diff options
| author | CoprDistGit <infra@openeuler.org> | 2024-08-05 01:38:29 +0000 |
|---|---|---|
| committer | CoprDistGit <infra@openeuler.org> | 2024-08-05 01:38:29 +0000 |
| commit | 60e6ebff61b1c2f87ec78831b610b17fbd130ae3 (patch) | |
| tree | d14033338828a8a03b3562472148a3387b50215b /bind-9.11-fips-tests.patch | |
| parent | ad69e2cec05ad6d646c8b6e1355f0e18af3b7692 (diff) | |
automatic import of bindopeneuler24.03_LTS
Diffstat (limited to 'bind-9.11-fips-tests.patch')
| -rw-r--r-- | bind-9.11-fips-tests.patch | 959 |
1 files changed, 959 insertions, 0 deletions
diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch new file mode 100644 index 0000000..51927a4 --- /dev/null +++ b/bind-9.11-fips-tests.patch @@ -0,0 +1,959 @@ +From 3f04cf343dbeb8819197702ce1be737e26e0638a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> +Date: Thu, 2 Aug 2018 23:46:45 +0200 +Subject: [PATCH] FIPS tests changes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Squashed commit of the following: + +commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa +Author: Petr Menšík <pemensik@redhat.com> +Date: Wed Mar 7 20:35:13 2018 +0100 + + Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available. + +commit ab303db70082db76ecf36493d0b82ef3e8750cad +Author: Petr Menšík <pemensik@redhat.com> +Date: Wed Mar 7 18:11:10 2018 +0100 + + Changed root key to be RSASHA256 + + Change bad trusted key to be the same algorithm. + +commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8 +Author: Petr Menšík <pemensik@redhat.com> +Date: Wed Mar 7 16:56:17 2018 +0100 + + Change used key to not use hmac-md5 + + Fix upforwd test, do not use hmac-md5 + +commit aec891571626f053acfb4d0a247240cbc21a84e9 +Author: Petr Menšík <pemensik@redhat.com> +Date: Wed Mar 7 15:54:11 2018 +0100 + + Increase bitsize of DSA key to pass FIPS 140-2 mode. + +commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696 +Author: Petr Menšík <pemensik@redhat.com> +Date: Wed Mar 7 15:41:08 2018 +0100 + + Fix tsig and rndc tests for disabled md5 + + Use hmac-sha256 instead of hmac-md5. + +commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67 +Author: Petr Menšík <pemensik@redhat.com> +Date: Wed Mar 7 13:21:00 2018 +0100 + + Add md5 availability detection to featuretest + +commit f389a918803e2853e4b55fed62765dc4a492e34f +Author: Petr Menšík <pemensik@redhat.com> +Date: Wed Mar 7 10:44:23 2018 +0100 + + Change tests to not use hmac-md5 algorithms if not required + + Use hmac-sha256 instead of default hmac-md5 for allow-query +--- + bin/tests/system/acl/ns2/named1.conf.in | 4 +- + bin/tests/system/acl/ns2/named2.conf.in | 4 +- + bin/tests/system/acl/ns2/named3.conf.in | 6 +- + bin/tests/system/acl/ns2/named4.conf.in | 4 +- + bin/tests/system/acl/ns2/named5.conf.in | 4 +- + bin/tests/system/acl/tests.sh | 32 ++++----- + .../system/allow-query/ns2/named10.conf.in | 2 +- + .../system/allow-query/ns2/named11.conf.in | 4 +- + .../system/allow-query/ns2/named12.conf.in | 2 +- + .../system/allow-query/ns2/named30.conf.in | 2 +- + .../system/allow-query/ns2/named31.conf.in | 4 +- + .../system/allow-query/ns2/named32.conf.in | 2 +- + .../system/allow-query/ns2/named40.conf.in | 4 +- + bin/tests/system/allow-query/tests.sh | 18 ++--- + bin/tests/system/catz/ns1/named.conf.in | 2 +- + bin/tests/system/catz/ns2/named.conf.in | 2 +- + bin/tests/system/checkconf/bad-tsig.conf | 2 +- + bin/tests/system/checkconf/good.conf | 2 +- + bin/tests/system/feature-test.c | 14 ++++ + bin/tests/system/notify/ns5/named.conf.in | 6 +- + bin/tests/system/notify/tests.sh | 6 +- + bin/tests/system/nsupdate/ns1/named.conf.in | 2 +- + bin/tests/system/nsupdate/ns2/named.conf.in | 2 +- + bin/tests/system/nsupdate/setup.sh | 6 +- + bin/tests/system/nsupdate/tests.sh | 15 +++-- + bin/tests/system/rndc/setup.sh | 2 +- + bin/tests/system/rndc/tests.sh | 23 ++++--- + bin/tests/system/tsig/ns1/named.conf.in | 10 +-- + bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++ + bin/tests/system/tsig/setup.sh | 5 ++ + bin/tests/system/tsig/tests.sh | 65 ++++++++++++------- + bin/tests/system/upforwd/ns1/named.conf.in | 2 +- + bin/tests/system/upforwd/tests.sh | 2 +- + 33 files changed, 162 insertions(+), 108 deletions(-) + create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in + +diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in +index 60f22e1..249f672 100644 +--- a/bin/tests/system/acl/ns2/named1.conf.in ++++ b/bin/tests/system/acl/ns2/named1.conf.in +@@ -33,12 +33,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in +index ada97bc..f82d858 100644 +--- a/bin/tests/system/acl/ns2/named2.conf.in ++++ b/bin/tests/system/acl/ns2/named2.conf.in +@@ -33,12 +33,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in +index 97684e4..de6a2e9 100644 +--- a/bin/tests/system/acl/ns2/named3.conf.in ++++ b/bin/tests/system/acl/ns2/named3.conf.in +@@ -33,17 +33,17 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key three { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in +index 462b3fa..994b35c 100644 +--- a/bin/tests/system/acl/ns2/named4.conf.in ++++ b/bin/tests/system/acl/ns2/named4.conf.in +@@ -33,12 +33,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in +index 728da58..8f00d09 100644 +--- a/bin/tests/system/acl/ns2/named5.conf.in ++++ b/bin/tests/system/acl/ns2/named5.conf.in +@@ -35,12 +35,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh +index be59d64..13d5bdc 100644 +--- a/bin/tests/system/acl/tests.sh ++++ b/bin/tests/system/acl/tests.sh +@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing" + # key "one" should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + + # any other key should be fine + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + copy_setports ns2/named2.conf.in ns2/named.conf +@@ -39,18 +39,18 @@ sleep 5 + # prefix 10/8 should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + # any other address should work, as long as it sends key "one" + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + echo_i "testing nested ACL processing" +@@ -62,31 +62,31 @@ sleep 5 + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # but only one or the other should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + t=`expr $t + 1` +@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1 + # and other values? right out + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two +@@ -108,31 +108,31 @@ sleep 5 + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + # should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + # should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + echo_i "testing allow-query-on ACL processing" +diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in +index 7d43e36..f7b25f9 100644 +--- a/bin/tests/system/allow-query/ns2/named10.conf.in ++++ b/bin/tests/system/allow-query/ns2/named10.conf.in +@@ -10,7 +10,7 @@ + */ + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in +index 2952518..121557e 100644 +--- a/bin/tests/system/allow-query/ns2/named11.conf.in ++++ b/bin/tests/system/allow-query/ns2/named11.conf.in +@@ -10,12 +10,12 @@ + */ + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234efgh8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in +index 0c01071..ceabbb5 100644 +--- a/bin/tests/system/allow-query/ns2/named12.conf.in ++++ b/bin/tests/system/allow-query/ns2/named12.conf.in +@@ -10,7 +10,7 @@ + */ + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in +index 4c17292..9cd9d1f 100644 +--- a/bin/tests/system/allow-query/ns2/named30.conf.in ++++ b/bin/tests/system/allow-query/ns2/named30.conf.in +@@ -10,7 +10,7 @@ + */ + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in +index a2690a4..f488730 100644 +--- a/bin/tests/system/allow-query/ns2/named31.conf.in ++++ b/bin/tests/system/allow-query/ns2/named31.conf.in +@@ -10,12 +10,12 @@ + */ + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234efgh8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in +index a0708c8..51fa457 100644 +--- a/bin/tests/system/allow-query/ns2/named32.conf.in ++++ b/bin/tests/system/allow-query/ns2/named32.conf.in +@@ -10,7 +10,7 @@ + */ + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in +index 687768e..d24d6d2 100644 +--- a/bin/tests/system/allow-query/ns2/named40.conf.in ++++ b/bin/tests/system/allow-query/ns2/named40.conf.in +@@ -14,12 +14,12 @@ acl accept { 10.53.0.2; }; + acl badaccept { 10.53.0.1; }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234efgh8765"; + }; + +diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh +index fe40635..543c663 100644 +--- a/bin/tests/system/allow-query/tests.sh ++++ b/bin/tests/system/allow-query/tests.sh +@@ -182,7 +182,7 @@ rndc_reload ns2 10.53.0.2 + + echo_i "test $n: key allowed - query allowed" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -195,7 +195,7 @@ rndc_reload ns2 10.53.0.2 + + echo_i "test $n: key not allowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -208,7 +208,7 @@ rndc_reload ns2 10.53.0.2 + + echo_i "test $n: key disallowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -341,7 +341,7 @@ rndc_reload ns2 10.53.0.2 + + echo_i "test $n: views key allowed - query allowed" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -354,7 +354,7 @@ rndc_reload ns2 10.53.0.2 + + echo_i "test $n: views key not allowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2 + + echo_i "test $n: views key disallowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -500,7 +500,7 @@ status=`expr $status + $ret` + n=`expr $n + 1` + echo_i "test $n: zone key allowed - query allowed" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 + grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -510,7 +510,7 @@ status=`expr $status + $ret` + n=`expr $n + 1` + echo_i "test $n: zone key not allowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -520,7 +520,7 @@ status=`expr $status + $ret` + n=`expr $n + 1` + echo_i "test $n: zone key disallowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in +index 1218669..e62715e 100644 +--- a/bin/tests/system/catz/ns1/named.conf.in ++++ b/bin/tests/system/catz/ns1/named.conf.in +@@ -61,5 +61,5 @@ zone "catalog4.example" { + + key tsig_key. { + secret "LSAnCU+Z"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; +diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in +index 30333e6..4005152 100644 +--- a/bin/tests/system/catz/ns2/named.conf.in ++++ b/bin/tests/system/catz/ns2/named.conf.in +@@ -70,5 +70,5 @@ zone "catalog4.example" { + + key tsig_key. { + secret "LSAnCU+Z"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; +diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf +index 21be03e..e57c308 100644 +--- a/bin/tests/system/checkconf/bad-tsig.conf ++++ b/bin/tests/system/checkconf/bad-tsig.conf +@@ -11,7 +11,7 @@ + + /* Bad secret */ + key "badtsig" { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "jEdD+BPKg=="; + }; + +diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf +index e09b9e8..2e824b3 100644 +--- a/bin/tests/system/checkconf/good.conf ++++ b/bin/tests/system/checkconf/good.conf +@@ -210,6 +210,6 @@ dyndb "name" "library.so" { + system; + }; + key "mykey" { +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "qwertyuiopasdfgh"; + }; +diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c +index 877504f..577660a 100644 +--- a/bin/tests/system/feature-test.c ++++ b/bin/tests/system/feature-test.c +@@ -14,6 +14,7 @@ + #include <string.h> + #include <unistd.h> + ++#include <isc/md.h> + #include <isc/net.h> + #include <isc/print.h> + #include <isc/util.h> +@@ -186,6 +187,19 @@ main(int argc, char **argv) { + #endif /* ifdef DLZ_FILESYSTEM */ + } + ++ if (strcmp(argv[1], "--md5") == 0) { ++ unsigned char digest[ISC_MAX_MD_SIZE]; ++ const unsigned char test[] = "test"; ++ unsigned int size = sizeof(digest); ++ ++ if (isc_md(ISC_MD_MD5, test, sizeof(test), ++ digest, &size) == ISC_R_SUCCESS) { ++ return (0); ++ } else { ++ return (1); ++ } ++ } ++ + if (strcmp(argv[1], "--with-idn") == 0) { + #ifdef HAVE_LIBIDN2 + return (0); +diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in +index 1ee8df4..2b75d9a 100644 +--- a/bin/tests/system/notify/ns5/named.conf.in ++++ b/bin/tests/system/notify/ns5/named.conf.in +@@ -10,17 +10,17 @@ + */ + + key "a" { +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "aaaaaaaaaaaaaaaaaaaa"; + }; + + key "b" { +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "bbbbbbbbbbbbbbbbbbbb"; + }; + + key "c" { +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "cccccccccccccccccccc"; + }; + +diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh +index 3d7e0b7..ec4d9a7 100644 +--- a/bin/tests/system/notify/tests.sh ++++ b/bin/tests/system/notify/tests.sh +@@ -212,16 +212,16 @@ ret=0 + $NSUPDATE << EOF + server 10.53.0.5 ${PORT} + zone x21 +-key a aaaaaaaaaaaaaaaaaaaa ++key hmac-sha256:a aaaaaaaaaaaaaaaaaaaa + update add added.x21 0 in txt "test string" + send + EOF + + for i in 1 2 3 4 5 6 7 8 9 + do +- $DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ ++ $DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ + txt > dig.out.b.ns5.test$n || ret=1 +- $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \ ++ $DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \ + txt > dig.out.c.ns5.test$n || ret=1 + grep "test string" dig.out.b.ns5.test$n > /dev/null && + grep "test string" dig.out.c.ns5.test$n > /dev/null && +diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in +index b51e700..436c97d 100644 +--- a/bin/tests/system/nsupdate/ns1/named.conf.in ++++ b/bin/tests/system/nsupdate/ns1/named.conf.in +@@ -37,7 +37,7 @@ controls { + }; + + key altkey { +- algorithm hmac-md5; ++ algorithm hmac-sha512; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in +index da6b3b4..c547e47 100644 +--- a/bin/tests/system/nsupdate/ns2/named.conf.in ++++ b/bin/tests/system/nsupdate/ns2/named.conf.in +@@ -32,7 +32,7 @@ controls { + }; + + key altkey { +- algorithm hmac-md5; ++ algorithm hmac-sha512; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh +index c055da3..4e1242b 100644 +--- a/bin/tests/system/nsupdate/setup.sh ++++ b/bin/tests/system/nsupdate/setup.sh +@@ -56,7 +56,11 @@ EOF + + $DDNSCONFGEN -q -z example.nil > ns1/ddns.key + +-$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key ++if $FEATURETEST --md5; then ++ $DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key ++else ++ echo -n > ns1/md5.key ++fi + $DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key + $DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key + $DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key +diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh +index b35d797..41c128e 100755 +--- a/bin/tests/system/nsupdate/tests.sh ++++ b/bin/tests/system/nsupdate/tests.sh +@@ -797,7 +797,14 @@ fi + n=`expr $n + 1` + ret=0 + echo_i "check TSIG key algorithms (nsupdate -k) ($n)" +-for alg in md5 sha1 sha224 sha256 sha384 sha512; do ++if $FEATURETEST --md5 ++then ++ ALGS="md5 sha1 sha224 sha256 sha384 sha512" ++else ++ ALGS="sha1 sha224 sha256 sha384 sha512" ++ echo_i "skipping disabled md5 algorithm" ++fi ++for alg in $ALGS; do + $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1 + server 10.53.0.1 ${PORT} + update add ${alg}.keytests.nil. 600 A 10.10.10.3 +@@ -805,7 +812,7 @@ send + END + done + sleep 2 +-for alg in md5 sha1 sha224 sha256 sha384 sha512; do ++for alg in $ALGS; do + $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 + done + if [ $ret -ne 0 ]; then +@@ -816,7 +823,7 @@ fi + n=`expr $n + 1` + ret=0 + echo_i "check TSIG key algorithms (nsupdate -y) ($n)" +-for alg in md5 sha1 sha224 sha256 sha384 sha512; do ++for alg in $ALGS; do + secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key) + $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" <<END > /dev/null || ret=1 + server 10.53.0.1 ${PORT} +@@ -825,7 +832,7 @@ send + END + done + sleep 2 +-for alg in md5 sha1 sha224 sha256 sha384 sha512; do ++for alg in $ALGS; do + $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1 + done + if [ $ret -ne 0 ]; then +diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh +index b59e7a7..04d5f5a 100644 +--- a/bin/tests/system/rndc/setup.sh ++++ b/bin/tests/system/rndc/setup.sh +@@ -33,7 +33,7 @@ make_key () { + sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf + } + +-make_key 1 ${EXTRAPORT1} hmac-md5 ++$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5 + make_key 2 ${EXTRAPORT2} hmac-sha1 + make_key 3 ${EXTRAPORT3} hmac-sha224 + make_key 4 ${EXTRAPORT4} hmac-sha256 +diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh +index 9fd84ed..d0b188f 100644 +--- a/bin/tests/system/rndc/tests.sh ++++ b/bin/tests/system/rndc/tests.sh +@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + n=`expr $n + 1` +-echo_i "testing rndc with hmac-md5 ($n)" +-ret=0 +-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 +-for i in 2 3 4 5 6 +-do +- $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 +-done +-if [ $ret != 0 ]; then echo_i "failed"; fi +-status=`expr $status + $ret` ++if $FEATURETEST --md5 ++then ++ echo_i "testing rndc with hmac-md5 ($n)" ++ ret=0 ++ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 ++ for i in 2 3 4 5 6 ++ do ++ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 ++ done ++ if [ $ret != 0 ]; then echo_i "failed"; fi ++ status=`expr $status + $ret` ++else ++ echo_i "skipping rndc with hmac-md5 ($n)" ++fi + + n=`expr $n + 1` + echo_i "testing rndc with hmac-sha1 ($n)" +diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in +index 3470c4f..cf539cd 100644 +--- a/bin/tests/system/tsig/ns1/named.conf.in ++++ b/bin/tests/system/tsig/ns1/named.conf.in +@@ -21,10 +21,7 @@ options { + notify no; + }; + +-key "md5" { +- secret "97rnFx24Tfna4mHPfgnerA=="; +- algorithm hmac-md5; +-}; ++# md5 key appended by setup.sh at the end + + key "sha1" { + secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; +@@ -51,10 +48,7 @@ key "sha512" { + algorithm hmac-sha512; + }; + +-key "md5-trunc" { +- secret "97rnFx24Tfna4mHPfgnerA=="; +- algorithm hmac-md5-80; +-}; ++# md5-trunc key appended by setup.sh at the end + + key "sha1-trunc" { + secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; +diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in +new file mode 100644 +index 0000000..0682194 +--- /dev/null ++++ b/bin/tests/system/tsig/ns1/rndc5.conf.in +@@ -0,0 +1,10 @@ ++# Conditionally included when support for MD5 is available ++key "md5" { ++ secret "97rnFx24Tfna4mHPfgnerA=="; ++ algorithm hmac-md5; ++}; ++ ++key "md5-trunc" { ++ secret "97rnFx24Tfna4mHPfgnerA=="; ++ algorithm hmac-md5-80; ++}; +diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh +index e3b4a45..ae21d04 100644 +--- a/bin/tests/system/tsig/setup.sh ++++ b/bin/tests/system/tsig/setup.sh +@@ -15,3 +15,8 @@ SYSTEMTESTTOP=.. + $SHELL clean.sh + + copy_setports ns1/named.conf.in ns1/named.conf ++ ++if $FEATURETEST --md5 ++then ++ cat ns1/rndc5.conf.in >> ns1/named.conf ++fi +diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh +index 38d842a..668aa6f 100644 +--- a/bin/tests/system/tsig/tests.sh ++++ b/bin/tests/system/tsig/tests.sh +@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f + + status=0 + +-echo_i "fetching using hmac-md5 (old form)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 +-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 +-fi ++if $FEATURETEST --md5 ++then ++ echo_i "fetching using hmac-md5 (old form)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 ++ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi + +-echo_i "fetching using hmac-md5 (new form)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 +-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 ++ echo_i "fetching using hmac-md5 (new form)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 ++ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi ++else ++ echo_i "skipping using hmac-md5" + fi + + echo_i "fetching using hmac-sha1" +@@ -87,12 +92,17 @@ fi + # Truncated TSIG + # + # +-echo_i "fetching using hmac-md5 (trunc)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 +-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 ++if $FEATURETEST --md5 ++then ++ echo_i "fetching using hmac-md5 (trunc)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 ++ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi ++else ++ echo_i "skipping using hmac-md5 (trunc)" + fi + + echo_i "fetching using hmac-sha1 (trunc)" +@@ -141,12 +151,17 @@ fi + # Check for bad truncation. + # + # +-echo_i "fetching using hmac-md5-80 (BADTRUNC)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 +-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 ++if $FEATURETEST --md5 ++then ++ echo_i "fetching using hmac-md5-80 (BADTRUNC)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 ++ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi ++else ++ echo_i "skipping using hmac-md5-80 (BADTRUNC)" + fi + + echo_i "fetching using hmac-sha1-80 (BADTRUNC)" +diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in +index 3873c7c..b359a5a 100644 +--- a/bin/tests/system/upforwd/ns1/named.conf.in ++++ b/bin/tests/system/upforwd/ns1/named.conf.in +@@ -10,7 +10,7 @@ + */ + + key "update.example." { +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; + }; + +diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh +index a50c896..8062d68 100644 +--- a/bin/tests/system/upforwd/tests.sh ++++ b/bin/tests/system/upforwd/tests.sh +@@ -79,7 +79,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + + echo_i "updating zone (signed) ($n)" + ret=0 +-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1 ++$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1 + server 10.53.0.3 ${PORT} + update add updated.example. 600 A 10.10.10.1 + update add updated.example. 600 TXT Foo +-- +2.26.2 + |