Emit deprecated warning for K* file pairs

We try reading the same file using different methods so only
emit a warning if we successfully read the file.

bin/tests/system/nsupdate/clean.sh

@@ -70,6 +70,7 @@ rm -f ns9/denyname.example.db
 rm -f ns9/example.com.db
 rm -f ns9/in-addr.db
 rm -f perl.update_test.out
+rm -f nsupdate.alg-*
 rm -f nsupdate.out*
 rm -f typelist.out.*
 rm -f update.out.*

bin/tests/system/nsupdate/tests.sh

@@ -1022,7 +1022,7 @@ else
 	echo_i "skipping disabled md5 (157) algorithm"
 fi
 for alg in $ALGS; do
-    $NSUPDATE -k ns1/legacy/Klegacy-${alg}.+${alg}+*.key <<END > /dev/null || ret=1
+    $NSUPDATE -k ns1/legacy/Klegacy-${alg}.+${alg}+*.key <<END > nsupdate.alg-$alg.out 2>&1 || ret=1
 server 10.53.0.1 ${PORT}
 update add ${alg}.keytests.nil. 600 A 10.10.10.3
 send
@@ -1031,6 +1031,7 @@ done
 sleep 2
 for alg in $ALGS; do
     $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
+    grep "Use of K\* file pairs for HMAC is deprecated" nsupdate.alg-$alg.out > /dev/null || ret=1
 done
 if [ $ret -ne 0 ]; then
     echo_i "failed"

bin/tests/system/tsig/tests.sh

@@ -261,8 +261,9 @@ if $FEATURETEST --md5
 then
 	echo_i "fetching using hmac-md5 (legacy)"
 	ret=0
-	$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-md5-legacy.+*.key @10.53.0.1 soa > dig.out.md5.legacy || ret=1
+	$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-md5-legacy.+*.key @10.53.0.1 soa > dig.out.md5.legacy 2>&1 || ret=1
 	grep -i "md5.*TSIG.*NOERROR" dig.out.md5.legacy > /dev/null || ret=1
+	grep "Use of K\* file pairs for HMAC is deprecated" dig.out.md5.legacy > /dev/null || ret=1
 	if [ $ret -eq 1 ] ; then
 		echo_i "failed"; status=1
 	fi
@@ -272,39 +273,44 @@ fi
 
 echo_i "fetching using hmac-sha1 (legacy)"
 ret=0
-$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha1-legacy.+*.key @10.53.0.1 soa > dig.out.sha1.legacy || ret=1
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha1-legacy.+*.key @10.53.0.1 soa > dig.out.sha1.legacy 2>&1 || ret=1
 grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.legacy > /dev/null || ret=1
+grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha1.legacy > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
 	echo_i "failed"; status=1
 fi
 
 echo_i "fetching using hmac-sha224 (legacy)"
 ret=0
-$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha224-legacy.+*.key @10.53.0.1 soa > dig.out.sha224 || ret=1
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha224-legacy.+*.key @10.53.0.1 soa > dig.out.sha224 2>&1 || ret=1
 grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 > /dev/null || ret=1
+grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha224 > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
 	echo_i "failed"; status=1
 fi
 
 echo_i "fetching using hmac-sha256 (legacy)"
 ret=0
-$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha256-legacy.*.key @10.53.0.1 soa > dig.out.sha256 || ret=1
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha256-legacy.*.key @10.53.0.1 soa > dig.out.sha256 2>&1 || ret=1
 grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 > /dev/null || ret=1
+grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha256 > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
 	echo_i "failed"; status=1
 fi
 
 echo_i "fetching using hmac-sha384 (legacy)"
 ret=0
-$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha384-legacy.*.key @10.53.0.1 soa > dig.out.sha384 || ret=1
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha384-legacy.*.key @10.53.0.1 soa > dig.out.sha384 2>&1 || ret=1
 grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 > /dev/null || ret=1
+grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha384 > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
 	echo_i "failed"; status=1
 fi
 
 echo_i "fetching using hmac-sha512 (legacy)"
 ret=0
-$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha512-legacy.*.key @10.53.0.1 soa > dig.out.sha512 || ret=1
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha512-legacy.*.key @10.53.0.1 soa > dig.out.sha512 2>&1 || ret=1
+grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha512 > /dev/null || ret=1
 grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
 	echo_i "failed"; status=1

lib/dns/hmac_link.c

@@ -32,6 +32,7 @@
 
 #include <isc/buffer.h>
 #include <isc/hmac.h>
+#include <isc/lex.h>
 #include <isc/md.h>
 #include <isc/mem.h>
 #include <isc/nonce.h>
@@ -99,7 +100,17 @@
 	}                                                                      \
 	static isc_result_t hmac##alg##_parse(                                 \
 		dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {            \
-		return (hmac_parse(ISC_MD_##alg, key, lexer, pub));            \
+		const char *file = isc_lex_getsourcename(lexer);               \
+		isc_result_t result;                                           \
+		result = hmac_parse(ISC_MD_##alg, key, lexer, pub);            \
+		if (result == ISC_R_SUCCESS && file != NULL) {                 \
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,       \
+				      DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING,   \
+				      "%s: Use of K* file pairs for HMAC is "  \
+				      "deprecated\n",                          \
+				      file);                                   \
+		}                                                              \
+		return (result);                                               \
 	}                                                                      \
 	static dst_func_t hmac##alg##_functions = {                            \
 		hmac##alg##_createctx,                                         \