From 56ad05f50e59a7c5befc939e5f38c0ef7fcfeedb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 2 Aug 2018 23:46:45 +0200 Subject: [PATCH] FIPS tests changes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Squashed commit of the following: commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa Author: Petr Menšík Date: Wed Mar 7 20:35:13 2018 +0100 Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available. commit ab303db70082db76ecf36493d0b82ef3e8750cad Author: Petr Menšík Date: Wed Mar 7 18:11:10 2018 +0100 Changed root key to be RSASHA256 Change bad trusted key to be the same algorithm. commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8 Author: Petr Menšík Date: Wed Mar 7 16:56:17 2018 +0100 Change used key to not use hmac-md5 Fix upforwd test, do not use hmac-md5 commit aec891571626f053acfb4d0a247240cbc21a84e9 Author: Petr Menšík Date: Wed Mar 7 15:54:11 2018 +0100 Increase bitsize of DSA key to pass FIPS 140-2 mode. commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696 Author: Petr Menšík Date: Wed Mar 7 15:41:08 2018 +0100 Fix tsig and rndc tests for disabled md5 Use hmac-sha256 instead of hmac-md5. commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67 Author: Petr Menšík Date: Wed Mar 7 13:21:00 2018 +0100 Add md5 availability detection to featuretest commit f389a918803e2853e4b55fed62765dc4a492e34f Author: Petr Menšík Date: Wed Mar 7 10:44:23 2018 +0100 Change tests to not use hmac-md5 algorithms if not required Use hmac-sha256 instead of default hmac-md5 for allow-query --- bin/tests/system/acl/ns2/named1.conf.in | 4 +-- bin/tests/system/acl/ns2/named2.conf.in | 4 +-- bin/tests/system/acl/ns2/named3.conf.in | 6 ++-- bin/tests/system/acl/ns2/named4.conf.in | 4 +-- bin/tests/system/acl/ns2/named5.conf.in | 4 +-- bin/tests/system/acl/tests.sh | 30 +++++++++---------- .../system/allow-query/ns2/named10.conf.in | 2 +- .../system/allow-query/ns2/named11.conf.in | 4 +-- .../system/allow-query/ns2/named12.conf.in | 2 +- .../system/allow-query/ns2/named30.conf.in | 2 +- .../system/allow-query/ns2/named31.conf.in | 4 +-- .../system/allow-query/ns2/named32.conf.in | 2 +- .../system/allow-query/ns2/named40.conf.in | 4 +-- bin/tests/system/allow-query/tests.sh | 18 +++++------ bin/tests/system/checkconf/bad-tsig.conf | 2 +- bin/tests/system/checkconf/good.conf | 2 +- bin/tests/system/feature-test.c | 13 ++++++++ bin/tests/system/notify/ns5/named.conf.in | 6 ++-- bin/tests/system/notify/tests.sh | 6 ++-- bin/tests/system/nsupdate/ns1/named.conf.in | 2 +- bin/tests/system/nsupdate/ns2/named.conf.in | 2 +- bin/tests/system/nsupdate/tests.sh | 4 +-- bin/tests/system/upforwd/ns1/named.conf.in | 2 +- bin/tests/system/upforwd/tests.sh | 2 +- 24 files changed, 72 insertions(+), 59 deletions(-) diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in index 745048a..93cb411 100644 --- a/bin/tests/system/acl/ns2/named1.conf.in +++ b/bin/tests/system/acl/ns2/named1.conf.in @@ -35,12 +35,12 @@ options { }; key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in index 21aa991..78e71cc 100644 --- a/bin/tests/system/acl/ns2/named2.conf.in +++ b/bin/tests/system/acl/ns2/named2.conf.in @@ -35,12 +35,12 @@ options { }; key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in index 3208c92..bed6325 100644 --- a/bin/tests/system/acl/ns2/named3.conf.in +++ b/bin/tests/system/acl/ns2/named3.conf.in @@ -35,17 +35,17 @@ options { }; key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; key three { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in index 14e82ed..a22cafe 100644 --- a/bin/tests/system/acl/ns2/named4.conf.in +++ b/bin/tests/system/acl/ns2/named4.conf.in @@ -35,12 +35,12 @@ options { }; key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in index f43f33c..f4a865a 100644 --- a/bin/tests/system/acl/ns2/named5.conf.in +++ b/bin/tests/system/acl/ns2/named5.conf.in @@ -37,12 +37,12 @@ options { }; key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh index bdac1d2..020a7a1 100644 --- a/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh @@ -24,7 +24,7 @@ echo_i "testing basic ACL processing" # key "one" should fail t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t} + @10.53.0.2 -b 10.53.0.1 axfr -y $DEFAULT_HMAC:one:1234abcd8765 >dig.out.${t} grep "^;" dig.out.${t} >/dev/null 2>&1 || { echo_i "test $t failed" status=1 @@ -33,7 +33,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 || { # any other key should be fine t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t} + @10.53.0.2 -b 10.53.0.1 axfr -y $DEFAULT_HMAC:two:1234abcd8765 >dig.out.${t} grep "^;" dig.out.${t} >/dev/null 2>&1 && { echo_i "test $t failed" status=1 @@ -46,7 +46,7 @@ sleep 5 # prefix 10/8 should fail t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t} + @10.53.0.2 -b 10.53.0.1 axfr -y $DEFAULT_HMAC:one:1234abcd8765 >dig.out.${t} grep "^;" dig.out.${t} >/dev/null 2>&1 || { echo_i "test $t failed" status=1 @@ -55,7 +55,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 || { # any other address should work, as long as it sends key "one" t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 >dig.out.${t} + @10.53.0.2 -b 127.0.0.1 axfr -y $DEFAULT_HMAC:two:1234abcd8765 >dig.out.${t} grep "^;" dig.out.${t} >/dev/null 2>&1 || { echo_i "test $t failed" status=1 @@ -63,7 +63,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 || { t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 >dig.out.${t} + @10.53.0.2 -b 127.0.0.1 axfr -y $DEFAULT_HMAC:one:1234abcd8765 >dig.out.${t} grep "^;" dig.out.${t} >/dev/null 2>&1 && { echo_i "test $t failed" status=1 @@ -78,7 +78,7 @@ sleep 5 # should succeed t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 >dig.out.${t} + @10.53.0.2 -b 10.53.0.2 axfr -y $DEFAULT_HMAC:two:1234abcd8765 >dig.out.${t} grep "^;" dig.out.${t} >/dev/null 2>&1 && { echo_i "test $t failed" status=1 @@ -87,7 +87,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 && { # should succeed t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 >dig.out.${t} + @10.53.0.2 -b 10.53.0.2 axfr -y $DEFAULT_HMAC:one:1234abcd8765 >dig.out.${t} grep "^;" dig.out.${t} >/dev/null 2>&1 && { echo_i "test $t failed" status=1 @@ -96,7 +96,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 && { # should succeed t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t} + @10.53.0.2 -b 10.53.0.1 axfr -y $DEFAULT_HMAC:two:1234abcd8765 >dig.out.${t} grep "^;" dig.out.${t} >/dev/null 2>&1 && { echo_i "test $t failed" status=1 @@ -105,7 +105,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 && { # should succeed t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t} + @10.53.0.2 -b 10.53.0.1 axfr -y $DEFAULT_HMAC:two:1234abcd8765 >dig.out.${t} grep "^;" dig.out.${t} >/dev/null 2>&1 && { echo_i "test $t failed" status=1 @@ -114,7 +114,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 && { # but only one or the other should fail t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 >dig.out.${t} + @10.53.0.2 -b 127.0.0.1 axfr -y $DEFAULT_HMAC:one:1234abcd8765 >dig.out.${t} grep "^;" dig.out.${t} >/dev/null 2>&1 || { echo_i "test $t failed" status=1 @@ -145,7 +145,7 @@ sleep 5 # should succeed t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 >dig.out.${t} + @10.53.0.2 -b 10.53.0.2 axfr -y $DEFAULT_HMAC:two:1234abcd8765 >dig.out.${t} grep "^;" dig.out.${t} >/dev/null 2>&1 && { echo_i "test $t failed" status=1 @@ -154,7 +154,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 && { # should succeed t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t} + @10.53.0.2 -b 10.53.0.1 axfr -y $DEFAULT_HMAC:one:1234abcd8765 >dig.out.${t} grep "^;" dig.out.${t} >/dev/null 2>&1 && { echo_i "test $t failed" status=1 @@ -163,7 +163,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 && { # should fail t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 >dig.out.${t} + @10.53.0.2 -b 10.53.0.2 axfr -y $DEFAULT_HMAC:one:1234abcd8765 >dig.out.${t} grep "^;" dig.out.${t} >/dev/null 2>&1 || { echo_i "test $t failed" status=1 @@ -172,7 +172,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 || { # should fail t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t} + @10.53.0.2 -b 10.53.0.1 axfr -y $DEFAULT_HMAC:two:1234abcd8765 >dig.out.${t} grep "^;" dig.out.${t} >/dev/null 2>&1 || { echo_i "test $t failed" status=1 @@ -181,7 +181,7 @@ grep "^;" dig.out.${t} >/dev/null 2>&1 || { # should fail t=$(expr $t + 1) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 >dig.out.${t} + @10.53.0.2 -b 10.53.0.3 axfr -y $DEFAULT_HMAC:one:1234abcd8765 >dig.out.${t} grep "^;" dig.out.${t} >/dev/null 2>&1 || { echo_i "test $t failed" status=1 diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in index b91d19a..7d777c2 100644 --- a/bin/tests/system/allow-query/ns2/named10.conf.in +++ b/bin/tests/system/allow-query/ns2/named10.conf.in @@ -12,7 +12,7 @@ */ key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in index 308c4ca..00f6f40 100644 --- a/bin/tests/system/allow-query/ns2/named11.conf.in +++ b/bin/tests/system/allow-query/ns2/named11.conf.in @@ -12,12 +12,12 @@ */ key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234efgh8765"; }; diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in index 6b0fe55..491e514 100644 --- a/bin/tests/system/allow-query/ns2/named12.conf.in +++ b/bin/tests/system/allow-query/ns2/named12.conf.in @@ -12,7 +12,7 @@ */ key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in index aefc474..7c06596 100644 --- a/bin/tests/system/allow-query/ns2/named30.conf.in +++ b/bin/tests/system/allow-query/ns2/named30.conf.in @@ -12,7 +12,7 @@ */ key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in index 27eccc2..eecb990 100644 --- a/bin/tests/system/allow-query/ns2/named31.conf.in +++ b/bin/tests/system/allow-query/ns2/named31.conf.in @@ -12,12 +12,12 @@ */ key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234efgh8765"; }; diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in index adbb203..744d122 100644 --- a/bin/tests/system/allow-query/ns2/named32.conf.in +++ b/bin/tests/system/allow-query/ns2/named32.conf.in @@ -12,7 +12,7 @@ */ key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in index 364f94b..9518f82 100644 --- a/bin/tests/system/allow-query/ns2/named40.conf.in +++ b/bin/tests/system/allow-query/ns2/named40.conf.in @@ -16,12 +16,12 @@ acl accept { 10.53.0.2; }; acl badaccept { 10.53.0.1; }; key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234efgh8765"; }; diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh index 1cb7da3..96f6545 100644 --- a/bin/tests/system/allow-query/tests.sh +++ b/bin/tests/system/allow-query/tests.sh @@ -183,7 +183,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y $DEFAULT_HMAC:one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -196,7 +196,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a >dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y $DEFAULT_HMAC:two:1234efgh8765 a.normal.example a >dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -209,7 +209,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y $DEFAULT_HMAC:one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -342,7 +342,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y $DEFAULT_HMAC:one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -355,7 +355,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a >dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y $DEFAULT_HMAC:two:1234efgh8765 a.normal.example a >dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -368,7 +368,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y $DEFAULT_HMAC:one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -501,7 +501,7 @@ status=$(expr $status + $ret) n=$(expr $n + 1) echo_i "test $n: zone key allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a >dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y $DEFAULT_HMAC:one:1234abcd8765 a.keyallow.example a >dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -511,7 +511,7 @@ status=$(expr $status + $ret) n=$(expr $n + 1) echo_i "test $n: zone key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a >dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y $DEFAULT_HMAC:two:1234efgh8765 a.keyallow.example a >dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -521,7 +521,7 @@ status=$(expr $status + $ret) n=$(expr $n + 1) echo_i "test $n: zone key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a >dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y $DEFAULT_HMAC:one:1234abcd8765 a.keydisallow.example a >dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 grep '^a.keydisallow.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf index 4af25b0..9f202d5 100644 --- a/bin/tests/system/checkconf/bad-tsig.conf +++ b/bin/tests/system/checkconf/bad-tsig.conf @@ -13,7 +13,7 @@ /* Bad secret */ key "badtsig" { - algorithm hmac-md5; + algorithm hmac-sha256; secret "jEdD+BPKg=="; }; diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf index 0ecdb68..90b8ab3 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf @@ -284,6 +284,6 @@ dyndb "name" "library.so" { system; }; key "mykey" { - algorithm "hmac-md5"; + algorithm "hmac-sha256"; secret "qwertyuiopasdfgh"; }; diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c index e502ee9..cdbc92f 100644 --- a/bin/tests/system/feature-test.c +++ b/bin/tests/system/feature-test.c @@ -211,6 +211,19 @@ main(int argc, char **argv) { #endif /* ifdef DLZ_FILESYSTEM */ } + if (strcmp(argv[1], "--md5") == 0) { + unsigned char digest[ISC_MAX_MD_SIZE]; + const unsigned char test[] = "test"; + unsigned int size = sizeof(digest); + + if (isc_md(ISC_MD_MD5, test, sizeof(test), + digest, &size) == ISC_R_SUCCESS) { + return (0); + } else { + return (1); + } + } + if (strcmp(argv[1], "--with-idn") == 0) { #ifdef HAVE_LIBIDN2 return (0); diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in index 5cab276..d4a7bf3 100644 --- a/bin/tests/system/notify/ns5/named.conf.in +++ b/bin/tests/system/notify/ns5/named.conf.in @@ -12,17 +12,17 @@ */ key "a" { - algorithm "hmac-md5"; + algorithm "hmac-sha256"; secret "aaaaaaaaaaaaaaaaaaaa"; }; key "b" { - algorithm "hmac-md5"; + algorithm "hmac-sha256"; secret "bbbbbbbbbbbbbbbbbbbb"; }; key "c" { - algorithm "hmac-md5"; + algorithm "hmac-sha256"; secret "cccccccccccccccccccc"; }; diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh index fcc51d5..0ab99db 100644 --- a/bin/tests/system/notify/tests.sh +++ b/bin/tests/system/notify/tests.sh @@ -210,15 +210,15 @@ ret=0 $NSUPDATE <dig.out.b.ns5.test$n || ret=1 - $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \ + $DIG $DIGOPTS added.x21. -y ${DEFAULT_HMAC}:c:cccccccccccccccccccc @10.53.0.5 \ txt >dig.out.c.ns5.test$n || ret=1 grep "test string" dig.out.b.ns5.test$n >/dev/null \ && grep "test string" dig.out.c.ns5.test$n >/dev/null \ diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in index a5cc36d..7bb8923 100644 --- a/bin/tests/system/nsupdate/ns1/named.conf.in +++ b/bin/tests/system/nsupdate/ns1/named.conf.in @@ -40,7 +40,7 @@ controls { }; key altkey { - algorithm hmac-md5; + algorithm hmac-sha512; secret "1234abcd8765"; }; diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in index f1a1735..da2b3d1 100644 --- a/bin/tests/system/nsupdate/ns2/named.conf.in +++ b/bin/tests/system/nsupdate/ns2/named.conf.in @@ -34,7 +34,7 @@ controls { }; key altkey { - algorithm hmac-md5; + algorithm hmac-sha512; secret "1234abcd8765"; }; diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh index def99c4..00d2987 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh @@ -1033,7 +1033,7 @@ fi n=$((n + 1)) ret=0 echo_i "check TSIG key algorithms (nsupdate -y) ($n)" -for alg in md5 sha1 sha224 sha256 sha384 sha512; do +for alg in $ALGS; do secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key) $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" </dev/null || ret=1 server 10.53.0.1 ${PORT} @@ -1042,7 +1042,7 @@ send END done sleep 2 -for alg in md5 sha1 sha224 sha256 sha384 sha512; do +for alg in $ALGS; do $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 >/dev/null 2>&1 || ret=1 done if [ $ret -ne 0 ]; then diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in index c2b57dd..cb13aa1 100644 --- a/bin/tests/system/upforwd/ns1/named.conf.in +++ b/bin/tests/system/upforwd/ns1/named.conf.in @@ -12,7 +12,7 @@ */ key "update.example." { - algorithm "hmac-md5"; + algorithm "hmac-sha256"; secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; }; diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh index 9165ba9..063e28d 100644 --- a/bin/tests/system/upforwd/tests.sh +++ b/bin/tests/system/upforwd/tests.sh @@ -92,7 +92,7 @@ fi echo_i "updating zone (signed) ($n)" ret=0 -$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <