+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- max-rsa-exponent-size 34;
-};
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- max-rsa-exponent-size 4097;
-};
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- max-rsa-exponent-size 0;
-};
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- max-rsa-exponent-size 35;
-};
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- max-rsa-exponent-size 4096;
-};
*/
options {
- max-rsa-exponent-size 1;
+ max-rsa-exponent-size @max_rsa_exponent_size@;
};
+++ /dev/null
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-set -e
-
-. ../conf.sh
-
-status=0
-
-rm -f dig.out.*
-
-DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
-
-for f in conf/good*.conf; do
- echo_i "checking '$f'"
- ret=0
- $CHECKCONF $f >/dev/null || ret=1
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
-done
-
-for f in conf/bad*.conf; do
- echo_i "checking '$f'"
- ret=0
- $CHECKCONF $f >/dev/null && ret=1
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
-done
-
-echo_i "checking that RSA big exponent keys can't be loaded"
-ret=0
-grep "out of range" ns2/signer.err >/dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-echo_i "checking that RSA big exponent signature can't validate"
-ret=0
-$DIG $DIGOPTS a.example @10.53.0.2 >dig.out.ns2 || ret=1
-$DIG $DIGOPTS a.example @10.53.0.3 >dig.out.ns3 || ret=1
-grep "status: NOERROR" dig.out.ns2 >/dev/null || ret=1
-grep "status: SERVFAIL" dig.out.ns3 >/dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-echo_i "exit status: $status"
-[ $status -eq 0 ] || exit 1
--- /dev/null
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import subprocess
+
+import dns.message
+import pytest
+
+import isctest
+
+CHECKCONF = os.environ["CHECKCONF"]
+
+
+@pytest.mark.parametrize("exponent_size", [0, 35, 666, 1024, 2048, 3072, 4096])
+def test_max_rsa_exponent_size_good(exponent_size, templates):
+ templates.render("options.conf", {"max_rsa_exponent_size": exponent_size})
+ isctest.run.cmd([CHECKCONF, "options.conf"])
+
+
+@pytest.mark.parametrize("exponent_size", [1, 34, 4097])
+def test_max_rsa_exponent_size_bad(exponent_size, templates):
+ templates.render("options.conf", {"max_rsa_exponent_size": exponent_size})
+ with pytest.raises(subprocess.CalledProcessError):
+ isctest.run.cmd([CHECKCONF, "options.conf"], log_stdout=True)
+
+
+def test_rsa_big_exponent_keys_cant_load():
+ with open("ns2/signer.err", encoding="utf-8") as file:
+ assert (
+ "dnssec-signzone: fatal: cannot load dnskey Kexample.+008+52810.key: out of range"
+ in file.read()
+ )
+
+
+def test_rsa_big_exponent_keys_cant_validate():
+ msg = dns.message.make_query("a.example.", "A")
+ res2 = isctest.query.tcp(msg, "10.53.0.2")
+ isctest.check.noerror(res2)
+ res3 = isctest.query.tcp(msg, "10.53.0.3")
+ isctest.check.servfail(res3)
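Review bot: `test_max_rsa_exponent_size_bad` accepts any non-zero exit from named-checkconf, so a rendering mistake in `options.conf` or an unrelated parse error would make every bad case pass for the wrong reason; capture the exception and check that the diagnostic names the option, e.g. `with pytest.raises(subprocess.CalledProcessError) as excinfo:` … `assert "max-rsa-exponent-size" in str(excinfo.value.stdout)` (adjusted to whichever stream `isctest.run.cmd` attaches to the error, which is not visible here). The hard-coded key tag in `Kexample.+008+52810.key` will drift if the test keys are generated at setup time rather than checked in; the removed shell test matched only `out of range`, which is the part that actually matters. `test_rsa_big_exponent_keys_cant_validate` drops the old `+dnssec` flag; ns3 should still SERVFAIL because validation on a validating resolver does not depend on the client's DO bit, but `dns.message.make_query("a.example.", "A", want_dnssec=True)` would keep parity with the shell test. Reading `CHECKCONF` from the environment at import time also makes the two ns2/ns3 tests, which never use it, fail at collection when the variable is unset.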
+++ /dev/null
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-
-def test_rsabigexponent(run_tests_sh):
- run_tests_sh()