76074cd59a
Reworked custom redhat version. Complete version is now part of library names. Libraries are not recommended for any third party application. They are still required for bind-dyndb-ldap only. Version of named changed, only suffix -RH is appended to upstream version. Therefore dig would not contain version 9.6.11-RedHat-9.6.11-1.fc34, but only 9.6.13-RH. Version of fedora build have to be obtained from rpm -q bind. Version is now part of library names, bind-libs-lite was merged to bind-libs. bind-dyndb-ldap needs whole bind, no point to offer smaller library set just for its dependencies. Updated also named(8) manual page to match current state of SELinux.
960 lines
32 KiB
Diff
960 lines
32 KiB
Diff
From 3f04cf343dbeb8819197702ce1be737e26e0638a Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
|
Date: Thu, 2 Aug 2018 23:46:45 +0200
|
|
Subject: [PATCH] FIPS tests changes
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Squashed commit of the following:
|
|
|
|
commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa
|
|
Author: Petr Menšík <pemensik@redhat.com>
|
|
Date: Wed Mar 7 20:35:13 2018 +0100
|
|
|
|
Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available.
|
|
|
|
commit ab303db70082db76ecf36493d0b82ef3e8750cad
|
|
Author: Petr Menšík <pemensik@redhat.com>
|
|
Date: Wed Mar 7 18:11:10 2018 +0100
|
|
|
|
Changed root key to be RSASHA256
|
|
|
|
Change bad trusted key to be the same algorithm.
|
|
|
|
commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8
|
|
Author: Petr Menšík <pemensik@redhat.com>
|
|
Date: Wed Mar 7 16:56:17 2018 +0100
|
|
|
|
Change used key to not use hmac-md5
|
|
|
|
Fix upforwd test, do not use hmac-md5
|
|
|
|
commit aec891571626f053acfb4d0a247240cbc21a84e9
|
|
Author: Petr Menšík <pemensik@redhat.com>
|
|
Date: Wed Mar 7 15:54:11 2018 +0100
|
|
|
|
Increase bitsize of DSA key to pass FIPS 140-2 mode.
|
|
|
|
commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696
|
|
Author: Petr Menšík <pemensik@redhat.com>
|
|
Date: Wed Mar 7 15:41:08 2018 +0100
|
|
|
|
Fix tsig and rndc tests for disabled md5
|
|
|
|
Use hmac-sha256 instead of hmac-md5.
|
|
|
|
commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67
|
|
Author: Petr Menšík <pemensik@redhat.com>
|
|
Date: Wed Mar 7 13:21:00 2018 +0100
|
|
|
|
Add md5 availability detection to featuretest
|
|
|
|
commit f389a918803e2853e4b55fed62765dc4a492e34f
|
|
Author: Petr Menšík <pemensik@redhat.com>
|
|
Date: Wed Mar 7 10:44:23 2018 +0100
|
|
|
|
Change tests to not use hmac-md5 algorithms if not required
|
|
|
|
Use hmac-sha256 instead of default hmac-md5 for allow-query
|
|
---
|
|
bin/tests/system/acl/ns2/named1.conf.in | 4 +-
|
|
bin/tests/system/acl/ns2/named2.conf.in | 4 +-
|
|
bin/tests/system/acl/ns2/named3.conf.in | 6 +-
|
|
bin/tests/system/acl/ns2/named4.conf.in | 4 +-
|
|
bin/tests/system/acl/ns2/named5.conf.in | 4 +-
|
|
bin/tests/system/acl/tests.sh | 32 ++++-----
|
|
.../system/allow-query/ns2/named10.conf.in | 2 +-
|
|
.../system/allow-query/ns2/named11.conf.in | 4 +-
|
|
.../system/allow-query/ns2/named12.conf.in | 2 +-
|
|
.../system/allow-query/ns2/named30.conf.in | 2 +-
|
|
.../system/allow-query/ns2/named31.conf.in | 4 +-
|
|
.../system/allow-query/ns2/named32.conf.in | 2 +-
|
|
.../system/allow-query/ns2/named40.conf.in | 4 +-
|
|
bin/tests/system/allow-query/tests.sh | 18 ++---
|
|
bin/tests/system/catz/ns1/named.conf.in | 2 +-
|
|
bin/tests/system/catz/ns2/named.conf.in | 2 +-
|
|
bin/tests/system/checkconf/bad-tsig.conf | 2 +-
|
|
bin/tests/system/checkconf/good.conf | 2 +-
|
|
bin/tests/system/feature-test.c | 14 ++++
|
|
bin/tests/system/notify/ns5/named.conf.in | 6 +-
|
|
bin/tests/system/notify/tests.sh | 6 +-
|
|
bin/tests/system/nsupdate/ns1/named.conf.in | 2 +-
|
|
bin/tests/system/nsupdate/ns2/named.conf.in | 2 +-
|
|
bin/tests/system/nsupdate/setup.sh | 6 +-
|
|
bin/tests/system/nsupdate/tests.sh | 15 +++--
|
|
bin/tests/system/rndc/setup.sh | 2 +-
|
|
bin/tests/system/rndc/tests.sh | 23 ++++---
|
|
bin/tests/system/tsig/ns1/named.conf.in | 10 +--
|
|
bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++
|
|
bin/tests/system/tsig/setup.sh | 5 ++
|
|
bin/tests/system/tsig/tests.sh | 65 ++++++++++++-------
|
|
bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
|
|
bin/tests/system/upforwd/tests.sh | 2 +-
|
|
33 files changed, 162 insertions(+), 108 deletions(-)
|
|
create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
|
|
|
|
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
|
|
index 60f22e1..249f672 100644
|
|
--- a/bin/tests/system/acl/ns2/named1.conf.in
|
|
+++ b/bin/tests/system/acl/ns2/named1.conf.in
|
|
@@ -33,12 +33,12 @@ options {
|
|
};
|
|
|
|
key one {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "1234abcd8765";
|
|
};
|
|
|
|
key two {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "1234abcd8765";
|
|
};
|
|
|
|
diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
|
|
index ada97bc..f82d858 100644
|
|
--- a/bin/tests/system/acl/ns2/named2.conf.in
|
|
+++ b/bin/tests/system/acl/ns2/named2.conf.in
|
|
@@ -33,12 +33,12 @@ options {
|
|
};
|
|
|
|
key one {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "1234abcd8765";
|
|
};
|
|
|
|
key two {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "1234abcd8765";
|
|
};
|
|
|
|
diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
|
|
index 97684e4..de6a2e9 100644
|
|
--- a/bin/tests/system/acl/ns2/named3.conf.in
|
|
+++ b/bin/tests/system/acl/ns2/named3.conf.in
|
|
@@ -33,17 +33,17 @@ options {
|
|
};
|
|
|
|
key one {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "1234abcd8765";
|
|
};
|
|
|
|
key two {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "1234abcd8765";
|
|
};
|
|
|
|
key three {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "1234abcd8765";
|
|
};
|
|
|
|
diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
|
|
index 462b3fa..994b35c 100644
|
|
--- a/bin/tests/system/acl/ns2/named4.conf.in
|
|
+++ b/bin/tests/system/acl/ns2/named4.conf.in
|
|
@@ -33,12 +33,12 @@ options {
|
|
};
|
|
|
|
key one {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "1234abcd8765";
|
|
};
|
|
|
|
key two {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "1234abcd8765";
|
|
};
|
|
|
|
diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
|
|
index 728da58..8f00d09 100644
|
|
--- a/bin/tests/system/acl/ns2/named5.conf.in
|
|
+++ b/bin/tests/system/acl/ns2/named5.conf.in
|
|
@@ -35,12 +35,12 @@ options {
|
|
};
|
|
|
|
key one {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "1234abcd8765";
|
|
};
|
|
|
|
key two {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "1234abcd8765";
|
|
};
|
|
|
|
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
|
|
index be59d64..13d5bdc 100644
|
|
--- a/bin/tests/system/acl/tests.sh
|
|
+++ b/bin/tests/system/acl/tests.sh
|
|
@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing"
|
|
# key "one" should fail
|
|
t=`expr $t + 1`
|
|
$DIG $DIGOPTS tsigzone. \
|
|
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
|
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
|
|
|
|
|
# any other key should be fine
|
|
t=`expr $t + 1`
|
|
$DIG $DIGOPTS tsigzone. \
|
|
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
|
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
|
|
|
copy_setports ns2/named2.conf.in ns2/named.conf
|
|
@@ -39,18 +39,18 @@ sleep 5
|
|
# prefix 10/8 should fail
|
|
t=`expr $t + 1`
|
|
$DIG $DIGOPTS tsigzone. \
|
|
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
|
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
|
|
|
# any other address should work, as long as it sends key "one"
|
|
t=`expr $t + 1`
|
|
$DIG $DIGOPTS tsigzone. \
|
|
- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
|
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
|
|
|
t=`expr $t + 1`
|
|
$DIG $DIGOPTS tsigzone. \
|
|
- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
|
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
|
|
|
echo_i "testing nested ACL processing"
|
|
@@ -62,31 +62,31 @@ sleep 5
|
|
# should succeed
|
|
t=`expr $t + 1`
|
|
$DIG $DIGOPTS tsigzone. \
|
|
- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
|
|
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
|
|
|
# should succeed
|
|
t=`expr $t + 1`
|
|
$DIG $DIGOPTS tsigzone. \
|
|
- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
|
|
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
|
|
|
# should succeed
|
|
t=`expr $t + 1`
|
|
$DIG $DIGOPTS tsigzone. \
|
|
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
|
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
|
|
|
# should succeed
|
|
t=`expr $t + 1`
|
|
$DIG $DIGOPTS tsigzone. \
|
|
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
|
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
|
|
|
# but only one or the other should fail
|
|
t=`expr $t + 1`
|
|
$DIG $DIGOPTS tsigzone. \
|
|
- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
|
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
|
|
|
t=`expr $t + 1`
|
|
@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
|
|
# and other values? right out
|
|
t=`expr $t + 1`
|
|
$DIG $DIGOPTS tsigzone. \
|
|
- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
|
|
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t}
|
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
|
|
|
# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
|
|
@@ -108,31 +108,31 @@ sleep 5
|
|
# should succeed
|
|
t=`expr $t + 1`
|
|
$DIG $DIGOPTS tsigzone. \
|
|
- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
|
|
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
|
|
|
# should succeed
|
|
t=`expr $t + 1`
|
|
$DIG $DIGOPTS tsigzone. \
|
|
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
|
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
|
|
|
# should fail
|
|
t=`expr $t + 1`
|
|
$DIG $DIGOPTS tsigzone. \
|
|
- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
|
|
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
|
|
|
# should fail
|
|
t=`expr $t + 1`
|
|
$DIG $DIGOPTS tsigzone. \
|
|
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
|
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
|
|
|
# should fail
|
|
t=`expr $t + 1`
|
|
$DIG $DIGOPTS tsigzone. \
|
|
- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t}
|
|
+ @10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
|
|
|
echo_i "testing allow-query-on ACL processing"
|
|
diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
|
|
index 7d43e36..f7b25f9 100644
|
|
--- a/bin/tests/system/allow-query/ns2/named10.conf.in
|
|
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in
|
|
@@ -10,7 +10,7 @@
|
|
*/
|
|
|
|
key one {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "1234abcd8765";
|
|
};
|
|
|
|
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
|
|
index 2952518..121557e 100644
|
|
--- a/bin/tests/system/allow-query/ns2/named11.conf.in
|
|
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in
|
|
@@ -10,12 +10,12 @@
|
|
*/
|
|
|
|
key one {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "1234abcd8765";
|
|
};
|
|
|
|
key two {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "1234efgh8765";
|
|
};
|
|
|
|
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
|
|
index 0c01071..ceabbb5 100644
|
|
--- a/bin/tests/system/allow-query/ns2/named12.conf.in
|
|
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in
|
|
@@ -10,7 +10,7 @@
|
|
*/
|
|
|
|
key one {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "1234abcd8765";
|
|
};
|
|
|
|
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
|
|
index 4c17292..9cd9d1f 100644
|
|
--- a/bin/tests/system/allow-query/ns2/named30.conf.in
|
|
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in
|
|
@@ -10,7 +10,7 @@
|
|
*/
|
|
|
|
key one {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "1234abcd8765";
|
|
};
|
|
|
|
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
|
|
index a2690a4..f488730 100644
|
|
--- a/bin/tests/system/allow-query/ns2/named31.conf.in
|
|
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in
|
|
@@ -10,12 +10,12 @@
|
|
*/
|
|
|
|
key one {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "1234abcd8765";
|
|
};
|
|
|
|
key two {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "1234efgh8765";
|
|
};
|
|
|
|
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
|
|
index a0708c8..51fa457 100644
|
|
--- a/bin/tests/system/allow-query/ns2/named32.conf.in
|
|
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in
|
|
@@ -10,7 +10,7 @@
|
|
*/
|
|
|
|
key one {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "1234abcd8765";
|
|
};
|
|
|
|
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
|
|
index 687768e..d24d6d2 100644
|
|
--- a/bin/tests/system/allow-query/ns2/named40.conf.in
|
|
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in
|
|
@@ -14,12 +14,12 @@ acl accept { 10.53.0.2; };
|
|
acl badaccept { 10.53.0.1; };
|
|
|
|
key one {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "1234abcd8765";
|
|
};
|
|
|
|
key two {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "1234efgh8765";
|
|
};
|
|
|
|
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
|
|
index fe40635..543c663 100644
|
|
--- a/bin/tests/system/allow-query/tests.sh
|
|
+++ b/bin/tests/system/allow-query/tests.sh
|
|
@@ -182,7 +182,7 @@ rndc_reload ns2 10.53.0.2
|
|
|
|
echo_i "test $n: key allowed - query allowed"
|
|
ret=0
|
|
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
|
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
@@ -195,7 +195,7 @@ rndc_reload ns2 10.53.0.2
|
|
|
|
echo_i "test $n: key not allowed - query refused"
|
|
ret=0
|
|
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
|
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
@@ -208,7 +208,7 @@ rndc_reload ns2 10.53.0.2
|
|
|
|
echo_i "test $n: key disallowed - query refused"
|
|
ret=0
|
|
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
|
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
@@ -341,7 +341,7 @@ rndc_reload ns2 10.53.0.2
|
|
|
|
echo_i "test $n: views key allowed - query allowed"
|
|
ret=0
|
|
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
|
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
@@ -354,7 +354,7 @@ rndc_reload ns2 10.53.0.2
|
|
|
|
echo_i "test $n: views key not allowed - query refused"
|
|
ret=0
|
|
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
|
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2
|
|
|
|
echo_i "test $n: views key disallowed - query refused"
|
|
ret=0
|
|
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
|
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
|
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
@@ -500,7 +500,7 @@ status=`expr $status + $ret`
|
|
n=`expr $n + 1`
|
|
echo_i "test $n: zone key allowed - query allowed"
|
|
ret=0
|
|
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
|
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
|
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
|
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
@@ -510,7 +510,7 @@ status=`expr $status + $ret`
|
|
n=`expr $n + 1`
|
|
echo_i "test $n: zone key not allowed - query refused"
|
|
ret=0
|
|
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
|
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
|
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
|
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
@@ -520,7 +520,7 @@ status=`expr $status + $ret`
|
|
n=`expr $n + 1`
|
|
echo_i "test $n: zone key disallowed - query refused"
|
|
ret=0
|
|
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
|
|
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
|
|
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
|
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
|
|
index 1218669..e62715e 100644
|
|
--- a/bin/tests/system/catz/ns1/named.conf.in
|
|
+++ b/bin/tests/system/catz/ns1/named.conf.in
|
|
@@ -61,5 +61,5 @@ zone "catalog4.example" {
|
|
|
|
key tsig_key. {
|
|
secret "LSAnCU+Z";
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
};
|
|
diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in
|
|
index 30333e6..4005152 100644
|
|
--- a/bin/tests/system/catz/ns2/named.conf.in
|
|
+++ b/bin/tests/system/catz/ns2/named.conf.in
|
|
@@ -70,5 +70,5 @@ zone "catalog4.example" {
|
|
|
|
key tsig_key. {
|
|
secret "LSAnCU+Z";
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
};
|
|
diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
|
|
index 21be03e..e57c308 100644
|
|
--- a/bin/tests/system/checkconf/bad-tsig.conf
|
|
+++ b/bin/tests/system/checkconf/bad-tsig.conf
|
|
@@ -11,7 +11,7 @@
|
|
|
|
/* Bad secret */
|
|
key "badtsig" {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha256;
|
|
secret "jEdD+BPKg==";
|
|
};
|
|
|
|
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
|
|
index e09b9e8..2e824b3 100644
|
|
--- a/bin/tests/system/checkconf/good.conf
|
|
+++ b/bin/tests/system/checkconf/good.conf
|
|
@@ -210,6 +210,6 @@ dyndb "name" "library.so" {
|
|
system;
|
|
};
|
|
key "mykey" {
|
|
- algorithm "hmac-md5";
|
|
+ algorithm "hmac-sha256";
|
|
secret "qwertyuiopasdfgh";
|
|
};
|
|
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
|
|
index 877504f..577660a 100644
|
|
--- a/bin/tests/system/feature-test.c
|
|
+++ b/bin/tests/system/feature-test.c
|
|
@@ -14,6 +14,7 @@
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
|
|
+#include <isc/md.h>
|
|
#include <isc/net.h>
|
|
#include <isc/print.h>
|
|
#include <isc/util.h>
|
|
@@ -186,6 +187,19 @@ main(int argc, char **argv) {
|
|
#endif /* ifdef DLZ_FILESYSTEM */
|
|
}
|
|
|
|
+ if (strcmp(argv[1], "--md5") == 0) {
|
|
+ unsigned char digest[ISC_MAX_MD_SIZE];
|
|
+ const unsigned char test[] = "test";
|
|
+ unsigned int size = sizeof(digest);
|
|
+
|
|
+ if (isc_md(ISC_MD_MD5, test, sizeof(test),
|
|
+ digest, &size) == ISC_R_SUCCESS) {
|
|
+ return (0);
|
|
+ } else {
|
|
+ return (1);
|
|
+ }
|
|
+ }
|
|
+
|
|
if (strcmp(argv[1], "--with-idn") == 0) {
|
|
#ifdef HAVE_LIBIDN2
|
|
return (0);
|
|
diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
|
|
index 1ee8df4..2b75d9a 100644
|
|
--- a/bin/tests/system/notify/ns5/named.conf.in
|
|
+++ b/bin/tests/system/notify/ns5/named.conf.in
|
|
@@ -10,17 +10,17 @@
|
|
*/
|
|
|
|
key "a" {
|
|
- algorithm "hmac-md5";
|
|
+ algorithm "hmac-sha256";
|
|
secret "aaaaaaaaaaaaaaaaaaaa";
|
|
};
|
|
|
|
key "b" {
|
|
- algorithm "hmac-md5";
|
|
+ algorithm "hmac-sha256";
|
|
secret "bbbbbbbbbbbbbbbbbbbb";
|
|
};
|
|
|
|
key "c" {
|
|
- algorithm "hmac-md5";
|
|
+ algorithm "hmac-sha256";
|
|
secret "cccccccccccccccccccc";
|
|
};
|
|
|
|
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
|
|
index 3d7e0b7..ec4d9a7 100644
|
|
--- a/bin/tests/system/notify/tests.sh
|
|
+++ b/bin/tests/system/notify/tests.sh
|
|
@@ -212,16 +212,16 @@ ret=0
|
|
$NSUPDATE << EOF
|
|
server 10.53.0.5 ${PORT}
|
|
zone x21
|
|
-key a aaaaaaaaaaaaaaaaaaaa
|
|
+key hmac-sha256:a aaaaaaaaaaaaaaaaaaaa
|
|
update add added.x21 0 in txt "test string"
|
|
send
|
|
EOF
|
|
|
|
for i in 1 2 3 4 5 6 7 8 9
|
|
do
|
|
- $DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
|
|
+ $DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
|
|
txt > dig.out.b.ns5.test$n || ret=1
|
|
- $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
|
|
+ $DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \
|
|
txt > dig.out.c.ns5.test$n || ret=1
|
|
grep "test string" dig.out.b.ns5.test$n > /dev/null &&
|
|
grep "test string" dig.out.c.ns5.test$n > /dev/null &&
|
|
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
|
|
index b51e700..436c97d 100644
|
|
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
|
|
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
|
|
@@ -37,7 +37,7 @@ controls {
|
|
};
|
|
|
|
key altkey {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha512;
|
|
secret "1234abcd8765";
|
|
};
|
|
|
|
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
|
|
index da6b3b4..c547e47 100644
|
|
--- a/bin/tests/system/nsupdate/ns2/named.conf.in
|
|
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
|
|
@@ -32,7 +32,7 @@ controls {
|
|
};
|
|
|
|
key altkey {
|
|
- algorithm hmac-md5;
|
|
+ algorithm hmac-sha512;
|
|
secret "1234abcd8765";
|
|
};
|
|
|
|
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
|
|
index c055da3..4e1242b 100644
|
|
--- a/bin/tests/system/nsupdate/setup.sh
|
|
+++ b/bin/tests/system/nsupdate/setup.sh
|
|
@@ -56,7 +56,11 @@ EOF
|
|
|
|
$DDNSCONFGEN -q -z example.nil > ns1/ddns.key
|
|
|
|
-$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
|
|
+if $FEATURETEST --md5; then
|
|
+ $DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
|
|
+else
|
|
+ echo -n > ns1/md5.key
|
|
+fi
|
|
$DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
|
|
$DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
|
|
$DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
|
|
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
|
|
index b35d797..41c128e 100755
|
|
--- a/bin/tests/system/nsupdate/tests.sh
|
|
+++ b/bin/tests/system/nsupdate/tests.sh
|
|
@@ -797,7 +797,14 @@ fi
|
|
n=`expr $n + 1`
|
|
ret=0
|
|
echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
|
|
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
|
|
+if $FEATURETEST --md5
|
|
+then
|
|
+ ALGS="md5 sha1 sha224 sha256 sha384 sha512"
|
|
+else
|
|
+ ALGS="sha1 sha224 sha256 sha384 sha512"
|
|
+ echo_i "skipping disabled md5 algorithm"
|
|
+fi
|
|
+for alg in $ALGS; do
|
|
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
|
|
server 10.53.0.1 ${PORT}
|
|
update add ${alg}.keytests.nil. 600 A 10.10.10.3
|
|
@@ -805,7 +812,7 @@ send
|
|
END
|
|
done
|
|
sleep 2
|
|
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
|
|
+for alg in $ALGS; do
|
|
$DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
|
|
done
|
|
if [ $ret -ne 0 ]; then
|
|
@@ -816,7 +823,7 @@ fi
|
|
n=`expr $n + 1`
|
|
ret=0
|
|
echo_i "check TSIG key algorithms (nsupdate -y) ($n)"
|
|
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
|
|
+for alg in $ALGS; do
|
|
secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key)
|
|
$NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" <<END > /dev/null || ret=1
|
|
server 10.53.0.1 ${PORT}
|
|
@@ -825,7 +832,7 @@ send
|
|
END
|
|
done
|
|
sleep 2
|
|
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
|
|
+for alg in $ALGS; do
|
|
$DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1
|
|
done
|
|
if [ $ret -ne 0 ]; then
|
|
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
|
|
index b59e7a7..04d5f5a 100644
|
|
--- a/bin/tests/system/rndc/setup.sh
|
|
+++ b/bin/tests/system/rndc/setup.sh
|
|
@@ -33,7 +33,7 @@ make_key () {
|
|
sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
|
|
}
|
|
|
|
-make_key 1 ${EXTRAPORT1} hmac-md5
|
|
+$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
|
|
make_key 2 ${EXTRAPORT2} hmac-sha1
|
|
make_key 3 ${EXTRAPORT3} hmac-sha224
|
|
make_key 4 ${EXTRAPORT4} hmac-sha256
|
|
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
|
|
index 9fd84ed..d0b188f 100644
|
|
--- a/bin/tests/system/rndc/tests.sh
|
|
+++ b/bin/tests/system/rndc/tests.sh
|
|
@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
status=`expr $status + $ret`
|
|
|
|
n=`expr $n + 1`
|
|
-echo_i "testing rndc with hmac-md5 ($n)"
|
|
-ret=0
|
|
-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
|
|
-for i in 2 3 4 5 6
|
|
-do
|
|
- $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
|
-done
|
|
-if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
-status=`expr $status + $ret`
|
|
+if $FEATURETEST --md5
|
|
+then
|
|
+ echo_i "testing rndc with hmac-md5 ($n)"
|
|
+ ret=0
|
|
+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
|
|
+ for i in 2 3 4 5 6
|
|
+ do
|
|
+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
|
+ done
|
|
+ if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
+ status=`expr $status + $ret`
|
|
+else
|
|
+ echo_i "skipping rndc with hmac-md5 ($n)"
|
|
+fi
|
|
|
|
n=`expr $n + 1`
|
|
echo_i "testing rndc with hmac-sha1 ($n)"
|
|
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
|
|
index 3470c4f..cf539cd 100644
|
|
--- a/bin/tests/system/tsig/ns1/named.conf.in
|
|
+++ b/bin/tests/system/tsig/ns1/named.conf.in
|
|
@@ -21,10 +21,7 @@ options {
|
|
notify no;
|
|
};
|
|
|
|
-key "md5" {
|
|
- secret "97rnFx24Tfna4mHPfgnerA==";
|
|
- algorithm hmac-md5;
|
|
-};
|
|
+# md5 key appended by setup.sh at the end
|
|
|
|
key "sha1" {
|
|
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
|
|
@@ -51,10 +48,7 @@ key "sha512" {
|
|
algorithm hmac-sha512;
|
|
};
|
|
|
|
-key "md5-trunc" {
|
|
- secret "97rnFx24Tfna4mHPfgnerA==";
|
|
- algorithm hmac-md5-80;
|
|
-};
|
|
+# md5-trunc key appended by setup.sh at the end
|
|
|
|
key "sha1-trunc" {
|
|
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
|
|
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
|
|
new file mode 100644
|
|
index 0000000..0682194
|
|
--- /dev/null
|
|
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
|
|
@@ -0,0 +1,10 @@
|
|
+# Conditionally included when support for MD5 is available
|
|
+key "md5" {
|
|
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
|
+ algorithm hmac-md5;
|
|
+};
|
|
+
|
|
+key "md5-trunc" {
|
|
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
|
+ algorithm hmac-md5-80;
|
|
+};
|
|
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
|
|
index e3b4a45..ae21d04 100644
|
|
--- a/bin/tests/system/tsig/setup.sh
|
|
+++ b/bin/tests/system/tsig/setup.sh
|
|
@@ -15,3 +15,8 @@ SYSTEMTESTTOP=..
|
|
$SHELL clean.sh
|
|
|
|
copy_setports ns1/named.conf.in ns1/named.conf
|
|
+
|
|
+if $FEATURETEST --md5
|
|
+then
|
|
+ cat ns1/rndc5.conf.in >> ns1/named.conf
|
|
+fi
|
|
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
|
|
index 38d842a..668aa6f 100644
|
|
--- a/bin/tests/system/tsig/tests.sh
|
|
+++ b/bin/tests/system/tsig/tests.sh
|
|
@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
|
|
|
|
status=0
|
|
|
|
-echo_i "fetching using hmac-md5 (old form)"
|
|
-ret=0
|
|
-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
|
|
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
|
|
-if [ $ret -eq 1 ] ; then
|
|
- echo_i "failed"; status=1
|
|
-fi
|
|
+if $FEATURETEST --md5
|
|
+then
|
|
+ echo_i "fetching using hmac-md5 (old form)"
|
|
+ ret=0
|
|
+ $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
|
|
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
|
|
+ if [ $ret -eq 1 ] ; then
|
|
+ echo_i "failed"; status=1
|
|
+ fi
|
|
|
|
-echo_i "fetching using hmac-md5 (new form)"
|
|
-ret=0
|
|
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
|
|
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
|
|
-if [ $ret -eq 1 ] ; then
|
|
- echo_i "failed"; status=1
|
|
+ echo_i "fetching using hmac-md5 (new form)"
|
|
+ ret=0
|
|
+ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
|
|
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
|
|
+ if [ $ret -eq 1 ] ; then
|
|
+ echo_i "failed"; status=1
|
|
+ fi
|
|
+else
|
|
+ echo_i "skipping using hmac-md5"
|
|
fi
|
|
|
|
echo_i "fetching using hmac-sha1"
|
|
@@ -87,12 +92,17 @@ fi
|
|
# Truncated TSIG
|
|
#
|
|
#
|
|
-echo_i "fetching using hmac-md5 (trunc)"
|
|
-ret=0
|
|
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
|
|
-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
|
|
-if [ $ret -eq 1 ] ; then
|
|
- echo_i "failed"; status=1
|
|
+if $FEATURETEST --md5
|
|
+then
|
|
+ echo_i "fetching using hmac-md5 (trunc)"
|
|
+ ret=0
|
|
+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
|
|
+ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
|
|
+ if [ $ret -eq 1 ] ; then
|
|
+ echo_i "failed"; status=1
|
|
+ fi
|
|
+else
|
|
+ echo_i "skipping using hmac-md5 (trunc)"
|
|
fi
|
|
|
|
echo_i "fetching using hmac-sha1 (trunc)"
|
|
@@ -141,12 +151,17 @@ fi
|
|
# Check for bad truncation.
|
|
#
|
|
#
|
|
-echo_i "fetching using hmac-md5-80 (BADTRUNC)"
|
|
-ret=0
|
|
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
|
|
-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
|
|
-if [ $ret -eq 1 ] ; then
|
|
- echo_i "failed"; status=1
|
|
+if $FEATURETEST --md5
|
|
+then
|
|
+ echo_i "fetching using hmac-md5-80 (BADTRUNC)"
|
|
+ ret=0
|
|
+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
|
|
+ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
|
|
+ if [ $ret -eq 1 ] ; then
|
|
+ echo_i "failed"; status=1
|
|
+ fi
|
|
+else
|
|
+ echo_i "skipping using hmac-md5-80 (BADTRUNC)"
|
|
fi
|
|
|
|
echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
|
|
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
|
|
index 3873c7c..b359a5a 100644
|
|
--- a/bin/tests/system/upforwd/ns1/named.conf.in
|
|
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
|
|
@@ -10,7 +10,7 @@
|
|
*/
|
|
|
|
key "update.example." {
|
|
- algorithm "hmac-md5";
|
|
+ algorithm "hmac-sha256";
|
|
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
|
|
};
|
|
|
|
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
|
|
index a50c896..8062d68 100644
|
|
--- a/bin/tests/system/upforwd/tests.sh
|
|
+++ b/bin/tests/system/upforwd/tests.sh
|
|
@@ -79,7 +79,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
|
|
|
|
echo_i "updating zone (signed) ($n)"
|
|
ret=0
|
|
-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
|
|
+$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
|
|
server 10.53.0.3 ${PORT}
|
|
update add updated.example. 600 A 10.10.10.1
|
|
update add updated.example. 600 TXT Foo
|
|
--
|
|
2.26.2
|
|
|