From 4a1bbbbe8ff1951dba9f5d6a69c42dcf274877d2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 22 Jun 2018 14:05:43 +0200 Subject: [PATCH 2/2] Squashed commit of the following: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit d1de64d54126a9662b0f709adf1467f1ca3caa50 Author: Petr Menšík Date: Wed Jun 20 19:15:31 2018 +0200 Fix allow_query tests with hmac-256 keys commit 854606588f53ee403364461ad29dc1cfd29525a0 Author: Petr Menšík Date: Wed Mar 7 15:54:11 2018 +0100 Increase bitsize of DSA key to pass FIPS 140-2 mode. commit 98dae21d1f863fa26c125271392288730da52842 Author: Petr Menšík Date: Thu Apr 19 18:28:09 2018 +0200 Fix nsupdate, tsig and rndc tests. Do not use md5 by default for rndc, skip gracefully md5 if not available. Rename md5 keys to rndc*.conf, to pass util/merge_copyrights change. Fix dynamic ports merge. commit 0ec5e2522aa32931cda5abd07a757035078840ea Author: Petr Menšík Date: Wed Jun 20 19:34:20 2018 +0200 Use testcrypto for crypto detection. Generate random data per test into test directory. commit 0ca3c85fa6450ae8b347fa5585d0134ebe41682c Author: Petr Menšík Date: Wed Mar 7 13:21:00 2018 +0100 Add md5 availability detection to featuretest commit c1b104ccf66a1ec37e941e303a56675c7dcccbaa Author: Petr Menšík Date: Mon Jan 22 14:12:37 2018 +0100 Update system tests to detect MD5 disabled at runtime commit 743d24de87b6f022b99d14d3109958660b9ee07b Author: Petr Menšík Date: Fri Feb 23 21:57:11 2018 +0100 Make testcrypto FIPS compatible (cherry picked from commit 0e15cc7012c537a5d683c35534d33d23fcc4d942) commit 325dc1f4f37dc4b7133dd39d7780c10d183e4808 Author: Evan Hunt Date: Mon Oct 31 23:01:38 2016 -0700 [v9_9] 4496. [func] dig: add +idnout to control whether labels are display in punycode or not. Requires idn support to be enabled at compile time. 
[RT #43398] (cherry picked from commit 42470b0b87da24b18e0ff6ce78f3143e89df6d31) (cherry picked from commit 6552f33198438390724c5823b8dbcf477ec9638c) (cherry picked from commit 7aec46a5ef4074c3957d525643188257c7575841) Skip IDN part and import only feature-test from system tests (cherry picked from commit 61a01f48604ff6f5f84b64a5aaee722ebae8fadc) commit d435ac7bcf72117e75e534c23fca1852f4140eb8 Author: Petr Menšík Date: Wed Mar 7 10:44:23 2018 +0100 Use hmac-sha256 instead of default hmac-md5 for allow-query. Do not use hmac-md5 in tests by default, make it pass with MD5 disabled. commit 067ca65156a9fadb191b7c9073904a43f57f1896 Author: Evan Hunt Date: Thu Feb 6 19:48:49 2014 -0800 [v9_9] add testcrypto.sh (cherry picked from commit e9a2673e85173d93be168f561c5c77184d4e839d) commit 3fd542379fa381b54381e07d6625ce53f9f9b1f0 Author: Petr Menšík Date: Thu Jun 21 12:00:35 2018 +0200 Revert "4450. [port] Provide more nuanced HSM support which better matches" This reverts commit f3b4d031c1f714ff6e862670663aa5a18650951e. Revert PK11_MD5_DISABLED also from remaining files. Keep documentation changes. commit f90934f734796595135cdd7a5008555a615dfe8e Author: Petr Menšík Date: Wed Jun 20 19:31:19 2018 +0200 Fix rndc-confgen default algorithm, report true algorithm in usage. commit dd53212c12c6943a21a3c24d60995edd19e1d9f7 Author: Petr Menšík Date: Fri Feb 23 21:21:30 2018 +0100 Cleanup only if initialization was successful commit f163ea51c46bb22bf264a1ac983e2027e43845fa Author: Petr Menšík Date: Mon Feb 5 12:19:28 2018 +0100 Ensure dst backend is initialized first even before hmac algorithms. commit 58751b60bd39168b7c8f817ede70473842432081 Author: Petr Menšík Date: Mon Feb 5 12:17:54 2018 +0100 Skip initialization of MD5 based algorithms if not available. 
commit 0572b98430d3c80f4a0b0c592b1e3bf7fde9b768 Author: Petr Menšík Date: Mon Feb 5 10:21:27 2018 +0100 Change secalgs skipping to be more safe commit 994f497a032930fce1370d507a265fbb293c66f4 Author: Petr Menšík Date: Wed Jan 31 18:26:11 2018 +0100 Skip MD5 algorithm also in case of NULL name commit abd82fbd2507c4b8f20e1ade202fd66d224fd646 Author: Petr Menšík Date: Wed Jan 31 16:54:29 2018 +0100 Revert part of commit 1b5c641416eb6de7fc232fc89d31a40a4d439f3d related to SHA1. commit b3c832d53a14a0779f598869bb99685c8e4b2bc0 Author: Petr Menšík Date: Wed Jan 31 11:38:12 2018 +0100 Make MD5 behave like unknown algorithm in TSIG. commit a64a3d6962ee93d6f8699b29bd6507dba0c244ed Author: Petr Menšík Date: Tue Nov 28 20:14:37 2017 +0100 Select token with most supported functions, instead of demanding it must support all functions Initialize PKCS#11 always until successfully initialized commit db118c6368668099ea1b6e75860cc12e178afa3b Author: Petr Menšík Date: Mon Jan 22 16:17:44 2018 +0100 Handle MD5 unavailability from DST commit 8f8824dca2f5b4d5a3a176d31ac3ee612321c4e3 Author: Petr Menšík Date: Mon Jan 22 14:11:16 2018 +0100 Check runtime flag from library and applications, fail gracefully. commit bd431384af7dcde8827e670c8749517ad677a967 Author: Petr Menšík Date: Mon Jan 22 08:39:08 2018 +0100 Modify libraries to use isc_md5_available() if PK11_MD5_DISABLE is not defined. TODO: pk11.c should accept slot without MD5 support. commit 160b13979ef3d0e92d2dd52d0987a3ec979be6cf Author: Petr Menšík Date: Mon Jan 22 07:21:04 2018 +0100 Add runtime detection whether MD5 is useable. commit 23b27ce0f2ad496c331ae40349cc1074a1b11804 Author: Mark Andrews Date: Fri Aug 19 08:25:54 2016 +1000 4450. [port] Provide more nuanced HSM support which better matches the specific PKCS11 providers capabilities. 
[RT #42458] (cherry picked from commit 8ee6f289d87851a5b898b24a64587f0e6bc225bc) --- bin/tests/system/Makefile.in | 25 +++- bin/tests/system/acl/ns2/named1.conf | 4 +- bin/tests/system/acl/ns2/named2.conf | 4 +- bin/tests/system/acl/ns2/named3.conf | 6 +- bin/tests/system/acl/ns2/named4.conf | 4 +- bin/tests/system/acl/ns2/named5.conf | 4 +- bin/tests/system/acl/tests.sh | 32 +++--- bin/tests/system/allow_query/ns2/named10.conf | 2 +- bin/tests/system/allow_query/ns2/named11.conf | 4 +- bin/tests/system/allow_query/ns2/named12.conf | 2 +- bin/tests/system/allow_query/ns2/named30.conf | 2 +- bin/tests/system/allow_query/ns2/named31.conf | 4 +- bin/tests/system/allow_query/ns2/named32.conf | 2 +- bin/tests/system/allow_query/ns2/named40.conf | 4 +- bin/tests/system/allow_query/tests.sh | 18 +-- bin/tests/system/checkconf/bad-tsig.conf | 2 +- bin/tests/system/conf.sh.in | 6 +- bin/tests/system/digdelv/ns2/example.db | 15 ++- bin/tests/system/digdelv/tests.sh | 4 +- bin/tests/system/dlv/ns1/sign.sh | 4 +- bin/tests/system/dlv/ns2/sign.sh | 4 +- bin/tests/system/dlv/ns3/sign.sh | 68 +++++------ bin/tests/system/dlv/ns6/sign.sh | 64 +++++------ bin/tests/system/dnssec/ns2/sign.sh | 8 +- bin/tests/system/dnssec/prereq.sh | 11 +- bin/tests/system/feature-test.c | 159 ++++++++++++++++++++++++++ bin/tests/system/filter-aaaa/ns1/sign.sh | 4 +- bin/tests/system/filter-aaaa/ns4/sign.sh | 4 +- bin/tests/system/keymgr/prereq.sh | 15 +-- bin/tests/system/nsupdate/ns1/named.conf | 2 +- bin/tests/system/nsupdate/ns2/named.conf | 2 +- bin/tests/system/nsupdate/setup.sh | 7 +- bin/tests/system/nsupdate/tests.sh | 11 +- bin/tests/system/rndc/setup.sh | 4 +- bin/tests/system/rndc/tests.sh | 22 ++-- bin/tests/system/testcrypto.sh | 71 ++++++++++++ bin/tests/system/tkey/keycreate.c | 3 + bin/tests/system/tkey/keydelete.c | 18 ++- bin/tests/system/tkey/prereq.sh | 11 +- bin/tests/system/tsig/clean.sh | 1 + bin/tests/system/tsig/ns1/named.conf | 12 +- bin/tests/system/tsig/ns1/rndc5.conf.in 
| 22 ++++ bin/tests/system/tsig/setup.sh | 25 ++++ bin/tests/system/tsig/tests.sh | 75 +++++++----- bin/tests/system/tsiggss/setup.sh | 2 +- bin/tests/system/upforwd/ns1/named.conf | 2 +- bin/tests/system/upforwd/tests.sh | 2 +- 47 files changed, 547 insertions(+), 230 deletions(-) create mode 100644 bin/tests/system/feature-test.c create mode 100644 bin/tests/system/testcrypto.sh create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in create mode 100644 bin/tests/system/tsig/setup.sh diff --git a/bin/tests/system/Makefile.in b/bin/tests/system/Makefile.in index 0c7fdffd01..afee71b2bb 100644 --- a/bin/tests/system/Makefile.in +++ b/bin/tests/system/Makefile.in @@ -23,10 +23,31 @@ top_srcdir = @top_srcdir@ SUBDIRS = dlzexternal dyndb filter-aaaa geoip lwresd rpz rrl \ rsabigexponent tkey tsiggss -TARGETS = +CINCLUDES = ${ISC_INCLUDES} ${DNS_INCLUDES} + +CDEFINES = @USE_GSSAPI@ +CWARNINGS = + +DNSLIBS = +ISCLIBS = ../../../lib/isc/libisc.@A@ + +DNSDEPLIBS = +ISCDEPLIBS = + +DEPLIBS = + +LIBS = @LIBS@ + +OBJS = feature-test.@O@ +SRCS = feature-test.c + +TARGETS = feature-test@EXEEXT@ @BIND9_MAKE_RULES@ +feature-test@EXEEXT@: feature-test.@O@ + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS} + # Running the scripts below is bypassed when a separate # build directory is used. @@ -38,6 +59,8 @@ test: subdirs testclean clean distclean:: if test -f ./cleanall.sh; then sh ./cleanall.sh; fi rm -f systests.output + rm -f ${TARGETS} + rm -f ${OBJS} distclean:: rm -f conf.sh diff --git a/bin/tests/system/acl/ns2/named1.conf b/bin/tests/system/acl/ns2/named1.conf index b70d1dd761..9037a15c9d 100644 --- a/bin/tests/system/acl/ns2/named1.conf +++ b/bin/tests/system/acl/ns2/named1.conf @@ -35,12 +35,12 @@ options { include "../../common/controls.conf"; key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; 
diff --git a/bin/tests/system/acl/ns2/named2.conf b/bin/tests/system/acl/ns2/named2.conf index bcd7e0df19..648c5fdbdc 100644 --- a/bin/tests/system/acl/ns2/named2.conf +++ b/bin/tests/system/acl/ns2/named2.conf @@ -35,12 +35,12 @@ options { include "../../common/controls.conf"; key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/ns2/named3.conf b/bin/tests/system/acl/ns2/named3.conf index ea2cbcb44a..546ecf6af4 100644 --- a/bin/tests/system/acl/ns2/named3.conf +++ b/bin/tests/system/acl/ns2/named3.conf @@ -35,17 +35,17 @@ options { include "../../common/controls.conf"; key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; key three { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/ns2/named4.conf b/bin/tests/system/acl/ns2/named4.conf index 99edf7ebe5..4c84d0f163 100644 --- a/bin/tests/system/acl/ns2/named4.conf +++ b/bin/tests/system/acl/ns2/named4.conf @@ -35,12 +35,12 @@ options { include "../../common/controls.conf"; key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/ns2/named5.conf b/bin/tests/system/acl/ns2/named5.conf index d17e1cf7b7..52ae56300e 100644 --- a/bin/tests/system/acl/ns2/named5.conf +++ b/bin/tests/system/acl/ns2/named5.conf @@ -36,12 +36,12 @@ options { include "../../common/controls.conf"; key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh index 7207c5a1d3..753f9f6743 100644 
--- a/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh @@ -28,13 +28,13 @@ echo "I:testing basic ACL processing" # key "one" should fail t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out + @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } # any other key should be fine t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out + @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 -p 5300 > dig.out grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; } cp -f ns2/named2.conf ns2/named.conf @@ -44,18 +44,18 @@ sleep 5 # prefix 10/8 should fail t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out + @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } # any other address should work, as long as it sends key "one" t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out + @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 -p 5300 > dig.out grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out + @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; } echo "I:testing nested ACL processing" 
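Review bot: Every dig invocation in this hunk now spells out the full literal `hmac-sha256:one:1234abcd8765` or `hmac-sha256:two:1234abcd8765`, and the same literals are repeated in the hunks at -44, -67, -102 and -113 of this file and throughout allow_query/tests.sh, so the next algorithm or secret change touches every test line again. Defining the TSIG arguments once near the top of the script, e.g. `KEYONE=hmac-sha256:one:1234abcd8765` and `KEYTWO=hmac-sha256:two:1234abcd8765`, and passing `-y $KEYONE` / `-y $KEYTWO`, keeps each line focused on the address/key combination under test. A comment beside those definitions should say that the algorithm has to match the `key` statements in ns2/named*.conf, since a mismatch there makes the "should fail" cases pass for the wrong reason.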
@@ -67,31 +67,31 @@ sleep 5 # should succeed t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 -p 5300 > dig.out + @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 -p 5300 > dig.out grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; } # should succeed t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 -p 5300 > dig.out + @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; } # should succeed t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out + @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 -p 5300 > dig.out grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; } # should succeed t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out + @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 -p 5300 > dig.out grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; } # but only one or the other should fail t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out + @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } t=`expr $t + 1` @@ -102,7 +102,7 @@ grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $tt failed" ; status=1; } # and other values? right out t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 -p 5300 > dig.out + @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 -p 5300 > dig.out grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two 
@@ -113,31 +113,31 @@ sleep 5 # should succeed t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 -p 5300 > dig.out + @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 -p 5300 > dig.out grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; } # should succeed t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out + @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; } # should fail t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 -p 5300 > dig.out + @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } # should fail t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out + @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 -p 5300 > dig.out grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } # should fail t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 -p 5300 > dig.out + @10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 -p 5300 > dig.out grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } echo "I:testing allow-query-on ACL processing" diff --git a/bin/tests/system/allow_query/ns2/named10.conf b/bin/tests/system/allow_query/ns2/named10.conf index 17786e6f87..918b185671 100644 --- a/bin/tests/system/allow_query/ns2/named10.conf +++ b/bin/tests/system/allow_query/ns2/named10.conf @@ -20,7 +20,7 @@ controls { /* empty */ }; key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; 
diff --git a/bin/tests/system/allow_query/ns2/named11.conf b/bin/tests/system/allow_query/ns2/named11.conf index 3d225bd9a2..2ccd8d4b3f 100644 --- a/bin/tests/system/allow_query/ns2/named11.conf +++ b/bin/tests/system/allow_query/ns2/named11.conf @@ -20,12 +20,12 @@ controls { /* empty */ }; key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234efgh8765"; }; diff --git a/bin/tests/system/allow_query/ns2/named12.conf b/bin/tests/system/allow_query/ns2/named12.conf index e5e64184c8..fd322bb709 100644 --- a/bin/tests/system/allow_query/ns2/named12.conf +++ b/bin/tests/system/allow_query/ns2/named12.conf @@ -19,7 +19,7 @@ controls { /* empty */ }; key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; diff --git a/bin/tests/system/allow_query/ns2/named30.conf b/bin/tests/system/allow_query/ns2/named30.conf index 9182f21af3..585436f1d9 100644 --- a/bin/tests/system/allow_query/ns2/named30.conf +++ b/bin/tests/system/allow_query/ns2/named30.conf @@ -20,7 +20,7 @@ controls { /* empty */ }; key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; diff --git a/bin/tests/system/allow_query/ns2/named31.conf b/bin/tests/system/allow_query/ns2/named31.conf index 19efdf397e..d7f0e80616 100644 --- a/bin/tests/system/allow_query/ns2/named31.conf +++ b/bin/tests/system/allow_query/ns2/named31.conf @@ -20,12 +20,12 @@ controls { /* empty */ }; key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234efgh8765"; }; diff --git a/bin/tests/system/allow_query/ns2/named32.conf b/bin/tests/system/allow_query/ns2/named32.conf index 3c207f3422..4d66a3812d 100644 --- a/bin/tests/system/allow_query/ns2/named32.conf +++ b/bin/tests/system/allow_query/ns2/named32.conf 
@@ -19,7 +19,7 @@ controls { /* empty */ }; key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; diff --git a/bin/tests/system/allow_query/ns2/named40.conf b/bin/tests/system/allow_query/ns2/named40.conf index cb81c79e5d..c581c5eefd 100644 --- a/bin/tests/system/allow_query/ns2/named40.conf +++ b/bin/tests/system/allow_query/ns2/named40.conf @@ -23,12 +23,12 @@ acl accept { 10.53.0.2; }; acl badaccept { 10.53.0.1; }; key one { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm hmac-sha256; secret "1234efgh8765"; }; diff --git a/bin/tests/system/allow_query/tests.sh b/bin/tests/system/allow_query/tests.sh index 0592c342d4..c5ef867451 100644 --- a/bin/tests/system/allow_query/tests.sh +++ b/bin/tests/system/allow_query/tests.sh @@ -195,7 +195,7 @@ sleep 5 echo "I:test $n: key allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -209,7 +209,7 @@ sleep 5 echo "I:test $n: key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi 
@@ -223,7 +223,7 @@ sleep 5 echo "I:test $n: key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -366,7 +366,7 @@ sleep 5 echo "I:test $n: views key allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -380,7 +380,7 @@ sleep 5 echo "I:test $n: views key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -394,7 +394,7 @@ sleep 5 echo "I:test $n: views key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi 
@@ -530,7 +530,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I:test $n: zone key allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -540,7 +540,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I:test $n: zone key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -550,7 +550,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I:test $n: zone key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf index 8f0ecf7ea0..0e4718994f 100644 --- a/bin/tests/system/checkconf/bad-tsig.conf +++ b/bin/tests/system/checkconf/bad-tsig.conf @@ -18,7 +18,7 @@ /* Bad secret */ key "badtsig" { - algorithm hmac-md5; + algorithm hmac-sha256; secret "jEdD+BPKg=="; }; 
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index 930928b429..420320c737 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -56,6 +56,10 @@ JOURNALPRINT=$TOP/bin/tools/named-journalprint VERIFY=$TOP/bin/dnssec/dnssec-verify ARPANAME=$TOP/bin/tools/arpaname SAMPLE=$TOP/lib/export/samples/sample +GENRANDOM=$TOP/bin/tools/genrandom +FEATURETEST=$TOP/bin/tests/system/feature-test + +RANDFILE=$TOP/bin/tests/system/random.data # The "stress" test is not run by default since it creates enough # load on the machine to make it unusable to other users. @@ -89,4 +93,4 @@ fi export NAMED LWRESD DIG NSUPDATE KEYGEN KEYFRLAB SIGNER KEYSIGNER KEYSETTOOL \ PERL PYTHON SUBDIRS RNDC CHECKZONE PK11GEN PK11LIST PK11DEL TESTSOCK6 \ - JOURNALPRINT ARPANAME SAMPLE + JOURNALPRINT ARPANAME SAMPLE FEATURETEST diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db index 0a1aa5d615..fd3ed3a045 100644 --- a/bin/tests/system/digdelv/ns2/example.db +++ b/bin/tests/system/digdelv/ns2/example.db @@ -41,10 +41,13 @@ foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890 ;; ;; we are not testing DNSSEC behavior, so we don't care about the semantics ;; of the following records. -dnskey 300 DNSKEY 256 3 1 ( - AQPTpWyReB/e9Ii6mVGnakS8hX2zkh/iUYAg - +Ge4noWROpTWOIBvm76zeJPWs4Zfqa1IsswD - Ix5Mqeg0zwclz59uecKsKyx5w9IhtZ8plc4R - b9VIE5x7KNHAYTvTO5d4S8M= - ) +dnskey 300 DNSKEY 256 3 8 ( + AwEAAaWmCoDpj2K59zcpqnmnQM7IC/XbjS6jIP7uTBR4X7p1bdQJzAeo + EnMhnpnxPp0j+20eZm4847DB2U+HuHy79Mvqd3aozTmfBJvzjKs9qyba + zY/ZHn6BDYxNJiFfjSS/VJ1KuQPDbpCzhm2hbvT5s9nSOaG0WyRk+d+R + qEca11E7ZKkmmNiGlyzMAgfmTTBwgxWBAAhvd9nU1GqD6eQ6Z63hpTc/ + KDIHnFTo7pOcZ4z5urIKUMCMcFytedETlEoR5CIWGPdQq2eIEEMfn5ld + QqdEZRHVErD9og8aluJ2s767HZb8LzjCfYgBFoT9/n48T75oZLEKtSkG + /idCeeQlaLU= + ) diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh index a19256cde3..bdfacf9fb4 100644 --- a/bin/tests/system/digdelv/tests.sh 
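Review bot: `GENRANDOM` and `RANDFILE` are defined in the first conf.sh.in hunk, but only `FEATURETEST` is appended to the `export` line in the second, so any helper that expects these two to be inherited from the environment instead of sourcing conf.sh will see them unset. If every consumer sources conf.sh this is harmless, but appending `GENRANDOM RANDFILE` to the export line costs nothing and treats them the same way as `SAMPLE` and `FEATURETEST`. Since the hunk only defines the path, a comment next to `RANDFILE` naming the script that generates the file would save the next reader a search, e.g. `# random.data is generated per test run; see the setup script that runs $GENRANDOM`.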
+++ b/bin/tests/system/digdelv/tests.sh @@ -59,7 +59,7 @@ if [ -x ${DIG} ] ; then echo "I:checking dig +rrcomments works for DNSKEY($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 - grep "; ZSK; alg = RSAMD5 *; key id = 30795" < dig.out.test$n > /dev/null || ret=1 + grep "; ZSK; alg = RSASHA256 *; key id = 36895$" < dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` @@ -146,7 +146,7 @@ if [ -n "${DELV}" -a -x "${DELV}" ] ; then echo "I:checking delv +rrcomments works for DNSKEY($n)" ret=0 $DELV $DELVOPTS @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 - grep "; ZSK; alg = RSAMD5 *; key id = 30795" < delv.out.test$n > /dev/null || ret=1 + grep "; ZSK; alg = RSASHA256 *; key id = 36895" < dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh index 9854f5b7ce..cf261c136c 100755 --- a/bin/tests/system/dlv/ns1/sign.sh +++ b/bin/tests/system/dlv/ns1/sign.sh @@ -30,8 +30,8 @@ infile=root.db.in zonefile=root.db outfile=root.signed -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh index edcc8f21d4..4e142b00d8 100755 --- a/bin/tests/system/dlv/ns2/sign.sh +++ b/bin/tests/system/dlv/ns2/sign.sh 
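Review bot: The delv check in the second hunk (`@@ -146,7`) greps `dig.out.test$n` although the command directly above it writes to `delv.out.test$n`, so the assertion inspects dig's earlier output and never verifies delv's; the removed line read the right file and the replacement should keep it: `grep "; ZSK; alg = RSASHA256 *; key id = 36895$" < delv.out.test$n > /dev/null || ret=1`. The first hunk anchors the key id with `36895$` while the second does not, and using the same anchored pattern in both avoids a prefix match on a longer id. Both hunks sit inside `if [ -x ${DIG} ]` and `if [ -n "${DELV}" -a -x "${DELV}" ]` blocks that start and end outside the hunks.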
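Review bot: The DSA size bump in dlv/ns1/sign.sh still discards dnssec-keygen's stderr with `2> /dev/null`, and the same applies to the hunks in dlv/ns2/sign.sh and every hunk of dlv/ns3/sign.sh; since this change exists so that key generation passes under FIPS 140-2 mode, a provider that still rejects the parameters fails silently, leaving `$keyname1` empty and the following `cat $infile $keyname1.key ...` reading a file literally named `.key`. Checking the result after each pair of calls, e.g. `[ -n "$keyname1" ] && [ -n "$keyname2" ] || { echo "keygen failed for $zone" >&2; exit 1; }`, turns that into an explicit setup failure with the reason visible. It is also worth a comment that 1024 bits is the largest DSA size the DNSKEY encoding allows (RFC 2536, T=8), so there is no further headroom if a stricter policy later refuses 1024-bit DSA.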
@@ -31,8 +31,8 @@ zonefile=druz.db outfile=druz.pre dlvzone=utld. -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh index 6bdc2f6cc5..64c5846f7d 100755 --- a/bin/tests/system/dlv/ns3/sign.sh +++ b/bin/tests/system/dlv/ns3/sign.sh @@ -34,8 +34,8 @@ zonefile=child1.utld.db outfile=child1.signed dlvsets="$dlvsets dlvset-$zone" -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile @@ -49,8 +49,8 @@ zonefile=child3.utld.db outfile=child3.signed dlvsets="$dlvsets dlvset-$zone" -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile 
@@ -64,8 +64,8 @@ zonefile=child4.utld.db outfile=child4.signed dlvsets="$dlvsets dlvset-$zone" -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile @@ -79,8 +79,8 @@ zonefile=child5.utld.db outfile=child5.signed dlvsets="$dlvsets dlvset-$zone" -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile @@ -93,8 +93,8 @@ infile=child.db.in zonefile=child7.utld.db outfile=child7.signed -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile @@ -107,8 +107,8 @@ infile=child.db.in zonefile=child8.utld.db outfile=child8.signed -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile 
@@ -122,8 +122,8 @@ zonefile=child9.utld.db outfile=child9.signed dlvsets="$dlvsets dlvset-$zone" -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile @@ -136,8 +136,8 @@ zonefile=child10.utld.db outfile=child10.signed dlvsets="$dlvsets dlvset-$zone" -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile @@ -151,8 +151,8 @@ outfile=child1.druz.signed dlvsets="$dlvsets dlvset-$zone" dssets="$dssets dsset-$zone" -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile @@ -167,8 +167,8 @@ outfile=child3.druz.signed dlvsets="$dlvsets dlvset-$zone" dssets="$dssets dsset-$zone" -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile 
@@ -183,8 +183,8 @@ outfile=child4.druz.signed dlvsets="$dlvsets dlvset-$zone" dssets="$dssets dsset-$zone" -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile @@ -199,8 +199,8 @@ outfile=child5.druz.signed dlvsets="$dlvsets dlvset-$zone" dssets="$dssets dsset-$zone" -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile @@ -214,8 +214,8 @@ zonefile=child7.druz.db outfile=child7.druz.signed dssets="$dssets dsset-$zone" -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile @@ -228,8 +228,8 @@ infile=child.db.in zonefile=child8.druz.db outfile=child8.druz.signed -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile 
@@ -243,8 +243,8 @@ zonefile=child9.druz.db outfile=child9.druz.signed dlvsets="$dlvsets dlvset-$zone" -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile @@ -258,8 +258,8 @@ outfile=child10.druz.signed dlvsets="$dlvsets dlvset-$zone" dssets="$dssets dsset-$zone" -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile @@ -272,8 +272,8 @@ infile=dlv.db.in zonefile=dlv.utld.db outfile=dlv.signed -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh index 2bc133e5d6..227c1cb69f 100755 --- a/bin/tests/system/dlv/ns6/sign.sh +++ b/bin/tests/system/dlv/ns6/sign.sh 
@@ -28,8 +28,8 @@ infile=child.db.in zonefile=grand.child1.utld.db outfile=grand.child1.signed -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile @@ -43,8 +43,8 @@ zonefile=grand.child3.utld.db outfile=grand.child3.signed dlvzone=dlv.utld. -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile @@ -58,8 +58,8 @@ zonefile=grand.child4.utld.db outfile=grand.child4.signed dlvzone=dlv.utld. -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile @@ -73,8 +73,8 @@ zonefile=grand.child5.utld.db outfile=grand.child5.signed dlvzone=dlv.utld. -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile 
@@ -88,8 +88,8 @@ zonefile=grand.child7.utld.db outfile=grand.child7.signed dlvzone=dlv.utld. -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile @@ -103,8 +103,8 @@ zonefile=grand.child8.utld.db outfile=grand.child8.signed dlvzone=dlv.utld. -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile @@ -118,8 +118,8 @@ zonefile=grand.child9.utld.db outfile=grand.child9.signed dlvzone=dlv.utld. -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile @@ -132,8 +132,8 @@ zonefile=grand.child10.utld.db outfile=grand.child10.signed dlvzone=dlv.utld. -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile 
@@ -145,8 +145,8 @@ infile=child.db.in zonefile=grand.child1.druz.db outfile=grand.child1.druz.signed -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile @@ -160,8 +160,8 @@ zonefile=grand.child3.druz.db outfile=grand.child3.druz.signed dlvzone=dlv.druz. -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile @@ -175,8 +175,8 @@ zonefile=grand.child4.druz.db outfile=grand.child4.druz.signed dlvzone=dlv.druz. -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile @@ -190,8 +190,8 @@ zonefile=grand.child5.druz.db outfile=grand.child5.druz.signed dlvzone=dlv.druz. -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile 
@@ -205,8 +205,8 @@ zonefile=grand.child7.druz.db outfile=grand.child7.druz.signed dlvzone=dlv.druz. -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile @@ -220,8 +220,8 @@ zonefile=grand.child8.druz.db outfile=grand.child8.druz.signed dlvzone=dlv.druz. -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile @@ -235,8 +235,8 @@ zonefile=grand.child9.druz.db outfile=grand.child9.druz.signed dlvzone=dlv.druz. -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile @@ -249,8 +249,8 @@ zonefile=grand.child10.druz.db outfile=grand.child10.druz.signed dlvzone=dlv.druz. -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index 118b8a6d6b..0c4dcb4b19 100644 
--- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -38,8 +38,8 @@ do cp ../ns3/dsset-$subdomain.example. . done -keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` -keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone` +keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone` cat $infile $keyname1.key $keyname2.key >$zonefile @@ -98,7 +98,7 @@ privzone=private.secure.example. privinfile=private.secure.example.db.in privzonefile=private.secure.example.db -privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone` +privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $privzone` cat $privinfile $privkeyname.key >$privzonefile @@ -111,7 +111,7 @@ dlvzone=dlv. dlvinfile=dlv.db.in dlvzonefile=dlv.db -dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone` +dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $dlvzone` cat $dlvinfile $dlvkeyname.key dlvset-$privzone > $dlvzonefile diff --git a/bin/tests/system/dnssec/prereq.sh b/bin/tests/system/dnssec/prereq.sh index 113e372c28..84630d8abc 100644 --- a/bin/tests/system/dnssec/prereq.sh +++ b/bin/tests/system/dnssec/prereq.sh @@ -17,13 +17,4 @@ # $Id: prereq.sh,v 1.13 2009/10/28 00:27:10 marka Exp $ -../../../tools/genrandom 400 random.data - -if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1 -then - rm -f Kfoo* -else - echo "I:This test requires cryptography" >&2 - echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2 - exit 1 -fi +exec $SHELL ../testcrypto.sh diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c new file mode 100644 index 0000000000..495f46a32a --- /dev/null +++ b/bin/tests/system/feature-test.c 
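Review bot: The two RSAMD5 keygen calls here (private.secure.example and dlv) still depend on MD5, so raising `-b` to 1024 does not help on a build where `isc_md5_available()` is false — the very case the rest of this series gates with `$FEATURETEST --md5` — and because of `-q` the failure is silent, leaving `$privkeyname` or `$dlvkeyname` empty. Since the rewritten prereq.sh now execs testcrypto.sh, which probes RSASHA1 rather than RSAMD5, the test will be admitted and then break during setup instead of being skipped. Either switch these keys to RSASHA1 if nothing in the test relies on algorithm 1 specifically (I cannot tell from this hunk), or guard them with `$FEATURETEST --md5` and skip the dependent sub-tests. The script continues outside the hunk.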
@@ -0,0 +1,159 @@ +/* + * Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + */ + +#include + +#include +#include +#include +#include + +#include +#include +#include + +#ifdef WIN32 +#include +#endif + +#ifndef MAXHOSTNAMELEN +#ifdef HOST_NAME_MAX +#define MAXHOSTNAMELEN HOST_NAME_MAX +#else +#define MAXHOSTNAMELEN 256 +#endif +#endif + +static void +usage() { + fprintf(stderr, "usage: feature-test \n"); + fprintf(stderr, "args:\n"); + fprintf(stderr, " --enable-filter-aaaa\n"); + fprintf(stderr, " --gethostname\n"); + fprintf(stderr, " --gssapi\n"); + fprintf(stderr, " --have-dlopen\n"); + fprintf(stderr, " --have-geoip\n"); + fprintf(stderr, " --have-libxml2\n"); + fprintf(stderr, " --md5\n"); + fprintf(stderr, " --rpz-nsip\n"); + fprintf(stderr, " --rpz-nsdname\n"); + fprintf(stderr, " --with-idn\n"); +} + +int +main(int argc, char **argv) { + if (argc != 2) { + usage(); + return (1); + } + + if (strcmp(argv[1], "--enable-filter-aaaa") == 0) { +#ifdef ALLOW_FILTER_AAAA + return (0); +#else + return (1); +#endif + } + + if (strcmp(argv[1], "--gethostname") == 0) { + char hostname[MAXHOSTNAMELEN]; + int n; +#ifdef WIN32 + /* From lwres InitSocket() */ + WORD wVersionRequested; + WSADATA wsaData; + int err; + + wVersionRequested = MAKEWORD(2, 0); + err = WSAStartup( wVersionRequested, &wsaData ); + if (err != 0) { + fprintf(stderr, "WSAStartup() failed: %d\n", err); + exit(1); + } +#endif + + n = gethostname(hostname, sizeof(hostname)); + if (n == -1) { + perror("gethostname"); + return(1); + } + fprintf(stdout, "%s\n", hostname); +#ifdef WIN32 + WSACleanup(); +#endif + return (0); + } + + if (strcmp(argv[1], "--gssapi") == 0) { +#if defined(GSSAPI) + return (0); +#else + return (1); +#endif + } + + if (strcmp(argv[1], "--have-dlopen") == 0) { +#if 
defined(HAVE_DLOPEN) && defined(ISC_DLZ_DLOPEN) + return (0); +#else + return (1); +#endif + } + + if (strcmp(argv[1], "--have-geoip") == 0) { +#ifdef HAVE_GEOIP + return (0); +#else + return (1); +#endif + } + + if (strcmp(argv[1], "--have-libxml2") == 0) { +#ifdef HAVE_LIBXML2 + return (0); +#else + return (1); +#endif + } + + if (strcmp(argv[1], "--md5") == 0) { + if (isc_md5_available()) { + return (0); + } else { + return (1); + } + } + + if (strcmp(argv[1], "--rpz-nsip") == 0) { +#ifdef ENABLE_RPZ_NSIP + return (0); +#else + return (1); +#endif + } + + if (strcmp(argv[1], "--rpz-nsdname") == 0) { +#ifdef ENABLE_RPZ_NSDNAME + return (0); +#else + return (1); +#endif + } + + if (strcmp(argv[1], "--with-idn") == 0) { +#ifdef WITH_IDN + return (0); +#else + return (1); +#endif + } + + fprintf(stderr, "unknown arg: %s\n", argv[1]); + usage(); + return (1); +} diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh index 203e37ebfb..e0c696b986 100755 --- a/bin/tests/system/filter-aaaa/ns1/sign.sh +++ b/bin/tests/system/filter-aaaa/ns1/sign.sh @@ -27,8 +27,8 @@ infile=signed.db.in zonefile=signed.db.signed outfile=signed.db.signed -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh index ff33b10a19..74d755763a 100755 --- a/bin/tests/system/filter-aaaa/ns4/sign.sh +++ b/bin/tests/system/filter-aaaa/ns4/sign.sh 
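Review bot: In the `--gethostname` branch, `gethostname()` is not guaranteed to NUL-terminate `hostname` when the host name is longer than the buffer (POSIX leaves that unspecified), so the `fprintf` that follows can read past the array; add `hostname[sizeof(hostname) - 1] = '\0';` right after the call. Minor: `static void usage()` should be `usage(void)` to be a real prototype in C. The `#include` lines are not legible in this rendering of the patch, so I could not confirm that the header declaring `isc_md5_available()` is among them.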
@@ -27,8 +27,8 @@ infile=signed.db.in zonefile=signed.db.signed outfile=signed.db.signed -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/keymgr/prereq.sh b/bin/tests/system/keymgr/prereq.sh index be2546ec59..e71cc9f03a 100644 --- a/bin/tests/system/keymgr/prereq.sh +++ b/bin/tests/system/keymgr/prereq.sh @@ -14,17 +14,4 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -SYSTEMTESTTOP=.. -. $SYSTEMTESTTOP/conf.sh - -../../../tools/genrandom 400 random.data - -if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1 -then - rm -f Kfoo* -else - echo "I:This test requires cryptography" >&2 - echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2 - exit 1 -fi -#exec $SHELL ../testcrypto.sh +exec $SHELL ../testcrypto.sh diff --git a/bin/tests/system/nsupdate/ns1/named.conf b/bin/tests/system/nsupdate/ns1/named.conf index 86fe91d070..c53da11685 100644 --- a/bin/tests/system/nsupdate/ns1/named.conf +++ b/bin/tests/system/nsupdate/ns1/named.conf @@ -42,7 +42,7 @@ controls { }; key altkey { - algorithm hmac-md5; + algorithm hmac-sha512; secret "1234abcd8765"; }; diff --git a/bin/tests/system/nsupdate/ns2/named.conf b/bin/tests/system/nsupdate/ns2/named.conf index 6db32202ff..68022656ec 100644 --- a/bin/tests/system/nsupdate/ns2/named.conf +++ b/bin/tests/system/nsupdate/ns2/named.conf @@ -33,7 +33,7 @@ options { }; key altkey { - algorithm hmac-md5; + algorithm hmac-sha512; secret "1234abcd8765"; }; diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh index bb015142da..e97406956a 100644 
--- a/bin/tests/system/nsupdate/setup.sh +++ b/bin/tests/system/nsupdate/setup.sh @@ -53,8 +53,13 @@ EOF ../../../tools/genrandom 400 random.data $DDNSCONFGEN -q -r random.data -z example.nil > ns1/ddns.key +if $FEATURETEST --md5; then + $DDNSCONFGEN -q -r random.data -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key +else + echo -n > ns1/md5.key +fi + -$DDNSCONFGEN -q -r random.data -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key $DDNSCONFGEN -q -r random.data -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key $DDNSCONFGEN -q -r random.data -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key $DDNSCONFGEN -q -r random.data -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh index b9a1c90536..821d7a65e2 100644 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh @@ -516,7 +516,14 @@ fi n=`expr $n + 1` ret=0 echo "I:check TSIG key algorithms ($n)" -for alg in md5 sha1 sha224 sha256 sha384 sha512; do +if $FEATURETEST --md5 +then + ALGS="md5 sha1 sha224 sha256 sha384 sha512" +else + ALGS="sha1 sha224 sha256 sha384 sha512" + echo_i "skipping disabled md5 algorithm" +fi +for alg in $ALGS; do $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1 server 10.53.0.1 5300 update add ${alg}.keytests.nil. 600 A 10.10.10.3 @@ -524,7 +531,7 @@ send END done sleep 2 -for alg in md5 sha1 sha224 sha256 sha384 sha512; do +for alg in $ALGS; do $DIG +short @10.53.0.1 -p 5300 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 done if [ $ret -ne 0 ]; then diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh index ce80005faf..a7c66841cc 100644 --- a/bin/tests/system/rndc/setup.sh +++ b/bin/tests/system/rndc/setup.sh @@ -22,7 +22,7 @@ SYSTEMTESTTOP=.. sh clean.sh -../../../tools/genrandom 400 random.data +../../../tools/genrandom 800 random.data sh ../genzone.sh 2 >ns2/nil.db sh ../genzone.sh 2 >ns2/other.db 
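Review bot: `echo -n > ns1/md5.key` in the else branch of setup.sh is not portable under `#!/bin/sh` (dash and other POSIX echos print a literal `-n`, leaving a non-empty key file); use `: > ns1/md5.key`. In tests.sh the skip branch calls `echo_i "skipping disabled md5 algorithm"` while the line just above it still uses this file's `echo "I:check TSIG key algorithms ($n)"` form; unless conf.sh on this branch defines `echo_i`, which the surrounding code suggests it does not, that prints a command-not-found error instead of the notice. `echo "I:skipping disabled md5 algorithm"` keeps both consistent.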
@@ -37,7 +37,7 @@ make_key () { sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf } -make_key 1 hmac-md5 +$FEATURETEST --md5 && make_key 1 hmac-md5 make_key 2 hmac-sha1 make_key 3 hmac-sha224 make_key 4 hmac-sha256 diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh index 01dbc811ae..20a90850d1 100644 --- a/bin/tests/system/rndc/tests.sh +++ b/bin/tests/system/rndc/tests.sh @@ -246,14 +246,20 @@ if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` echo "I:testing rndc with hmac-md5" -ret=0 -$RNDC -s 10.53.0.4 -p 9951 -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 -for i in 2 3 4 5 6 -do - $RNDC -s 10.53.0.4 -p 9951 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 -done -if [ $ret != 0 ]; then echo "I:failed"; fi -status=`expr $status + $ret` +if $FEATURETEST --md5 +then + echo "I:testing rndc with hmac-md5" + ret=0 + $RNDC -s 10.53.0.4 -p 9951 -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 + for i in 2 3 4 5 6 + do + $RNDC -s 10.53.0.4 -p 9951 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +else + echo "W:skipping rndc with hmac-md5" +fi echo "I:testing rndc with hmac-sha1" ret=0 diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh new file mode 100644 index 0000000000..e21f18b5f5 --- /dev/null +++ b/bin/tests/system/testcrypto.sh 
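Review bot: The unconditional `echo "I:testing rndc with hmac-md5"` context line immediately above the new `if $FEATURETEST --md5` block is still there, so the banner is printed twice when MD5 is available and once, followed by the W: skip line, when it is not; the outer one should go (it is a context line, so that is a change just outside the added lines). Inside the block `echo_i "failed"` replaces the `echo "I:failed"` form used by every other check in this file; keep `echo "I:failed"` unless conf.sh on this branch provides `echo_i`, which the surrounding code suggests it does not.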
@@ -0,0 +1,71 @@
+#!/bin/sh
+#
+# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+SYSTEMTESTTOP=${SYSTEMTESTTOP:=..}
+. $SYSTEMTESTTOP/conf.sh
+
+# Unlike 9.11, keep generated data in current directory
+RANDFILE=random.data
+
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
+
+prog=$0
+
+args="-r $RANDFILE"
+alg="-a RSASHA1 -b 2048"
+quiet=0
+
+msg1="cryptography"
+msg2="--with-openssl, or --enable-native-pkcs11 --with-pkcs11"
+while test "$#" -gt 0; do
+ case $1 in
+ -q)
+ args="$args -q"
+ quiet=1
+ ;;
+ rsa|RSA)
+ alg=""
+ msg1="RSA cryptography"
+ ;;
+ gost|GOST)
+ alg="-a eccgost"
+ msg1="GOST cryptography"
+ msg2="--with-gost"
+ ;;
+ ecdsa|ECDSA)
+ alg="-a ecdsap256sha256"
+ msg1="ECDSA cryptography"
+ msg2="--with-ecdsa"
+ ;;
+ *)
+ echo "${prog}: unknown argument"
+ exit 1
+ ;;
+ esac
+ shift
+done
+
+
+if $KEYGEN $args $alg foo > /dev/null 2>&1
+then
+ rm -f Kfoo*
+else
+ if test $quiet -eq 0; then
+ echo "I:This test requires support for $msg1" >&2
+ echo "I:configure with $msg2" >&2
+ fi
+ exit 255
+fi
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
index af17582096..b61b5d0796 100644
--- a/bin/tests/system/tkey/keycreate.c
+++ b/bin/tests/system/tkey/keycreate.c
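Review bot: Both stdout and stderr of the probe `$KEYGEN $args $alg foo > /dev/null 2>&1` are discarded, so a runtime policy rejection of the requested algorithm (an engine running in FIPS mode, exactly the environment this series targets) is reported as "configure with --with-openssl", which sends the operator after the wrong fix; capture stderr to a file and print it when not quiet, as below. Two smaller things: the `rsa|RSA` case sets `alg=""`, dropping `-b 2048` and leaving the algorithm to dnssec-keygen's built-in default rather than an explicit choice, and `$GENRANDOM` is assumed to come from conf.sh, which this chunk does not show — if it is unset the guard degrades to `800 random.data` and the probe then fails for an unrelated reason. Whether run.sh on this branch maps the `exit 255` to a skip rather than a failure is also not visible here.
```sh
# … unchanged: argument parsing above …
if $KEYGEN $args $alg foo > /dev/null 2> keygen.err
then
	rm -f Kfoo* keygen.err
else
	if test $quiet -eq 0; then
		echo "I:This test requires support for $msg1" >&2
		echo "I:configure with $msg2" >&2
		sed 's/^/I:dnssec-keygen: /' keygen.err >&2
	fi
	rm -f keygen.err
	exit 255
fi
```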
@@ -27,6 +27,7 @@ #include #include #include +#include #include #include #include @@ -143,6 +144,8 @@ sendquery(isc_task_t *task, isc_event_t *event) { static char keystr[] = "0123456789ab"; isc_event_free(&event); + if (isc_md5_available() == ISC_FALSE) + CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED); result = ISC_R_FAILURE; if (inet_pton(AF_INET, "10.53.0.1", &inaddr) != 1) diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c index 1bb33e85fe..da4b1c3c09 100644 --- a/bin/tests/system/tkey/keydelete.c +++ b/bin/tests/system/tkey/keydelete.c @@ -228,12 +228,18 @@ main(int argc, char **argv) { type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY; result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey); CHECK("dst_key_fromnamedfile", result); - result = dns_tsigkey_createfromkey(dst_key_name(dstkey), - DNS_TSIG_HMACMD5_NAME, - dstkey, ISC_TRUE, NULL, 0, 0, - mctx, ring, &tsigkey); - dst_key_free(&dstkey); - CHECK("dns_tsigkey_createfromkey", result); + if (isc_md5_available()) { + result = dns_tsigkey_createfromkey(dst_key_name(dstkey), + DNS_TSIG_HMACMD5_NAME, + dstkey, ISC_TRUE, + NULL, 0, 0, + mctx, ring, &tsigkey); + dst_key_free(&dstkey); + CHECK("dns_tsigkey_createfromkey", result); + } else { + dst_key_free(&dstkey); + CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED); + } (void)isc_app_run(); diff --git a/bin/tests/system/tkey/prereq.sh b/bin/tests/system/tkey/prereq.sh index 66295fee90..310849f08e 100644 --- a/bin/tests/system/tkey/prereq.sh +++ b/bin/tests/system/tkey/prereq.sh @@ -17,13 +17,4 @@ # $Id: prereq.sh,v 1.12 2009/03/02 23:47:43 tbox Exp $ -../../../tools/genrandom 400 random.data - -if $KEYGEN -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1 -then - rm -f foo* -else - echo "I:This test requires cryptography" >&2 - echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2 - exit 1 -fi +exec $SHELL ../testcrypto.sh 
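Review bot: The rewritten tkey/prereq.sh only execs testcrypto.sh, which probes RSASHA1, yet this test inherently needs HMAC-MD5: keycreate.c now aborts through `CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED)` and keydelete.c builds its TSIG key only with `DNS_TSIG_HMACMD5_NAME` (TKEY's Diffie-Hellman mode is specified with HMAC-MD5). On an MD5-disabled build the prerequisite therefore passes and the test fails at runtime instead of being skipped. Add before the exec `$FEATURETEST --md5 || { echo "I:This test requires HMAC-MD5 (TKEY)" >&2; exit 255; }`, assuming run.sh on this branch maps a 255 exit from prereq.sh to a skip, which testcrypto.sh itself relies on. The C hunks' enclosing functions start outside the hunk, and what `CHECK` does on failure is not visible here.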
diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh index 0e98b4047b..b11a378006 100644 --- a/bin/tests/system/tsig/clean.sh +++ b/bin/tests/system/tsig/clean.sh @@ -23,3 +23,4 @@ rm -f dig.out.* rm -f */named.memstats rm -f */named.run +rm -f ns1/rndc5.conf diff --git a/bin/tests/system/tsig/ns1/named.conf b/bin/tests/system/tsig/ns1/named.conf index b48de835f4..e7e568acc7 100644 --- a/bin/tests/system/tsig/ns1/named.conf +++ b/bin/tests/system/tsig/ns1/named.conf @@ -30,10 +30,7 @@ options { notify no; }; -key "md5" { - secret "97rnFx24Tfna4mHPfgnerA=="; - algorithm hmac-md5; -}; +# md5 key included from rndc5.conf key "sha1" { secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; @@ -60,10 +57,7 @@ key "sha512" { algorithm hmac-sha512; }; -key "md5-trunc" { - secret "97rnFx24Tfna4mHPfgnerA=="; - algorithm hmac-md5-80; -}; +# md5-trunc key included from rndc5.conf key "sha1-trunc" { secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; @@ -94,3 +88,5 @@ zone "example.nil" { type master; file "example.db"; }; + +include "rndc5.conf"; diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in new file mode 100644 index 0000000000..f9b17d6e8e --- /dev/null +++ b/bin/tests/system/tsig/ns1/rndc5.conf.in @@ -0,0 +1,22 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* These md5 keys are used only when MD5 is not disabled in build */ +key "md5" { + secret "97rnFx24Tfna4mHPfgnerA=="; + algorithm hmac-md5; +}; + +key "md5-trunc" { + secret "97rnFx24Tfna4mHPfgnerA=="; + algorithm hmac-md5-80; +}; + 
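Review bot: The comment in rndc5.conf.in, `These md5 keys are used only when MD5 is not disabled in build`, is inaccurate: the gate is a runtime probe (`$FEATURETEST --md5`, i.e. `isc_md5_available()`), which also covers a build that has MD5 compiled in but disabled by policy such as FIPS mode. Suggest `/* These MD5 TSIG keys are included only when the runtime crypto provider reports MD5 as available; see setup.sh. */`. The file name suggests an rndc configuration while it holds TSIG keys; since the name was chosen to satisfy util/merge_copyrights, a one-line comment in the file saying so would save the next reader a detour.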
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
new file mode 100644
index 0000000000..7f9049ae76
--- /dev/null
+++ b/bin/tests/system/tsig/setup.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
+
+if $FEATURETEST --md5
+then
+ # Include MD5 keys only if it is
+ cp ns1/rndc5.conf.in ns1/rndc5.conf
+else
+ echo "# MD5 disabled" > ns1/rndc5.conf
+fi
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
index 50ac8d23e6..bd502dd718 100644
--- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh
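Review bot: The comment `# Include MD5 keys only if it is` is cut off mid-sentence; make it `# Include the MD5 TSIG keys only when MD5 is usable at runtime`. The script also relies on `$RANDFILE`, `$GENRANDOM` and `$FEATURETEST` coming from conf.sh, none of which this chunk shows; other setup.sh files in the same series still call `../../../tools/genrandom` by path, so if `GENRANDOM` is not exported on this branch the guard becomes `800 random.data` and the test proceeds without a fresh random file. Running `$SHELL clean.sh` first is good, as it removes a stale `ns1/rndc5.conf` before the feature is re-probed.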
@@ -31,22 +31,27 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f status=0 -echo "I:fetching using hmac-md5 (old form)" -ret=0 -$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ - -y "md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.old || ret=1 -grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo "I: failed"; status=1 -fi - -echo "I:fetching using hmac-md5 (new form)" -ret=0 -$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ - -y "hmac-md5:md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.new || ret=1 -grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo "I: failed"; status=1 +if $FEATURETEST --md5 +then + echo "I:fetching using hmac-md5 (old form)" + ret=0 + $DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ + -y "md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.old || ret=1 + grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 + if [ $ret -eq 1 ] ; then + echo "I: failed"; status=1 + fi + + echo "I:fetching using hmac-md5 (new form)" + ret=0 + $DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ + -y "hmac-md5:md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.new || ret=1 + grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 + fi +else + echo_i "skipping using hmac-md5" fi echo "I:fetching using hmac-sha1" 
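Review bot: Within the same new `if` block the old-form test reports failure with `echo "I: failed"; status=1` while the new-form test right below it uses `echo_i "failed"; status=1`; pick one, and unless conf.sh on this branch defines `echo_i` (the rest of the file uses the `echo "I:…"` form) the first is the safe choice. The same applies to `echo_i "skipping using hmac-md5"` in the else branch, which would otherwise print a command-not-found error where the skip notice should be.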
@@ -99,13 +104,19 @@ fi # Truncated TSIG # # + +if $FEATURETEST --md5 +then echo "I:fetching using hmac-md5 (trunc)" -ret=0 -$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ - -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.trunc || ret=1 -grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo "I: failed"; status=1 + ret=0 + $DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ + -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.trunc || ret=1 + grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 + if [ $ret -eq 1 ] ; then + echo "I: failed"; status=1 + fi +else + echo "W:skipping using hmac-md5 (trunc)" fi echo "I:fetching using hmac-sha1 (trunc)" @@ -159,13 +170,19 @@ fi # Check for bad truncation. # # -echo "I:fetching using hmac-md5-80 (BADTRUNC)" -ret=0 -$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ - -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5-80 || ret=1 -grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo "I: failed"; status=1 + +if $FEATURETEST --md5 +then + echo "I:fetching using hmac-md5-80 (BADTRUNC)" + ret=0 + $DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ + -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5-80 || ret=1 + grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 + if [ $ret -eq 1 ] ; then + echo "I: failed"; status=1 + fi +else + echo "W:skipping using hmac-md5-80 (BADTRUNC)" fi echo "I:fetching using hmac-sha1-80 (BADTRUNC)" diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh index 00222bad05..e795df3bff 100644 --- a/bin/tests/system/tsiggss/setup.sh +++ b/bin/tests/system/tsiggss/setup.sh 
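Review bot: In the `(trunc)` block the banner `echo "I:fetching using hmac-md5 (trunc)"` is left at column 0 inside the new `if … then`, while every other line of the block is indented — indent it to match the BADTRUNC block below. The skip notices use an `echo "W:…"` prefix that no other message in this file uses; if the runner only recognises the `I:`/`R:` prefixes (I cannot tell from here) they may be treated as noise, so `echo "I:skipping …"` would be consistent with the rest of the file.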
@@ -26,5 +26,5 @@ rm -f ns1/*.jnl ns1/K*.key ns1/K*.private ns1/_default.tsigkeys ../../../tools/genrandom 400 $RANDFILE -key=`$KEYGEN -Cq -K ns1 -a DSA -b 512 -r $RANDFILE -n HOST -T KEY key.example.nil.` +key=`$KEYGEN -Cq -K ns1 -a DSA -b 1024 -r $RANDFILE -n HOST -T KEY key.example.nil.` cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db diff --git a/bin/tests/system/upforwd/ns1/named.conf b/bin/tests/system/upforwd/ns1/named.conf index 8d9d2fa0d9..c3c0238073 100644 --- a/bin/tests/system/upforwd/ns1/named.conf +++ b/bin/tests/system/upforwd/ns1/named.conf @@ -18,7 +18,7 @@ /* $Id: named.conf,v 1.11 2007/06/18 23:47:31 tbox Exp $ */ key "update.example." { - algorithm "hmac-md5"; + algorithm "hmac-sha256"; secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; }; diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh index a138649ac3..e14a592db6 100644 --- a/bin/tests/system/upforwd/tests.sh +++ b/bin/tests/system/upforwd/tests.sh @@ -68,7 +68,7 @@ if [ $ret != 0 ] ; then echo "I:failed"; status=`expr $status + $ret`; fi echo "I:updating zone (signed)" ret=0 -$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <
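Review bot: Changing the server-side key `update.example.` to hmac-sha256 also requires the client to name the algorithm: `nsupdate -y keyname:secret` without an `algorithm:` prefix signs with hmac-md5, which this server will now reject as BADKEY. The matching tests.sh hunk is cut off at the end of this chunk, so I cannot confirm it was changed to `-y hmac-sha256:update.example:c3Ryb25n…`; if it was not, the "updating zone (signed)" check fails. The secret itself is unchanged, which is fine for a fixture.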