rndc: don't test hmac-md5 in FIPS mode
HMACMD5 is not permitted in FIPS mode. Only test HMACMD5 when not in FIPS mode.
@@ -41,11 +41,14 @@ copy_setports ns5/named.conf.in ns5/named.conf
|
|||||||
copy_setports ns6/named.conf.in ns6/named.conf
|
copy_setports ns6/named.conf.in ns6/named.conf
|
||||||
copy_setports ns7/named.conf.in ns7/named.conf
|
copy_setports ns7/named.conf.in ns7/named.conf
|
||||||
|
|
||||||
|
keyset=
|
||||||
make_key () {
|
make_key () {
|
||||||
$RNDCCONFGEN -k key$1 -A $3 -s 10.53.0.4 -p $2 \
|
$RNDCCONFGEN -k key$1 -A $3 -s 10.53.0.4 -p $2 \
|
||||||
> ns4/key${1}.conf 2> /dev/null
|
> ns4/key${1}.conf 2> /dev/null
|
||||||
grep -E -v '(^# Start|^# End|^# Use|^[^#])' ns4/key$1.conf | cut -c3- | \
|
grep -E -v '(^# Start|^# End|^# Use|^[^#])' ns4/key$1.conf | cut -c3- | \
|
||||||
sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
|
sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
|
||||||
|
key='"'key$1'";'
|
||||||
|
keyset="$keyset $key"
|
||||||
}
|
}
|
||||||
|
|
||||||
$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
|
$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
|
||||||
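Review bot: In make_key the key name is appended to `keyset` unconditionally, although the `$RNDCCONFGEN` call just above it discards stderr and its exit status is never checked. A failed key generation would therefore still place the name in the `keys { $keyset };` clause of the shared control channel, leaving named.conf referring to a key that was never defined. Consider appending only when the key file was actually produced, and add a comment above `keyset=` such as `# quoted names of the keys generated so far; expanded into the EXTRAPORT7 controls clause`. The append also reads more clearly without the scratch global and the unquoted `key$1` segment: `keyset="$keyset \"key$1\";"`.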
@@ -59,7 +62,6 @@ cat >> ns4/named.conf <<- EOF
|
|||||||
|
|
||||||
controls {
|
controls {
|
||||||
inet 10.53.0.4 port ${EXTRAPORT7}
|
inet 10.53.0.4 port ${EXTRAPORT7}
|
||||||
allow { any; } keys { "key1"; "key2"; "key3";
|
allow { any; } keys { $keyset };
|
||||||
"key4"; "key5"; "key6"; };
|
|
||||||
};
|
};
|
||||||
EOF
|
EOF
|
||||||
|
@@ -237,7 +237,7 @@ mv -f ns2/other.db.new ns2/other.db
|
|||||||
$RNDCCMD 10.53.0.2 thaw 2>&1 | sed 's/^/ns2 /' | cat_i
|
$RNDCCMD 10.53.0.2 thaw 2>&1 | sed 's/^/ns2 /' | cat_i
|
||||||
sleep 1
|
sleep 1
|
||||||
[ -f ns2/other.db.jnl ] && {
|
[ -f ns2/other.db.jnl ] && {
|
||||||
echo_i "'test -f ns2/other.db.jnl' succeeded when it shouldn't have"; ret=1;
|
echo_i "'test -f ns2/other.db.jnl' succeeded when it shouldn't have"; ret=1;
|
||||||
}
|
}
|
||||||
$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.2.test$n 2>&1 <<END || ret=1
|
$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.2.test$n 2>&1 <<END || ret=1
|
||||||
server 10.53.0.2
|
server 10.53.0.2
|
||||||
@@ -370,7 +370,7 @@ ret=0
|
|||||||
$RNDC -s 10.53.0.4 -p ${EXTRAPORT2} -c ns4/key2.conf status > /dev/null 2>&1 || ret=1
|
$RNDC -s 10.53.0.4 -p ${EXTRAPORT2} -c ns4/key2.conf status > /dev/null 2>&1 || ret=1
|
||||||
for i in 1 3 4 5 6
|
for i in 1 3 4 5 6
|
||||||
do
|
do
|
||||||
$RNDC -s 10.53.0.4 -p ${EXTRAPORT2} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
$RNDC -s 10.53.0.4 -p ${EXTRAPORT2} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
||||||
done
|
done
|
||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
status=$((status+ret))
|
status=$((status+ret))
|
||||||
@@ -381,7 +381,7 @@ ret=0
|
|||||||
$RNDC -s 10.53.0.4 -p ${EXTRAPORT3} -c ns4/key3.conf status > /dev/null 2>&1 || ret=1
|
$RNDC -s 10.53.0.4 -p ${EXTRAPORT3} -c ns4/key3.conf status > /dev/null 2>&1 || ret=1
|
||||||
for i in 1 2 4 5 6
|
for i in 1 2 4 5 6
|
||||||
do
|
do
|
||||||
$RNDC -s 10.53.0.4 -p ${EXTRAPORT3} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
$RNDC -s 10.53.0.4 -p ${EXTRAPORT3} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
||||||
done
|
done
|
||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
status=$((status+ret))
|
status=$((status+ret))
|
||||||
@@ -392,7 +392,7 @@ ret=0
|
|||||||
$RNDC -s 10.53.0.4 -p ${EXTRAPORT4} -c ns4/key4.conf status > /dev/null 2>&1 || ret=1
|
$RNDC -s 10.53.0.4 -p ${EXTRAPORT4} -c ns4/key4.conf status > /dev/null 2>&1 || ret=1
|
||||||
for i in 1 2 3 5 6
|
for i in 1 2 3 5 6
|
||||||
do
|
do
|
||||||
$RNDC -s 10.53.0.4 -p ${EXTRAPORT4} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
$RNDC -s 10.53.0.4 -p ${EXTRAPORT4} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
||||||
done
|
done
|
||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
status=$((status+ret))
|
status=$((status+ret))
|
||||||
@@ -403,7 +403,7 @@ ret=0
|
|||||||
$RNDC -s 10.53.0.4 -p ${EXTRAPORT5} -c ns4/key5.conf status > /dev/null 2>&1 || ret=1
|
$RNDC -s 10.53.0.4 -p ${EXTRAPORT5} -c ns4/key5.conf status > /dev/null 2>&1 || ret=1
|
||||||
for i in 1 2 3 4 6
|
for i in 1 2 3 4 6
|
||||||
do
|
do
|
||||||
$RNDC -s 10.53.0.4 -p ${EXTRAPORT5} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
$RNDC -s 10.53.0.4 -p ${EXTRAPORT5} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
||||||
done
|
done
|
||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
status=$((status+ret))
|
status=$((status+ret))
|
||||||
@@ -414,7 +414,7 @@ ret=0
|
|||||||
$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status > /dev/null 2>&1 || ret=1
|
$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status > /dev/null 2>&1 || ret=1
|
||||||
for i in 1 2 3 4 5
|
for i in 1 2 3 4 5
|
||||||
do
|
do
|
||||||
$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key${i}.conf status > /dev/null 2>&1 2>&1 && ret=1
|
$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key${i}.conf status > /dev/null 2>&1 2>&1 && ret=1
|
||||||
done
|
done
|
||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
status=$((status+ret))
|
status=$((status+ret))
|
||||||
@@ -424,7 +424,8 @@ echo_i "testing single control channel with multiple algorithms ($n)"
|
|||||||
ret=0
|
ret=0
|
||||||
for i in 1 2 3 4 5 6
|
for i in 1 2 3 4 5 6
|
||||||
do
|
do
|
||||||
$RNDC -s 10.53.0.4 -p ${EXTRAPORT7} -c ns4/key${i}.conf status > /dev/null 2>&1 || ret=1
|
test $i = 1 && $FEATURETEST --have-fips-mode && continue
|
||||||
|
$RNDC -s 10.53.0.4 -p ${EXTRAPORT7} -c ns4/key${i}.conf status > /dev/null 2>&1 || ret=1
|
||||||
done
|
done
|
||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
status=$((status+ret))
|
status=$((status+ret))
|
||||||
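Review bot: The skip added to the EXTRAPORT7 loop tests a different predicate from the one that decides whether key1 exists. The first hunk on this page creates key1 only when `$FEATURETEST --md5` succeeds, while this loop skips it only when `$FEATURETEST --have-fips-mode` succeeds. If the two ever disagree (MD5 unavailable for a reason other than FIPS mode, or, judging only from the flag name, a FIPS-capable build that is not running in FIPS mode), the loop either fails on a key1.conf that was never generated or leaves a configured key unexercised. Mirroring the setup condition keeps the two in step: `test $i = 1 && ! $FEATURETEST --md5 && continue`. A one-line comment such as `# key1 is hmac-md5; it is only created when MD5 is available` would explain the special case.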
@@ -512,20 +513,20 @@ status=$((status+ret))
|
|||||||
|
|
||||||
for i in 512 1024 2048 4096 8192 16384 32768 65536 131072 262144 524288
|
for i in 512 1024 2048 4096 8192 16384 32768 65536 131072 262144 524288
|
||||||
do
|
do
|
||||||
n=$((n+1))
|
n=$((n+1))
|
||||||
echo_i "testing rndc buffer size limits (size=${i}) ($n)"
|
echo_i "testing rndc buffer size limits (size=${i}) ($n)"
|
||||||
ret=0
|
ret=0
|
||||||
$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf testgen ${i} 2>&1 > rndc.out.$i.test$n || ret=1
|
$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf testgen ${i} 2>&1 > rndc.out.$i.test$n || ret=1
|
||||||
actual_size=`$GENCHECK rndc.out.$i.test$n`
|
actual_size=`$GENCHECK rndc.out.$i.test$n`
|
||||||
if [ "$?" = "0" ]; then
|
if [ "$?" = "0" ]; then
|
||||||
expected_size=$((i+1))
|
expected_size=$((i+1))
|
||||||
if [ $actual_size != $expected_size ]; then ret=1; fi
|
if [ $actual_size != $expected_size ]; then ret=1; fi
|
||||||
else
|
else
|
||||||
ret=1
|
ret=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
status=$((status+ret))
|
status=$((status+ret))
|
||||||
done
|
done
|
||||||
|
|
||||||
n=$((n+1))
|
n=$((n+1))
|
||||||
|
@@ -18,6 +18,7 @@
|
|||||||
rm -f dig.out.*
|
rm -f dig.out.*
|
||||||
rm -f */named.memstats
|
rm -f */named.memstats
|
||||||
rm -f */named.conf
|
rm -f */named.conf
|
||||||
|
rm -f ns1/named-fips.conf
|
||||||
rm -f */named.run
|
rm -f */named.run
|
||||||
rm -f ns*/named.lock
|
rm -f ns*/named.lock
|
||||||
rm -f Kexample.net.*
|
rm -f Kexample.net.*
|
||||||
|