc/safe.c b/lib/isc/safe.c
|
||||
deleted file mode 100644
|
||||
index 7a464b6..0000000
|
||||
--- a/lib/isc/safe.c
|
||||
+++ /dev/null
|
||||
@@ -1,83 +0,0 @@
|
||||
-/*
|
||||
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
- *
|
||||
- * This Source Code Form is subject to the terms of the Mozilla Public
|
||||
- * License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
- *
|
||||
- * See the COPYRIGHT file distributed with this work for additional
|
||||
- * information regarding copyright ownership.
|
||||
- */
|
||||
-
|
||||
-/*! \file */
|
||||
-
|
||||
-#include <config.h>
|
||||
-
|
||||
-#include <stdbool.h>
|
||||
-
|
||||
-#include <isc/safe.h>
|
||||
-#include <isc/string.h>
|
||||
-#include <isc/util.h>
|
||||
-
|
||||
-#ifdef WIN32
|
||||
-#include <windows.h>
|
||||
-#endif
|
||||
-
|
||||
-#ifdef _MSC_VER
|
||||
-#pragma optimize("", off)
|
||||
-#endif
|
||||
-
|
||||
-bool
|
||||
-isc_safe_memequal(const void *s1, const void *s2, size_t n) {
|
||||
- uint8_t acc = 0;
|
||||
-
|
||||
- if (n != 0U) {
|
||||
- const uint8_t *p1 = s1, *p2 = s2;
|
||||
-
|
||||
- do {
|
||||
- acc |= *p1++ ^ *p2++;
|
||||
- } while (--n != 0U);
|
||||
- }
|
||||
- return (acc == 0);
|
||||
-}
|
||||
-
|
||||
-
|
||||
-int
|
||||
-isc_safe_memcompare(const void *b1, const void *b2, size_t len) {
|
||||
- const unsigned char *p1 = b1, *p2 = b2;
|
||||
- size_t i;
|
||||
- int res = 0, done = 0;
|
||||
-
|
||||
- for (i = 0; i < len; i++) {
|
||||
- /* lt is -1 if p1[i] < p2[i]; else 0. */
|
||||
- int lt = (p1[i] - p2[i]) >> CHAR_BIT;
|
||||
-
|
||||
- /* gt is -1 if p1[i] > p2[i]; else 0. */
|
||||
- int gt = (p2[i] - p1[i]) >> CHAR_BIT;
|
||||
-
|
||||
- /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */
|
||||
- int cmp = lt - gt;
|
||||
-
|
||||
- /* set res = cmp if !done. */
|
||||
- res |= cmp & ~done;
|
||||
-
|
||||
- /* set done if p1[i] != p2[i]. */
|
||||
- done |= lt | gt;
|
||||
- }
|
||||
-
|
||||
- return (res);
|
||||
-}
|
||||
-
|
||||
-void
|
||||
-isc_safe_memwipe(void *ptr, size_t len) {
|
||||
- if (ISC_UNLIKELY(ptr == NULL || len == 0))
|
||||
- return;
|
||||
-
|
||||
-#ifdef WIN32
|
||||
- SecureZeroMemory(ptr, len);
|
||||
-#elif HAVE_EXPLICIT_BZERO
|
||||
- explicit_bzero(ptr, len);
|
||||
-#else
|
||||
- memset(ptr, 0, len);
|
||||
-#endif
|
||||
-}
|
||||
diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c
|
||||
index 266ac75..60e9181 100644
|
||||
--- a/lib/isc/tests/safe_test.c
|
||||
+++ b/lib/isc/tests/safe_test.c
|
||||
@@ -45,22 +45,6 @@ isc_safe_memequal_test(void **state) {
|
||||
"\x00\x00\x00\x00", 4));
|
||||
}
|
||||
|
||||
-/* test isc_safe_memcompare() */
|
||||
-static void
|
||||
-isc_safe_memcompare_test(void **state) {
|
||||
- UNUSED(state);
|
||||
-
|
||||
- assert_int_equal(isc_safe_memcompare("test", "test", 4), 0);
|
||||
- assert_true(isc_safe_memcompare("test", "tesc", 4) > 0);
|
||||
- assert_true(isc_safe_memcompare("test", "tesy", 4) < 0);
|
||||
- assert_int_equal(isc_safe_memcompare("\x00\x00\x00\x00",
|
||||
- "\x00\x00\x00\x00", 4), 0);
|
||||
- assert_true(isc_safe_memcompare("\x00\x00\x00\x00",
|
||||
- "\x00\x00\x00\x01", 4) < 0);
|
||||
- assert_true(isc_safe_memcompare("\x00\x00\x00\x02",
|
||||
- "\x00\x00\x00\x00", 4) > 0);
|
||||
-}
|
||||
-
|
||||
/* test isc_safe_memwipe() */
|
||||
static void
|
||||
isc_safe_memwipe_test(void **state) {
|
||||
@@ -69,7 +53,6 @@ isc_safe_memwipe_test(void **state) {
|
||||
/* These should pass. */
|
||||
isc_safe_memwipe(NULL, 0);
|
||||
isc_safe_memwipe((void *) -1, 0);
|
||||
- isc_safe_memwipe(NULL, 42);
|
||||
|
||||
/*
|
||||
* isc_safe_memwipe(ptr, size) should function same as
|
||||
@@ -108,7 +91,6 @@ main(void) {
|
||||
const struct CMUnitTest tests[] = {
|
||||
cmocka_unit_test(isc_safe_memequal_test),
|
||||
cmocka_unit_test(isc_safe_memwipe_test),
|
||||
- cmocka_unit_test(isc_safe_memcompare_test),
|
||||
};
|
||||
|
||||
return (cmocka_run_group_tests(tests, NULL, NULL));
|
||||
--
|
||||
2.20.1
|
||||
|
@ -1,48 +0,0 @@
|
||||
From b16a1ff25644bb075f454afe68ee63f6f385ca9c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Wed, 23 Jan 2019 21:11:07 +0100
|
||||
Subject: [PATCH] Made RAND_status check optional (broke --disable-crypto-rand)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Unlike upstream, skip it also for DHCP.
|
||||
|
||||
Disable RAND_status also in non-threaded builds. DHCP is built without
|
||||
threads and should not check RAND_status on dns library initialization.
|
||||
Lack of entropy is possible state for dhclient, but it must not fail
|
||||
even in this case. Because DHCP itself does not require custom random
|
||||
generator, leave default RAND_OpenSSL configured. It should help TLS
|
||||
connection to LDAP in single DHCP binary, while keeping secure random
|
||||
data if needed.
|
||||
|
||||
(modified upstream commit 8a98277811ea50035ff37b744fa3dc5b75bee099)
|
||||
|
||||
Signed-off-by: Petr Menšík <pemensik@redhat.com>
|
||||
---
|
||||
lib/dns/openssl_link.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
|
||||
index 7a233dd..941eb17 100644
|
||||
--- a/lib/dns/openssl_link.c
|
||||
+++ b/lib/dns/openssl_link.c
|
||||
@@ -289,6 +289,7 @@ dst__openssl_init(const char *engine) {
|
||||
#endif
|
||||
#endif /* !defined(OPENSSL_NO_ENGINE) */
|
||||
|
||||
+#if defined(ISC_PLATFORM_CRYPTORANDOM) && defined(ISC_PLATFORM_USETHREADS)
|
||||
/* Protect ourselves against unseeded PRNG */
|
||||
if (RAND_status() != 1) {
|
||||
FATAL_ERROR(__FILE__, __LINE__,
|
||||
@@ -296,6 +297,7 @@ dst__openssl_init(const char *engine) {
|
||||
"cannot be initialized (see the `PRNG not "
|
||||
"seeded' message in the OpenSSL FAQ)");
|
||||
}
|
||||
+#endif
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
|
||||
--
|
||||
2.20.1
|
||||
|
File diff suppressed because it is too large
@ -1,4 +1,4 @@
|
||||
From 373f07148217a8e70e33446f5108fb42d1079ba6 Mon Sep 17 00:00:00 2001
|
||||
From 605d1575414c67f5e7eefeaae9dd2d0820c082dc Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Thu, 21 Feb 2019 22:42:27 +0100
|
||||
Subject: [PATCH] Disable random_test
|
||||
@ -9,19 +9,18 @@ subtests can occasionally fail, stop it.
|
||||
|
||||
It can be used again by defining 'unstable' variable in Kyuafile.
|
||||
---
|
||||
lib/isc/tests/Kyuafile | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
lib/isc/tests/Kyuafile | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile
|
||||
index 4cd2574..9df2340 100644
|
||||
index e2b2498..df2741e 100644
|
||||
--- a/lib/isc/tests/Kyuafile
|
||||
+++ b/lib/isc/tests/Kyuafile
|
||||
@@ -19,7 +19,7 @@ tap_test_program{name='pool_test'}
|
||||
tap_test_program{name='print_test'}
|
||||
@@ -18,6 +18,7 @@ tap_test_program{name='parse_test'}
|
||||
tap_test_program{name='pool_test'}
|
||||
tap_test_program{name='queue_test'}
|
||||
tap_test_program{name='radix_test'}
|
||||
-tap_test_program{name='random_test'}
|
||||
+tap_test_program{name='random_test', required_configs='unstable'}
|
||||
+-- tap_test_program{name='random_test', required_configs='unstable'}
|
||||
tap_test_program{name='regex_test'}
|
||||
tap_test_program{name='result_test'}
|
||||
tap_test_program{name='safe_test'}
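Review bot: As far as this rendered page shows, the patch in its new form only inserts the Lua comment `-- tap_test_program{name='random_test', required_configs='unstable'}` into lib/isc/tests/Kyuafile (its diffstat is now `1 insertion(+)`), so it no longer changes which tests run. The patch description still says the test "can be used again by defining 'unstable' variable in Kyuafile", which is stale because a commented-out entry cannot be re-enabled through `required_configs`. bind.spec in the same commit notes `# not present on 9.14.0`; if random_test is really gone from the 9.14 Kyuafile, dropping Patch168 is clearer than carrying a no-op patch. If the test is still built, keep the uncommented `tap_test_program{name='random_test', required_configs='unstable'}` line so the random-number test stays runnable on demand.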
|
||||
|
26
bind.spec
26
bind.spec
@ -133,23 +133,25 @@ Patch150:bind-9.11-engine-pkcs11.patch
|
||||
Patch153:bind-9.11-export-suffix.patch
|
||||
Patch154:bind-9.11-oot-manual.patch
|
||||
Patch155:bind-9.11-pk11.patch
|
||||
Patch156:bind-9.11-fips-code.patch
|
||||
# FIXME: needs review. Should not be required
|
||||
#Patch156:bind-9.11-fips-code.patch
|
||||
Patch157:bind-9.11-fips-tests.patch
|
||||
# [RT #31459] commit 06a8051d2476fb526fe6960832209392c763a9af
|
||||
Patch158:bind-9.11-rt31459.patch
|
||||
#Patch158:bind-9.11-rt31459.patch
|
||||
# [RT #46047] commit 24172bd2eeba91441ab1c65d2717b0692309244a ISC 4724
|
||||
Patch159:bind-9.11-rt46047.patch
|
||||
#Patch159:bind-9.11-rt46047.patch
|
||||
# commit 66ba2fdad583d962a1f4971c85d58381f0849e4d
|
||||
# commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c
|
||||
# commit 083461d3329ff6f2410745848a926090586a9846
|
||||
Patch160:bind-9.11-rh1624100.patch
|
||||
#Patch160:bind-9.11-rh1624100.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/issues/555
|
||||
Patch161:bind-9.11-host-idn-disable.patch
|
||||
#Patch161:bind-9.11-host-idn-disable.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/commit/8a98277811e
|
||||
Patch163:bind-9.11-rh1663318.patch
|
||||
#Patch163:bind-9.11-rh1663318.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/issues/819
|
||||
Patch164:bind-9.11-rh1666814.patch
|
||||
# random_test fails too often by random, disable it
|
||||
# not present on 9.14.0
|
||||
Patch168:bind-9.11-unit-disable-random.patch
|
||||
Patch170:bind-9.11-feature-test-named.patch
|
||||
Patch171:bind-9.11-tests-variants.patch
|
||||
@ -545,13 +547,13 @@ are used for building ISC DHCP.
|
||||
%patch153 -p1 -b .export_suffix
|
||||
%patch154 -p1 -b .oot-man
|
||||
%patch155 -p1 -b .pk11-internal
|
||||
%patch156 -p1 -b .fips-code
|
||||
#%patch156 -p1 -b .fips-code
|
||||
%patch157 -p1 -b .fips-tests
|
||||
%patch158 -p1 -b .rt31459
|
||||
%patch159 -p1 -b .rt46047
|
||||
%patch160 -p1 -b .rh1624100
|
||||
%patch161 -p1 -b .host-idn-disable
|
||||
%patch163 -p1 -b .rh1663318
|
||||
#%patch158 -p1 -b .rt31459
|
||||
#%patch159 -p1 -b .rt46047
|
||||
#%patch160 -p1 -b .rh1624100
|
||||
#%patch161 -p1 -b .host-idn-disable
|
||||
#%patch163 -p1 -b .rh1663318
|
||||
%patch164 -p1 -b .rh1666814
|
||||
%patch168 -p1 -b .random_test-disable
|
||||
%patch170 -p1 -b .featuretest-named
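Review bot: Patch156 (`bind-9.11-fips-code.patch`) is switched off with only `# FIXME: needs review. Should not be required`, while Patch157 (`bind-9.11-fips-tests.patch`) is still applied in %prep, so the test suite is adjusted for FIPS mode while the matching code change is not built in. Whether 9.14 already covers what the code patch did cannot be confirmed from this page; the comment should name the upstream change that replaces it, or the FIXME should point at a tracking bug so the gap is not forgotten. The same applies to the other disabled entries (Patch158 to Patch163), where a short "merged upstream in 9.14" remark next to each would record why it is safe to drop. The disabled `#%patch156` to `#%patch163` lines also keep a single `%`; rpm expands macros inside comments, so `#%%patch156 -p1 -b .fips-code` is the safer form.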
|
||||
|
@ -1,14 +0,0 @@
|
||||
diff -up bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163 bind-9.7.2-P3/lib/lwres/lwconfig.c
|
||||
--- bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163 2011-01-28 14:48:38.934472578 +0100
|
||||
+++ bind-9.7.2-P3/lib/lwres/lwconfig.c 2011-01-28 14:49:50.421326035 +0100
|
||||
@@ -612,6 +612,10 @@ lwres_conf_parse(lwres_context_t *ctx, c
|
||||
break;
|
||||
}
|
||||
|
||||
+ /* Ignore options with no parameters */
|
||||
+ if (stopchar == '\n')
|
||||
+ continue;
|
||||
+
|
||||
if (strlen(word) == 0U)
|
||||
rval = LWRES_R_SUCCESS;
|
||||
else if (strcmp(word, "nameserver") == 0)
|
BIN
random.data
BIN
random.data
Binary file not shown.