Upgrade uses of hmac-md5 to DEFAULT_HMAC

where the test is not hmac-md5 specific
2025-08-30 14:07:59 +00:00 · 2022-07-05 19:38:31 +10:00
parent c533e8bc5b
commit 9366ed58b4
35 changed files with 93 additions and 86 deletions
--- a/bin/tests/system/acl/ns2/named1.conf.in
+++ b/bin/tests/system/acl/ns2/named1.conf.in
@@ -35,12 +35,12 @@ options {
 };

 key one {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

 key two {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

--- a/bin/tests/system/acl/ns2/named2.conf.in
+++ b/bin/tests/system/acl/ns2/named2.conf.in
@@ -35,12 +35,12 @@ options {
 };

 key one {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

 key two {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

--- a/bin/tests/system/acl/ns2/named3.conf.in
+++ b/bin/tests/system/acl/ns2/named3.conf.in
@@ -35,17 +35,17 @@ options {
 };

 key one {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

 key two {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

 key three {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

--- a/bin/tests/system/acl/ns2/named4.conf.in
+++ b/bin/tests/system/acl/ns2/named4.conf.in
@@ -35,12 +35,12 @@ options {
 };

 key one {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

 key two {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

--- a/bin/tests/system/acl/ns2/named5.conf.in
+++ b/bin/tests/system/acl/ns2/named5.conf.in
@@ -37,12 +37,12 @@ options {
 };

 key one {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

 key two {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

--- a/bin/tests/system/acl/tests.sh
+++ b/bin/tests/system/acl/tests.sh
@@ -23,14 +23,14 @@ echo_i "testing basic ACL processing"
 # key "one" should fail
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+	@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }


 # any other key should be fine
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+	@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }

 copy_setports ns2/named2.conf.in ns2/named.conf
@@ -40,18 +40,18 @@ sleep 5
 # prefix 10/8 should fail
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+	@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }

 # any other address should work, as long as it sends key "one"
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-	@10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+	@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }

 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-	@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+	@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }

 echo_i "testing nested ACL processing"
@@ -63,31 +63,31 @@ sleep 5
 # should succeed
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-	@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
+	@10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }

 # should succeed
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-	@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
+	@10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }

 # should succeed
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+	@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }

 # should succeed
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+	@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }

 # but only one or the other should fail
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-	@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+	@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }

 t=`expr $t + 1`
@@ -109,31 +109,31 @@ sleep 5
 # should succeed
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-	@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
+	@10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }

 # should succeed
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+	@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }

 # should fail
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-	@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
+	@10.53.0.2 -b 10.53.0.2 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }

 # should fail
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+	@10.53.0.2 -b 10.53.0.1 axfr -y "${DEFAULT_HMAC}:two:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }

 # should fail
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-	@10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t}
+	@10.53.0.2 -b 10.53.0.3 axfr -y "${DEFAULT_HMAC}:one:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }

 echo_i "testing allow-query-on ACL processing"
--- a/bin/tests/system/allow-query/ns2/named10.conf.in
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in
@@ -12,7 +12,7 @@
 */

 key one {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

--- a/bin/tests/system/allow-query/ns2/named11.conf.in
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in
@@ -12,12 +12,12 @@
 */

 key one {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

 key two {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234efgh8765";
 };

--- a/bin/tests/system/allow-query/ns2/named12.conf.in
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in
@@ -12,7 +12,7 @@
 */

 key one {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

--- a/bin/tests/system/allow-query/ns2/named30.conf.in
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in
@@ -12,7 +12,7 @@
 */

 key one {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

--- a/bin/tests/system/allow-query/ns2/named31.conf.in
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in
@@ -12,12 +12,12 @@
 */

 key one {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

 key two {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234efgh8765";
 };

--- a/bin/tests/system/allow-query/ns2/named32.conf.in
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in
@@ -12,7 +12,7 @@
 */

 key one {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

--- a/bin/tests/system/allow-query/ns2/named40.conf.in
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in
@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; };
 acl badaccept { 10.53.0.1; };

 key one {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

 key two {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234efgh8765";
 };

--- a/bin/tests/system/allow-query/tests.sh
+++ b/bin/tests/system/allow-query/tests.sh
@@ -200,7 +200,7 @@ rndc_reload ns2 10.53.0.2

 echo_i "test $n: key allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -213,7 +213,7 @@ rndc_reload ns2 10.53.0.2

 echo_i "test $n: key not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:two:1234efgh8765" a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
@@ -227,7 +227,7 @@ rndc_reload ns2 10.53.0.2

 echo_i "test $n: key disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
@@ -366,7 +366,7 @@ rndc_reload ns2 10.53.0.2

 echo_i "test $n: views key allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -379,7 +379,7 @@ rndc_reload ns2 10.53.0.2

 echo_i "test $n: views key not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:two:1234efgh8765" a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
@@ -393,7 +393,7 @@ rndc_reload ns2 10.53.0.2

 echo_i "test $n: views key disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
@@ -533,7 +533,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo_i "test $n: zone key allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.keyallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -543,7 +543,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo_i "test $n: zone key not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:two:1234efgh8765" a.keyallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
@@ -554,7 +554,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo_i "test $n: zone key disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y "${DEFAULT_HMAC}:one:1234abcd8765" a.keydisallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
--- a/bin/tests/system/ans.pl
+++ b/bin/tests/system/ans.pl
@@ -95,6 +95,8 @@ my $mainport = int($ENV{'PORT'});
 if (!$mainport) { $mainport = 5300; }
 my $ctrlport = int($ENV{'EXTRAPORT1'});
 if (!$ctrlport) { $ctrlport = 5301; }
+my $hmac_algorithm = $ENV{'DEFAULT_HMAC'};
+if (!defined($hmac_algorithm)) { $hmac_algorithm = "hmac-sha256"; }

 # XXX: we should also be able to set the port numbers to listen on.
 my $ctlsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
@@ -174,6 +176,7 @@ sub handleUDP {
 				} else {
 					$tsig = Net::DNS::RR->new(
 							name => $key_name,
+							algorithm => $hmac_algorithm,
 							type => 'TSIG',
 							key  => $key_data);
 				}
@@ -390,6 +393,7 @@ sub handleTCP {
 				if ($Net::DNS::VERSION < 0.69) {
 					$tsig = Net::DNS::RR->new(
 						   "$key_name TSIG $key_data");
+					$tsig->algorithm = $hmac_algorithm;
 				} elsif ($Net::DNS::VERSION >= 0.81 &&
 					 $continuation) {
 				} elsif ($Net::DNS::VERSION >= 0.75 &&
@@ -398,6 +402,7 @@ sub handleTCP {
 				} else {
 					$tsig = Net::DNS::RR->new(
 							name => $key_name,
+							algorithm => $hmac_algorithm,
 							type => 'TSIG',
 							key  => $key_data);
 				}
--- a/bin/tests/system/catz/ns1/named.conf.in
+++ b/bin/tests/system/catz/ns1/named.conf.in
@@ -122,5 +122,5 @@ view "ch" ch {

 key tsig_key. {
 	secret "LSAnCU+Z";
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 };
--- a/bin/tests/system/catz/ns2/named1.conf.in
+++ b/bin/tests/system/catz/ns2/named1.conf.in
@@ -165,5 +165,5 @@ view "ch" ch {

 key tsig_key. {
 	secret "LSAnCU+Z";
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 };
--- a/bin/tests/system/catz/ns2/named2.conf.in
+++ b/bin/tests/system/catz/ns2/named2.conf.in
@@ -122,5 +122,5 @@ view "ch" ch {

 key tsig_key. {
 	secret "LSAnCU+Z";
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 };
--- a/bin/tests/system/checkconf/bad-tsig.conf.in
+++ b/bin/tests/system/checkconf/bad-tsig.conf.in
@@ -13,7 +13,6 @@

 /* Bad secret */
 key "badtsig" {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "jEdD+BPKg==";
 };
-
--- a/bin/tests/system/checkconf/clean.sh
+++ b/bin/tests/system/checkconf/clean.sh
@@ -16,10 +16,11 @@ rm -f bad-kasp-keydir2.conf
 rm -f bad-kasp-keydir3.conf
 rm -f bad-kasp-keydir4.conf
 rm -f bad-kasp-keydir5.conf
+rm -f bad-tsig.conf
 rm -f checkconf.out*
 rm -f diff.out*
 rm -f good-kasp.conf.in
 rm -f good-server-christmas-tree.conf
-rm -f good.conf.in good.conf.out badzero.conf *.out
+rm -f good.conf good.conf.raw good.conf.out badzero.conf *.out
 rm -f ns*/named.lock
 rm -rf test.keydir
--- a/bin/tests/system/checkconf/good.conf.in
+++ b/bin/tests/system/checkconf/good.conf.in
@@ -267,6 +267,6 @@ dyndb "name" "library.so" {
 	system;
 };
 key "mykey" {
-	algorithm "hmac-md5";
+	algorithm "@DEFAULT_HMAC@";
 	secret "qwertyuiopasdfgh";
 };
--- a/bin/tests/system/checkconf/setup.sh
+++ b/bin/tests/system/checkconf/setup.sh
@@ -17,4 +17,6 @@ copy_setports bad-kasp-keydir2.conf.in bad-kasp-keydir2.conf
 copy_setports bad-kasp-keydir3.conf.in bad-kasp-keydir3.conf
 copy_setports bad-kasp-keydir4.conf.in bad-kasp-keydir4.conf
 copy_setports bad-kasp-keydir5.conf.in bad-kasp-keydir5.conf
+copy_setports bad-tsig.conf.in bad-tsig.conf
+copy_setports good.conf.in good.conf
 cp -f good-server-christmas-tree.conf.in good-server-christmas-tree.conf
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -26,11 +26,11 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo_i "checking that named-checkconf prints a known good config ($n)"
 ret=0
-awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in
-[ -s good.conf.in ] || ret=1
-$CHECKCONF -p good.conf.in  > checkconf.out$n || ret=1
-grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
-cmp good.conf.in good.conf.out || ret=1
+awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.raw
+[ -s good.conf.raw ] || ret=1
+$CHECKCONF -p good.conf.raw  > checkconf.out$n || ret=1
+grep -v '^good.conf.raw:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
+cmp good.conf.raw good.conf.out || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

@@ -38,10 +38,10 @@ n=`expr $n + 1`
 echo_i "checking that named-checkconf -x removes secrets ($n)"
 ret=0
 # ensure there is a secret and that it is not the check string.
-grep 'secret "' good.conf.in > /dev/null || ret=1
-grep 'secret "????????????????"' good.conf.in > /dev/null 2>&1 && ret=1
-$CHECKCONF -p -x good.conf.in > checkconf.out$n || ret=1
-grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
+grep 'secret "' good.conf.raw > /dev/null || ret=1
+grep 'secret "????????????????"' good.conf.raw > /dev/null 2>&1 && ret=1
+$CHECKCONF -p -x good.conf.raw > checkconf.out$n || ret=1
+grep -v '^good.conf.raw:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
 grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
--- a/bin/tests/system/notify/ns5/named.conf.in
+++ b/bin/tests/system/notify/ns5/named.conf.in
@@ -12,17 +12,17 @@
 */

 key "a" {
-	algorithm "hmac-md5";
+	algorithm @DEFAULT_HMAC@;
 	secret "aaaaaaaaaaaaaaaaaaaa";
 };

 key "b" {
-	algorithm "hmac-md5";
+	algorithm @DEFAULT_HMAC@;
 	secret "bbbbbbbbbbbbbbbbbbbb";
 };

 key "c" {
-	algorithm "hmac-md5";
+	algorithm @DEFAULT_HMAC@;
 	secret "cccccccccccccccccccc";
 };

--- a/bin/tests/system/notify/tests.sh
+++ b/bin/tests/system/notify/tests.sh
@@ -179,7 +179,7 @@ test_start "checking notify to multiple views using tsig"
 $NSUPDATE << EOF
 server 10.53.0.5 ${PORT}
 zone x21
-key a aaaaaaaaaaaaaaaaaaaa
+key $DEFAULT_HMAC:a aaaaaaaaaaaaaaaaaaaa
 update add added.x21 0 in txt "test string"
 send
 EOF
@@ -187,9 +187,9 @@ fnb="dig.out.b.ns5.test$n"
 fnc="dig.out.c.ns5.test$n"
 for i in 1 2 3 4 5 6 7 8 9
 do
-	dig_plus_opts added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
+	dig_plus_opts added.x21. -y "${DEFAULT_HMAC}:b:bbbbbbbbbbbbbbbbbbbb" @10.53.0.5 \
 		txt > "$fnb" || ret=1
-	dig_plus_opts added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
+	dig_plus_opts added.x21. -y "${DEFAULT_HMAC}:c:cccccccccccccccccccc" @10.53.0.5 \
 		txt > "$fnc" || ret=1
 	grep "test string" "$fnb" > /dev/null &&
 	grep "test string" "$fnc" > /dev/null &&
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
@@ -39,17 +39,17 @@ controls {
 };

 key altkey {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

 key restricted.example.nil {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

 key zonesub-key.example.nil {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234subk8765";
 };

--- a/bin/tests/system/nsupdate/ns2/named.conf.in
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
@@ -34,7 +34,7 @@ controls {
 };

 key altkey {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -690,7 +690,7 @@ echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
 # and thus this UPDATE should succeed.
 $NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1
 server 10.53.0.1 ${PORT}
-key restricted.example.nil 1234abcd8765
+key $DEFAULT_HMAC:restricted.example.nil 1234abcd8765
 update add restricted.example.nil 0 IN TXT everywhere.
 send
 END
@@ -700,7 +700,7 @@ grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1
 # thus this UPDATE should fail.
 $NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1
 server 10.53.0.1 ${PORT}
-key restricted.example.nil 1234abcd8765
+key $DEFAULT_HMAC:restricted.example.nil 1234abcd8765
 update add example.nil 0 IN TXT everywhere.
 send
 END
@@ -715,7 +715,7 @@ echo_i "check that 'update-policy zonesub' is properly enforced ($n)"
 # the A record update should be rejected as it is not in the type list
 $NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 && ret=1
 server 10.53.0.1 ${PORT}
-key zonesub-key.example.nil 1234subk8765
+key $DEFAULT_HMAC:zonesub-key.example.nil 1234subk8765
 update add zonesub.example.nil 0 IN A 1.2.3.4
 send
 END
@@ -725,7 +725,7 @@ grep "ANSWER: 0," dig.out.1.test$n > /dev/null || ret=1
 # the TXT record update should be accepted as it is in the type list
 $NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 || ret=1
 server 10.53.0.1 ${PORT}
-key zonesub-key.example.nil 1234subk8765
+key $DEFAULT_HMAC:zonesub-key.example.nil 1234subk8765
 update add zonesub.example.nil 0 IN TXT everywhere.
 send
 END
--- a/bin/tests/system/upforwd/ns1/named.conf.in
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
@@ -12,7 +12,7 @@
 */

 key "update.example." {
-	algorithm "hmac-md5";
+	algorithm @DEFAULT_HMAC@;
 	secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
 };

--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
@@ -80,7 +80,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi

 echo_i "updating zone (signed) ($n)"
 ret=0
-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
+$NSUPDATE -y "${DEFAULT_HMAC}:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K" -- - <<EOF || ret=1
 server 10.53.0.3 ${PORT}
 update add updated.example. 600 A 10.10.10.1
 update add updated.example. 600 TXT Foo
--- a/bin/tests/system/xfer/ns2/named.conf.in
+++ b/bin/tests/system/xfer/ns2/named.conf.in
@@ -35,7 +35,7 @@ controls {
 };

 key tsigzone. {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

--- a/bin/tests/system/xfer/ns3/named.conf.in
+++ b/bin/tests/system/xfer/ns3/named.conf.in
@@ -33,7 +33,7 @@ controls {
 };

 key tsigzone. {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

--- a/bin/tests/system/xfer/ns4/named.conf.base
+++ b/bin/tests/system/xfer/ns4/named.conf.base
@@ -31,12 +31,12 @@ key rndc_key {

 key unused_key. {
 	secret "1234abcd8765";
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 };

 key tsig_key. {
 	secret "LSAnCU+Z";
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 };

 controls {
--- a/bin/tests/system/xfer/ns8/named.conf.in
+++ b/bin/tests/system/xfer/ns8/named.conf.in
@@ -31,7 +31,7 @@ options {
 };

 key key1. {
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 	secret "1234abcd8765";
 };

--- a/bin/tests/system/xfer/tests.sh
+++ b/bin/tests/system/xfer/tests.sh
@@ -48,14 +48,14 @@ status=$((status+tmp))
 n=$((n+1))
 echo_i "testing TSIG signed zone transfers ($n)"
 tmp=0
-$DIG $DIGOPTS tsigzone. @10.53.0.2 axfr -y tsigzone.:1234abcd8765 > dig.out.ns2.test$n || tmp=1
+$DIG $DIGOPTS tsigzone. @10.53.0.2 axfr -y "${DEFAULT_HMAC}:tsigzone.:1234abcd8765" > dig.out.ns2.test$n || tmp=1
 grep "^;" dig.out.ns2.test$n | cat_i

 #
 # Spin to allow the zone to transfer.
 #
 wait_for_xfer_tsig () {
-	$DIG $DIGOPTS tsigzone. @10.53.0.3 axfr -y tsigzone.:1234abcd8765 > dig.out.ns3.test$n || return 1
+	$DIG $DIGOPTS tsigzone. @10.53.0.3 axfr -y "${DEFAULT_HMAC}:tsigzone.:1234abcd8765" > dig.out.ns3.test$n || return 1
 	grep "^;" dig.out.ns3.test$n > /dev/null && return 1
 	return 0
 }
@@ -414,7 +414,7 @@ echo_i "bad message id ($n)"
 sendcmd < ans5/badmessageid

 # Uncomment to see AXFR stream with mismatching IDs.
-# $DIG $DIGOPTS @10.53.0.5 -y tsig_key:LSAnCU+Z nil. AXFR +all
+# $DIG $DIGOPTS @10.53.0.5 -y "${DEFAULT_HMAC}:tsig_key:LSAnCU+Z" nil. AXFR +all

 $RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i

@@ -465,7 +465,7 @@ test ${expire:-0} -gt 0 -a ${expire:-0} -lt 1814400 || {
 n=$((n+1))
 echo_i "test smaller transfer TCP message size ($n)"
 $DIG $DIGOPTS example. @10.53.0.8 axfr \
-	-y key1.:1234abcd8765 > dig.out.msgsize.test$n || status=1
+	-y "${DEFAULT_HMAC}:key1.:1234abcd8765" > dig.out.msgsize.test$n || status=1

 bytes=`wc -c < dig.out.msgsize.test$n`
 if [ $bytes -ne 459357 ]; then