From: Pieter Lexis Date: Sun, 2 Sep 2018 15:34:37 +0000 (+0200) Subject: Remove GOST support and Botan in the process X-Git-Tag: dnsdist-1.3.3~124^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a94c14760198a0b2e0dc9df49d1f51395e7ce39f;p=thirdparty%2Fpdns.git Remove GOST support and Botan in the process --- diff --git a/build-scripts/travis.sh b/build-scripts/travis.sh index 17bd22c69c..21d87d3195 100755 --- a/build-scripts/travis.sh +++ b/build-scripts/travis.sh @@ -381,7 +381,6 @@ install_dnsdist() { build_auth() { run "autoreconf -vi" - # Build without --enable-botan, no botan 2.x in Travis CI run "./configure \ ${sanitizerflags} \ --with-dynmodules='bind gmysql geoip gpgsql gsqlite3 ldap lua mydns opendbx pipe random remote tinydns godbc lua2' \ @@ -410,7 +409,6 @@ build_recursor() { run "tar xf pdns-recursor-*.tar.bz2" run "rm -f pdns-recursor-*.tar.bz2" run "cd pdns-recursor-*" - # Build without --enable-botan, no botan 2.x in Travis CI run "./configure \ ${sanitizerflags} \ --prefix=$PDNS_RECURSOR_DIR \ @@ -605,7 +603,6 @@ test_repo(){ } # global build requirements -# Add botan 2.x when available in Travis CI run "sudo apt-get -qq --no-install-recommends install \ libboost-all-dev \ libluajit-5.1-dev \ diff --git a/configure.ac b/configure.ac index 7984a4c153..3317d0d4fe 100644 --- a/configure.ac +++ b/configure.ac @@ -92,7 +92,6 @@ AC_CHECK_HEADERS( [have_mmap=no] ) -PDNS_ENABLE_BOTAN PDNS_CHECK_LIBSODIUM PDNS_CHECK_LIBDECAF PDNS_CHECK_LIBCRYPTO([ @@ -360,10 +359,6 @@ AS_IF([test "x$LIBDECAF_LIBS" != "x"], [AC_MSG_NOTICE([ed448: yes])], [AC_MSG_NOTICE([ed448: no])] ) -AS_IF([test "x$BOTAN_LIBS" != "x"], - [AC_MSG_NOTICE([gost: yes])], - [AC_MSG_NOTICE([gost: no])] -) AS_IF([test "x$needsqlite3" != "x"], [AC_MSG_NOTICE([SQLite3: yes])], [AC_MSG_NOTICE([SQLite3: no])] diff --git a/docs/appendices/crypto-export.rst b/docs/appendices/crypto-export.rst index c2eaf6b16c..c4079a60ac 100644 --- a/docs/appendices/crypto-export.rst +++ b/docs/appendices/crypto-export.rst @@ -7,6 +7,7 @@ PowerDNS does not itself implement any cryptographic algorithms but relies on th Starting with 4.0.0, PowerDNS will link in hash and cryptographic primitives from the open source `OpenSSL `_ library. Optionally, PowerDNS can link in a copy of the open source `Botan `_ cryptographic library. +Starting with 4.2.0, linking in Botan is no longer possible. Optionally, PowerDNS can link in a copy of the open source `Sodium `_ library. diff --git a/docs/dnssec/pkcs11.rst b/docs/dnssec/pkcs11.rst index 1982e875da..89f77246bc 100644 --- a/docs/dnssec/pkcs11.rst +++ b/docs/dnssec/pkcs11.rst @@ -21,7 +21,7 @@ Using with SoftHSM .. warning:: Due to an interaction between `SoftHSM and Botan `__, the PowerDNS Authoritative Server **will most likely** crash on exit when built with ``--enable-botan1.10 --enable-experimental-pkcs11``. - This is the case with the packages provided from the PowerDNS repositories. + In 4.2.0, Botan support has been removed and this is no longer an issue. To test this feature, a software HSM can be used. It is **not recommended** to use this in production. diff --git a/m4/pdns_enable_botan.m4 b/m4/pdns_enable_botan.m4 deleted file mode 100644 index 6299d2793f..0000000000 --- a/m4/pdns_enable_botan.m4 +++ /dev/null @@ -1,17 +0,0 @@ -AC_DEFUN([PDNS_ENABLE_BOTAN],[ - AC_MSG_CHECKING([whether we will be linking in Botan 2.x]) - AC_ARG_ENABLE([botan], - [AS_HELP_STRING([--enable-botan],[use Botan @<:@default=no@:>@])], - [enable_botan=$enableval], - [enable_botan=no] - ) - AC_MSG_RESULT([$enable_botan]) - AM_CONDITIONAL(BOTAN, [test "x$enable_botan" != "xno"]) - - AS_IF([test "x$enable_botan" != "xno"], [ - PKG_CHECK_MODULES([BOTAN], [botan-2], - [AC_DEFINE([HAVE_BOTAN],[1],[Define to 1 if you have botan])], - [AC_MSG_ERROR([Could not find botan])] - )] - ) -]) diff --git a/pdns/Makefile.am b/pdns/Makefile.am index dca59982a8..dfb1940859 100644 --- a/pdns/Makefile.am +++ b/pdns/Makefile.am @@ -20,10 +20,6 @@ AM_LDFLAGS = \ AM_LFLAGS = -i AM_YFLAGS = -d --verbose --debug -if BOTAN -AM_CPPFLAGS += $(BOTAN_CFLAGS) -endif - if PKCS11 AM_CPPFLAGS += $(P11KIT1_CFLAGS) endif @@ -255,11 +251,6 @@ pdns_server_SOURCES += lua-record.cc minicurl.cc minicurl.hh pdns_server_LDADD += $(LIBCURL) endif -if BOTAN -pdns_server_SOURCES += botansigners.cc -pdns_server_LDADD += $(BOTAN_LIBS) -endif - if LIBSODIUM pdns_server_SOURCES += sodiumsigners.cc pdns_server_LDADD += $(LIBSODIUM_LIBS) @@ -357,11 +348,6 @@ pdnsutil_LDADD = \ $(BOOST_PROGRAM_OPTIONS_LIBS) \ $(LIBCRYPTO_LIBS) -if BOTAN -pdnsutil_SOURCES += botansigners.cc -pdnsutil_LDADD += $(BOTAN_LIBS) -endif - if LIBSODIUM pdnsutil_SOURCES += sodiumsigners.cc pdnsutil_LDADD += $(LIBSODIUM_LIBS) @@ -815,11 +801,6 @@ if GSS_TSIG toysdig_LDADD += $(GSS_LIBS) endif -if BOTAN -toysdig_SOURCES += botansigners.cc -toysdig_LDADD += $(BOTAN_LIBS) -endif - if PKCS11 toysdig_SOURCES += pkcs11signers.cc pkcs11signers.hh toysdig_LDADD += $(P11KIT1_LIBS) @@ -1342,11 +1323,6 @@ testrunner_SOURCES += sodiumsigners.cc testrunner_LDADD += $(LIBSODIUM_LIBS) endif -if BOTAN -testrunner_SOURCES += botansigners.cc -testrunner_LDADD += $(BOTAN_LIBS) -endif - if LIBDECAF testrunner_SOURCES += decafsigners.cc testrunner_LDADD += $(LIBDECAF_LIBS) diff --git a/pdns/botansigners.cc b/pdns/botansigners.cc deleted file mode 100644 index cb04d72894..0000000000 --- a/pdns/botansigners.cc +++ /dev/null @@ -1,263 +0,0 @@ -/* - * This file is part of PowerDNS or dnsdist. - * Copyright -- PowerDNS.COM B.V. and its contributors - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of version 2 of the GNU General Public License as - * published by the Free Software Foundation. - * - * In addition, for the avoidance of any doubt, permission is granted to - * link this program with OpenSSL and to (re)distribute the binaries - * produced as the result of such linking. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - */ -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif -#include -#include -#include -#include -#include -#include "dnssecinfra.hh" - -using namespace Botan; - -/* Государственный гимн Российской Федерации - (Gosudarstvenny Gimn Rossiyskoy Federatsii) - "The National Anthem of the Russian Federation" - - ~ Rossiya - svyashchennaya nasha derzhava, ~ - ~ Rossiya - lyubimaya nasha strana. ~ - ~ Moguchaya volya, velikaya slava - ~ - ~ Tvoyo dostoyanye na vse vremena! ~ - */ - -class GOSTDNSCryptoKeyEngine : public DNSCryptoKeyEngine -{ -public: - explicit GOSTDNSCryptoKeyEngine(unsigned int algorithm) : DNSCryptoKeyEngine(algorithm) {} - ~GOSTDNSCryptoKeyEngine(){} - void create(unsigned int bits) override; - string getName() const override { return "Botan 2 GOST"; } - storvector_t convertToISCVector() const override; - std::string getPubKeyHash() const override; - std::string sign(const std::string& msg) const override; - std::string hash(const std::string& msg) const override; - bool verify(const std::string& msg, const std::string& signature) const override; - std::string getPublicKeyString() const override; - int getBits() const override; - void fromISCMap(DNSKEYRecordContent& drc, std::map& content) override; - void fromPublicKeyString(const std::string& content) override; - void fromPEMString(DNSKEYRecordContent& drc, const std::string& raw) override - {} - - static std::shared_ptr maker(unsigned int algorithm) - { - return std::make_shared(algorithm); - } - -private: - static EC_Group getParams() - { - return EC_Group("gost_256A"); - } - - shared_ptr d_key; - shared_ptr d_pubkey; -}; - -/* - ~ Slav'sya, Otechestvo nashe svobodnoye, ~ - ~ Bratskikh narodov soyuz vekovoy, ~ - ~ Predkami dannaya mudrost' narodnaya! ~ - ~ Slav'sya, strana! My gordimsya toboy! ~ -*/ - - -void GOSTDNSCryptoKeyEngine::create(unsigned int bits) -{ - AutoSeeded_RNG rng; - d_key = std::make_shared(rng, getParams()); -} - -int GOSTDNSCryptoKeyEngine::getBits() const -{ - return 256; -} - -/* - ~ Ot yuzhnykh morey do polyarnogo kraya ~ - ~ Raskinulis' nashi lesa i polya. ~ - ~ Odna ty na svete! Odna ty takaya - ~ - ~ Khranimaya Bogom rodnaya zemlya! ~ -*/ - -DNSCryptoKeyEngine::storvector_t GOSTDNSCryptoKeyEngine::convertToISCVector() const -{ - static const unsigned char asn1Prefix[]= - {0x30, 0x45, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, - 0x13, 0x30, 0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x01, 0x06, 0x07, - 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1e, 0x01, 0x04, 0x22, 0x04, 0x20}; // this is DER, fixed for a 32 byte key - - storvector_t storvect; - storvect.push_back(make_pair("Algorithm", "12 (ECC-GOST)")); - - auto buffer = BigInt::encode(d_key->private_value()); - string gostasn1(reinterpret_cast(asn1Prefix), sizeof(asn1Prefix)); - gostasn1.append(buffer.begin(), buffer.end()); - storvect.push_back(make_pair("GostAsn1", gostasn1)); - return storvect; -} - -/* - ~ Slav'sya, Otechestvo nashe svobodnoye, ~ - ~ Bratskikh narodov soyuz vekovoy, ~ - ~ Predkami dannaya mudrost' narodnaya! ~ - ~ Slav'sya, strana! My gordimsya toboy! ~ -*/ - -void GOSTDNSCryptoKeyEngine::fromISCMap(DNSKEYRecordContent& drc, std::map& stormap ) -{ - drc.d_algorithm = pdns_stou(stormap["algorithm"]); - string privateKey=stormap["gostasn1"]; - //cerr<<"PrivateKey.size() = "<(rng, getParams(), bigint); - - //cerr<<"Is the just imported key on the curve? " << d_key->public_point().on_the_curve()<public_point().is_zero()<private_value(); - auto buffer = BigInt::encode(x); - // cerr<<"And out again! "< msg_le(msg, msg + msg_len); - - for(size_t i = 0; i != msg_le.size() / 2; ++i) - std::swap(msg_le[i], msg_le[msg_le.size()-1-i]); - - return BigInt(&msg_le[0], msg_le.size()); - } - -} -void GOSTDNSCryptoKeyEngine::fromPublicKeyString(const std::string& input) -{ - BigInt x, y; - - x=decode_le((const byte*)input.c_str(), input.length()/2); - y=decode_le((const byte*)input.c_str() + input.length()/2, input.length()/2); - - auto params = getParams(); -#if BOTAN_VERSION_CODE < BOTAN_VERSION_CODE_FOR(2,5,0) - PointGFp point(params.get_curve(), x,y); -#else - PointGFp point(params.point(x,y)); -#endif - d_pubkey = std::make_shared(params, point); - d_key.reset(); -} - -std::string GOSTDNSCryptoKeyEngine::getPubKeyHash() const -{ - const BigInt&x = d_key->private_value(); - auto buffer = BigInt::encode(x); - return string(buffer.begin(), buffer.end()); -} - -std::string GOSTDNSCryptoKeyEngine::getPublicKeyString() const -{ - std::shared_ptr pk = d_pubkey ? d_pubkey : d_key; - const BigInt&x =pk->public_point().get_affine_x(); - const BigInt&y =pk->public_point().get_affine_y(); - - size_t part_size = std::max(x.bytes(), y.bytes()); - - std::vector bits(2*part_size); - - x.binary_encode(&bits[part_size - x.bytes()]); - y.binary_encode(&bits[2*part_size - y.bytes()]); - - // Keys are stored in little endian format (WTF) - for(size_t i = 0; i != part_size / 2; ++i) - { - std::swap(bits[i], bits[part_size-1-i]); - std::swap(bits[part_size+i], bits[2*part_size-1-i]); - } - - return string(bits.begin(), bits.end()); -} - -/* - ~ Shirokiy prostor dlya mechty i dlya zhizni. ~ - ~ Gryadushchiye nam otkryvayut goda. ~ - ~ Nam silu dayot nasha vernost' Otchizne. ~ - ~ Tak bylo, tak yest' i tak budet vsegda! ~ - */ - -std::string GOSTDNSCryptoKeyEngine::sign(const std::string& msg) const -{ - AutoSeeded_RNG rng; - PK_Signer signer(*d_key, rng, "Raw"); - signer.update(hash(msg)); - auto signature = signer.signature(rng); - return string(signature.begin(), signature.end()); -} - -std::string GOSTDNSCryptoKeyEngine::hash(const std::string& orig) const -{ - GOST_34_11 hasher; - auto result = hasher.process(orig); - return string(result.begin(), result.end()); -} - - -bool GOSTDNSCryptoKeyEngine::verify(const std::string& message, const std::string& signature) const -{ - std::shared_ptr pk = d_pubkey ? d_pubkey : d_key; - PK_Verifier verifier(*pk, "Raw"); - verifier.update(hash(message)); - return verifier.check_signature(reinterpret_cast(signature.c_str()), signature.size()); -} - -/* - ~ Slav'sya, Otechestvo nashe svobodnoye, ~ - ~ Bratskikh narodov soyuz vekovoy, ~ - ~ Predkami dannaya mudrost' narodnaya! ~ - ~ Slav'sya, strana! My gordimsya toboy! ~ -*/ - - -////////////////////////////// - -namespace { -struct LoaderStruct -{ - LoaderStruct() - { - DNSCryptoKeyEngine::report(12, &GOSTDNSCryptoKeyEngine::maker); - } -} loaderBotan2; -} diff --git a/pdns/recursordist/Makefile.am b/pdns/recursordist/Makefile.am index 70a0346152..09901dde98 100644 --- a/pdns/recursordist/Makefile.am +++ b/pdns/recursordist/Makefile.am @@ -1,7 +1,7 @@ JSON11_LIBS = $(top_srcdir)/ext/json11/libjson11.la PROBDS_LIBS = $(top_srcdir)/ext/probds/libprobds.la -AM_CPPFLAGS = $(LUA_CFLAGS) $(YAHTTP_CFLAGS) $(BOOST_CPPFLAGS) $(BOTAN_CFLAGS) $(LIBSODIUM_CFLAGS) $(NET_SNMP_CFLAGS) $(SANITIZER_FLAGS) -O3 -Wall -pthread -DSYSCONFDIR=\"${sysconfdir}\" $(SYSTEMD_CFLAGS) +AM_CPPFLAGS = $(LUA_CFLAGS) $(YAHTTP_CFLAGS) $(BOOST_CPPFLAGS) $(LIBSODIUM_CFLAGS) $(NET_SNMP_CFLAGS) $(SANITIZER_FLAGS) -O3 -Wall -pthread -DSYSCONFDIR=\"${sysconfdir}\" $(SYSTEMD_CFLAGS) AM_CPPFLAGS += \ -I$(top_srcdir)/ext/json11 \ @@ -44,7 +44,6 @@ endif EXTRA_DIST = \ NOTICE \ .version \ - botansigners.cc \ build-aux/gen-version \ contrib/* \ devpollmplexer.cc \ @@ -301,15 +300,6 @@ testrunner_LDFLAGS += \ $(BOOST_FILESYSTEM_LDFLAGS) endif -if BOTAN -pdns_recursor_SOURCES += \ - botansigners.cc -pdns_recursor_LDADD += $(BOTAN_LIBS) -testrunner_SOURCES += \ - botansigners.cc -testrunner_LDADD += $(BOTAN_LIBS) -endif - if LIBSODIUM pdns_recursor_SOURCES += \ sodiumsigners.cc diff --git a/pdns/recursordist/botansigners.cc b/pdns/recursordist/botansigners.cc deleted file mode 120000 index edbcea7f54..0000000000 --- a/pdns/recursordist/botansigners.cc +++ /dev/null @@ -1 +0,0 @@ -../botansigners.cc \ No newline at end of file diff --git a/pdns/recursordist/configure.ac b/pdns/recursordist/configure.ac index adbb49cbbb..3b38e9fd50 100644 --- a/pdns/recursordist/configure.ac +++ b/pdns/recursordist/configure.ac @@ -111,7 +111,6 @@ PDNS_CHECK_LUA_HPP PDNS_ENABLE_VERBOSE_LOGGING # Crypto libraries -PDNS_ENABLE_BOTAN PDNS_CHECK_LIBCRYPTO([ ],[ AC_MSG_ERROR([OpenSSL/libcrypto not found]) @@ -232,10 +231,6 @@ AS_IF([test "x$LIBDECAF_LIBS" != "x"], [AC_MSG_NOTICE([libdecaf ed25519 and ed448: yes])], [AC_MSG_NOTICE([libdecaf ed25519 and ed448: no])] ) -AS_IF([test "x$BOTAN_LIBS" != "x"], - [AC_MSG_NOTICE([Botan gost: yes])], - [AC_MSG_NOTICE([Botan gost: no])] -) AS_IF([test "x$PROTOBUF_LIBS" != "x" -a x"$PROTOC" != "x"], [AC_MSG_NOTICE([Protobuf: yes])], [AC_MSG_NOTICE([Protobuf: no])] diff --git a/pdns/recursordist/m4/pdns_enable_botan.m4 b/pdns/recursordist/m4/pdns_enable_botan.m4 deleted file mode 120000 index 8029a935de..0000000000 --- a/pdns/recursordist/m4/pdns_enable_botan.m4 +++ /dev/null @@ -1 +0,0 @@ -../../../m4/pdns_enable_botan.m4 \ No newline at end of file diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc index 7ef9a5c846..9dd703bff9 100644 --- a/pdns/recursordist/test-syncres_cc.cc +++ b/pdns/recursordist/test-syncres_cc.cc @@ -10071,143 +10071,6 @@ BOOST_AUTO_TEST_CASE(test_getDSRecords_multialgo_two_highest) { } } -#ifdef HAVE_BOTAN -BOOST_AUTO_TEST_CASE(test_getDSRecords_multialgo_prefer_sha384_over_gost) { - std::unique_ptr sr; - initSR(sr, true); - - setDNSSECValidation(sr, DNSSECMode::ValidateAll); - - primeHints(); - const DNSName target("com."); - testkeysset_t keys, keys2; - - auto luaconfsCopy = g_luaconfs.getCopy(); - luaconfsCopy.dsAnchors.clear(); - generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); - generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA384, keys); - g_luaconfs.setState(luaconfsCopy); - - // As testkeysset_t only contains one DSRecordContent, create another one with a different hash algo - generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::GOST, keys2); - // But add the existing root key otherwise no RRSIG can be created - auto rootkey = keys.find(g_rootdnsname); - keys2.insert(*rootkey); - - sr->setAsyncCallback([target, keys, keys2](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional& srcmask, boost::optional context, std::shared_ptr outgoingLogger, LWResult* res, bool* chained) { - DNSName auth = domain; - auth.chopOff(); - if (type == QType::DS || type == QType::DNSKEY) { - if (domain == target) { - if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys2) != 1) { - return 0; - } - } - return genericDSAndDNSKEYHandler(res, domain, auth, type, keys); - } - return 0; - }); - - dsmap_t ds; - auto state = sr->getDSRecords(target, ds, false, 0, false); - BOOST_CHECK_EQUAL(state, Secure); - BOOST_REQUIRE_EQUAL(ds.size(), 1); - for (const auto& i : ds) { - BOOST_CHECK_EQUAL(i.d_digesttype, DNSSECKeeper::SHA384); - } -} - -BOOST_AUTO_TEST_CASE(test_getDSRecords_multialgo_prefer_sha256_over_gost) { - std::unique_ptr sr; - initSR(sr, true); - - setDNSSECValidation(sr, DNSSECMode::ValidateAll); - - primeHints(); - const DNSName target("com."); - testkeysset_t keys, keys2; - - auto luaconfsCopy = g_luaconfs.getCopy(); - luaconfsCopy.dsAnchors.clear(); - generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); - generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); - g_luaconfs.setState(luaconfsCopy); - - // As testkeysset_t only contains one DSRecordContent, create another one with a different hash algo - generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::GOST, keys2); - // But add the existing root key otherwise no RRSIG can be created - auto rootkey = keys.find(g_rootdnsname); - keys2.insert(*rootkey); - - sr->setAsyncCallback([target, keys, keys2](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional& srcmask, boost::optional context, std::shared_ptr outgoingLogger, LWResult* res, bool* chained) { - DNSName auth = domain; - auth.chopOff(); - if (type == QType::DS || type == QType::DNSKEY) { - if (domain == target) { - if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys2) != 1) { - return 0; - } - } - return genericDSAndDNSKEYHandler(res, domain, auth, type, keys); - } - return 0; - }); - - dsmap_t ds; - auto state = sr->getDSRecords(target, ds, false, 0, false); - BOOST_CHECK_EQUAL(state, Secure); - BOOST_REQUIRE_EQUAL(ds.size(), 1); - for (const auto& i : ds) { - BOOST_CHECK_EQUAL(i.d_digesttype, DNSSECKeeper::SHA256); - } -} - -BOOST_AUTO_TEST_CASE(test_getDSRecords_multialgo_prefer_gost_over_sha1) { - std::unique_ptr sr; - initSR(sr, true); - - setDNSSECValidation(sr, DNSSECMode::ValidateAll); - - primeHints(); - const DNSName target("com."); - testkeysset_t keys, keys2; - - auto luaconfsCopy = g_luaconfs.getCopy(); - luaconfsCopy.dsAnchors.clear(); - generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); - generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA1, keys); - g_luaconfs.setState(luaconfsCopy); - - // As testkeysset_t only contains one DSRecordContent, create another one with a different hash algo - generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::GOST, keys2); - // But add the existing root key otherwise no RRSIG can be created - auto rootkey = keys.find(g_rootdnsname); - keys2.insert(*rootkey); - - sr->setAsyncCallback([target, keys, keys2](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional& srcmask, boost::optional context, std::shared_ptr outgoingLogger, LWResult* res, bool* chained) { - DNSName auth = domain; - auth.chopOff(); - if (type == QType::DS || type == QType::DNSKEY) { - if (domain == target) { - if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys2) != 1) { - return 0; - } - } - return genericDSAndDNSKEYHandler(res, domain, auth, type, keys); - } - return 0; - }); - - dsmap_t ds; - auto state = sr->getDSRecords(target, ds, false, 0, false); - BOOST_CHECK_EQUAL(state, Secure); - BOOST_REQUIRE_EQUAL(ds.size(), 1); - for (const auto& i : ds) { - BOOST_CHECK_EQUAL(i.d_digesttype, DNSSECKeeper::GOST); - } -} -#endif // HAVE_BOTAN110 - /* // cerr<<"asyncresolve called to ask "< -#endif /* HAVE_BOTAN */ - static ProductType productType; string compilerVersion() @@ -87,9 +83,6 @@ void showProductVersion() void showBuildConfiguration() { g_log<