import bind-9.11.26-3.el8
This commit is contained in:
parent
cacdacb017
commit
e50e0af00e
@ -1,2 +1,2 @@
|
||||
ff6ad0d3f9282a77786e93eb889154008ef1ccdf SOURCES/bind-9.11.20.tar.gz
|
||||
14064c865920842e48f444be2bda9dc91770e439 SOURCES/bind-9.11.26.tar.gz
|
||||
a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data
|
||||
|
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,2 @@
|
||||
SOURCES/bind-9.11.20.tar.gz
|
||||
SOURCES/bind-9.11.26.tar.gz
|
||||
SOURCES/random.data
|
||||
|
@ -1,5 +1,5 @@
|
||||
diff --git a/bin/Makefile.in b/bin/Makefile.in
|
||||
index f0c504a..ce7a2da 100644
|
||||
index a18b222..26a7e4e 100644
|
||||
--- a/bin/Makefile.in
|
||||
+++ b/bin/Makefile.in
|
||||
@@ -11,8 +11,8 @@ srcdir = @srcdir@
|
||||
@ -14,7 +14,7 @@ index f0c504a..ce7a2da 100644
|
||||
|
||||
@BIND9_MAKE_RULES@
|
||||
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
|
||||
index 4b8ca13..32f4470 100644
|
||||
index 390aa0c..e59a118 100644
|
||||
--- a/bin/dnssec-pkcs11/Makefile.in
|
||||
+++ b/bin/dnssec-pkcs11/Makefile.in
|
||||
@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@
|
||||
@ -130,7 +130,7 @@ index 4b8ca13..32f4470 100644
|
||||
|
||||
clean distclean::
|
||||
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
|
||||
index 4b8ca13..4175996 100644
|
||||
index 390aa0c..851a008 100644
|
||||
--- a/bin/dnssec/Makefile.in
|
||||
+++ b/bin/dnssec/Makefile.in
|
||||
@@ -17,7 +17,7 @@ VERSION=@BIND9_VERSION@
|
||||
@ -273,10 +273,10 @@ index 3166368..890574f 100644
|
||||
CWARNINGS =
|
||||
|
||||
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
|
||||
index a058c91..d4b689a 100644
|
||||
index 2c19e7e..8223d5e 100644
|
||||
--- a/bin/pkcs11/Makefile.in
|
||||
+++ b/bin/pkcs11/Makefile.in
|
||||
@@ -15,13 +15,13 @@ top_srcdir = @top_srcdir@
|
||||
@@ -13,13 +13,13 @@ top_srcdir = @top_srcdir@
|
||||
|
||||
@BIND9_MAKE_INCLUDES@
|
||||
|
||||
@ -294,10 +294,10 @@ index a058c91..d4b689a 100644
|
||||
DEPLIBS = ${ISCDEPLIBS}
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 9b7d778..59ba20b 100644
|
||||
index c6715b4..8144268 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -1139,12 +1139,14 @@ AC_SUBST(USE_GSSAPI)
|
||||
@@ -1176,12 +1176,14 @@ AC_SUBST(USE_GSSAPI)
|
||||
AC_SUBST(DST_GSSAPI_INC)
|
||||
AC_SUBST(DNS_GSSAPI_LIBS)
|
||||
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
|
||||
@ -312,24 +312,26 @@ index 9b7d778..59ba20b 100644
|
||||
|
||||
#
|
||||
# was --with-randomdev specified?
|
||||
@@ -1494,11 +1496,11 @@ AC_ARG_ENABLE(openssl-hash,
|
||||
@@ -1554,12 +1556,12 @@ AC_ARG_ENABLE(openssl-hash,
|
||||
AC_MSG_CHECKING(for OpenSSL library)
|
||||
OPENSSL_WARNING=
|
||||
openssldirs="/usr /usr/local /usr/local/ssl /opt/local /usr/pkg /usr/sfw"
|
||||
-if test "yes" = "$want_native_pkcs11"
|
||||
-then
|
||||
- use_openssl="native_pkcs11"
|
||||
- want_openssl_hash="no"
|
||||
- AC_MSG_RESULT(use of native PKCS11 instead)
|
||||
-fi
|
||||
+# if test "yes" = "$want_native_pkcs11"
|
||||
+# then
|
||||
+# use_openssl="native_pkcs11"
|
||||
+# AC_MSG_RESULT(use of native PKCS11 instead)
|
||||
+# fi
|
||||
+#if test "yes" = "$want_native_pkcs11"
|
||||
+#then
|
||||
+# use_openssl="native_pkcs11"
|
||||
+# want_openssl_hash="no"
|
||||
+# AC_MSG_RESULT(use of native PKCS11 instead)
|
||||
+#fi
|
||||
|
||||
if test "auto" = "$use_openssl"
|
||||
then
|
||||
@@ -1511,6 +1513,7 @@ then
|
||||
@@ -1572,6 +1574,7 @@ then
|
||||
fi
|
||||
done
|
||||
fi
|
||||
@ -337,7 +339,7 @@ index 9b7d778..59ba20b 100644
|
||||
OPENSSL_ECDSA=""
|
||||
OPENSSL_GOST=""
|
||||
OPENSSL_ED25519=""
|
||||
@@ -1532,11 +1535,10 @@ case "$with_gost" in
|
||||
@@ -1593,11 +1596,10 @@ case "$with_gost" in
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -352,7 +354,7 @@ index 9b7d778..59ba20b 100644
|
||||
CRYPTOLIB="pkcs11"
|
||||
OPENSSLECDSALINKOBJS=""
|
||||
OPENSSLECDSALINKSRCS=""
|
||||
@@ -1546,7 +1548,9 @@ case "$use_openssl" in
|
||||
@@ -1607,7 +1609,9 @@ case "$use_openssl" in
|
||||
OPENSSLGOSTLINKSRCS=""
|
||||
OPENSSLLINKOBJS=""
|
||||
OPENSSLLINKSRCS=""
|
||||
@ -363,7 +365,7 @@ index 9b7d778..59ba20b 100644
|
||||
no)
|
||||
AC_MSG_RESULT(no)
|
||||
DST_OPENSSL_INC=""
|
||||
@@ -1578,7 +1582,7 @@ case "$use_openssl" in
|
||||
@@ -1639,7 +1643,7 @@ case "$use_openssl" in
|
||||
If you do not want OpenSSL, use --without-openssl])
|
||||
;;
|
||||
*)
|
||||
@ -372,7 +374,7 @@ index 9b7d778..59ba20b 100644
|
||||
then
|
||||
AC_MSG_RESULT()
|
||||
AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
|
||||
@@ -2006,6 +2010,7 @@ AC_SUBST(OPENSSL_ED25519)
|
||||
@@ -2067,6 +2071,7 @@ AC_SUBST(OPENSSL_ED25519)
|
||||
AC_SUBST(OPENSSL_GOST)
|
||||
|
||||
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
|
||||
@ -380,7 +382,7 @@ index 9b7d778..59ba20b 100644
|
||||
|
||||
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
|
||||
if test "yes" = "$with_aes"
|
||||
@@ -2291,6 +2296,7 @@ esac
|
||||
@@ -2353,6 +2358,7 @@ esac
|
||||
AC_SUBST(PKCS11LINKOBJS)
|
||||
AC_SUBST(PKCS11LINKSRCS)
|
||||
AC_SUBST(CRYPTO)
|
||||
@ -388,7 +390,7 @@ index 9b7d778..59ba20b 100644
|
||||
AC_SUBST(PKCS11_ECDSA)
|
||||
AC_SUBST(PKCS11_GOST)
|
||||
AC_SUBST(PKCS11_ED25519)
|
||||
@@ -5405,8 +5411,11 @@ AC_CONFIG_FILES([
|
||||
@@ -5501,8 +5507,11 @@ AC_CONFIG_FILES([
|
||||
bin/delv/Makefile
|
||||
bin/dig/Makefile
|
||||
bin/dnssec/Makefile
|
||||
@ -400,7 +402,7 @@ index 9b7d778..59ba20b 100644
|
||||
bin/nsupdate/Makefile
|
||||
bin/pkcs11/Makefile
|
||||
bin/python/Makefile
|
||||
@@ -5479,6 +5488,10 @@ AC_CONFIG_FILES([
|
||||
@@ -5575,6 +5584,10 @@ AC_CONFIG_FILES([
|
||||
lib/dns/include/dns/Makefile
|
||||
lib/dns/include/dst/Makefile
|
||||
lib/dns/tests/Makefile
|
||||
@ -411,7 +413,7 @@ index 9b7d778..59ba20b 100644
|
||||
lib/irs/Makefile
|
||||
lib/irs/include/Makefile
|
||||
lib/irs/include/irs/Makefile
|
||||
@@ -5503,6 +5516,24 @@ AC_CONFIG_FILES([
|
||||
@@ -5599,6 +5612,24 @@ AC_CONFIG_FILES([
|
||||
lib/isc/unix/include/Makefile
|
||||
lib/isc/unix/include/isc/Makefile
|
||||
lib/isc/unix/include/pkcs11/Makefile
|
||||
@ -437,7 +439,7 @@ index 9b7d778..59ba20b 100644
|
||||
lib/isccc/include/Makefile
|
||||
lib/isccc/include/isccc/Makefile
|
||||
diff --git a/lib/Makefile.in b/lib/Makefile.in
|
||||
index 81270a0..bcb5312 100644
|
||||
index f089bea..3ed939b 100644
|
||||
--- a/lib/Makefile.in
|
||||
+++ b/lib/Makefile.in
|
||||
@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@
|
||||
@ -450,7 +452,7 @@ index 81270a0..bcb5312 100644
|
||||
|
||||
@BIND9_MAKE_RULES@
|
||||
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
|
||||
index 7f09bd6..c388d9e 100644
|
||||
index 8fc4e94..5eefb14 100644
|
||||
--- a/lib/dns-pkcs11/Makefile.in
|
||||
+++ b/lib/dns-pkcs11/Makefile.in
|
||||
@@ -26,17 +26,16 @@ VERSION=@BIND9_VERSION@
|
||||
@ -525,7 +527,7 @@ index 7f09bd6..c388d9e 100644
|
||||
rm -f include/dns/rdatastruct.h
|
||||
rm -f dnstap.pb-c.c dnstap.pb-c.h
|
||||
diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in
|
||||
index 8ad54bb..a3ecdfb 100644
|
||||
index 7e3e9ce..58d7466 100644
|
||||
--- a/lib/isc-pkcs11/Makefile.in
|
||||
+++ b/lib/isc-pkcs11/Makefile.in
|
||||
@@ -23,8 +23,8 @@ CINCLUDES = -I${srcdir}/unix/include \
|
||||
@ -539,7 +541,7 @@ index 8ad54bb..a3ecdfb 100644
|
||||
CWARNINGS =
|
||||
|
||||
# Alphabetically
|
||||
@@ -103,40 +103,40 @@ version.@O@: version.c
|
||||
@@ -107,40 +107,40 @@ version.@O@: version.c
|
||||
-DLIBAGE=${LIBAGE} \
|
||||
-c ${srcdir}/version.c
|
||||
|
||||
@ -593,10 +595,10 @@ index 8ad54bb..a3ecdfb 100644
|
||||
+ rm -f libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ libisc-pkcs11.la \
|
||||
+ libisc-pkcs11-nosymtbl.la timestamp
|
||||
diff --git a/make/includes.in b/make/includes.in
|
||||
index fa86ad1..3cfbe9f 100644
|
||||
index 66efe68..966671f 100644
|
||||
--- a/make/includes.in
|
||||
+++ b/make/includes.in
|
||||
@@ -43,3 +43,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
|
||||
@@ -41,3 +41,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
|
||||
|
||||
TEST_INCLUDES = \
|
||||
-I${top_srcdir}/lib/tests/include
|
||||
|
@ -1,57 +0,0 @@
|
||||
From c5a9fd85a19a63f88a5f17c7e6d074ee22364093 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Tue, 18 Aug 2020 10:53:33 +0200
|
||||
Subject: [PATCH] Fix CVE-2020-8622
|
||||
|
||||
5476. [security] It was possible to trigger an assertion failure when
|
||||
verifying the response to a TSIG-signed request.
|
||||
(CVE-2020-8622) [GL #2028]
|
||||
---
|
||||
lib/dns/message.c | 24 +++++++++++++-----------
|
||||
1 file changed, 13 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/lib/dns/message.c b/lib/dns/message.c
|
||||
index d9e341a..7c813a5 100644
|
||||
--- a/lib/dns/message.c
|
||||
+++ b/lib/dns/message.c
|
||||
@@ -1712,6 +1712,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
|
||||
msg->header_ok = 0;
|
||||
msg->question_ok = 0;
|
||||
|
||||
+ if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
|
||||
+ isc_buffer_usedregion(&origsource, &msg->saved);
|
||||
+ } else {
|
||||
+ msg->saved.length = isc_buffer_usedlength(&origsource);
|
||||
+ msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
|
||||
+ if (msg->saved.base == NULL) {
|
||||
+ return (ISC_R_NOMEMORY);
|
||||
+ }
|
||||
+ memmove(msg->saved.base, isc_buffer_base(&origsource),
|
||||
+ msg->saved.length);
|
||||
+ msg->free_saved = 1;
|
||||
+ }
|
||||
+
|
||||
isc_buffer_remainingregion(source, &r);
|
||||
if (r.length < DNS_MESSAGE_HEADERLEN)
|
||||
return (ISC_R_UNEXPECTEDEND);
|
||||
@@ -1787,17 +1800,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
|
||||
}
|
||||
|
||||
truncated:
|
||||
- if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)
|
||||
- isc_buffer_usedregion(&origsource, &msg->saved);
|
||||
- else {
|
||||
- msg->saved.length = isc_buffer_usedlength(&origsource);
|
||||
- msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
|
||||
- if (msg->saved.base == NULL)
|
||||
- return (ISC_R_NOMEMORY);
|
||||
- memmove(msg->saved.base, isc_buffer_base(&origsource),
|
||||
- msg->saved.length);
|
||||
- msg->free_saved = 1;
|
||||
- }
|
||||
|
||||
if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
|
||||
return (DNS_R_RECOVERABLE);
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,400 +0,0 @@
|
||||
From e8b7be1e1ff3e11bc8d592c3c8d6a0f0d69e9947 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Tue, 18 Aug 2020 10:54:39 +0200
|
||||
Subject: [PATCH] Fix CVE-2020-8623
|
||||
|
||||
5480. [security] When BIND 9 was compiled with native PKCS#11 support, it
|
||||
was possible to trigger an assertion failure in code
|
||||
determining the number of bits in the PKCS#11 RSA public
|
||||
key with a specially crafted packet. (CVE-2020-8623)
|
||||
[GL #2037]
|
||||
---
|
||||
lib/dns/pkcs11dh_link.c | 15 ++++++-
|
||||
lib/dns/pkcs11dsa_link.c | 8 +++-
|
||||
lib/dns/pkcs11rsa_link.c | 79 +++++++++++++++++++++++++--------
|
||||
lib/isc/include/pk11/internal.h | 3 +-
|
||||
lib/isc/pk11.c | 61 ++++++++++++++++---------
|
||||
5 files changed, 121 insertions(+), 45 deletions(-)
|
||||
|
||||
diff --git a/lib/dns/pkcs11dh_link.c b/lib/dns/pkcs11dh_link.c
|
||||
index e2b60ea..4cd8e32 100644
|
||||
--- a/lib/dns/pkcs11dh_link.c
|
||||
+++ b/lib/dns/pkcs11dh_link.c
|
||||
@@ -748,6 +748,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
CK_BYTE *prime = NULL, *base = NULL, *pub = NULL;
|
||||
CK_ATTRIBUTE *attr;
|
||||
int special = 0;
|
||||
+ unsigned int bits;
|
||||
isc_result_t result;
|
||||
|
||||
isc_buffer_remainingregion(data, &r);
|
||||
@@ -852,7 +853,11 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
pub = r.base;
|
||||
isc_region_consume(&r, publen);
|
||||
|
||||
- key->key_size = pk11_numbits(prime, plen_);
|
||||
+ result = pk11_numbits(prime, plen_, &bits);
|
||||
+ if (result != ISC_R_SUCCESS) {
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ key->key_size = bits;
|
||||
|
||||
dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
|
||||
if (dh->repr == NULL)
|
||||
@@ -1012,6 +1017,7 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
dst_private_t priv;
|
||||
isc_result_t ret;
|
||||
int i;
|
||||
+ unsigned int bits;
|
||||
pk11_object_t *dh = NULL;
|
||||
CK_ATTRIBUTE *attr;
|
||||
isc_mem_t *mctx;
|
||||
@@ -1082,7 +1088,12 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
|
||||
attr = pk11_attribute_bytype(dh, CKA_PRIME);
|
||||
INSIST(attr != NULL);
|
||||
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
|
||||
+
|
||||
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
|
||||
+ if (ret != ISC_R_SUCCESS) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ key->key_size = bits;
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
|
||||
diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c
|
||||
index 12d707a..24d4c14 100644
|
||||
--- a/lib/dns/pkcs11dsa_link.c
|
||||
+++ b/lib/dns/pkcs11dsa_link.c
|
||||
@@ -983,6 +983,7 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
dst_private_t priv;
|
||||
isc_result_t ret;
|
||||
int i;
|
||||
+ unsigned int bits;
|
||||
pk11_object_t *dsa = NULL;
|
||||
CK_ATTRIBUTE *attr;
|
||||
isc_mem_t *mctx = key->mctx;
|
||||
@@ -1072,7 +1073,12 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
|
||||
attr = pk11_attribute_bytype(dsa, CKA_PRIME);
|
||||
INSIST(attr != NULL);
|
||||
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
|
||||
+
|
||||
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
|
||||
+ if (ret != ISC_R_SUCCESS) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ key->key_size = bits;
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
|
||||
diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c
|
||||
index 6c280bf..86e136a 100644
|
||||
--- a/lib/dns/pkcs11rsa_link.c
|
||||
+++ b/lib/dns/pkcs11rsa_link.c
|
||||
@@ -337,6 +337,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
|
||||
key->key_alg == DST_ALG_RSASHA256 ||
|
||||
key->key_alg == DST_ALG_RSASHA512);
|
||||
#endif
|
||||
+ REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS);
|
||||
|
||||
/*
|
||||
* Reject incorrect RSA key lengths.
|
||||
@@ -381,6 +382,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
|
||||
for (attr = pk11_attribute_first(rsa);
|
||||
attr != NULL;
|
||||
attr = pk11_attribute_next(rsa, attr))
|
||||
+ {
|
||||
switch (attr->type) {
|
||||
case CKA_MODULUS:
|
||||
INSIST(keyTemplate[5].type == attr->type);
|
||||
@@ -401,12 +403,16 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
|
||||
memmove(keyTemplate[6].pValue, attr->pValue,
|
||||
attr->ulValueLen);
|
||||
keyTemplate[6].ulValueLen = attr->ulValueLen;
|
||||
- if (pk11_numbits(attr->pValue,
|
||||
- attr->ulValueLen) > maxbits &&
|
||||
- maxbits != 0)
|
||||
+ unsigned int bits;
|
||||
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen,
|
||||
+ &bits);
|
||||
+ if (ret != ISC_R_SUCCESS ||
|
||||
+ (bits > maxbits && maxbits != 0)) {
|
||||
DST_RET(DST_R_VERIFYFAILURE);
|
||||
+ }
|
||||
break;
|
||||
}
|
||||
+ }
|
||||
pk11_ctx->object = CK_INVALID_HANDLE;
|
||||
pk11_ctx->ontoken = false;
|
||||
PK11_RET(pkcs_C_CreateObject,
|
||||
@@ -1086,6 +1092,7 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
|
||||
keyTemplate[5].ulValueLen = attr->ulValueLen;
|
||||
break;
|
||||
case CKA_PUBLIC_EXPONENT:
|
||||
+ unsigned int bits;
|
||||
INSIST(keyTemplate[6].type == attr->type);
|
||||
keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
|
||||
attr->ulValueLen);
|
||||
@@ -1094,10 +1101,12 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
|
||||
memmove(keyTemplate[6].pValue, attr->pValue,
|
||||
attr->ulValueLen);
|
||||
keyTemplate[6].ulValueLen = attr->ulValueLen;
|
||||
- if (pk11_numbits(attr->pValue,
|
||||
- attr->ulValueLen)
|
||||
- > RSA_MAX_PUBEXP_BITS)
|
||||
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen,
|
||||
+ &bits);
|
||||
+ if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS)
|
||||
+ {
|
||||
DST_RET(DST_R_VERIFYFAILURE);
|
||||
+ }
|
||||
break;
|
||||
}
|
||||
pk11_ctx->object = CK_INVALID_HANDLE;
|
||||
@@ -1475,6 +1484,8 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
CK_BYTE *exponent = NULL, *modulus = NULL;
|
||||
CK_ATTRIBUTE *attr;
|
||||
unsigned int length;
|
||||
+ unsigned int bits;
|
||||
+ isc_result_t ret = ISC_R_SUCCESS;
|
||||
|
||||
isc_buffer_remainingregion(data, &r);
|
||||
if (r.length == 0)
|
||||
@@ -1492,9 +1503,7 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
|
||||
if (e_bytes == 0) {
|
||||
if (r.length < 2) {
|
||||
- isc_safe_memwipe(rsa, sizeof(*rsa));
|
||||
- isc_mem_put(key->mctx, rsa, sizeof(*rsa));
|
||||
- return (DST_R_INVALIDPUBLICKEY);
|
||||
+ DST_RET(DST_R_INVALIDPUBLICKEY);
|
||||
}
|
||||
e_bytes = (*r.base) << 8;
|
||||
isc_region_consume(&r, 1);
|
||||
@@ -1503,16 +1512,18 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
}
|
||||
|
||||
if (r.length < e_bytes) {
|
||||
- isc_safe_memwipe(rsa, sizeof(*rsa));
|
||||
- isc_mem_put(key->mctx, rsa, sizeof(*rsa));
|
||||
- return (DST_R_INVALIDPUBLICKEY);
|
||||
+ DST_RET(DST_R_INVALIDPUBLICKEY);
|
||||
}
|
||||
exponent = r.base;
|
||||
isc_region_consume(&r, e_bytes);
|
||||
modulus = r.base;
|
||||
mod_bytes = r.length;
|
||||
|
||||
- key->key_size = pk11_numbits(modulus, mod_bytes);
|
||||
+ ret = pk11_numbits(modulus, mod_bytes, &bits);
|
||||
+ if (ret != ISC_R_SUCCESS) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ key->key_size = bits;
|
||||
|
||||
isc_buffer_forward(data, length);
|
||||
|
||||
@@ -1562,9 +1573,12 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
rsa->repr,
|
||||
rsa->attrcnt * sizeof(*attr));
|
||||
}
|
||||
+ ret = ISC_R_NOMEMORY;
|
||||
+
|
||||
+ err:
|
||||
isc_safe_memwipe(rsa, sizeof(*rsa));
|
||||
isc_mem_put(key->mctx, rsa, sizeof(*rsa));
|
||||
- return (ISC_R_NOMEMORY);
|
||||
+ return (ret);
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
@@ -1743,6 +1757,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
|
||||
pk11_object_t *pubrsa;
|
||||
pk11_context_t *pk11_ctx = NULL;
|
||||
isc_result_t ret;
|
||||
+ unsigned int bits;
|
||||
|
||||
if (label == NULL)
|
||||
return (DST_R_NOENGINE);
|
||||
@@ -1829,7 +1844,11 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
|
||||
|
||||
attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
|
||||
INSIST(attr != NULL);
|
||||
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
|
||||
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
|
||||
+ if (ret != ISC_R_SUCCESS) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ key->key_size = bits;
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
|
||||
@@ -1915,6 +1934,7 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
CK_ATTRIBUTE *attr;
|
||||
isc_mem_t *mctx = key->mctx;
|
||||
const char *engine = NULL, *label = NULL;
|
||||
+ unsigned int bits;
|
||||
|
||||
/* read private key file */
|
||||
ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
|
||||
@@ -2058,12 +2078,22 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
|
||||
attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
|
||||
INSIST(attr != NULL);
|
||||
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
|
||||
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
|
||||
+ if (ret != ISC_R_SUCCESS) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ key->key_size = bits;
|
||||
|
||||
attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
|
||||
INSIST(attr != NULL);
|
||||
- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
|
||||
+
|
||||
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
|
||||
+ if (ret != ISC_R_SUCCESS) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (bits > RSA_MAX_PUBEXP_BITS) {
|
||||
DST_RET(ISC_R_RANGE);
|
||||
+ }
|
||||
|
||||
dst__privstruct_free(&priv, mctx);
|
||||
isc_safe_memwipe(&priv, sizeof(priv));
|
||||
@@ -2098,6 +2128,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
pk11_context_t *pk11_ctx = NULL;
|
||||
isc_result_t ret;
|
||||
unsigned int i;
|
||||
+ unsigned int bits;
|
||||
|
||||
UNUSED(pin);
|
||||
|
||||
@@ -2192,12 +2223,22 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
|
||||
attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
|
||||
INSIST(attr != NULL);
|
||||
- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
|
||||
+
|
||||
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
|
||||
+ if (ret != ISC_R_SUCCESS) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (bits > RSA_MAX_PUBEXP_BITS) {
|
||||
DST_RET(ISC_R_RANGE);
|
||||
+ }
|
||||
|
||||
attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
|
||||
INSIST(attr != NULL);
|
||||
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
|
||||
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
|
||||
+ if (ret != ISC_R_SUCCESS) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ key->key_size = bits;
|
||||
|
||||
pk11_return_session(pk11_ctx);
|
||||
isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
|
||||
diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h
|
||||
index 603712a..b9680bc 100644
|
||||
--- a/lib/isc/include/pk11/internal.h
|
||||
+++ b/lib/isc/include/pk11/internal.h
|
||||
@@ -27,7 +27,8 @@ void pk11_mem_put(void *ptr, size_t size);
|
||||
|
||||
CK_SLOT_ID pk11_get_best_token(pk11_optype_t optype);
|
||||
|
||||
-unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt);
|
||||
+isc_result_t
|
||||
+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits);
|
||||
|
||||
CK_ATTRIBUTE *pk11_attribute_first(const pk11_object_t *obj);
|
||||
|
||||
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
|
||||
index 4b85527..9c450da 100644
|
||||
--- a/lib/isc/pk11.c
|
||||
+++ b/lib/isc/pk11.c
|
||||
@@ -982,13 +982,15 @@ pk11_get_best_token(pk11_optype_t optype) {
|
||||
return (token->slotid);
|
||||
}
|
||||
|
||||
-unsigned int
|
||||
-pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
|
||||
+isc_result_t
|
||||
+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits) {
|
||||
unsigned int bitcnt, i;
|
||||
CK_BYTE top;
|
||||
|
||||
- if (bytecnt == 0)
|
||||
- return (0);
|
||||
+ if (bytecnt == 0) {
|
||||
+ *bits = 0;
|
||||
+ return (ISC_R_SUCCESS);
|
||||
+ }
|
||||
bitcnt = bytecnt * 8;
|
||||
for (i = 0; i < bytecnt; i++) {
|
||||
top = data[i];
|
||||
@@ -996,26 +998,41 @@ pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
|
||||
bitcnt -= 8;
|
||||
continue;
|
||||
}
|
||||
- if (top & 0x80)
|
||||
- return (bitcnt);
|
||||
- if (top & 0x40)
|
||||
- return (bitcnt - 1);
|
||||
- if (top & 0x20)
|
||||
- return (bitcnt - 2);
|
||||
- if (top & 0x10)
|
||||
- return (bitcnt - 3);
|
||||
- if (top & 0x08)
|
||||
- return (bitcnt - 4);
|
||||
- if (top & 0x04)
|
||||
- return (bitcnt - 5);
|
||||
- if (top & 0x02)
|
||||
- return (bitcnt - 6);
|
||||
- if (top & 0x01)
|
||||
- return (bitcnt - 7);
|
||||
+ if (top & 0x80) {
|
||||
+ *bits = bitcnt;
|
||||
+ return (ISC_R_SUCCESS);
|
||||
+ }
|
||||
+ if (top & 0x40) {
|
||||
+ *bits = bitcnt - 1;
|
||||
+ return (ISC_R_SUCCESS);
|
||||
+ }
|
||||
+ if (top & 0x20) {
|
||||
+ *bits = bitcnt - 2;
|
||||
+ return (ISC_R_SUCCESS);
|
||||
+ }
|
||||
+ if (top & 0x10) {
|
||||
+ *bits = bitcnt - 3;
|
||||
+ return (ISC_R_SUCCESS);
|
||||
+ }
|
||||
+ if (top & 0x08) {
|
||||
+ *bits = bitcnt - 4;
|
||||
+ return (ISC_R_SUCCESS);
|
||||
+ }
|
||||
+ if (top & 0x04) {
|
||||
+ *bits = bitcnt - 5;
|
||||
+ return (ISC_R_SUCCESS);
|
||||
+ }
|
||||
+ if (top & 0x02) {
|
||||
+ *bits = bitcnt - 6;
|
||||
+ return (ISC_R_SUCCESS);
|
||||
+ }
|
||||
+ if (top & 0x01) {
|
||||
+ *bits = bitcnt - 7;
|
||||
+ return (ISC_R_SUCCESS);
|
||||
+ }
|
||||
break;
|
||||
}
|
||||
- INSIST(0);
|
||||
- ISC_UNREACHABLE();
|
||||
+ return (ISC_R_RANGE);
|
||||
}
|
||||
|
||||
CK_ATTRIBUTE *
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,152 +0,0 @@
|
||||
From 221fb11e658e7dea1be6dbfd25e149f2d131e4fb Mon Sep 17 00:00:00 2001
|
||||
From: Mark Andrews <marka@isc.org>
|
||||
Date: Wed, 29 Jul 2020 23:36:03 +1000
|
||||
Subject: [PATCH] Add a test for update-policy 'subdomain'
|
||||
|
||||
The new test checks that 'update-policy subdomain' is properly enforced.
|
||||
|
||||
(cherry picked from commit 393e8f643c02215fa4e6d4edf67be7d77085da0e)
|
||||
|
||||
Add a test for update-policy 'zonesub'
|
||||
|
||||
The new test checks that 'update-policy zonesub' is properly enforced.
|
||||
|
||||
(cherry picked from commit 58e560beb50873c699f3431cf57e215dc645d7aa)
|
||||
---
|
||||
bin/tests/system/nsupdate/ns1/named.conf.in | 12 +++++
|
||||
bin/tests/system/nsupdate/tests.sh | 60 +++++++++++++++++++--
|
||||
2 files changed, 68 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
index 26b6b7c9ab..540a984842 100644
|
||||
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
@@ -36,6 +36,16 @@ key altkey {
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
+key restricted.example.nil {
|
||||
+ algorithm hmac-md5;
|
||||
+ secret "1234abcd8765";
|
||||
+};
|
||||
+
|
||||
+key zonesub-key.example.nil {
|
||||
+ algorithm hmac-md5;
|
||||
+ secret "1234subk8765";
|
||||
+};
|
||||
+
|
||||
include "ddns.key";
|
||||
|
||||
zone "example.nil" {
|
||||
@@ -44,7 +54,9 @@ zone "example.nil" {
|
||||
check-integrity no;
|
||||
check-mx ignore;
|
||||
update-policy {
|
||||
+ grant zonesub-key.example.nil zonesub TXT;
|
||||
grant ddns-key.example.nil subdomain example.nil ANY;
|
||||
+ grant restricted.example.nil subdomain restricted.example.nil ANY;
|
||||
};
|
||||
allow-transfer { any; };
|
||||
};
|
||||
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
|
||||
index b08c5220e7..5f09e8c5bf 100755
|
||||
--- a/bin/tests/system/nsupdate/tests.sh
|
||||
+++ b/bin/tests/system/nsupdate/tests.sh
|
||||
@@ -428,7 +428,7 @@ EOF
|
||||
# this also proves that the server is still running.
|
||||
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec example.\
|
||||
@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
|
||||
-grep "ANSWER: 0" dig.out.ns3.$n > /dev/null || ret=1
|
||||
+grep "ANSWER: 0," dig.out.ns3.$n > /dev/null || ret=1
|
||||
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
|
||||
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
|
||||
@@ -443,7 +443,7 @@ EOF
|
||||
|
||||
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.\
|
||||
@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
|
||||
-grep "ANSWER: 1" dig.out.ns3.$n > /dev/null || ret=1
|
||||
+grep "ANSWER: 1," dig.out.ns3.$n > /dev/null || ret=1
|
||||
grep "3600.*NSEC3PARAM" dig.out.ns3.$n > /dev/null || ret=1
|
||||
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
|
||||
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
@@ -460,7 +460,7 @@ EOF
|
||||
_ret=1
|
||||
for i in 0 1 2 3 4 5 6 7 8 9; do
|
||||
$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
|
||||
- if grep "ANSWER: 2" dig.out.ns3.$n > /dev/null; then
|
||||
+ if grep "ANSWER: 2," dig.out.ns3.$n > /dev/null; then
|
||||
_ret=0
|
||||
break
|
||||
fi
|
||||
@@ -485,7 +485,7 @@ EOF
|
||||
_ret=1
|
||||
for i in 0 1 2 3 4 5 6 7 8 9; do
|
||||
$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
|
||||
- if grep "ANSWER: 1" dig.out.ns3.$n > /dev/null; then
|
||||
+ if grep "ANSWER: 1," dig.out.ns3.$n > /dev/null; then
|
||||
_ret=0
|
||||
break
|
||||
fi
|
||||
@@ -631,6 +631,58 @@ then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
|
||||
+n=`expr $n + 1`
|
||||
+ret=0
|
||||
+echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
|
||||
+# "restricted.example.nil" matches "grant ... subdomain restricted.example.nil"
|
||||
+# and thus this UPDATE should succeed.
|
||||
+$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1
|
||||
+server 10.53.0.1 ${PORT}
|
||||
+key restricted.example.nil 1234abcd8765
|
||||
+update add restricted.example.nil 0 IN TXT everywhere.
|
||||
+send
|
||||
+END
|
||||
+$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1
|
||||
+grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1
|
||||
+# "example.nil" does not match "grant ... subdomain restricted.example.nil" and
|
||||
+# thus this UPDATE should fail.
|
||||
+$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1
|
||||
+server 10.53.0.1 ${PORT}
|
||||
+key restricted.example.nil 1234abcd8765
|
||||
+update add example.nil 0 IN TXT everywhere.
|
||||
+send
|
||||
+END
|
||||
+$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1
|
||||
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1
|
||||
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
+
|
||||
+n=`expr $n + 1`
|
||||
+ret=0
|
||||
+echo_i "check that 'update-policy zonesub' is properly enforced ($n)"
|
||||
+# grant zonesub-key.example.nil zonesub TXT;
|
||||
+# the A record update should be rejected as it is not in the type list
|
||||
+$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 && ret=1
|
||||
+server 10.53.0.1 ${PORT}
|
||||
+key zonesub-key.example.nil 1234subk8765
|
||||
+update add zonesub.example.nil 0 IN A 1.2.3.4
|
||||
+send
|
||||
+END
|
||||
+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A > dig.out.1.test$n || ret=1
|
||||
+grep "status: REFUSED" nsupdate.out1-$n > /dev/null || ret=1
|
||||
+grep "ANSWER: 0," dig.out.1.test$n > /dev/null || ret=1
|
||||
+# the TXT record update should be accepted as it is in the type list
|
||||
+$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 || ret=1
|
||||
+server 10.53.0.1 ${PORT}
|
||||
+key zonesub-key.example.nil 1234subk8765
|
||||
+update add zonesub.example.nil 0 IN TXT everywhere.
|
||||
+send
|
||||
+END
|
||||
+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT > dig.out.2.test$n || ret=1
|
||||
+grep "status: REFUSED" nsupdate.out2-$n > /dev/null && ret=1
|
||||
+grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
|
||||
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1
|
||||
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
+
|
||||
n=`expr $n + 1`
|
||||
ret=0
|
||||
echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)"
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,32 +0,0 @@
|
||||
From e2aae621408c7622d094f13a67b928f911a2793b Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Tue, 18 Aug 2020 10:55:50 +0200
|
||||
Subject: [PATCH] Fix CVE-2020-8624
|
||||
|
||||
5481. [security] "update-policy" rules of type "subdomain" were
|
||||
incorrectly treated as "zonesub" rules, which allowed
|
||||
keys used in "subdomain" rules to update names outside
|
||||
of the specified subdomains. The problem was fixed by
|
||||
making sure "subdomain" rules are again processed as
|
||||
described in the ARM. (CVE-2020-8624) [GL #2055]
|
||||
---
|
||||
bin/named/zoneconf.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
|
||||
index 55f191b..b77a07c 100644
|
||||
--- a/bin/named/zoneconf.c
|
||||
+++ b/bin/named/zoneconf.c
|
||||
@@ -239,7 +239,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
|
||||
|
||||
str = cfg_obj_asstring(matchtype);
|
||||
CHECK(dns_ssu_mtypefromstring(str, &mtype));
|
||||
- if (mtype == dns_ssumatchtype_subdomain) {
|
||||
+ if (mtype == dns_ssumatchtype_subdomain &&
|
||||
+ strcasecmp(str, "zonesub") == 0) {
|
||||
usezone = true;
|
||||
}
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 68baeb7211ba2fcd4eff53d987e9b70ba38294cb Mon Sep 17 00:00:00 2001
|
||||
From c928591eb2a3b17c5be0cad56c8e061ebba11a95 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Thu, 20 Dec 2018 11:52:12 +0100
|
||||
Subject: [PATCH] Fix implicit declaration warning
|
||||
@ -11,7 +11,7 @@ header providing it in files that use it.
|
||||
2 files changed, 2 insertions(+)
|
||||
|
||||
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
|
||||
index 36ee6c7..6051cd2 100644
|
||||
index 4b5b901..a3dd450 100644
|
||||
--- a/bin/tests/system/tkey/keydelete.c
|
||||
+++ b/bin/tests/system/tkey/keydelete.c
|
||||
@@ -21,6 +21,7 @@
|
||||
@ -23,7 +23,7 @@ index 36ee6c7..6051cd2 100644
|
||||
#include <isc/sockaddr.h>
|
||||
#include <isc/socket.h>
|
||||
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
|
||||
index 70805bb..33870f3 100644
|
||||
index c37b235..7786801 100644
|
||||
--- a/lib/dns/tsig.c
|
||||
+++ b/lib/dns/tsig.c
|
||||
@@ -18,6 +18,7 @@
|
||||
@ -31,9 +31,9 @@ index 70805bb..33870f3 100644
|
||||
#include <isc/buffer.h>
|
||||
#include <isc/mem.h>
|
||||
+#include <isc/md5.h>
|
||||
#include <isc/print.h>
|
||||
#include <isc/print.h>
|
||||
#include <isc/refcount.h>
|
||||
#include <isc/serial.h>
|
||||
--
|
||||
2.14.5
|
||||
2.26.2
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From c23daf334d5487fa53fef88c82312e439a2d8523 Mon Sep 17 00:00:00 2001
|
||||
From 14ad3e0b42bc999072d30268396412bec158a22d Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Thu, 2 Aug 2018 23:46:45 +0200
|
||||
Subject: [PATCH] FIPS tests changes
|
||||
@ -80,7 +80,7 @@ Date: Wed Mar 7 10:44:23 2018 +0100
|
||||
bin/tests/system/digdelv/tests.sh | 20 +++---
|
||||
bin/tests/system/dlv/ns1/sign.sh | 4 +-
|
||||
bin/tests/system/dlv/ns2/sign.sh | 4 +-
|
||||
bin/tests/system/dlv/ns6/sign.sh | 66 +++++++++---------
|
||||
bin/tests/system/dlv/ns6/sign.sh | 66 ++++++++++---------
|
||||
bin/tests/system/dnssec/ns2/sign.sh | 8 +--
|
||||
bin/tests/system/dnssec/ns5/trusted.conf.bad | 2 +-
|
||||
bin/tests/system/dnssec/tests.sh | 4 +-
|
||||
@ -92,22 +92,19 @@ Date: Wed Mar 7 10:44:23 2018 +0100
|
||||
bin/tests/system/nsupdate/ns1/named.conf.in | 2 +-
|
||||
bin/tests/system/nsupdate/ns2/named.conf.in | 2 +-
|
||||
bin/tests/system/nsupdate/setup.sh | 7 +-
|
||||
bin/tests/system/nsupdate/tests.sh | 11 ++-
|
||||
bin/tests/system/nsupdate/tests.sh | 11 +++-
|
||||
bin/tests/system/rndc/setup.sh | 2 +-
|
||||
bin/tests/system/rndc/tests.sh | 23 ++++---
|
||||
bin/tests/system/tsig/clean.sh | 1 +
|
||||
bin/tests/system/tsig/ns1/named.conf.in | 10 +--
|
||||
bin/tests/system/tsig/setup.sh | 5 ++
|
||||
bin/tests/system/tsig/tests.sh | 67 ++++++++++++-------
|
||||
bin/tests/system/tsig/tests.sh | 65 +++++++++++-------
|
||||
bin/tests/system/tsiggss/setup.sh | 2 +-
|
||||
bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
|
||||
bin/tests/system/upforwd/tests.sh | 2 +-
|
||||
bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++
|
||||
45 files changed, 232 insertions(+), 171 deletions(-)
|
||||
create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||
43 files changed, 220 insertions(+), 170 deletions(-)
|
||||
|
||||
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
|
||||
index 0ea6502..026db3f 100644
|
||||
index 9999ada..e3f8d0e 100644
|
||||
--- a/bin/tests/system/acl/ns2/named1.conf.in
|
||||
+++ b/bin/tests/system/acl/ns2/named1.conf.in
|
||||
@@ -33,12 +33,12 @@ options {
|
||||
@ -126,7 +123,7 @@ index 0ea6502..026db3f 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
|
||||
index b877880..d8f50be 100644
|
||||
index f8ec34e..d2d6ad3 100644
|
||||
--- a/bin/tests/system/acl/ns2/named2.conf.in
|
||||
+++ b/bin/tests/system/acl/ns2/named2.conf.in
|
||||
@@ -33,12 +33,12 @@ options {
|
||||
@ -145,7 +142,7 @@ index b877880..d8f50be 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
|
||||
index 0a95062..aa54088 100644
|
||||
index 2acb813..6a00344 100644
|
||||
--- a/bin/tests/system/acl/ns2/named3.conf.in
|
||||
+++ b/bin/tests/system/acl/ns2/named3.conf.in
|
||||
@@ -33,17 +33,17 @@ options {
|
||||
@ -170,7 +167,7 @@ index 0a95062..aa54088 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
|
||||
index 7cdcb6e..606a345 100644
|
||||
index bca3ee1..5913420 100644
|
||||
--- a/bin/tests/system/acl/ns2/named4.conf.in
|
||||
+++ b/bin/tests/system/acl/ns2/named4.conf.in
|
||||
@@ -33,12 +33,12 @@ options {
|
||||
@ -189,7 +186,7 @@ index 7cdcb6e..606a345 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
|
||||
index 4b4e050..0e679a8 100644
|
||||
index 9ef8171..5ae8d38 100644
|
||||
--- a/bin/tests/system/acl/ns2/named5.conf.in
|
||||
+++ b/bin/tests/system/acl/ns2/named5.conf.in
|
||||
@@ -34,12 +34,12 @@ options {
|
||||
@ -208,7 +205,7 @@ index 4b4e050..0e679a8 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
|
||||
index 09f31f2..f88f0d4 100644
|
||||
index 2ee34a0..a73a54e 100644
|
||||
--- a/bin/tests/system/acl/tests.sh
|
||||
+++ b/bin/tests/system/acl/tests.sh
|
||||
@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing"
|
||||
@ -334,7 +331,7 @@ index 09f31f2..f88f0d4 100644
|
||||
|
||||
echo_i "testing allow-query-on ACL processing"
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
|
||||
index 1569913..e9c5c2d 100644
|
||||
index a579f32..3b8f853 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named10.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in
|
||||
@@ -12,7 +12,7 @@
|
||||
@ -347,7 +344,7 @@ index 1569913..e9c5c2d 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
|
||||
index 18ac91c..2b1c873 100644
|
||||
index 166afa1..997ece9 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named11.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in
|
||||
@@ -12,12 +12,12 @@
|
||||
@ -366,7 +363,7 @@ index 18ac91c..2b1c873 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
|
||||
index b824844..dd48945 100644
|
||||
index 25271a5..a9cb65d 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named12.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in
|
||||
@@ -12,7 +12,7 @@
|
||||
@ -379,7 +376,7 @@ index b824844..dd48945 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
|
||||
index aeb1540..bfce58b 100644
|
||||
index c7c8254..f165e65 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named30.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in
|
||||
@@ -12,7 +12,7 @@
|
||||
@ -392,7 +389,7 @@ index aeb1540..bfce58b 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
|
||||
index d4b7432..e0f5252 100644
|
||||
index 567bbcc..4fd2035 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named31.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in
|
||||
@@ -12,12 +12,12 @@
|
||||
@ -411,7 +408,7 @@ index d4b7432..e0f5252 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
|
||||
index c025938..87afb3f 100644
|
||||
index b75161f..7b254e6 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named32.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in
|
||||
@@ -12,7 +12,7 @@
|
||||
@ -424,7 +421,7 @@ index c025938..87afb3f 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
|
||||
index d83b376..d726b94 100644
|
||||
index 9e17818..22f5001 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named40.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in
|
||||
@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; };
|
||||
@ -443,7 +440,7 @@ index d83b376..d726b94 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
|
||||
index fb6059d..f960156 100644
|
||||
index 791a1a4..95cd971 100644
|
||||
--- a/bin/tests/system/allow-query/tests.sh
|
||||
+++ b/bin/tests/system/allow-query/tests.sh
|
||||
@@ -190,7 +190,7 @@ rndc_reload
|
||||
@ -528,7 +525,7 @@ index fb6059d..f960156 100644
|
||||
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
|
||||
index 74b7d37..c353766 100644
|
||||
index 6856ec7..0ac1fa3 100644
|
||||
--- a/bin/tests/system/catz/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/catz/ns1/named.conf.in
|
||||
@@ -61,5 +61,5 @@ zone "catalog4.example" {
|
||||
@ -539,7 +536,7 @@ index 74b7d37..c353766 100644
|
||||
+ algorithm hmac-sha256;
|
||||
};
|
||||
diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in
|
||||
index ee83efb..35ced08 100644
|
||||
index dd3a9dc..77b8d96 100644
|
||||
--- a/bin/tests/system/catz/ns2/named.conf.in
|
||||
+++ b/bin/tests/system/catz/ns2/named.conf.in
|
||||
@@ -70,5 +70,5 @@ zone "catalog4.example" {
|
||||
@ -550,7 +547,7 @@ index ee83efb..35ced08 100644
|
||||
+ algorithm hmac-sha256;
|
||||
};
|
||||
diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
|
||||
index 21be03e..e57c308 100644
|
||||
index 338dddb..90cd424 100644
|
||||
--- a/bin/tests/system/checkconf/bad-tsig.conf
|
||||
+++ b/bin/tests/system/checkconf/bad-tsig.conf
|
||||
@@ -11,7 +11,7 @@
|
||||
@ -563,10 +560,10 @@ index 21be03e..e57c308 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
|
||||
index 9ab35b3..486551a 100644
|
||||
index 2282f87..1359cf3 100644
|
||||
--- a/bin/tests/system/checkconf/good.conf
|
||||
+++ b/bin/tests/system/checkconf/good.conf
|
||||
@@ -153,6 +153,6 @@ dyndb "name" "library.so" {
|
||||
@@ -159,6 +159,6 @@ dyndb "name" "library.so" {
|
||||
system;
|
||||
};
|
||||
key "mykey" {
|
||||
@ -575,7 +572,7 @@ index 9ab35b3..486551a 100644
|
||||
secret "qwertyuiopasdfgh";
|
||||
};
|
||||
diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db
|
||||
index f4e30f5..9f53e31 100644
|
||||
index b66207a..359b220 100644
|
||||
--- a/bin/tests/system/digdelv/ns2/example.db
|
||||
+++ b/bin/tests/system/digdelv/ns2/example.db
|
||||
@@ -38,12 +38,15 @@ foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890
|
||||
@ -601,10 +598,10 @@ index f4e30f5..9f53e31 100644
|
||||
; TTL of 3 weeks
|
||||
weeks 1814400 A 10.53.0.2
|
||||
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
|
||||
index ade45ce..d3aff24 100644
|
||||
index 2109001..ded5557 100644
|
||||
--- a/bin/tests/system/digdelv/tests.sh
|
||||
+++ b/bin/tests/system/digdelv/tests.sh
|
||||
@@ -106,7 +106,7 @@ if [ -x "$DIG" ] ; then
|
||||
@@ -155,7 +155,7 @@ if [ -x "$DIG" ] ; then
|
||||
echo_i "checking dig +rrcomments works for DNSKEY($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
@ -613,7 +610,7 @@ index ade45ce..d3aff24 100644
|
||||
check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
@@ -115,7 +115,7 @@ if [ -x "$DIG" ] ; then
|
||||
@@ -164,7 +164,7 @@ if [ -x "$DIG" ] ; then
|
||||
echo_i "checking dig +short +rrcomments works for DNSKEY ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
@ -622,7 +619,7 @@ index ade45ce..d3aff24 100644
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
@@ -123,7 +123,7 @@ if [ -x "$DIG" ] ; then
|
||||
@@ -172,7 +172,7 @@ if [ -x "$DIG" ] ; then
|
||||
echo_i "checking dig +short +nosplit works($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
@ -631,7 +628,7 @@ index ade45ce..d3aff24 100644
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
@@ -131,7 +131,7 @@ if [ -x "$DIG" ] ; then
|
||||
@@ -180,7 +180,7 @@ if [ -x "$DIG" ] ; then
|
||||
echo_i "checking dig +short +rrcomments works($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
@ -640,7 +637,7 @@ index ade45ce..d3aff24 100644
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
@@ -148,7 +148,7 @@ if [ -x "$DIG" ] ; then
|
||||
@@ -197,7 +197,7 @@ if [ -x "$DIG" ] ; then
|
||||
echo_i "checking dig +short +rrcomments works($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
@ -649,7 +646,7 @@ index ade45ce..d3aff24 100644
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
@@ -695,7 +695,7 @@ if [ -x ${DELV} ] ; then
|
||||
@@ -827,7 +827,7 @@ if [ -x ${DELV} ] ; then
|
||||
echo_i "checking delv +rrcomments works for DNSKEY($n)"
|
||||
ret=0
|
||||
$DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||
@ -658,7 +655,7 @@ index ade45ce..d3aff24 100644
|
||||
check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
@@ -704,7 +704,7 @@ if [ -x ${DELV} ] ; then
|
||||
@@ -836,7 +836,7 @@ if [ -x ${DELV} ] ; then
|
||||
echo_i "checking delv +short +rrcomments works for DNSKEY ($n)"
|
||||
ret=0
|
||||
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||
@ -667,7 +664,7 @@ index ade45ce..d3aff24 100644
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
@@ -712,7 +712,7 @@ if [ -x ${DELV} ] ; then
|
||||
@@ -844,7 +844,7 @@ if [ -x ${DELV} ] ; then
|
||||
echo_i "checking delv +short +rrcomments works ($n)"
|
||||
ret=0
|
||||
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||
@ -676,7 +673,7 @@ index ade45ce..d3aff24 100644
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
@@ -720,7 +720,7 @@ if [ -x ${DELV} ] ; then
|
||||
@@ -852,7 +852,7 @@ if [ -x ${DELV} ] ; then
|
||||
echo_i "checking delv +short +nosplit works ($n)"
|
||||
ret=0
|
||||
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||
@ -685,7 +682,7 @@ index ade45ce..d3aff24 100644
|
||||
if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
|
||||
f=`awk '{print NF}' < delv.out.test$n`
|
||||
test "${f:-0}" -eq 14 || ret=1
|
||||
@@ -731,7 +731,7 @@ if [ -x ${DELV} ] ; then
|
||||
@@ -863,7 +863,7 @@ if [ -x ${DELV} ] ; then
|
||||
echo_i "checking delv +short +nosplit +norrcomments works ($n)"
|
||||
ret=0
|
||||
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||
@ -695,7 +692,7 @@ index ade45ce..d3aff24 100644
|
||||
f=`awk '{print NF}' < delv.out.test$n`
|
||||
test "${f:-0}" -eq 4 || ret=1
|
||||
diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh
|
||||
index 606e7cc..a3a0d60 100755
|
||||
index 14ca5db..3f522d0 100755
|
||||
--- a/bin/tests/system/dlv/ns1/sign.sh
|
||||
+++ b/bin/tests/system/dlv/ns1/sign.sh
|
||||
@@ -23,8 +23,8 @@ infile=root.db.in
|
||||
@ -710,7 +707,7 @@ index 606e7cc..a3a0d60 100755
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh
|
||||
index 9825c57..202c978 100755
|
||||
index d870798..b0ab372 100755
|
||||
--- a/bin/tests/system/dlv/ns2/sign.sh
|
||||
+++ b/bin/tests/system/dlv/ns2/sign.sh
|
||||
@@ -24,8 +24,8 @@ zonefile=druz.db
|
||||
@ -725,7 +722,7 @@ index 9825c57..202c978 100755
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh
|
||||
index 1e39862..4ed19ac 100755
|
||||
index ba39f90..f20a2dd 100755
|
||||
--- a/bin/tests/system/dlv/ns6/sign.sh
|
||||
+++ b/bin/tests/system/dlv/ns6/sign.sh
|
||||
@@ -16,13 +16,15 @@ SYSTESTDIR=dlv
|
||||
@ -912,7 +909,7 @@ index 1e39862..4ed19ac 100755
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
|
||||
index 13fb924..1ffa279 100644
|
||||
index e28b3f1..29c169b 100644
|
||||
--- a/bin/tests/system/dnssec/ns2/sign.sh
|
||||
+++ b/bin/tests/system/dnssec/ns2/sign.sh
|
||||
@@ -126,8 +126,8 @@ zone=in-addr.arpa.
|
||||
@ -945,7 +942,7 @@ index 13fb924..1ffa279 100644
|
||||
cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile
|
||||
|
||||
diff --git a/bin/tests/system/dnssec/ns5/trusted.conf.bad b/bin/tests/system/dnssec/ns5/trusted.conf.bad
|
||||
index ed30460..e6b1126 100644
|
||||
index 75cf699..b4d848c 100644
|
||||
--- a/bin/tests/system/dnssec/ns5/trusted.conf.bad
|
||||
+++ b/bin/tests/system/dnssec/ns5/trusted.conf.bad
|
||||
@@ -10,5 +10,5 @@
|
||||
@ -956,10 +953,10 @@ index ed30460..e6b1126 100644
|
||||
+ "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV";
|
||||
};
|
||||
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
|
||||
index b31c1b4..a5e237b 100644
|
||||
index 3e8e4d5..da692f9 100644
|
||||
--- a/bin/tests/system/dnssec/tests.sh
|
||||
+++ b/bin/tests/system/dnssec/tests.sh
|
||||
@@ -3235,8 +3235,8 @@ do
|
||||
@@ -3257,8 +3257,8 @@ do
|
||||
alg=`expr $alg + 1`
|
||||
continue;;
|
||||
3) size="-b 512";;
|
||||
@ -971,7 +968,7 @@ index b31c1b4..a5e237b 100644
|
||||
8) size="-b 512";;
|
||||
10) size="-b 1024";;
|
||||
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
|
||||
index c1249ed..20a3139 100644
|
||||
index 5e473ab..b08692e 100644
|
||||
--- a/bin/tests/system/feature-test.c
|
||||
+++ b/bin/tests/system/feature-test.c
|
||||
@@ -19,6 +19,7 @@
|
||||
@ -983,14 +980,14 @@ index c1249ed..20a3139 100644
|
||||
|
||||
#ifdef WIN32
|
||||
@@ -47,6 +48,7 @@ usage() {
|
||||
fprintf(stderr, " --have-geoip2\n");
|
||||
fprintf(stderr, " --have-libxml2\n");
|
||||
fprintf(stderr, " --ipv6only=no\n");
|
||||
+ fprintf(stderr, " --md5\n");
|
||||
fprintf(stderr, " --rpz-nsdname\n");
|
||||
fprintf(stderr, " --rpz-nsip\n");
|
||||
fprintf(stderr, " --with-idn\n");
|
||||
@@ -155,6 +157,18 @@ main(int argc, char **argv) {
|
||||
fprintf(stderr, "\t--have-geoip\n");
|
||||
fprintf(stderr, "\t--have-libxml2\n");
|
||||
fprintf(stderr, "\t--ipv6only=no\n");
|
||||
+ fprintf(stderr, "\t--md5\n");
|
||||
fprintf(stderr, "\t--rpz-log-qtype-qclass\n");
|
||||
fprintf(stderr, "\t--rpz-nsdname\n");
|
||||
fprintf(stderr, "\t--rpz-nsip\n");
|
||||
@@ -194,6 +196,18 @@ main(int argc, char **argv) {
|
||||
#endif
|
||||
}
|
||||
|
||||
@ -1010,7 +1007,7 @@ index c1249ed..20a3139 100644
|
||||
#ifdef ENABLE_RPZ_NSIP
|
||||
return (0);
|
||||
diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh
|
||||
index f755581..4a7d890 100755
|
||||
index 479f98c..4d4a765 100755
|
||||
--- a/bin/tests/system/filter-aaaa/ns1/sign.sh
|
||||
+++ b/bin/tests/system/filter-aaaa/ns1/sign.sh
|
||||
@@ -21,8 +21,8 @@ infile=signed.db.in
|
||||
@ -1025,7 +1022,7 @@ index f755581..4a7d890 100755
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh
|
||||
index f755581..4a7d890 100755
|
||||
index 479f98c..4d4a765 100755
|
||||
--- a/bin/tests/system/filter-aaaa/ns4/sign.sh
|
||||
+++ b/bin/tests/system/filter-aaaa/ns4/sign.sh
|
||||
@@ -21,8 +21,8 @@ infile=signed.db.in
|
||||
@ -1040,7 +1037,7 @@ index f755581..4a7d890 100755
|
||||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
|
||||
index cfcfe8f..0a1614d 100644
|
||||
index 157ef16..b802288 100644
|
||||
--- a/bin/tests/system/notify/ns5/named.conf.in
|
||||
+++ b/bin/tests/system/notify/ns5/named.conf.in
|
||||
@@ -10,17 +10,17 @@
|
||||
@ -1065,7 +1062,7 @@ index cfcfe8f..0a1614d 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
|
||||
index 1f6e6d0..c08bd25 100644
|
||||
index f9fd3f5..916af75 100644
|
||||
--- a/bin/tests/system/notify/tests.sh
|
||||
+++ b/bin/tests/system/notify/tests.sh
|
||||
@@ -212,16 +212,16 @@ ret=0
|
||||
@ -1089,7 +1086,7 @@ index 1f6e6d0..c08bd25 100644
|
||||
grep "test string" dig.out.b.ns5.test$n > /dev/null &&
|
||||
grep "test string" dig.out.c.ns5.test$n > /dev/null &&
|
||||
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
index 1d999ad..26b6b7c 100644
|
||||
index b0ded3a..cb80269 100644
|
||||
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
@@ -32,7 +32,7 @@ controls {
|
||||
@ -1102,7 +1099,7 @@ index 1d999ad..26b6b7c 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
|
||||
index 4549184..cb7dccd 100644
|
||||
index e6e2382..b0a94e0 100644
|
||||
--- a/bin/tests/system/nsupdate/ns2/named.conf.in
|
||||
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
|
||||
@@ -33,7 +33,7 @@ controls {
|
||||
@ -1115,10 +1112,10 @@ index 4549184..cb7dccd 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
|
||||
index 21805c5..0d3d85c 100644
|
||||
index 6fbf1d7..a712b17 100644
|
||||
--- a/bin/tests/system/nsupdate/setup.sh
|
||||
+++ b/bin/tests/system/nsupdate/setup.sh
|
||||
@@ -58,7 +58,12 @@ EOF
|
||||
@@ -53,7 +53,12 @@ EOF
|
||||
|
||||
$DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key
|
||||
|
||||
@ -1133,10 +1130,10 @@ index 21805c5..0d3d85c 100644
|
||||
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
|
||||
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
|
||||
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
|
||||
index 4da4849..b3bc807 100755
|
||||
index 6b2c8f6..96ad95e 100755
|
||||
--- a/bin/tests/system/nsupdate/tests.sh
|
||||
+++ b/bin/tests/system/nsupdate/tests.sh
|
||||
@@ -708,7 +708,14 @@ fi
|
||||
@@ -788,7 +788,14 @@ fi
|
||||
n=`expr $n + 1`
|
||||
ret=0
|
||||
echo_i "check TSIG key algorithms ($n)"
|
||||
@ -1152,7 +1149,7 @@ index 4da4849..b3bc807 100755
|
||||
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
update add ${alg}.keytests.nil. 600 A 10.10.10.3
|
||||
@@ -716,7 +723,7 @@ send
|
||||
@@ -796,7 +803,7 @@ send
|
||||
END
|
||||
done
|
||||
sleep 2
|
||||
@ -1162,10 +1159,10 @@ index 4da4849..b3bc807 100755
|
||||
done
|
||||
if [ $ret -ne 0 ]; then
|
||||
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
|
||||
index 343869e..c30efb0 100644
|
||||
index 2eb2cd5..36f5114 100644
|
||||
--- a/bin/tests/system/rndc/setup.sh
|
||||
+++ b/bin/tests/system/rndc/setup.sh
|
||||
@@ -37,7 +37,7 @@ make_key () {
|
||||
@@ -35,7 +35,7 @@ make_key () {
|
||||
sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
|
||||
}
|
||||
|
||||
@ -1175,7 +1172,7 @@ index 343869e..c30efb0 100644
|
||||
make_key 3 ${EXTRAPORT3} hmac-sha224
|
||||
make_key 4 ${EXTRAPORT4} hmac-sha256
|
||||
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
|
||||
index 57e066d..186a723 100644
|
||||
index 4e25e51..cb8934c 100644
|
||||
--- a/bin/tests/system/rndc/tests.sh
|
||||
+++ b/bin/tests/system/rndc/tests.sh
|
||||
@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@ -1208,17 +1205,8 @@ index 57e066d..186a723 100644
|
||||
|
||||
n=`expr $n + 1`
|
||||
echo_i "testing rndc with hmac-sha1 ($n)"
|
||||
diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh
|
||||
index 576ec70..cb7a852 100644
|
||||
--- a/bin/tests/system/tsig/clean.sh
|
||||
+++ b/bin/tests/system/tsig/clean.sh
|
||||
@@ -20,3 +20,4 @@ rm -f */named.run
|
||||
rm -f ns*/named.lock
|
||||
rm -f Kexample.net.+163+*
|
||||
rm -f keygen.out?
|
||||
+rm -f ns1/named.conf
|
||||
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
|
||||
index fbf30c6..f61657d 100644
|
||||
index 4905ffd..958d9fb 100644
|
||||
--- a/bin/tests/system/tsig/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/tsig/ns1/named.conf.in
|
||||
@@ -21,10 +21,7 @@ options {
|
||||
@ -1246,10 +1234,10 @@ index fbf30c6..f61657d 100644
|
||||
key "sha1-trunc" {
|
||||
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
|
||||
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
|
||||
index 4dd4a25..aa0f966 100644
|
||||
index f42aa79..bfcf4a6 100644
|
||||
--- a/bin/tests/system/tsig/setup.sh
|
||||
+++ b/bin/tests/system/tsig/setup.sh
|
||||
@@ -17,3 +17,8 @@ $SHELL clean.sh
|
||||
@@ -15,3 +15,8 @@ SYSTEMTESTTOP=..
|
||||
copy_setports ns1/named.conf.in ns1/named.conf
|
||||
|
||||
test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
|
||||
@ -1259,7 +1247,7 @@ index 4dd4a25..aa0f966 100644
|
||||
+ cat ns1/rndc5.conf.in >> ns1/named.conf
|
||||
+fi
|
||||
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
|
||||
index f731fa6..cade35b 100644
|
||||
index ed41e1d..98c542e 100644
|
||||
--- a/bin/tests/system/tsig/tests.sh
|
||||
+++ b/bin/tests/system/tsig/tests.sh
|
||||
@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
|
||||
@ -1273,13 +1261,6 @@ index f731fa6..cade35b 100644
|
||||
-if [ $ret -eq 1 ] ; then
|
||||
- echo_i "failed"; status=1
|
||||
-fi
|
||||
-
|
||||
-echo_i "fetching using hmac-md5 (new form)"
|
||||
-ret=0
|
||||
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
|
||||
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
|
||||
-if [ $ret -eq 1 ] ; then
|
||||
- echo_i "failed"; status=1
|
||||
+if $FEATURETEST --md5
|
||||
+then
|
||||
+ echo_i "fetching using hmac-md5 (old form)"
|
||||
@ -1289,7 +1270,13 @@ index f731fa6..cade35b 100644
|
||||
+ if [ $ret -eq 1 ] ; then
|
||||
+ echo_i "failed"; status=1
|
||||
+ fi
|
||||
+
|
||||
|
||||
-echo_i "fetching using hmac-md5 (new form)"
|
||||
-ret=0
|
||||
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
|
||||
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
|
||||
-if [ $ret -eq 1 ] ; then
|
||||
- echo_i "failed"; status=1
|
||||
+ echo_i "fetching using hmac-md5 (new form)"
|
||||
+ ret=0
|
||||
+ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
|
||||
@ -1351,10 +1338,10 @@ index f731fa6..cade35b 100644
|
||||
|
||||
echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
|
||||
diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh
|
||||
index 0d21c7b..dbcb7b4 100644
|
||||
index f04c907..09da5f9 100644
|
||||
--- a/bin/tests/system/tsiggss/setup.sh
|
||||
+++ b/bin/tests/system/tsiggss/setup.sh
|
||||
@@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
|
||||
@@ -16,5 +16,5 @@ test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
|
||||
|
||||
copy_setports ns1/named.conf.in ns1/named.conf
|
||||
|
||||
@ -1362,7 +1349,7 @@ index 0d21c7b..dbcb7b4 100644
|
||||
+key=`$KEYGEN -Cq -K ns1 -a DSA -b 1024 -r $RANDFILE -n HOST -T KEY key.example.nil.`
|
||||
cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db
|
||||
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
|
||||
index e0a30cd..6a77b1c 100644
|
||||
index 4ddd7a4..238f52a 100644
|
||||
--- a/bin/tests/system/upforwd/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
|
||||
@@ -10,7 +10,7 @@
|
||||
@ -1375,7 +1362,7 @@ index e0a30cd..6a77b1c 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
|
||||
index b0694bb..9adae82 100644
|
||||
index 1cf8d3b..f4c3216 100644
|
||||
--- a/bin/tests/system/upforwd/tests.sh
|
||||
+++ b/bin/tests/system/upforwd/tests.sh
|
||||
@@ -68,7 +68,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
|
||||
@ -1387,22 +1374,6 @@ index b0694bb..9adae82 100644
|
||||
server 10.53.0.3 ${PORT}
|
||||
update add updated.example. 600 A 10.10.10.1
|
||||
update add updated.example. 600 TXT Foo
|
||||
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||
new file mode 100644
|
||||
index 0000000..0682194
|
||||
--- /dev/null
|
||||
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||
@@ -0,0 +1,10 @@
|
||||
+# Conditionally included when support for MD5 is available
|
||||
+key "md5" {
|
||||
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
+ algorithm hmac-md5;
|
||||
+};
|
||||
+
|
||||
+key "md5-trunc" {
|
||||
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
+ algorithm hmac-md5-80;
|
||||
+};
|
||||
--
|
||||
2.20.1
|
||||
2.26.2
|
||||
|
||||
|
@ -1,288 +0,0 @@
|
||||
From f27598743ab6e03271e26f23da4beba748d19c60 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
|
||||
Date: Wed, 25 Apr 2018 14:04:31 +0200
|
||||
Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts
|
||||
|
||||
(cherry picked from commit 66ba2fdad583d962a1f4971c85d58381f0849e4d)
|