From 9366ed58b46b5ba87bc1ee6eb22f955935d04fe0 Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Tue, 5 Jul 2022 19:38:31 +1000 Subject: [PATCH] Upgrade uses of hmac-md5 to DEFAULT_HMAC where the test is not hmac-md5 specific --- bin/tests/system/acl/ns2/named1.conf.in | 4 +-- bin/tests/system/acl/ns2/named2.conf.in | 4 +-- bin/tests/system/acl/ns2/named3.conf.in | 6 ++-- bin/tests/system/acl/ns2/named4.conf.in | 4 +-- bin/tests/system/acl/ns2/named5.conf.in | 4 +-- bin/tests/system/acl/tests.sh | 30 +++++++++---------- .../system/allow-query/ns2/named10.conf.in | 2 +- .../system/allow-query/ns2/named11.conf.in | 4 +-- .../system/allow-query/ns2/named12.conf.in | 2 +- .../system/allow-query/ns2/named30.conf.in | 2 +- .../system/allow-query/ns2/named31.conf.in | 4 +-- .../system/allow-query/ns2/named32.conf.in | 2 +- .../system/allow-query/ns2/named40.conf.in | 4 +-- bin/tests/system/allow-query/tests.sh | 18 +++++------ bin/tests/system/ans.pl | 5 ++++ bin/tests/system/catz/ns1/named.conf.in | 2 +- bin/tests/system/catz/ns2/named1.conf.in | 2 +- bin/tests/system/catz/ns2/named2.conf.in | 2 +- .../{bad-tsig.conf => bad-tsig.conf.in} | 3 +- bin/tests/system/checkconf/clean.sh | 3 +- .../checkconf/{good.conf => good.conf.in} | 2 +- bin/tests/system/checkconf/setup.sh | 2 ++ bin/tests/system/checkconf/tests.sh | 18 +++++------ bin/tests/system/notify/ns5/named.conf.in | 6 ++-- bin/tests/system/notify/tests.sh | 6 ++-- bin/tests/system/nsupdate/ns1/named.conf.in | 6 ++-- bin/tests/system/nsupdate/ns2/named.conf.in | 2 +- bin/tests/system/nsupdate/tests.sh | 8 ++--- bin/tests/system/upforwd/ns1/named.conf.in | 2 +- bin/tests/system/upforwd/tests.sh | 2 +- bin/tests/system/xfer/ns2/named.conf.in | 2 +- bin/tests/system/xfer/ns3/named.conf.in | 2 +- bin/tests/system/xfer/ns4/named.conf.base | 4 +-- bin/tests/system/xfer/ns8/named.conf.in | 2 +- bin/tests/system/xfer/tests.sh | 8 ++--- 35 files changed, 93 insertions(+), 86 deletions(-) rename bin/tests/system/checkconf/{bad-tsig.conf => bad-tsig.conf.in} (94%) rename 
bin/tests/system/checkconf/{good.conf => good.conf.in} (99%) diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in index 8787c6afa2..682ba97f57 100644 --- a/bin/tests/system/acl/ns2/named1.conf.in +++ b/bin/tests/system/acl/ns2/named1.conf.in @@ -35,12 +35,12 @@ options { }; key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in index a95b4c18dd..7b1cea6fcd 100644 --- a/bin/tests/system/acl/ns2/named2.conf.in +++ b/bin/tests/system/acl/ns2/named2.conf.in @@ -35,12 +35,12 @@ options { }; key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in index 14cc3fec3f..6b35ba5a98 100644 --- a/bin/tests/system/acl/ns2/named3.conf.in +++ b/bin/tests/system/acl/ns2/named3.conf.in @@ -35,17 +35,17 @@ options { }; key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key three { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in index 77cf110a54..b23a1cab58 100644 --- a/bin/tests/system/acl/ns2/named4.conf.in +++ b/bin/tests/system/acl/ns2/named4.conf.in @@ -35,12 +35,12 @@ options { }; key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in index 5ccabf9255..52791aa2a1 100644 
--- a/bin/tests/system/acl/ns2/named5.conf.in +++ b/bin/tests/system/acl/ns2/named5.conf.in @@ -37,12 +37,12 @@ options { }; key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh index 9ee39843ae..fe54ef57f1 100644 --- a/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh @@ -23,14 +23,14 @@ echo_i "testing basic ACL processing" # key "one" should fail t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} + @10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t} grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } # any other key should be fine t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} + @10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t} grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } copy_setports ns2/named2.conf.in ns2/named.conf 
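Review bot: The two rewritten `-y "${DEFAULT_HMAC}:…"` arguments make every dig call in this file depend on DEFAULT_HMAC being present in the environment, and nothing in this hunk or the later ones in the file checks that; if it is unset or empty, dig is handed `:one:1234abcd8765` (an empty algorithm name) and the failure surfaces only as `test N failed`, with no hint that the harness variable was missing. A one-line guard near the top of tests.sh, `: "${DEFAULT_HMAC:?DEFAULT_HMAC is not set}"`, would fail fast with a clear message; the same applies to allow-query/tests.sh, notify/tests.sh, nsupdate/tests.sh and xfer/tests.sh in this patch. If the system-test harness already exports it, a short comment at the first use, `# DEFAULT_HMAC is exported by the test harness`, would spare the reader the lookup.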
@@ -40,18 +40,18 @@ sleep 5 # prefix 10/8 should fail t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} + @10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t} grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } # any other address should work, as long as it sends key "one" t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t} + @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t} grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} + @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t} grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } echo_i "testing nested ACL processing" 
@@ -63,31 +63,31 @@ sleep 5 # should succeed t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} + @10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t} grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } # should succeed t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} + @10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t} grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } # should succeed t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} + @10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t} grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } # should succeed t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} + @10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t} grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } # but only one or the other should fail t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} + @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t} grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } t=`expr $t + 1` 
@@ -109,31 +109,31 @@ sleep 5 # should succeed t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} + @10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t} grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } # should succeed t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} + @10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t} grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } # should fail t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} + @10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t} grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } # should fail t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} + @10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t} grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } # should fail t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t} + @10.53.0.2 -b 10.53.0.3 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t} grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } echo_i "testing allow-query-on ACL processing" diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in index b91d19a940..ae485e82ad 100644 --- a/bin/tests/system/allow-query/ns2/named10.conf.in +++ b/bin/tests/system/allow-query/ns2/named10.conf.in @@ -12,7 +12,7 @@ */ key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; 
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in index 308c4ca19e..8a5e806745 100644 --- a/bin/tests/system/allow-query/ns2/named11.conf.in +++ b/bin/tests/system/allow-query/ns2/named11.conf.in @@ -12,12 +12,12 @@ */ key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234efgh8765"; }; diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in index 6b0fe552a4..a10c6d0f98 100644 --- a/bin/tests/system/allow-query/ns2/named12.conf.in +++ b/bin/tests/system/allow-query/ns2/named12.conf.in @@ -12,7 +12,7 @@ */ key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in index aefc4740aa..52981a7a0b 100644 --- a/bin/tests/system/allow-query/ns2/named30.conf.in +++ b/bin/tests/system/allow-query/ns2/named30.conf.in @@ -12,7 +12,7 @@ */ key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in index 27eccc2956..f6278703d7 100644 --- a/bin/tests/system/allow-query/ns2/named31.conf.in +++ b/bin/tests/system/allow-query/ns2/named31.conf.in @@ -12,12 +12,12 @@ */ key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234efgh8765"; }; diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in index adbb203de0..6fd516bced 100644 --- a/bin/tests/system/allow-query/ns2/named32.conf.in +++ b/bin/tests/system/allow-query/ns2/named32.conf.in 
@@ -12,7 +12,7 @@ */ key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in index 364f94b2fc..de37915e67 100644 --- a/bin/tests/system/allow-query/ns2/named40.conf.in +++ b/bin/tests/system/allow-query/ns2/named40.conf.in @@ -16,12 +16,12 @@ acl accept { 10.53.0.2; }; acl badaccept { 10.53.0.1; }; key one { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234efgh8765"; }; diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh index bbffe07cc1..97a0859637 100644 --- a/bin/tests/system/allow-query/tests.sh +++ b/bin/tests/system/allow-query/tests.sh @@ -200,7 +200,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -213,7 +213,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:two:1234efgh8765" a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 
@@ -227,7 +227,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 @@ -366,7 +366,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -379,7 +379,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:two:1234efgh8765" a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 
@@ -393,7 +393,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 @@ -533,7 +533,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "test $n: zone key allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.keyallow.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -543,7 +543,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "test $n: zone key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:two:1234efgh8765" a.keyallow.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 
@@ -554,7 +554,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "test $n: zone key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.keydisallow.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 diff --git a/bin/tests/system/ans.pl b/bin/tests/system/ans.pl index 899a32596e..b74333b255 100644 --- a/bin/tests/system/ans.pl +++ b/bin/tests/system/ans.pl @@ -95,6 +95,8 @@ my $mainport = int($ENV{'PORT'}); if (!$mainport) { $mainport = 5300; } my $ctrlport = int($ENV{'EXTRAPORT1'}); if (!$ctrlport) { $ctrlport = 5301; } +my $hmac_algorithm = $ENV{'DEFAULT_HMAC'}; +if (!defined($hmac_algorithm)) { $hmac_algorithm = "hmac-sha256"; } # XXX: we should also be able to set the port numbers to listen on. my $ctlsock = IO::Socket::INET->new(LocalAddr => "$server_addr", @@ -174,6 +176,7 @@ sub handleUDP { } else { $tsig = Net::DNS::RR->new( name => $key_name, + algorithm => $hmac_algorithm, type => 'TSIG', key => $key_data); } @@ -390,6 +393,7 @@ sub handleTCP { if ($Net::DNS::VERSION < 0.69) { $tsig = Net::DNS::RR->new( "$key_name TSIG $key_data"); + $tsig->algorithm = $hmac_algorithm; } elsif ($Net::DNS::VERSION >= 0.81 && $continuation) { } elsif ($Net::DNS::VERSION >= 0.75 && @@ -398,6 +402,7 @@ sub handleTCP { } else { $tsig = Net::DNS::RR->new( name => $key_name, + algorithm => $hmac_algorithm, type => 'TSIG', key => $key_data); } diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in index 142128131c..e5d688cf51 100644 --- a/bin/tests/system/catz/ns1/named.conf.in +++ b/bin/tests/system/catz/ns1/named.conf.in 
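Review bot: The added fallback `if (!defined($hmac_algorithm)) { $hmac_algorithm = "hmac-sha256"; }` only fires when DEFAULT_HMAC is absent from the environment; a DEFAULT_HMAC that is exported but empty passes the `defined` test and leaves `$hmac_algorithm` as the empty string, which the later hunks then pass into the TSIG constructors. The two port lines just above use `if (!$mainport)` and `if (!$ctrlport)`, which cover both the unset and the empty case; `if (!$hmac_algorithm) { $hmac_algorithm = "hmac-sha256"; }` would match them and close the gap.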
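Review bot: The added line `$tsig->algorithm = $hmac_algorithm;` in the `$Net::DNS::VERSION < 0.69` branch of handleTCP is not a setter: assigning to the result of a method call requires an lvalue subroutine, and as far as I can tell Net::DNS::RR::TSIG's `algorithm` is an ordinary get/set accessor, so this statement dies at run time with "Can't modify non-lvalue subroutine call" and the algorithm is never changed. The other three hunks in this file pass `algorithm => $hmac_algorithm` to the constructor, which is fine; this branch should use the accessor form, `$tsig->algorithm($hmac_algorithm);`. handleTCP starts and ends outside the hunk.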
@@ -122,5 +122,5 @@ view "ch" ch { key tsig_key. { secret "LSAnCU+Z"; - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; }; diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in index a587b383af..ba21963625 100644 --- a/bin/tests/system/catz/ns2/named1.conf.in +++ b/bin/tests/system/catz/ns2/named1.conf.in @@ -165,5 +165,5 @@ view "ch" ch { key tsig_key. { secret "LSAnCU+Z"; - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; }; diff --git a/bin/tests/system/catz/ns2/named2.conf.in b/bin/tests/system/catz/ns2/named2.conf.in index 62b76a600e..cd5f2b97c7 100644 --- a/bin/tests/system/catz/ns2/named2.conf.in +++ b/bin/tests/system/catz/ns2/named2.conf.in @@ -122,5 +122,5 @@ view "ch" ch { key tsig_key. { secret "LSAnCU+Z"; - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; }; diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf.in similarity index 94% rename from bin/tests/system/checkconf/bad-tsig.conf rename to bin/tests/system/checkconf/bad-tsig.conf.in index 4af25b0f1c..3e3023c5df 100644 --- a/bin/tests/system/checkconf/bad-tsig.conf +++ b/bin/tests/system/checkconf/bad-tsig.conf.in @@ -13,7 +13,6 @@ /* Bad secret */ key "badtsig" { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "jEdD+BPKg=="; }; - diff --git a/bin/tests/system/checkconf/clean.sh b/bin/tests/system/checkconf/clean.sh index 0d6001da76..3b424be321 100644 --- a/bin/tests/system/checkconf/clean.sh +++ b/bin/tests/system/checkconf/clean.sh @@ -16,10 +16,11 @@ rm -f bad-kasp-keydir2.conf rm -f bad-kasp-keydir3.conf rm -f bad-kasp-keydir4.conf rm -f bad-kasp-keydir5.conf +rm -f bad-tsig.conf rm -f checkconf.out* rm -f diff.out* rm -f good-kasp.conf.in rm -f good-server-christmas-tree.conf -rm -f good.conf.in good.conf.out badzero.conf *.out +rm -f good.conf good.conf.raw good.conf.out badzero.conf *.out rm -f ns*/named.lock rm -rf test.keydir 
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf.in similarity index 99% rename from bin/tests/system/checkconf/good.conf rename to bin/tests/system/checkconf/good.conf.in index 100ec3a827..1c136c703e 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf.in @@ -267,6 +267,6 @@ dyndb "name" "library.so" { system; }; key "mykey" { - algorithm "hmac-md5"; + algorithm "@DEFAULT_HMAC@"; secret "qwertyuiopasdfgh"; }; diff --git a/bin/tests/system/checkconf/setup.sh b/bin/tests/system/checkconf/setup.sh index 7d83eb5463..77707226c9 100644 --- a/bin/tests/system/checkconf/setup.sh +++ b/bin/tests/system/checkconf/setup.sh @@ -17,4 +17,6 @@ copy_setports bad-kasp-keydir2.conf.in bad-kasp-keydir2.conf copy_setports bad-kasp-keydir3.conf.in bad-kasp-keydir3.conf copy_setports bad-kasp-keydir4.conf.in bad-kasp-keydir4.conf copy_setports bad-kasp-keydir5.conf.in bad-kasp-keydir5.conf +copy_setports bad-tsig.conf.in bad-tsig.conf +copy_setports good.conf.in good.conf cp -f good-server-christmas-tree.conf.in good-server-christmas-tree.conf diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index e1131dab51..5d6108ecd2 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh 
@@ -26,11 +26,11 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "checking that named-checkconf prints a known good config ($n)" ret=0 -awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in -[ -s good.conf.in ] || ret=1 -$CHECKCONF -p good.conf.in > checkconf.out$n || ret=1 -grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1 -cmp good.conf.in good.conf.out || ret=1 +awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.raw +[ -s good.conf.raw ] || ret=1 +$CHECKCONF -p good.conf.raw > checkconf.out$n || ret=1 +grep -v '^good.conf.raw:' < checkconf.out$n > good.conf.out 2>&1 || ret=1 +cmp good.conf.raw good.conf.out || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` @@ -38,10 +38,10 @@ n=`expr $n + 1` echo_i "checking that named-checkconf -x removes secrets ($n)" ret=0 # ensure there is a secret and that it is not the check string. -grep 'secret "' good.conf.in > /dev/null || ret=1 -grep 'secret "????????????????"' good.conf.in > /dev/null 2>&1 && ret=1 -$CHECKCONF -p -x good.conf.in > checkconf.out$n || ret=1 -grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1 +grep 'secret "' good.conf.raw > /dev/null || ret=1 +grep 'secret "????????????????"' good.conf.raw > /dev/null 2>&1 && ret=1 +$CHECKCONF -p -x good.conf.raw > checkconf.out$n || ret=1 +grep -v '^good.conf.raw:' < checkconf.out$n > good.conf.out 2>&1 || ret=1 grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in index 5cab276526..4660fa2169 100644 --- a/bin/tests/system/notify/ns5/named.conf.in +++ b/bin/tests/system/notify/ns5/named.conf.in 
@@ -12,17 +12,17 @@ */ key "a" { - algorithm "hmac-md5"; + algorithm @DEFAULT_HMAC@; secret "aaaaaaaaaaaaaaaaaaaa"; }; key "b" { - algorithm "hmac-md5"; + algorithm @DEFAULT_HMAC@; secret "bbbbbbbbbbbbbbbbbbbb"; }; key "c" { - algorithm "hmac-md5"; + algorithm @DEFAULT_HMAC@; secret "cccccccccccccccccccc"; }; diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh index 04fd34b47f..5f4ad1c681 100644 --- a/bin/tests/system/notify/tests.sh +++ b/bin/tests/system/notify/tests.sh @@ -179,7 +179,7 @@ test_start "checking notify to multiple views using tsig" $NSUPDATE << EOF server 10.53.0.5 ${PORT} zone x21 -key a aaaaaaaaaaaaaaaaaaaa +key $DEFAULT_HMAC:a aaaaaaaaaaaaaaaaaaaa update add added.x21 0 in txt "test string" send EOF @@ -187,9 +187,9 @@ fnb="dig.out.b.ns5.test$n" fnc="dig.out.c.ns5.test$n" for i in 1 2 3 4 5 6 7 8 9 do - dig_plus_opts added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ + dig_plus_opts added.x21. -y "${DEFAULT_HMAC}:b:bbbbbbbbbbbbbbbbbbbb" @10.53.0.5 \ txt > "$fnb" || ret=1 - dig_plus_opts added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \ + dig_plus_opts added.x21. -y "${DEFAULT_HMAC}:c:cccccccccccccccccccc" @10.53.0.5 \ txt > "$fnc" || ret=1 grep "test string" "$fnb" > /dev/null && grep "test string" "$fnc" > /dev/null && diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in index 2b67360c76..36e7b5910a 100644 --- a/bin/tests/system/nsupdate/ns1/named.conf.in +++ b/bin/tests/system/nsupdate/ns1/named.conf.in @@ -39,17 +39,17 @@ controls { }; key altkey { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key restricted.example.nil { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key zonesub-key.example.nil { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234subk8765"; }; diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in index c85eef52c9..356382a583 100644 
--- a/bin/tests/system/nsupdate/ns2/named.conf.in +++ b/bin/tests/system/nsupdate/ns2/named.conf.in @@ -34,7 +34,7 @@ controls { }; key altkey { - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh index a7a37c55d1..95bb5befd1 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh @@ -690,7 +690,7 @@ echo_i "check that 'update-policy subdomain' is properly enforced ($n)" # and thus this UPDATE should succeed. $NSUPDATE -d < nsupdate.out1-$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} -key restricted.example.nil 1234abcd8765 +key $DEFAULT_HMAC:restricted.example.nil 1234abcd8765 update add restricted.example.nil 0 IN TXT everywhere. send END @@ -700,7 +700,7 @@ grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1 # thus this UPDATE should fail. $NSUPDATE -d < nsupdate.out2-$n 2>&1 && ret=1 server 10.53.0.1 ${PORT} -key restricted.example.nil 1234abcd8765 +key $DEFAULT_HMAC:restricted.example.nil 1234abcd8765 update add example.nil 0 IN TXT everywhere. send END @@ -715,7 +715,7 @@ echo_i "check that 'update-policy zonesub' is properly enforced ($n)" # the A record update should be rejected as it is not in the type list $NSUPDATE -d < nsupdate.out1-$n 2>&1 && ret=1 server 10.53.0.1 ${PORT} -key zonesub-key.example.nil 1234subk8765 +key $DEFAULT_HMAC:zonesub-key.example.nil 1234subk8765 update add zonesub.example.nil 0 IN A 1.2.3.4 send END @@ -725,7 +725,7 @@ grep "ANSWER: 0," dig.out.1.test$n > /dev/null || ret=1 # the TXT record update should be accepted as it is in the type list $NSUPDATE -d < nsupdate.out2-$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} -key zonesub-key.example.nil 1234subk8765 +key $DEFAULT_HMAC:zonesub-key.example.nil 1234subk8765 update add zonesub.example.nil 0 IN TXT everywhere. send END 
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in index c2b57ddb12..83ba6040c4 100644 --- a/bin/tests/system/upforwd/ns1/named.conf.in +++ b/bin/tests/system/upforwd/ns1/named.conf.in @@ -12,7 +12,7 @@ */ key "update.example." { - algorithm "hmac-md5"; + algorithm @DEFAULT_HMAC@; secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; }; diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh index a6de3124de..6d53af1c61 100644 --- a/bin/tests/system/upforwd/tests.sh +++ b/bin/tests/system/upforwd/tests.sh @@ -80,7 +80,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi echo_i "updating zone (signed) ($n)" ret=0 -$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - < dig.out.ns2.test$n || tmp=1 +$DIG $DIGOPTS tsigzone. @10.53.0.2 axfr -y "${DEFAULT_HMAC}:tsigzone.:1234abcd8765" > dig.out.ns2.test$n || tmp=1 grep "^;" dig.out.ns2.test$n | cat_i # # Spin to allow the zone to transfer. # wait_for_xfer_tsig () { - $DIG $DIGOPTS tsigzone. @10.53.0.3 axfr -y tsigzone.:1234abcd8765 > dig.out.ns3.test$n || return 1 + $DIG $DIGOPTS tsigzone. @10.53.0.3 axfr -y "${DEFAULT_HMAC}:tsigzone.:1234abcd8765" > dig.out.ns3.test$n || return 1 grep "^;" dig.out.ns3.test$n > /dev/null && return 1 return 0 } @@ -414,7 +414,7 @@ echo_i "bad message id ($n)" sendcmd < ans5/badmessageid # Uncomment to see AXFR stream with mismatching IDs. -# $DIG $DIGOPTS @10.53.0.5 -y tsig_key:LSAnCU+Z nil. AXFR +all +# $DIG $DIGOPTS @10.53.0.5 -y "${DEFAULT_HMAC}:tsig_key:LSAnCU+Z" nil. AXFR +all $RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i 
@@ -465,7 +465,7 @@ test ${expire:-0} -gt 0 -a ${expire:-0} -lt 1814400 || { n=$((n+1)) echo_i "test smaller transfer TCP message size ($n)" $DIG $DIGOPTS example. @10.53.0.8 axfr \ - -y key1.:1234abcd8765 > dig.out.msgsize.test$n || status=1 + -y "${DEFAULT_HMAC}:key1.:1234abcd8765" > dig.out.msgsize.test$n || status=1 bytes=`wc -c < dig.out.msgsize.test$n` if [ $bytes -ne 459357 ]; then