import bind-9.11.26-3.el8

This commit is contained in:
CentOS Sources 2021-05-18 02:38:43 -04:00 committed by Andrew Lukoshko
parent cacdacb017
commit e50e0af00e
16 changed files with 622 additions and 1499 deletions

View File

@ -1,2 +1,2 @@
ff6ad0d3f9282a77786e93eb889154008ef1ccdf SOURCES/bind-9.11.20.tar.gz
14064c865920842e48f444be2bda9dc91770e439 SOURCES/bind-9.11.26.tar.gz
a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/bind-9.11.20.tar.gz
SOURCES/bind-9.11.26.tar.gz
SOURCES/random.data

View File

@ -1,5 +1,5 @@
diff --git a/bin/Makefile.in b/bin/Makefile.in
index f0c504a..ce7a2da 100644
index a18b222..26a7e4e 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -11,8 +11,8 @@ srcdir = @srcdir@
@ -14,7 +14,7 @@ index f0c504a..ce7a2da 100644
@BIND9_MAKE_RULES@
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
index 4b8ca13..32f4470 100644
index 390aa0c..e59a118 100644
--- a/bin/dnssec-pkcs11/Makefile.in
+++ b/bin/dnssec-pkcs11/Makefile.in
@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@
@ -130,7 +130,7 @@ index 4b8ca13..32f4470 100644
clean distclean::
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index 4b8ca13..4175996 100644
index 390aa0c..851a008 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -17,7 +17,7 @@ VERSION=@BIND9_VERSION@
@ -273,10 +273,10 @@ index 3166368..890574f 100644
CWARNINGS =
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
index a058c91..d4b689a 100644
index 2c19e7e..8223d5e 100644
--- a/bin/pkcs11/Makefile.in
+++ b/bin/pkcs11/Makefile.in
@@ -15,13 +15,13 @@ top_srcdir = @top_srcdir@
@@ -13,13 +13,13 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
@ -294,10 +294,10 @@ index a058c91..d4b689a 100644
DEPLIBS = ${ISCDEPLIBS}
diff --git a/configure.ac b/configure.ac
index 9b7d778..59ba20b 100644
index c6715b4..8144268 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1139,12 +1139,14 @@ AC_SUBST(USE_GSSAPI)
@@ -1176,12 +1176,14 @@ AC_SUBST(USE_GSSAPI)
AC_SUBST(DST_GSSAPI_INC)
AC_SUBST(DNS_GSSAPI_LIBS)
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
@ -312,24 +312,26 @@ index 9b7d778..59ba20b 100644
#
# was --with-randomdev specified?
@@ -1494,11 +1496,11 @@ AC_ARG_ENABLE(openssl-hash,
@@ -1554,12 +1556,12 @@ AC_ARG_ENABLE(openssl-hash,
AC_MSG_CHECKING(for OpenSSL library)
OPENSSL_WARNING=
openssldirs="/usr /usr/local /usr/local/ssl /opt/local /usr/pkg /usr/sfw"
-if test "yes" = "$want_native_pkcs11"
-then
- use_openssl="native_pkcs11"
- want_openssl_hash="no"
- AC_MSG_RESULT(use of native PKCS11 instead)
-fi
+# if test "yes" = "$want_native_pkcs11"
+# then
+# use_openssl="native_pkcs11"
+# AC_MSG_RESULT(use of native PKCS11 instead)
+# fi
+#if test "yes" = "$want_native_pkcs11"
+#then
+# use_openssl="native_pkcs11"
+# want_openssl_hash="no"
+# AC_MSG_RESULT(use of native PKCS11 instead)
+#fi
if test "auto" = "$use_openssl"
then
@@ -1511,6 +1513,7 @@ then
@@ -1572,6 +1574,7 @@ then
fi
done
fi
@ -337,7 +339,7 @@ index 9b7d778..59ba20b 100644
OPENSSL_ECDSA=""
OPENSSL_GOST=""
OPENSSL_ED25519=""
@@ -1532,11 +1535,10 @@ case "$with_gost" in
@@ -1593,11 +1596,10 @@ case "$with_gost" in
;;
esac
@ -352,7 +354,7 @@ index 9b7d778..59ba20b 100644
CRYPTOLIB="pkcs11"
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
@@ -1546,7 +1548,9 @@ case "$use_openssl" in
@@ -1607,7 +1609,9 @@ case "$use_openssl" in
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
@ -363,7 +365,7 @@ index 9b7d778..59ba20b 100644
no)
AC_MSG_RESULT(no)
DST_OPENSSL_INC=""
@@ -1578,7 +1582,7 @@ case "$use_openssl" in
@@ -1639,7 +1643,7 @@ case "$use_openssl" in
If you do not want OpenSSL, use --without-openssl])
;;
*)
@ -372,7 +374,7 @@ index 9b7d778..59ba20b 100644
then
AC_MSG_RESULT()
AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
@@ -2006,6 +2010,7 @@ AC_SUBST(OPENSSL_ED25519)
@@ -2067,6 +2071,7 @@ AC_SUBST(OPENSSL_ED25519)
AC_SUBST(OPENSSL_GOST)
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
@ -380,7 +382,7 @@ index 9b7d778..59ba20b 100644
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
if test "yes" = "$with_aes"
@@ -2291,6 +2296,7 @@ esac
@@ -2353,6 +2358,7 @@ esac
AC_SUBST(PKCS11LINKOBJS)
AC_SUBST(PKCS11LINKSRCS)
AC_SUBST(CRYPTO)
@ -388,7 +390,7 @@ index 9b7d778..59ba20b 100644
AC_SUBST(PKCS11_ECDSA)
AC_SUBST(PKCS11_GOST)
AC_SUBST(PKCS11_ED25519)
@@ -5405,8 +5411,11 @@ AC_CONFIG_FILES([
@@ -5501,8 +5507,11 @@ AC_CONFIG_FILES([
bin/delv/Makefile
bin/dig/Makefile
bin/dnssec/Makefile
@ -400,7 +402,7 @@ index 9b7d778..59ba20b 100644
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
@@ -5479,6 +5488,10 @@ AC_CONFIG_FILES([
@@ -5575,6 +5584,10 @@ AC_CONFIG_FILES([
lib/dns/include/dns/Makefile
lib/dns/include/dst/Makefile
lib/dns/tests/Makefile
@ -411,7 +413,7 @@ index 9b7d778..59ba20b 100644
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
@@ -5503,6 +5516,24 @@ AC_CONFIG_FILES([
@@ -5599,6 +5612,24 @@ AC_CONFIG_FILES([
lib/isc/unix/include/Makefile
lib/isc/unix/include/isc/Makefile
lib/isc/unix/include/pkcs11/Makefile
@ -437,7 +439,7 @@ index 9b7d778..59ba20b 100644
lib/isccc/include/Makefile
lib/isccc/include/isccc/Makefile
diff --git a/lib/Makefile.in b/lib/Makefile.in
index 81270a0..bcb5312 100644
index f089bea..3ed939b 100644
--- a/lib/Makefile.in
+++ b/lib/Makefile.in
@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@
@ -450,7 +452,7 @@ index 81270a0..bcb5312 100644
@BIND9_MAKE_RULES@
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
index 7f09bd6..c388d9e 100644
index 8fc4e94..5eefb14 100644
--- a/lib/dns-pkcs11/Makefile.in
+++ b/lib/dns-pkcs11/Makefile.in
@@ -26,17 +26,16 @@ VERSION=@BIND9_VERSION@
@ -525,7 +527,7 @@ index 7f09bd6..c388d9e 100644
rm -f include/dns/rdatastruct.h
rm -f dnstap.pb-c.c dnstap.pb-c.h
diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in
index 8ad54bb..a3ecdfb 100644
index 7e3e9ce..58d7466 100644
--- a/lib/isc-pkcs11/Makefile.in
+++ b/lib/isc-pkcs11/Makefile.in
@@ -23,8 +23,8 @@ CINCLUDES = -I${srcdir}/unix/include \
@ -539,7 +541,7 @@ index 8ad54bb..a3ecdfb 100644
CWARNINGS =
# Alphabetically
@@ -103,40 +103,40 @@ version.@O@: version.c
@@ -107,40 +107,40 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
@ -593,10 +595,10 @@ index 8ad54bb..a3ecdfb 100644
+ rm -f libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ libisc-pkcs11.la \
+ libisc-pkcs11-nosymtbl.la timestamp
diff --git a/make/includes.in b/make/includes.in
index fa86ad1..3cfbe9f 100644
index 66efe68..966671f 100644
--- a/make/includes.in
+++ b/make/includes.in
@@ -43,3 +43,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
@@ -41,3 +41,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
TEST_INCLUDES = \
-I${top_srcdir}/lib/tests/include

View File

@ -1,57 +0,0 @@
From c5a9fd85a19a63f88a5f17c7e6d074ee22364093 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 18 Aug 2020 10:53:33 +0200
Subject: [PATCH] Fix CVE-2020-8622
5476. [security] It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request.
(CVE-2020-8622) [GL #2028]
---
lib/dns/message.c | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/lib/dns/message.c b/lib/dns/message.c
index d9e341a..7c813a5 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -1712,6 +1712,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
msg->header_ok = 0;
msg->question_ok = 0;
+ if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
+ isc_buffer_usedregion(&origsource, &msg->saved);
+ } else {
+ msg->saved.length = isc_buffer_usedlength(&origsource);
+ msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
+ if (msg->saved.base == NULL) {
+ return (ISC_R_NOMEMORY);
+ }
+ memmove(msg->saved.base, isc_buffer_base(&origsource),
+ msg->saved.length);
+ msg->free_saved = 1;
+ }
+
isc_buffer_remainingregion(source, &r);
if (r.length < DNS_MESSAGE_HEADERLEN)
return (ISC_R_UNEXPECTEDEND);
@@ -1787,17 +1800,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
}
truncated:
- if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)
- isc_buffer_usedregion(&origsource, &msg->saved);
- else {
- msg->saved.length = isc_buffer_usedlength(&origsource);
- msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
- if (msg->saved.base == NULL)
- return (ISC_R_NOMEMORY);
- memmove(msg->saved.base, isc_buffer_base(&origsource),
- msg->saved.length);
- msg->free_saved = 1;
- }
if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
return (DNS_R_RECOVERABLE);
--
2.26.2

View File

@ -1,400 +0,0 @@
From e8b7be1e1ff3e11bc8d592c3c8d6a0f0d69e9947 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 18 Aug 2020 10:54:39 +0200
Subject: [PATCH] Fix CVE-2020-8623
5480. [security] When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code
determining the number of bits in the PKCS#11 RSA public
key with a specially crafted packet. (CVE-2020-8623)
[GL #2037]
---
lib/dns/pkcs11dh_link.c | 15 ++++++-
lib/dns/pkcs11dsa_link.c | 8 +++-
lib/dns/pkcs11rsa_link.c | 79 +++++++++++++++++++++++++--------
lib/isc/include/pk11/internal.h | 3 +-
lib/isc/pk11.c | 61 ++++++++++++++++---------
5 files changed, 121 insertions(+), 45 deletions(-)
diff --git a/lib/dns/pkcs11dh_link.c b/lib/dns/pkcs11dh_link.c
index e2b60ea..4cd8e32 100644
--- a/lib/dns/pkcs11dh_link.c
+++ b/lib/dns/pkcs11dh_link.c
@@ -748,6 +748,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
CK_BYTE *prime = NULL, *base = NULL, *pub = NULL;
CK_ATTRIBUTE *attr;
int special = 0;
+ unsigned int bits;
isc_result_t result;
isc_buffer_remainingregion(data, &r);
@@ -852,7 +853,11 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
pub = r.base;
isc_region_consume(&r, publen);
- key->key_size = pk11_numbits(prime, plen_);
+ result = pk11_numbits(prime, plen_, &bits);
+ if (result != ISC_R_SUCCESS) {
+ goto cleanup;
+ }
+ key->key_size = bits;
dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
if (dh->repr == NULL)
@@ -1012,6 +1017,7 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t ret;
int i;
+ unsigned int bits;
pk11_object_t *dh = NULL;
CK_ATTRIBUTE *attr;
isc_mem_t *mctx;
@@ -1082,7 +1088,12 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
attr = pk11_attribute_bytype(dh, CKA_PRIME);
INSIST(attr != NULL);
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
return (ISC_R_SUCCESS);
diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c
index 12d707a..24d4c14 100644
--- a/lib/dns/pkcs11dsa_link.c
+++ b/lib/dns/pkcs11dsa_link.c
@@ -983,6 +983,7 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t ret;
int i;
+ unsigned int bits;
pk11_object_t *dsa = NULL;
CK_ATTRIBUTE *attr;
isc_mem_t *mctx = key->mctx;
@@ -1072,7 +1073,12 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
attr = pk11_attribute_bytype(dsa, CKA_PRIME);
INSIST(attr != NULL);
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
return (ISC_R_SUCCESS);
diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c
index 6c280bf..86e136a 100644
--- a/lib/dns/pkcs11rsa_link.c
+++ b/lib/dns/pkcs11rsa_link.c
@@ -337,6 +337,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
#endif
+ REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS);
/*
* Reject incorrect RSA key lengths.
@@ -381,6 +382,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
for (attr = pk11_attribute_first(rsa);
attr != NULL;
attr = pk11_attribute_next(rsa, attr))
+ {
switch (attr->type) {
case CKA_MODULUS:
INSIST(keyTemplate[5].type == attr->type);
@@ -401,12 +403,16 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
memmove(keyTemplate[6].pValue, attr->pValue,
attr->ulValueLen);
keyTemplate[6].ulValueLen = attr->ulValueLen;
- if (pk11_numbits(attr->pValue,
- attr->ulValueLen) > maxbits &&
- maxbits != 0)
+ unsigned int bits;
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen,
+ &bits);
+ if (ret != ISC_R_SUCCESS ||
+ (bits > maxbits && maxbits != 0)) {
DST_RET(DST_R_VERIFYFAILURE);
+ }
break;
}
+ }
pk11_ctx->object = CK_INVALID_HANDLE;
pk11_ctx->ontoken = false;
PK11_RET(pkcs_C_CreateObject,
@@ -1086,6 +1092,7 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
keyTemplate[5].ulValueLen = attr->ulValueLen;
break;
case CKA_PUBLIC_EXPONENT:
+ unsigned int bits;
INSIST(keyTemplate[6].type == attr->type);
keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
attr->ulValueLen);
@@ -1094,10 +1101,12 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
memmove(keyTemplate[6].pValue, attr->pValue,
attr->ulValueLen);
keyTemplate[6].ulValueLen = attr->ulValueLen;
- if (pk11_numbits(attr->pValue,
- attr->ulValueLen)
- > RSA_MAX_PUBEXP_BITS)
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen,
+ &bits);
+ if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS)
+ {
DST_RET(DST_R_VERIFYFAILURE);
+ }
break;
}
pk11_ctx->object = CK_INVALID_HANDLE;
@@ -1475,6 +1484,8 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
CK_BYTE *exponent = NULL, *modulus = NULL;
CK_ATTRIBUTE *attr;
unsigned int length;
+ unsigned int bits;
+ isc_result_t ret = ISC_R_SUCCESS;
isc_buffer_remainingregion(data, &r);
if (r.length == 0)
@@ -1492,9 +1503,7 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
if (e_bytes == 0) {
if (r.length < 2) {
- isc_safe_memwipe(rsa, sizeof(*rsa));
- isc_mem_put(key->mctx, rsa, sizeof(*rsa));
- return (DST_R_INVALIDPUBLICKEY);
+ DST_RET(DST_R_INVALIDPUBLICKEY);
}
e_bytes = (*r.base) << 8;
isc_region_consume(&r, 1);
@@ -1503,16 +1512,18 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
}
if (r.length < e_bytes) {
- isc_safe_memwipe(rsa, sizeof(*rsa));
- isc_mem_put(key->mctx, rsa, sizeof(*rsa));
- return (DST_R_INVALIDPUBLICKEY);
+ DST_RET(DST_R_INVALIDPUBLICKEY);
}
exponent = r.base;
isc_region_consume(&r, e_bytes);
modulus = r.base;
mod_bytes = r.length;
- key->key_size = pk11_numbits(modulus, mod_bytes);
+ ret = pk11_numbits(modulus, mod_bytes, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
isc_buffer_forward(data, length);
@@ -1562,9 +1573,12 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
rsa->repr,
rsa->attrcnt * sizeof(*attr));
}
+ ret = ISC_R_NOMEMORY;
+
+ err:
isc_safe_memwipe(rsa, sizeof(*rsa));
isc_mem_put(key->mctx, rsa, sizeof(*rsa));
- return (ISC_R_NOMEMORY);
+ return (ret);
}
static isc_result_t
@@ -1743,6 +1757,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
pk11_object_t *pubrsa;
pk11_context_t *pk11_ctx = NULL;
isc_result_t ret;
+ unsigned int bits;
if (label == NULL)
return (DST_R_NOENGINE);
@@ -1829,7 +1844,11 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
INSIST(attr != NULL);
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
return (ISC_R_SUCCESS);
@@ -1915,6 +1934,7 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
CK_ATTRIBUTE *attr;
isc_mem_t *mctx = key->mctx;
const char *engine = NULL, *label = NULL;
+ unsigned int bits;
/* read private key file */
ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
@@ -2058,12 +2078,22 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
INSIST(attr != NULL);
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
INSIST(attr != NULL);
- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
+
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ if (bits > RSA_MAX_PUBEXP_BITS) {
DST_RET(ISC_R_RANGE);
+ }
dst__privstruct_free(&priv, mctx);
isc_safe_memwipe(&priv, sizeof(priv));
@@ -2098,6 +2128,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
pk11_context_t *pk11_ctx = NULL;
isc_result_t ret;
unsigned int i;
+ unsigned int bits;
UNUSED(pin);
@@ -2192,12 +2223,22 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
INSIST(attr != NULL);
- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
+
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ if (bits > RSA_MAX_PUBEXP_BITS) {
DST_RET(ISC_R_RANGE);
+ }
attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
INSIST(attr != NULL);
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
pk11_return_session(pk11_ctx);
isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h
index 603712a..b9680bc 100644
--- a/lib/isc/include/pk11/internal.h
+++ b/lib/isc/include/pk11/internal.h
@@ -27,7 +27,8 @@ void pk11_mem_put(void *ptr, size_t size);
CK_SLOT_ID pk11_get_best_token(pk11_optype_t optype);
-unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt);
+isc_result_t
+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits);
CK_ATTRIBUTE *pk11_attribute_first(const pk11_object_t *obj);
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
index 4b85527..9c450da 100644
--- a/lib/isc/pk11.c
+++ b/lib/isc/pk11.c
@@ -982,13 +982,15 @@ pk11_get_best_token(pk11_optype_t optype) {
return (token->slotid);
}
-unsigned int
-pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
+isc_result_t
+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits) {
unsigned int bitcnt, i;
CK_BYTE top;
- if (bytecnt == 0)
- return (0);
+ if (bytecnt == 0) {
+ *bits = 0;
+ return (ISC_R_SUCCESS);
+ }
bitcnt = bytecnt * 8;
for (i = 0; i < bytecnt; i++) {
top = data[i];
@@ -996,26 +998,41 @@ pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
bitcnt -= 8;
continue;
}
- if (top & 0x80)
- return (bitcnt);
- if (top & 0x40)
- return (bitcnt - 1);
- if (top & 0x20)
- return (bitcnt - 2);
- if (top & 0x10)
- return (bitcnt - 3);
- if (top & 0x08)
- return (bitcnt - 4);
- if (top & 0x04)
- return (bitcnt - 5);
- if (top & 0x02)
- return (bitcnt - 6);
- if (top & 0x01)
- return (bitcnt - 7);
+ if (top & 0x80) {
+ *bits = bitcnt;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x40) {
+ *bits = bitcnt - 1;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x20) {
+ *bits = bitcnt - 2;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x10) {
+ *bits = bitcnt - 3;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x08) {
+ *bits = bitcnt - 4;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x04) {
+ *bits = bitcnt - 5;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x02) {
+ *bits = bitcnt - 6;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x01) {
+ *bits = bitcnt - 7;
+ return (ISC_R_SUCCESS);
+ }
break;
}
- INSIST(0);
- ISC_UNREACHABLE();
+ return (ISC_R_RANGE);
}
CK_ATTRIBUTE *
--
2.26.2

View File

@ -1,152 +0,0 @@
From 221fb11e658e7dea1be6dbfd25e149f2d131e4fb Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 29 Jul 2020 23:36:03 +1000
Subject: [PATCH] Add a test for update-policy 'subdomain'
The new test checks that 'update-policy subdomain' is properly enforced.
(cherry picked from commit 393e8f643c02215fa4e6d4edf67be7d77085da0e)
Add a test for update-policy 'zonesub'
The new test checks that 'update-policy zonesub' is properly enforced.
(cherry picked from commit 58e560beb50873c699f3431cf57e215dc645d7aa)
---
bin/tests/system/nsupdate/ns1/named.conf.in | 12 +++++
bin/tests/system/nsupdate/tests.sh | 60 +++++++++++++++++++--
2 files changed, 68 insertions(+), 4 deletions(-)
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
index 26b6b7c9ab..540a984842 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
@@ -36,6 +36,16 @@ key altkey {
secret "1234abcd8765";
};
+key restricted.example.nil {
+ algorithm hmac-md5;
+ secret "1234abcd8765";
+};
+
+key zonesub-key.example.nil {
+ algorithm hmac-md5;
+ secret "1234subk8765";
+};
+
include "ddns.key";
zone "example.nil" {
@@ -44,7 +54,9 @@ zone "example.nil" {
check-integrity no;
check-mx ignore;
update-policy {
+ grant zonesub-key.example.nil zonesub TXT;
grant ddns-key.example.nil subdomain example.nil ANY;
+ grant restricted.example.nil subdomain restricted.example.nil ANY;
};
allow-transfer { any; };
};
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index b08c5220e7..5f09e8c5bf 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -428,7 +428,7 @@ EOF
# this also proves that the server is still running.
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec example.\
@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
-grep "ANSWER: 0" dig.out.ns3.$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns3.$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -443,7 +443,7 @@ EOF
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.\
@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
-grep "ANSWER: 1" dig.out.ns3.$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns3.$n > /dev/null || ret=1
grep "3600.*NSEC3PARAM" dig.out.ns3.$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -460,7 +460,7 @@ EOF
_ret=1
for i in 0 1 2 3 4 5 6 7 8 9; do
$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
- if grep "ANSWER: 2" dig.out.ns3.$n > /dev/null; then
+ if grep "ANSWER: 2," dig.out.ns3.$n > /dev/null; then
_ret=0
break
fi
@@ -485,7 +485,7 @@ EOF
_ret=1
for i in 0 1 2 3 4 5 6 7 8 9; do
$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
- if grep "ANSWER: 1" dig.out.ns3.$n > /dev/null; then
+ if grep "ANSWER: 1," dig.out.ns3.$n > /dev/null; then
_ret=0
break
fi
@@ -631,6 +631,58 @@ then
echo_i "failed"; status=1
fi
+n=`expr $n + 1`
+ret=0
+echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
+# "restricted.example.nil" matches "grant ... subdomain restricted.example.nil"
+# and thus this UPDATE should succeed.
+$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1
+server 10.53.0.1 ${PORT}
+key restricted.example.nil 1234abcd8765
+update add restricted.example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1
+grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1
+# "example.nil" does not match "grant ... subdomain restricted.example.nil" and
+# thus this UPDATE should fail.
+$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1
+server 10.53.0.1 ${PORT}
+key restricted.example.nil 1234abcd8765
+update add example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=`expr $n + 1`
+ret=0
+echo_i "check that 'update-policy zonesub' is properly enforced ($n)"
+# grant zonesub-key.example.nil zonesub TXT;
+# the A record update should be rejected as it is not in the type list
+$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 && ret=1
+server 10.53.0.1 ${PORT}
+key zonesub-key.example.nil 1234subk8765
+update add zonesub.example.nil 0 IN A 1.2.3.4
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A > dig.out.1.test$n || ret=1
+grep "status: REFUSED" nsupdate.out1-$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.1.test$n > /dev/null || ret=1
+# the TXT record update should be accepted as it is in the type list
+$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 || ret=1
+server 10.53.0.1 ${PORT}
+key zonesub-key.example.nil 1234subk8765
+update add zonesub.example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT > dig.out.2.test$n || ret=1
+grep "status: REFUSED" nsupdate.out2-$n > /dev/null && ret=1
+grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
n=`expr $n + 1`
ret=0
echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)"
--
2.26.2

View File

@ -1,32 +0,0 @@
From e2aae621408c7622d094f13a67b928f911a2793b Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 18 Aug 2020 10:55:50 +0200
Subject: [PATCH] Fix CVE-2020-8624
5481. [security] "update-policy" rules of type "subdomain" were
incorrectly treated as "zonesub" rules, which allowed
keys used in "subdomain" rules to update names outside
of the specified subdomains. The problem was fixed by
making sure "subdomain" rules are again processed as
described in the ARM. (CVE-2020-8624) [GL #2055]
---
bin/named/zoneconf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 55f191b..b77a07c 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -239,7 +239,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
str = cfg_obj_asstring(matchtype);
CHECK(dns_ssu_mtypefromstring(str, &mtype));
- if (mtype == dns_ssumatchtype_subdomain) {
+ if (mtype == dns_ssumatchtype_subdomain &&
+ strcasecmp(str, "zonesub") == 0) {
usezone = true;
}
--
2.26.2

View File

@ -1,4 +1,4 @@
From 68baeb7211ba2fcd4eff53d987e9b70ba38294cb Mon Sep 17 00:00:00 2001
From c928591eb2a3b17c5be0cad56c8e061ebba11a95 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Thu, 20 Dec 2018 11:52:12 +0100
Subject: [PATCH] Fix implicit declaration warning
@ -11,7 +11,7 @@ header providing it in files that use it.
2 files changed, 2 insertions(+)
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
index 36ee6c7..6051cd2 100644
index 4b5b901..a3dd450 100644
--- a/bin/tests/system/tkey/keydelete.c
+++ b/bin/tests/system/tkey/keydelete.c
@@ -21,6 +21,7 @@
@ -23,7 +23,7 @@ index 36ee6c7..6051cd2 100644
#include <isc/sockaddr.h>
#include <isc/socket.h>
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index 70805bb..33870f3 100644
index c37b235..7786801 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -18,6 +18,7 @@
@ -31,9 +31,9 @@ index 70805bb..33870f3 100644
#include <isc/buffer.h>
#include <isc/mem.h>
+#include <isc/md5.h>
#include <isc/print.h>
#include <isc/print.h>
#include <isc/refcount.h>
#include <isc/serial.h>
--
2.14.5
2.26.2

View File

@ -1,4 +1,4 @@
From c23daf334d5487fa53fef88c82312e439a2d8523 Mon Sep 17 00:00:00 2001
From 14ad3e0b42bc999072d30268396412bec158a22d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Thu, 2 Aug 2018 23:46:45 +0200
Subject: [PATCH] FIPS tests changes
@ -80,7 +80,7 @@ Date: Wed Mar 7 10:44:23 2018 +0100
bin/tests/system/digdelv/tests.sh | 20 +++---
bin/tests/system/dlv/ns1/sign.sh | 4 +-
bin/tests/system/dlv/ns2/sign.sh | 4 +-
bin/tests/system/dlv/ns6/sign.sh | 66 +++++++++---------
bin/tests/system/dlv/ns6/sign.sh | 66 ++++++++++---------
bin/tests/system/dnssec/ns2/sign.sh | 8 +--
bin/tests/system/dnssec/ns5/trusted.conf.bad | 2 +-
bin/tests/system/dnssec/tests.sh | 4 +-
@ -92,22 +92,19 @@ Date: Wed Mar 7 10:44:23 2018 +0100
bin/tests/system/nsupdate/ns1/named.conf.in | 2 +-
bin/tests/system/nsupdate/ns2/named.conf.in | 2 +-
bin/tests/system/nsupdate/setup.sh | 7 +-
bin/tests/system/nsupdate/tests.sh | 11 ++-
bin/tests/system/nsupdate/tests.sh | 11 +++-
bin/tests/system/rndc/setup.sh | 2 +-
bin/tests/system/rndc/tests.sh | 23 ++++---
bin/tests/system/tsig/clean.sh | 1 +
bin/tests/system/tsig/ns1/named.conf.in | 10 +--
bin/tests/system/tsig/setup.sh | 5 ++
bin/tests/system/tsig/tests.sh | 67 ++++++++++++-------
bin/tests/system/tsig/tests.sh | 65 +++++++++++-------
bin/tests/system/tsiggss/setup.sh | 2 +-
bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
bin/tests/system/upforwd/tests.sh | 2 +-
bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++
45 files changed, 232 insertions(+), 171 deletions(-)
create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
43 files changed, 220 insertions(+), 170 deletions(-)
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
index 0ea6502..026db3f 100644
index 9999ada..e3f8d0e 100644
--- a/bin/tests/system/acl/ns2/named1.conf.in
+++ b/bin/tests/system/acl/ns2/named1.conf.in
@@ -33,12 +33,12 @@ options {
@ -126,7 +123,7 @@ index 0ea6502..026db3f 100644
};
diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
index b877880..d8f50be 100644
index f8ec34e..d2d6ad3 100644
--- a/bin/tests/system/acl/ns2/named2.conf.in
+++ b/bin/tests/system/acl/ns2/named2.conf.in
@@ -33,12 +33,12 @@ options {
@ -145,7 +142,7 @@ index b877880..d8f50be 100644
};
diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
index 0a95062..aa54088 100644
index 2acb813..6a00344 100644
--- a/bin/tests/system/acl/ns2/named3.conf.in
+++ b/bin/tests/system/acl/ns2/named3.conf.in
@@ -33,17 +33,17 @@ options {
@ -170,7 +167,7 @@ index 0a95062..aa54088 100644
};
diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
index 7cdcb6e..606a345 100644
index bca3ee1..5913420 100644
--- a/bin/tests/system/acl/ns2/named4.conf.in
+++ b/bin/tests/system/acl/ns2/named4.conf.in
@@ -33,12 +33,12 @@ options {
@ -189,7 +186,7 @@ index 7cdcb6e..606a345 100644
};
diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
index 4b4e050..0e679a8 100644
index 9ef8171..5ae8d38 100644
--- a/bin/tests/system/acl/ns2/named5.conf.in
+++ b/bin/tests/system/acl/ns2/named5.conf.in
@@ -34,12 +34,12 @@ options {
@ -208,7 +205,7 @@ index 4b4e050..0e679a8 100644
};
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
index 09f31f2..f88f0d4 100644
index 2ee34a0..a73a54e 100644
--- a/bin/tests/system/acl/tests.sh
+++ b/bin/tests/system/acl/tests.sh
@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing"
@ -334,7 +331,7 @@ index 09f31f2..f88f0d4 100644
echo_i "testing allow-query-on ACL processing"
diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
index 1569913..e9c5c2d 100644
index a579f32..3b8f853 100644
--- a/bin/tests/system/allow-query/ns2/named10.conf.in
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in
@@ -12,7 +12,7 @@
@ -347,7 +344,7 @@ index 1569913..e9c5c2d 100644
};
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
index 18ac91c..2b1c873 100644
index 166afa1..997ece9 100644
--- a/bin/tests/system/allow-query/ns2/named11.conf.in
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in
@@ -12,12 +12,12 @@
@ -366,7 +363,7 @@ index 18ac91c..2b1c873 100644
};
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
index b824844..dd48945 100644
index 25271a5..a9cb65d 100644
--- a/bin/tests/system/allow-query/ns2/named12.conf.in
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in
@@ -12,7 +12,7 @@
@ -379,7 +376,7 @@ index b824844..dd48945 100644
};
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
index aeb1540..bfce58b 100644
index c7c8254..f165e65 100644
--- a/bin/tests/system/allow-query/ns2/named30.conf.in
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in
@@ -12,7 +12,7 @@
@ -392,7 +389,7 @@ index aeb1540..bfce58b 100644
};
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
index d4b7432..e0f5252 100644
index 567bbcc..4fd2035 100644
--- a/bin/tests/system/allow-query/ns2/named31.conf.in
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in
@@ -12,12 +12,12 @@
@ -411,7 +408,7 @@ index d4b7432..e0f5252 100644
};
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
index c025938..87afb3f 100644
index b75161f..7b254e6 100644
--- a/bin/tests/system/allow-query/ns2/named32.conf.in
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in
@@ -12,7 +12,7 @@
@ -424,7 +421,7 @@ index c025938..87afb3f 100644
};
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
index d83b376..d726b94 100644
index 9e17818..22f5001 100644
--- a/bin/tests/system/allow-query/ns2/named40.conf.in
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in
@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; };
@ -443,7 +440,7 @@ index d83b376..d726b94 100644
};
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
index fb6059d..f960156 100644
index 791a1a4..95cd971 100644
--- a/bin/tests/system/allow-query/tests.sh
+++ b/bin/tests/system/allow-query/tests.sh
@@ -190,7 +190,7 @@ rndc_reload
@ -528,7 +525,7 @@ index fb6059d..f960156 100644
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
index 74b7d37..c353766 100644
index 6856ec7..0ac1fa3 100644
--- a/bin/tests/system/catz/ns1/named.conf.in
+++ b/bin/tests/system/catz/ns1/named.conf.in
@@ -61,5 +61,5 @@ zone "catalog4.example" {
@ -539,7 +536,7 @@ index 74b7d37..c353766 100644
+ algorithm hmac-sha256;
};
diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in
index ee83efb..35ced08 100644
index dd3a9dc..77b8d96 100644
--- a/bin/tests/system/catz/ns2/named.conf.in
+++ b/bin/tests/system/catz/ns2/named.conf.in
@@ -70,5 +70,5 @@ zone "catalog4.example" {
@ -550,7 +547,7 @@ index ee83efb..35ced08 100644
+ algorithm hmac-sha256;
};
diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
index 21be03e..e57c308 100644
index 338dddb..90cd424 100644
--- a/bin/tests/system/checkconf/bad-tsig.conf
+++ b/bin/tests/system/checkconf/bad-tsig.conf
@@ -11,7 +11,7 @@
@ -563,10 +560,10 @@ index 21be03e..e57c308 100644
};
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
index 9ab35b3..486551a 100644
index 2282f87..1359cf3 100644
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -153,6 +153,6 @@ dyndb "name" "library.so" {
@@ -159,6 +159,6 @@ dyndb "name" "library.so" {
system;
};
key "mykey" {
@ -575,7 +572,7 @@ index 9ab35b3..486551a 100644
secret "qwertyuiopasdfgh";
};
diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db
index f4e30f5..9f53e31 100644
index b66207a..359b220 100644
--- a/bin/tests/system/digdelv/ns2/example.db
+++ b/bin/tests/system/digdelv/ns2/example.db
@@ -38,12 +38,15 @@ foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890
@ -601,10 +598,10 @@ index f4e30f5..9f53e31 100644
; TTL of 3 weeks
weeks 1814400 A 10.53.0.2
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
index ade45ce..d3aff24 100644
index 2109001..ded5557 100644
--- a/bin/tests/system/digdelv/tests.sh
+++ b/bin/tests/system/digdelv/tests.sh
@@ -106,7 +106,7 @@ if [ -x "$DIG" ] ; then
@@ -155,7 +155,7 @@ if [ -x "$DIG" ] ; then
echo_i "checking dig +rrcomments works for DNSKEY($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
@ -613,7 +610,7 @@ index ade45ce..d3aff24 100644
check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -115,7 +115,7 @@ if [ -x "$DIG" ] ; then
@@ -164,7 +164,7 @@ if [ -x "$DIG" ] ; then
echo_i "checking dig +short +rrcomments works for DNSKEY ($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
@ -622,7 +619,7 @@ index ade45ce..d3aff24 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -123,7 +123,7 @@ if [ -x "$DIG" ] ; then
@@ -172,7 +172,7 @@ if [ -x "$DIG" ] ; then
echo_i "checking dig +short +nosplit works($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1
@ -631,7 +628,7 @@ index ade45ce..d3aff24 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -131,7 +131,7 @@ if [ -x "$DIG" ] ; then
@@ -180,7 +180,7 @@ if [ -x "$DIG" ] ; then
echo_i "checking dig +short +rrcomments works($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
@ -640,7 +637,7 @@ index ade45ce..d3aff24 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -148,7 +148,7 @@ if [ -x "$DIG" ] ; then
@@ -197,7 +197,7 @@ if [ -x "$DIG" ] ; then
echo_i "checking dig +short +rrcomments works($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
@ -649,7 +646,7 @@ index ade45ce..d3aff24 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -695,7 +695,7 @@ if [ -x ${DELV} ] ; then
@@ -827,7 +827,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +rrcomments works for DNSKEY($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
@ -658,7 +655,7 @@ index ade45ce..d3aff24 100644
check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -704,7 +704,7 @@ if [ -x ${DELV} ] ; then
@@ -836,7 +836,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +rrcomments works for DNSKEY ($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
@ -667,7 +664,7 @@ index ade45ce..d3aff24 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -712,7 +712,7 @@ if [ -x ${DELV} ] ; then
@@ -844,7 +844,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +rrcomments works ($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
@ -676,7 +673,7 @@ index ade45ce..d3aff24 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -720,7 +720,7 @@ if [ -x ${DELV} ] ; then
@@ -852,7 +852,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +nosplit works ($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1
@ -685,7 +682,7 @@ index ade45ce..d3aff24 100644
if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
f=`awk '{print NF}' < delv.out.test$n`
test "${f:-0}" -eq 14 || ret=1
@@ -731,7 +731,7 @@ if [ -x ${DELV} ] ; then
@@ -863,7 +863,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +nosplit +norrcomments works ($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
@ -695,7 +692,7 @@ index ade45ce..d3aff24 100644
f=`awk '{print NF}' < delv.out.test$n`
test "${f:-0}" -eq 4 || ret=1
diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh
index 606e7cc..a3a0d60 100755
index 14ca5db..3f522d0 100755
--- a/bin/tests/system/dlv/ns1/sign.sh
+++ b/bin/tests/system/dlv/ns1/sign.sh
@@ -23,8 +23,8 @@ infile=root.db.in
@ -710,7 +707,7 @@ index 606e7cc..a3a0d60 100755
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh
index 9825c57..202c978 100755
index d870798..b0ab372 100755
--- a/bin/tests/system/dlv/ns2/sign.sh
+++ b/bin/tests/system/dlv/ns2/sign.sh
@@ -24,8 +24,8 @@ zonefile=druz.db
@ -725,7 +722,7 @@ index 9825c57..202c978 100755
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh
index 1e39862..4ed19ac 100755
index ba39f90..f20a2dd 100755
--- a/bin/tests/system/dlv/ns6/sign.sh
+++ b/bin/tests/system/dlv/ns6/sign.sh
@@ -16,13 +16,15 @@ SYSTESTDIR=dlv
@ -912,7 +909,7 @@ index 1e39862..4ed19ac 100755
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 13fb924..1ffa279 100644
index e28b3f1..29c169b 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -126,8 +126,8 @@ zone=in-addr.arpa.
@ -945,7 +942,7 @@ index 13fb924..1ffa279 100644
cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile
diff --git a/bin/tests/system/dnssec/ns5/trusted.conf.bad b/bin/tests/system/dnssec/ns5/trusted.conf.bad
index ed30460..e6b1126 100644
index 75cf699..b4d848c 100644
--- a/bin/tests/system/dnssec/ns5/trusted.conf.bad
+++ b/bin/tests/system/dnssec/ns5/trusted.conf.bad
@@ -10,5 +10,5 @@
@ -956,10 +953,10 @@ index ed30460..e6b1126 100644
+ "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV";
};
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index b31c1b4..a5e237b 100644
index 3e8e4d5..da692f9 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3235,8 +3235,8 @@ do
@@ -3257,8 +3257,8 @@ do
alg=`expr $alg + 1`
continue;;
3) size="-b 512";;
@ -971,7 +968,7 @@ index b31c1b4..a5e237b 100644
8) size="-b 512";;
10) size="-b 1024";;
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
index c1249ed..20a3139 100644
index 5e473ab..b08692e 100644
--- a/bin/tests/system/feature-test.c
+++ b/bin/tests/system/feature-test.c
@@ -19,6 +19,7 @@
@ -983,14 +980,14 @@ index c1249ed..20a3139 100644
#ifdef WIN32
@@ -47,6 +48,7 @@ usage() {
fprintf(stderr, " --have-geoip2\n");
fprintf(stderr, " --have-libxml2\n");
fprintf(stderr, " --ipv6only=no\n");
+ fprintf(stderr, " --md5\n");
fprintf(stderr, " --rpz-nsdname\n");
fprintf(stderr, " --rpz-nsip\n");
fprintf(stderr, " --with-idn\n");
@@ -155,6 +157,18 @@ main(int argc, char **argv) {
fprintf(stderr, "\t--have-geoip\n");
fprintf(stderr, "\t--have-libxml2\n");
fprintf(stderr, "\t--ipv6only=no\n");
+ fprintf(stderr, "\t--md5\n");
fprintf(stderr, "\t--rpz-log-qtype-qclass\n");
fprintf(stderr, "\t--rpz-nsdname\n");
fprintf(stderr, "\t--rpz-nsip\n");
@@ -194,6 +196,18 @@ main(int argc, char **argv) {
#endif
}
@ -1010,7 +1007,7 @@ index c1249ed..20a3139 100644
#ifdef ENABLE_RPZ_NSIP
return (0);
diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh
index f755581..4a7d890 100755
index 479f98c..4d4a765 100755
--- a/bin/tests/system/filter-aaaa/ns1/sign.sh
+++ b/bin/tests/system/filter-aaaa/ns1/sign.sh
@@ -21,8 +21,8 @@ infile=signed.db.in
@ -1025,7 +1022,7 @@ index f755581..4a7d890 100755
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh
index f755581..4a7d890 100755
index 479f98c..4d4a765 100755
--- a/bin/tests/system/filter-aaaa/ns4/sign.sh
+++ b/bin/tests/system/filter-aaaa/ns4/sign.sh
@@ -21,8 +21,8 @@ infile=signed.db.in
@ -1040,7 +1037,7 @@ index f755581..4a7d890 100755
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
index cfcfe8f..0a1614d 100644
index 157ef16..b802288 100644
--- a/bin/tests/system/notify/ns5/named.conf.in
+++ b/bin/tests/system/notify/ns5/named.conf.in
@@ -10,17 +10,17 @@
@ -1065,7 +1062,7 @@ index cfcfe8f..0a1614d 100644
};
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
index 1f6e6d0..c08bd25 100644
index f9fd3f5..916af75 100644
--- a/bin/tests/system/notify/tests.sh
+++ b/bin/tests/system/notify/tests.sh
@@ -212,16 +212,16 @@ ret=0
@ -1089,7 +1086,7 @@ index 1f6e6d0..c08bd25 100644
grep "test string" dig.out.b.ns5.test$n > /dev/null &&
grep "test string" dig.out.c.ns5.test$n > /dev/null &&
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
index 1d999ad..26b6b7c 100644
index b0ded3a..cb80269 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
@@ -32,7 +32,7 @@ controls {
@ -1102,7 +1099,7 @@ index 1d999ad..26b6b7c 100644
};
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
index 4549184..cb7dccd 100644
index e6e2382..b0a94e0 100644
--- a/bin/tests/system/nsupdate/ns2/named.conf.in
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
@@ -33,7 +33,7 @@ controls {
@ -1115,10 +1112,10 @@ index 4549184..cb7dccd 100644
};
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index 21805c5..0d3d85c 100644
index 6fbf1d7..a712b17 100644
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
@@ -58,7 +58,12 @@ EOF
@@ -53,7 +53,12 @@ EOF
$DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key
@ -1133,10 +1130,10 @@ index 21805c5..0d3d85c 100644
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index 4da4849..b3bc807 100755
index 6b2c8f6..96ad95e 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -708,7 +708,14 @@ fi
@@ -788,7 +788,14 @@ fi
n=`expr $n + 1`
ret=0
echo_i "check TSIG key algorithms ($n)"
@ -1152,7 +1149,7 @@ index 4da4849..b3bc807 100755
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
server 10.53.0.1 ${PORT}
update add ${alg}.keytests.nil. 600 A 10.10.10.3
@@ -716,7 +723,7 @@ send
@@ -796,7 +803,7 @@ send
END
done
sleep 2
@ -1162,10 +1159,10 @@ index 4da4849..b3bc807 100755
done
if [ $ret -ne 0 ]; then
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
index 343869e..c30efb0 100644
index 2eb2cd5..36f5114 100644
--- a/bin/tests/system/rndc/setup.sh
+++ b/bin/tests/system/rndc/setup.sh
@@ -37,7 +37,7 @@ make_key () {
@@ -35,7 +35,7 @@ make_key () {
sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
}
@ -1175,7 +1172,7 @@ index 343869e..c30efb0 100644
make_key 3 ${EXTRAPORT3} hmac-sha224
make_key 4 ${EXTRAPORT4} hmac-sha256
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
index 57e066d..186a723 100644
index 4e25e51..cb8934c 100644
--- a/bin/tests/system/rndc/tests.sh
+++ b/bin/tests/system/rndc/tests.sh
@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
@ -1208,17 +1205,8 @@ index 57e066d..186a723 100644
n=`expr $n + 1`
echo_i "testing rndc with hmac-sha1 ($n)"
diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh
index 576ec70..cb7a852 100644
--- a/bin/tests/system/tsig/clean.sh
+++ b/bin/tests/system/tsig/clean.sh
@@ -20,3 +20,4 @@ rm -f */named.run
rm -f ns*/named.lock
rm -f Kexample.net.+163+*
rm -f keygen.out?
+rm -f ns1/named.conf
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
index fbf30c6..f61657d 100644
index 4905ffd..958d9fb 100644
--- a/bin/tests/system/tsig/ns1/named.conf.in
+++ b/bin/tests/system/tsig/ns1/named.conf.in
@@ -21,10 +21,7 @@ options {
@ -1246,10 +1234,10 @@ index fbf30c6..f61657d 100644
key "sha1-trunc" {
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
index 4dd4a25..aa0f966 100644
index f42aa79..bfcf4a6 100644
--- a/bin/tests/system/tsig/setup.sh
+++ b/bin/tests/system/tsig/setup.sh
@@ -17,3 +17,8 @@ $SHELL clean.sh
@@ -15,3 +15,8 @@ SYSTEMTESTTOP=..
copy_setports ns1/named.conf.in ns1/named.conf
test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
@ -1259,7 +1247,7 @@ index 4dd4a25..aa0f966 100644
+ cat ns1/rndc5.conf.in >> ns1/named.conf
+fi
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
index f731fa6..cade35b 100644
index ed41e1d..98c542e 100644
--- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh
@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
@ -1273,13 +1261,6 @@ index f731fa6..cade35b 100644
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=1
-fi
-
-echo_i "fetching using hmac-md5 (new form)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=1
+if $FEATURETEST --md5
+then
+ echo_i "fetching using hmac-md5 (old form)"
@ -1289,7 +1270,13 @@ index f731fa6..cade35b 100644
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
+
-echo_i "fetching using hmac-md5 (new form)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=1
+ echo_i "fetching using hmac-md5 (new form)"
+ ret=0
+ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
@ -1351,10 +1338,10 @@ index f731fa6..cade35b 100644
echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh
index 0d21c7b..dbcb7b4 100644
index f04c907..09da5f9 100644
--- a/bin/tests/system/tsiggss/setup.sh
+++ b/bin/tests/system/tsiggss/setup.sh
@@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
@@ -16,5 +16,5 @@ test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
copy_setports ns1/named.conf.in ns1/named.conf
@ -1362,7 +1349,7 @@ index 0d21c7b..dbcb7b4 100644
+key=`$KEYGEN -Cq -K ns1 -a DSA -b 1024 -r $RANDFILE -n HOST -T KEY key.example.nil.`
cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
index e0a30cd..6a77b1c 100644
index 4ddd7a4..238f52a 100644
--- a/bin/tests/system/upforwd/ns1/named.conf.in
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
@@ -10,7 +10,7 @@
@ -1375,7 +1362,7 @@ index e0a30cd..6a77b1c 100644
};
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
index b0694bb..9adae82 100644
index 1cf8d3b..f4c3216 100644
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
@@ -68,7 +68,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
@ -1387,22 +1374,6 @@ index b0694bb..9adae82 100644
server 10.53.0.3 ${PORT}
update add updated.example. 600 A 10.10.10.1
update add updated.example. 600 TXT Foo
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
new file mode 100644
index 0000000..0682194
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
@@ -0,0 +1,10 @@
+# Conditionally included when support for MD5 is available
+key "md5" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5;
+};
+
+key "md5-trunc" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5-80;
+};
--
2.20.1
2.26.2

View File

@ -1,288 +0,0 @@
From f27598743ab6e03271e26f23da4beba748d19c60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Wed, 25 Apr 2018 14:04:31 +0200
Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts
(cherry picked from commit 66ba2fdad583d962a1f4971c85d58381f0849e4d)
Remove isc_safe_memcompare, it's not needed anywhere and can't be replaced with CRYPTO_memcmp()
(cherry picked from commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c)
Fix the isc_safe_memwipe() usage with (NULL, >0)
(cherry picked from commit 083461d3329ff6f2410745848a926090586a9846)
---
bin/dnssec/dnssec-signzone.c | 2 +-
lib/dns/nsec3.c | 4 +-
lib/dns/spnego.c | 4 +-
lib/isc/Makefile.in | 8 +---
lib/isc/include/isc/safe.h | 18 ++------
lib/isc/safe.c | 83 ------------------------------------
lib/isc/tests/safe_test.c | 18 --------
7 files changed, 11 insertions(+), 126 deletions(-)
delete mode 100644 lib/isc/safe.c
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 6dded0c..a9c5557 100644