WIP: Sha1 runtime unittest #770
Open
pemensik wants to merge 3 commits into NLnetLabs:master from InfrastructureServices:sha1-runtime-unittest
It was possible to enable them only from the debugger. Allow setting them from the command line also.
CentOS 9 has disabled SHA-1 validation by default. It makes passing of unit tests possible on such a system. Make it possible to also process an indeterminate result from rrset validation. It would mean that the signature is not known to be bogus, but was not able to be validated at the same time.
RHEL 9 with the DEFAULT crypto policy produces 3 errors pushed to the error stack in one failed case. Ensure it does not break the following tests, but all of them are read after the call failure.
Currently fails for me

It seems many tests should be recreated with non-SHA1 algorithms if that is not required. Many of those tests would be just ignored and not checked on RHEL9-like systems. There are quite a lot of results when using command
These changes complement PR #660, which added some support into unbound for runtime-disabled SHA1 validation. Depending on the setting in the crypto policy and the resulting codes in the crypto library, it either considers the signature indeterminate. That is roughly equivalent to insecure, but we have some signatures present and no proof about a missing DS record.
This fixes unittest to pass on RHEL9, but rpl tests do not yet pass.