Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP: Sha1 runtime unittest #770

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

WIP: Sha1 runtime unittest #770

wants to merge 3 commits into from

Conversation

pemensik
Copy link
Contributor

These changes complements PR #660, which added some support into unbound for runtime disabled SHA1 validation. Depending on setting in crypto policy and resulting codes in crypto library, it either considers signature indeterminate. That is roughly equivalent to insecure, but we have some signatures present and no proof about missing DS record.

This fixes unittest to pass on RHEL9, but rpl tests do not yet pass.

@pemensik
Allow running unittest with verbosity logs enabled
c3079c2 
It were possible to enable them only from debugger. Allow setting them
from command line also.
@pemensik
Make unittest pass on system with SHA1 unavailable
0b47b6a 
CentOS 9 has disabled SHA-1 validation by default. It makes possible
passing of unit tests on such system. Make it possible to process also
indeterminate result from rrset validation. It would mean that signature
is not known bogus, but were not able to be validated at the same time.
@pemensik
Read all pushed errors from openssl
d08cb03 
RHEL 9 with DEFAULT crypto policy produces 3 errors pushed to the error
stack in one failed case. Ensure it does not break following tests, but
all of them are read after the call failure.
@pemensik
Copy link
Contributor Author

Currently fails to me make test with:

Oct 19 18:16:42 unbound[23932:0] info: testbound: do STEP 11 CHECK_AUTOTRUST
/tmp/testbound_23932_auto_example.com.tmp: 1 ok : ; autotrust trust anchor file
/tmp/testbound_23932_auto_example.com.tmp: 2 ok : ;;id: example.com. 1
/tmp/testbound_23932_auto_example.com.tmp: 3 ok : ;;last_queried: 1258969600 ;;Mon Nov 23 09:46:40 2009
Oct 19 18:16:42 unbound[23932:0] error: mismatch in file /tmp/testbound_23932_auto_example.com.tmp, line 4
Oct 19 18:16:42 unbound[23932:0] error: file has : ;;last_success: 1258962400 ;;Mon Nov 23 07:46:40 2009
Oct 19 18:16:42 unbound[23932:0] error: should be: ;;last_success: 1258969600 ;;Mon Nov 23 09:46:40 2009
/tmp/testbound_23932_auto_example.com.tmp: 5 ok : ;;next_probe_time: 1258972867 ;;Mon Nov 23 10:41:07 2009
Oct 19 18:16:42 unbound[23932:0] error: mismatch in file /tmp/testbound_23932_auto_example.com.tmp, line 6
Oct 19 18:16:42 unbound[23932:0] error: file has : ;;query_failed: 2
Oct 19 18:16:42 unbound[23932:0] error: should be: ;;query_failed: 0
Oct 19 18:16:42 unbound[23932:0] error: mismatch in file /tmp/testbound_23932_auto_example.com.tmp, line 7
Oct 19 18:16:42 unbound[23932:0] error: file has : ;;query_interval: 5400
Oct 19 18:16:42 unbound[23932:0] error: should be: ;;query_interval: 3600
/tmp/testbound_23932_auto_example.com.tmp: 8 ok : ;;retry_time: 3600
Oct 19 18:16:42 unbound[23932:0] error: mismatch in file /tmp/testbound_23932_auto_example.com.tmp, line 9
Oct 19 18:16:42 unbound[23932:0] error: file has : example.com.	10800	IN	DNSKEY	257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1258962400 ;;Mon Nov 23 07:46:40 2009
Oct 19 18:16:42 unbound[23932:0] error: should be: example.com.	3600	IN	DNSKEY	257 3 5 AwEAAdz+Xe5qS3BRnw1hBy2wL2wi0o3Nh94lDxtDtfOsmyJ0WD/25Ova9Pb27Yzh5XW/baENkI+xGJTFsljbi9bdSd0= ;{id = 63067 (ksk), size = 512b} ;;state=1 [ ADDPEND ] ;;count=1 ;;lastchange=1258969600 ;;Mon Nov 23 09:46:40 2009
Oct 19 18:16:42 unbound[23932:0] error: mismatch in file /tmp/testbound_23932_auto_example.com.tmp, line 10
Oct 19 18:16:42 unbound[23932:0] error: file has : example.com.	10800	IN	DNSKEY	257 3 5 AwEAAas/cAhCFXvBUgTSNZCvQp0pLx1dY+7rXR0hH4/3EUgWmsmbYUpI1qD0xhwKD/oYGEwAm291fyWJ9c0oVxXDEK8= ;{id = 16486 (ksk), size = 512b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1258962400 ;;Mon Nov 23 07:46:40 2009
Oct 19 18:16:42 unbound[23932:0] error: should be: example.com.	3600	IN	DNSKEY	257 3 5 AwEAAd9vx7tR9cd9MMDh0gL/qHNTG4ykehjT3UzIIEtAi3Z4DI3/FFw9U/GjpYcqVC6hx2Yo1lbc4tVIa/uA0mbU7uE= ;{id = 58687 (ksk), size = 512b} ;;state=1 [ ADDPEND ] ;;count=1 ;;lastchange=1258969600 ;;Mon Nov 23 09:46:40 2009
Oct 19 18:16:42 unbound[23932:0] error: autotrust check failed, could not read line
Oct 19 18:16:42 unbound[23932:0] error: file /tmp/testbound_23932_auto_example.com.tmp, line 11
Oct 19 18:16:42 unbound[23932:0] error: should be: example.com.	3600	IN	DNSKEY	257 3 5 AwEAAeu99txoU5i2Z4BVatCVi9PTj93oOPft8ZB9ovcjfzRZLpfc/woges07k5Ru+H44qSRxjtDKDqtf4QSo3RkkGLk= ;{id = 56782 (ksk), size = 512b} ;;state=1 [ ADDPEND ] ;;count=1 ;;lastchange=${$t0} ;;${ctime $t0}
Oct 19 18:16:42 unbound[23932:0] fatal error: autotrust_check failed 
../testdata/autotrust_10key.rpl  failed

@pemensik
Copy link
Contributor Author

It seems many tests should be recreated with non-SHA1 algorithms if that is not required. Many of those tests would be just ignored and not checked on RHEL9-like systems. There is quite a lot of results when using command grep 'RRSIG\s\+\w\+\s\+[57]\s' testdata/*.rpl. Is there documented any original data, how these test recipes were created? Were they created by hand or by some tool?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@pemensik