Skip some FIPS changes in tests
HMAC_DEFAULT variable already solves those issues in upstream. Keep just some md5 disablement when MD5 based HMAC is unavailable too.
This commit is contained in:
Petr Menšík
parent
c95a309352
commit
e0c66624be
|
|
@ -1,4 +1,4 @@
|
|||
From 09030b066846a9b7252b5cb4f483d4a55b4639fc Mon Sep 17 00:00:00 2001
|
||||
From 305c3aec507f7f1fb64f92c28d086cd3acf45a5a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Thu, 2 Aug 2018 23:46:45 +0200
|
||||
Subject: [PATCH] FIPS tests changes
|
||||
|
|
@ -58,500 +58,32 @@ Date: Wed Mar 7 10:44:23 2018 +0100
|
|||
|
||||
Use hmac-sha256 instead of default hmac-md5 for allow-query
|
||||
---
|
||||
bin/tests/system/acl/ns2/named1.conf.in | 4 +-
|
||||
bin/tests/system/acl/ns2/named2.conf.in | 4 +-
|
||||
bin/tests/system/acl/ns2/named3.conf.in | 6 +-
|
||||
bin/tests/system/acl/ns2/named4.conf.in | 4 +-
|
||||
bin/tests/system/acl/ns2/named5.conf.in | 4 +-
|
||||
bin/tests/system/acl/tests.sh | 32 ++++-----
|
||||
.../system/allow-query/ns2/named10.conf.in | 2 +-
|
||||
.../system/allow-query/ns2/named11.conf.in | 4 +-
|
||||
.../system/allow-query/ns2/named12.conf.in | 2 +-
|
||||
.../system/allow-query/ns2/named30.conf.in | 2 +-
|
||||
.../system/allow-query/ns2/named31.conf.in | 4 +-
|
||||
.../system/allow-query/ns2/named32.conf.in | 2 +-
|
||||
.../system/allow-query/ns2/named40.conf.in | 4 +-
|
||||
bin/tests/system/allow-query/tests.sh | 18 ++---
|
||||
bin/tests/system/catz/ns1/named.conf.in | 2 +-
|
||||
bin/tests/system/checkconf/bad-tsig.conf | 2 +-
|
||||
bin/tests/system/checkconf/good.conf | 2 +-
|
||||
bin/tests/system/feature-test.c | 14 ++++
|
||||
bin/tests/system/notify/ns5/named.conf.in | 6 +-
|
||||
bin/tests/system/notify/tests.sh | 6 +-
|
||||
bin/tests/system/nsupdate/ns1/named.conf.in | 2 +-
|
||||
bin/tests/system/nsupdate/ns2/named.conf.in | 2 +-
|
||||
bin/tests/system/nsupdate/setup.sh | 6 +-
|
||||
bin/tests/system/nsupdate/tests.sh | 11 ++-
|
||||
bin/tests/system/rndc/setup.sh | 2 +-
|
||||
bin/tests/system/rndc/tests.sh | 22 +++---
|
||||
bin/tests/system/tsig/ns1/named.conf.in | 10 +--
|
||||
bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++
|
||||
bin/tests/system/tsig/setup.sh | 5 ++
|
||||
bin/tests/system/tsig/tests.sh | 67 ++++++++++++-------
|
||||
bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
|
||||
bin/tests/system/upforwd/tests.sh | 2 +-
|
||||
32 files changed, 159 insertions(+), 106 deletions(-)
|
||||
create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||
bin/tests/system/acl/tests.sh | 2 +-
|
||||
bin/tests/system/feature-test.c | 14 ++++++
|
||||
bin/tests/system/nsupdate/setup.sh | 6 ++-
|
||||
bin/tests/system/nsupdate/tests.sh | 11 +++-
|
||||
bin/tests/system/rndc/setup.sh | 2 +-
|
||||
bin/tests/system/rndc/tests.sh | 22 ++++----
|
||||
bin/tests/system/tsig/ns1/named.conf.in | 10 +---
|
||||
bin/tests/system/tsig/setup.sh | 5 ++
|
||||
bin/tests/system/tsig/tests.sh | 67 +++++++++++++++----------
|
||||
9 files changed, 91 insertions(+), 48 deletions(-)
|
||||
|
||||
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
|
||||
index 745048a..93cb411 100644
|
||||
--- a/bin/tests/system/acl/ns2/named1.conf.in
|
||||
+++ b/bin/tests/system/acl/ns2/named1.conf.in
|
||||
@@ -35,12 +35,12 @@ options {
|
||||
};
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key two {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
|
||||
index 21aa991..78e71cc 100644
|
||||
--- a/bin/tests/system/acl/ns2/named2.conf.in
|
||||
+++ b/bin/tests/system/acl/ns2/named2.conf.in
|
||||
@@ -35,12 +35,12 @@ options {
|
||||
};
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key two {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
|
||||
index 3208c92..bed6325 100644
|
||||
--- a/bin/tests/system/acl/ns2/named3.conf.in
|
||||
+++ b/bin/tests/system/acl/ns2/named3.conf.in
|
||||
@@ -35,17 +35,17 @@ options {
|
||||
};
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key two {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key three {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
|
||||
index 14e82ed..a22cafe 100644
|
||||
--- a/bin/tests/system/acl/ns2/named4.conf.in
|
||||
+++ b/bin/tests/system/acl/ns2/named4.conf.in
|
||||
@@ -35,12 +35,12 @@ options {
|
||||
};
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key two {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
|
||||
index f43f33c..f4a865a 100644
|
||||
--- a/bin/tests/system/acl/ns2/named5.conf.in
|
||||
+++ b/bin/tests/system/acl/ns2/named5.conf.in
|
||||
@@ -37,12 +37,12 @@ options {
|
||||
};
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key two {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
|
||||
index ad98fa1..7a7ff4a 100644
|
||||
index df23d6a..0984d85 100644
|
||||
--- a/bin/tests/system/acl/tests.sh
|
||||
+++ b/bin/tests/system/acl/tests.sh
|
||||
@@ -23,14 +23,14 @@ echo_i "testing basic ACL processing"
|
||||
# key "one" should fail
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
|
||||
# any other key should be fine
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
copy_setports ns2/named2.conf.in ns2/named.conf
|
||||
@@ -40,18 +40,18 @@ sleep 5
|
||||
# prefix 10/8 should fail
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# any other address should work, as long as it sends key "one"
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
echo_i "testing nested ACL processing"
|
||||
@@ -63,31 +63,31 @@ sleep 5
|
||||
# should succeed
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# should succeed
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# should succeed
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# should succeed
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# but only one or the other should fail
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
t=`expr $t + 1`
|
||||
@@ -98,7 +98,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
|
||||
# and other values? right out
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
|
||||
@@ -109,31 +109,31 @@ sleep 5
|
||||
# should succeed
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# should succeed
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# should fail
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# should fail
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# should fail
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
echo_i "testing allow-query-on ACL processing"
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
|
||||
index b91d19a..7d777c2 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named10.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in
|
||||
@@ -12,7 +12,7 @@
|
||||
*/
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
|
||||
index 308c4ca..00f6f40 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named11.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in
|
||||
@@ -12,12 +12,12 @@
|
||||
*/
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key two {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234efgh8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
|
||||
index 6b0fe55..491e514 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named12.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in
|
||||
@@ -12,7 +12,7 @@
|
||||
*/
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
|
||||
index aefc474..7c06596 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named30.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in
|
||||
@@ -12,7 +12,7 @@
|
||||
*/
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
|
||||
index 27eccc2..eecb990 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named31.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in
|
||||
@@ -12,12 +12,12 @@
|
||||
*/
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key two {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234efgh8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
|
||||
index adbb203..744d122 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named32.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in
|
||||
@@ -12,7 +12,7 @@
|
||||
*/
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
|
||||
index 364f94b..9518f82 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named40.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in
|
||||
@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; };
|
||||
acl badaccept { 10.53.0.1; };
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key two {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234efgh8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
|
||||
index bbffe07..80da0fe 100644
|
||||
--- a/bin/tests/system/allow-query/tests.sh
|
||||
+++ b/bin/tests/system/allow-query/tests.sh
|
||||
@@ -200,7 +200,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: key allowed - query allowed"
|
||||
ret=0
|
||||
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -213,7 +213,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: key not allowed - query refused"
|
||||
ret=0
|
||||
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
@@ -227,7 +227,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: key disallowed - query refused"
|
||||
ret=0
|
||||
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
@@ -366,7 +366,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: views key allowed - query allowed"
|
||||
ret=0
|
||||
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -379,7 +379,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: views key not allowed - query refused"
|
||||
ret=0
|
||||
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
@@ -393,7 +393,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: views key disallowed - query refused"
|
||||
ret=0
|
||||
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
@@ -533,7 +533,7 @@ status=`expr $status + $ret`
|
||||
n=`expr $n + 1`
|
||||
echo_i "test $n: zone key allowed - query allowed"
|
||||
ret=0
|
||||
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
||||
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
||||
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -543,7 +543,7 @@ status=`expr $status + $ret`
|
||||
n=`expr $n + 1`
|
||||
echo_i "test $n: zone key not allowed - query refused"
|
||||
ret=0
|
||||
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
||||
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
@@ -554,7 +554,7 @@ status=`expr $status + $ret`
|
||||
n=`expr $n + 1`
|
||||
echo_i "test $n: zone key disallowed - query refused"
|
||||
ret=0
|
||||
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
|
||||
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
|
||||
index 1421281..424afb8 100644
|
||||
--- a/bin/tests/system/catz/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/catz/ns1/named.conf.in
|
||||
@@ -122,5 +122,5 @@ view "ch" ch {
|
||||
|
||||
key tsig_key. {
|
||||
secret "LSAnCU+Z";
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
};
|
||||
diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
|
||||
index 4af25b0..9f202d5 100644
|
||||
--- a/bin/tests/system/checkconf/bad-tsig.conf
|
||||
+++ b/bin/tests/system/checkconf/bad-tsig.conf
|
||||
@@ -13,7 +13,7 @@
|
||||
|
||||
/* Bad secret */
|
||||
key "badtsig" {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "jEdD+BPKg==";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
|
||||
index 897dc86..e4b6dc1 100644
|
||||
--- a/bin/tests/system/checkconf/good.conf
|
||||
+++ b/bin/tests/system/checkconf/good.conf
|
||||
@@ -270,6 +270,6 @@ dyndb "name" "library.so" {
|
||||
system;
|
||||
};
|
||||
key "mykey" {
|
||||
- algorithm "hmac-md5";
|
||||
+ algorithm "hmac-sha256";
|
||||
secret "qwertyuiopasdfgh";
|
||||
};
|
||||
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
|
||||
index 3435c91..aaaa264 100644
|
||||
index b1adaed..3942df6 100644
|
||||
--- a/bin/tests/system/feature-test.c
|
||||
+++ b/bin/tests/system/feature-test.c
|
||||
@@ -17,6 +17,7 @@
|
||||
|
|
@ -562,7 +94,7 @@ index 3435c91..aaaa264 100644
|
|||
#include <isc/net.h>
|
||||
#include <isc/print.h>
|
||||
#include <isc/util.h>
|
||||
@@ -133,6 +134,19 @@ main(int argc, char **argv) {
|
||||
@@ -143,6 +144,19 @@ main(int argc, char **argv) {
|
||||
#endif
|
||||
}
|
||||
|
||||
|
|
@ -582,87 +114,11 @@ index 3435c91..aaaa264 100644
|
|||
if (strcmp(argv[1], "--ipv6only=no") == 0) {
|
||||
#if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
|
||||
int s;
|
||||
diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
|
||||
index 5cab276..d4a7bf3 100644
|
||||
--- a/bin/tests/system/notify/ns5/named.conf.in
|
||||
+++ b/bin/tests/system/notify/ns5/named.conf.in
|
||||
@@ -12,17 +12,17 @@
|
||||
*/
|
||||
|
||||
key "a" {
|
||||
- algorithm "hmac-md5";
|
||||
+ algorithm "hmac-sha256";
|
||||
secret "aaaaaaaaaaaaaaaaaaaa";
|
||||
};
|
||||
|
||||
key "b" {
|
||||
- algorithm "hmac-md5";
|
||||
+ algorithm "hmac-sha256";
|
||||
secret "bbbbbbbbbbbbbbbbbbbb";
|
||||
};
|
||||
|
||||
key "c" {
|
||||
- algorithm "hmac-md5";
|
||||
+ algorithm "hmac-sha256";
|
||||
secret "cccccccccccccccccccc";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
|
||||
index 04fd34b..e5476ea 100644
|
||||
--- a/bin/tests/system/notify/tests.sh
|
||||
+++ b/bin/tests/system/notify/tests.sh
|
||||
@@ -179,7 +179,7 @@ test_start "checking notify to multiple views using tsig"
|
||||
$NSUPDATE << EOF
|
||||
server 10.53.0.5 ${PORT}
|
||||
zone x21
|
||||
-key a aaaaaaaaaaaaaaaaaaaa
|
||||
+key hmac-sha256:a aaaaaaaaaaaaaaaaaaaa
|
||||
update add added.x21 0 in txt "test string"
|
||||
send
|
||||
EOF
|
||||
@@ -187,9 +187,9 @@ fnb="dig.out.b.ns5.test$n"
|
||||
fnc="dig.out.c.ns5.test$n"
|
||||
for i in 1 2 3 4 5 6 7 8 9
|
||||
do
|
||||
- dig_plus_opts added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
|
||||
+ dig_plus_opts added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
|
||||
txt > "$fnb" || ret=1
|
||||
- dig_plus_opts added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
|
||||
+ dig_plus_opts added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \
|
||||
txt > "$fnc" || ret=1
|
||||
grep "test string" "$fnb" > /dev/null &&
|
||||
grep "test string" "$fnc" > /dev/null &&
|
||||
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
index 81d0c99..effbe2e 100644
|
||||
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
@@ -39,7 +39,7 @@ controls {
|
||||
};
|
||||
|
||||
key altkey {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha512;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
|
||||
index f1a1735..da2b3d1 100644
|
||||
--- a/bin/tests/system/nsupdate/ns2/named.conf.in
|
||||
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
|
||||
@@ -34,7 +34,7 @@ controls {
|
||||
};
|
||||
|
||||
key altkey {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha512;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
|
||||
index 50056dc..a4a1a3f 100644
|
||||
index b7d7b38..25c4cb4 100644
|
||||
--- a/bin/tests/system/nsupdate/setup.sh
|
||||
+++ b/bin/tests/system/nsupdate/setup.sh
|
||||
@@ -72,7 +72,11 @@ EOF
|
||||
@@ -73,7 +73,11 @@ EOF
|
||||
|
||||
$TSIGKEYGEN ddns-key.example.nil > ns1/ddns.key
|
||||
|
||||
|
|
@ -676,11 +132,11 @@ index 50056dc..a4a1a3f 100644
|
|||
$TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key
|
||||
$TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key
|
||||
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
|
||||
index 0863d0a..559def7 100755
|
||||
index 5adc99c..54e1d53 100755
|
||||
--- a/bin/tests/system/nsupdate/tests.sh
|
||||
+++ b/bin/tests/system/nsupdate/tests.sh
|
||||
@@ -841,7 +841,14 @@ fi
|
||||
n=`expr $n + 1`
|
||||
@@ -959,7 +959,14 @@ fi
|
||||
n=$((n + 1))
|
||||
ret=0
|
||||
echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
|
||||
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
|
||||
|
|
@ -695,7 +151,7 @@ index 0863d0a..559def7 100755
|
|||
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
update add ${alg}.keytests.nil. 600 A 10.10.10.3
|
||||
@@ -849,7 +856,7 @@ send
|
||||
@@ -967,7 +974,7 @@ send
|
||||
END
|
||||
done
|
||||
sleep 2
|
||||
|
|
@ -705,10 +161,10 @@ index 0863d0a..559def7 100755
|
|||
done
|
||||
if [ $ret -ne 0 ]; then
|
||||
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
|
||||
index 4dd6fa7..1b79263 100644
|
||||
index a8793f3..e6714c0 100644
|
||||
--- a/bin/tests/system/rndc/setup.sh
|
||||
+++ b/bin/tests/system/rndc/setup.sh
|
||||
@@ -47,7 +47,7 @@ make_key () {
|
||||
@@ -48,7 +48,7 @@ make_key () {
|
||||
sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
|
||||
}
|
||||
|
||||
|
|
@ -718,7 +174,7 @@ index 4dd6fa7..1b79263 100644
|
|||
make_key 3 ${EXTRAPORT3} hmac-sha224
|
||||
make_key 4 ${EXTRAPORT4} hmac-sha256
|
||||
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
|
||||
index e678153..e7ec855 100644
|
||||
index 424ac2b..27219a3 100644
|
||||
--- a/bin/tests/system/rndc/tests.sh
|
||||
+++ b/bin/tests/system/rndc/tests.sh
|
||||
@@ -350,15 +350,19 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
|
|
@ -778,22 +234,6 @@ index 76cf970..22637af 100644
|
|||
|
||||
key "sha1-trunc" {
|
||||
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
|
||||
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||
new file mode 100644
|
||||
index 0000000..0682194
|
||||
--- /dev/null
|
||||
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||
@@ -0,0 +1,10 @@
|
||||
+# Conditionally included when support for MD5 is available
|
||||
+key "md5" {
|
||||
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
+ algorithm hmac-md5;
|
||||
+};
|
||||
+
|
||||
+key "md5-trunc" {
|
||||
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
+ algorithm hmac-md5-80;
|
||||
+};
|
||||
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
|
||||
index 34cc73b..d51ff21 100644
|
||||
--- a/bin/tests/system/tsig/setup.sh
|
||||
|
|
@ -899,32 +339,6 @@ index 1067227..ee05e83 100644
|
|||
fi
|
||||
|
||||
echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
|
||||
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
|
||||
index c2b57dd..cb13aa1 100644
|
||||
--- a/bin/tests/system/upforwd/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
|
||||
@@ -12,7 +12,7 @@
|
||||
*/
|
||||
|
||||
key "update.example." {
|
||||
- algorithm "hmac-md5";
|
||||
+ algorithm "hmac-sha256";
|
||||
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
|
||||
index a6de312..ebcadb1 100644
|
||||
--- a/bin/tests/system/upforwd/tests.sh
|
||||
+++ b/bin/tests/system/upforwd/tests.sh
|
||||
@@ -80,7 +80,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
|
||||
|
||||
echo_i "updating zone (signed) ($n)"
|
||||
ret=0
|
||||
-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
|
||||
+$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
|
||||
server 10.53.0.3 ${PORT}
|
||||
update add updated.example. 600 A 10.10.10.1
|
||||
update add updated.example. 600 TXT Foo
|
||||
--
|
||||
2.37.3
|
||||
2.39.0
|
||||
|
||||
|
|
|
|||
|
|
@ -91,8 +91,8 @@ Source49: named-chroot.files
|
|||
# Common patches
|
||||
# Red Hat specific documentation is not relevant to upstream
|
||||
Patch1: bind-9.16-redhat_doc.patch
|
||||
# Later, many conflicts
|
||||
#Patch2: bind-9.11-fips-tests.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7417
|
||||
Patch2: bind-9.11-fips-tests.patch
|
||||
|
||||
%{?systemd_ordering}
|
||||
Requires: coreutils
|
||||
|
|
|
|||
Loading…
Reference in New Issue