Test support with legacy HMAC K files with nsupdate

tsig-keygen generates key files that are different to those that where generated by dnssec-keygen. Check that nsupdate can still read those old format files.
2026-02-27 03:51:16 -05:00 · 2023-06-19 14:14:39 +10:00 · 2023-06-19 14:14:39 +10:00 · e1fb17e72c
commit e1fb17e72c
parent 3f93d3f757
16 changed files with 98 additions and 0 deletions
--- a/bin/tests/system/nsupdate/clean.sh
+++ b/bin/tests/system/nsupdate/clean.sh
@ -33,6 +33,7 @@ rm -f ns1/example.db ns1/unixtime.db ns1/yyyymmddvv.db ns1/update.db ns1/other.d
 rm -f ns1/many.test.db
 rm -f ns1/maxjournal.db
 rm -f ns1/md5.key ns1/sha1.key ns1/sha224.key ns1/sha256.key ns1/sha384.key
+rm -f ns1/legacy157.key ns1/legacy161.key ns1/legacy162.key ns1/legacy163.key ns1/legacy164.key ns1/legacy165.key
 rm -f ns1/sample.db
 rm -f ns1/tls.conf
 rm -f ns1/tls.options
--- a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-157.+157+23571.key
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-157.+157+23571.key
@ -0,0 +1 @@
+legacy-157. IN KEY 0 3 157 mGcDSCx/fF121GOVJlITLg==
--- a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-157.+157+23571.private
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-157.+157+23571.private
@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 157 (HMAC_MD5)
+Key: mGcDSCx/fF121GOVJlITLg==
+Bits: AAA=
+Created: 20230619042408
+Publish: 20230619042408
+Activate: 20230619042408
--- a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-161.+161+23350.key
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-161.+161+23350.key
@ -0,0 +1 @@
+legacy-161. IN KEY 0 3 161 N80fGvcr8JifzRUJ62R4rQ==
--- a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-161.+161+23350.private
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-161.+161+23350.private
@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 161 (HMAC_SHA1)
+Key: N80fGvcr8JifzRUJ62R4rQ==
+Bits: AAA=
+Created: 20230619042427
+Publish: 20230619042427
+Activate: 20230619042427
--- a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-162.+162+00032.key
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-162.+162+00032.key
@ -0,0 +1 @@
+legacy-162. IN KEY 0 3 162 nSIKzFAGS7/tvBs8JteI+Q==
--- a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-162.+162+00032.private
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-162.+162+00032.private
@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 162 (HMAC_SHA224)
+Key: nSIKzFAGS7/tvBs8JteI+Q==
+Bits: AAA=
+Created: 20230619042555
+Publish: 20230619042555
+Activate: 20230619042555
--- a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-163.+163+48857.key
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-163.+163+48857.key
@ -0,0 +1 @@
+legacy-163. IN KEY 0 3 163 CvaupxnDeES3HnlYhTq53w==
--- a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-163.+163+48857.private
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-163.+163+48857.private
@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 163 (HMAC_SHA256)
+Key: CvaupxnDeES3HnlYhTq53w==
+Bits: AAA=
+Created: 20230619042525
+Publish: 20230619042525
+Activate: 20230619042525
--- a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-164.+164+09001.key
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-164.+164+09001.key
@ -0,0 +1 @@
+legacy-164. IN KEY 0 3 164 wDldBJwJrYfPoL1Pj4ucOQ==
--- a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-164.+164+09001.private
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-164.+164+09001.private
@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 164 (HMAC_SHA384)
+Key: wDldBJwJrYfPoL1Pj4ucOQ==
+Bits: AAA=
+Created: 20230619042615
+Publish: 20230619042615
+Activate: 20230619042615
--- a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-165.+165+61012.key
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-165.+165+61012.key
@ -0,0 +1 @@
+legacy-165. IN KEY 0 3 165 OgZrTcEa8P76hVY+xyN7Wg==
--- a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-165.+165+61012.private
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-165.+165+61012.private
@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 165 (HMAC_SHA512)
+Key: OgZrTcEa8P76hVY+xyN7Wg==
+Bits: AAA=
+Created: 20230619042627
+Publish: 20230619042627
+Activate: 20230619042627
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
@ -132,6 +132,12 @@ include "sha224.key";
 include "sha256.key";
 include "sha384.key";
 include "sha512.key";
+include "legacy157.key";
+include "legacy161.key";
+include "legacy162.key";
+include "legacy163.key";
+include "legacy164.key";
+include "legacy165.key";

 zone "keytests.nil" {
 	type primary;
@ -143,6 +149,12 @@ zone "keytests.nil" {
 	    grant sha256-key name sha256.keytests.nil. ANY;
 	    grant sha384-key name sha384.keytests.nil. ANY;
 	    grant sha512-key name sha512.keytests.nil. ANY;
+	    grant legacy-157 name 157.keytests.nil. ANY;
+	    grant legacy-161 name 161.keytests.nil. ANY;
+	    grant legacy-162 name 162.keytests.nil. ANY;
+	    grant legacy-163 name 163.keytests.nil. ANY;
+	    grant legacy-164 name 164.keytests.nil. ANY;
+	    grant legacy-165 name 165.keytests.nil. ANY;
 	};
 };

--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
@ -92,6 +92,17 @@ $TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key
 $TSIGKEYGEN -a hmac-sha384 sha384-key > ns1/sha384.key
 $TSIGKEYGEN -a hmac-sha512 sha512-key > ns1/sha512.key

+if $FEATURETEST --md5; then
+	echo 'key "legacy-157" { algorithm "hmac-md5"; secret "mGcDSCx/fF121GOVJlITLg=="; };' > ns1/legacy157.key
+else
+	echo "/* MD5 NOT SUPPORTED */" > ns1/legacy157.key
+fi
+echo 'key "legacy-161" { algorithm "hmac-sha1"; secret "N80fGvcr8JifzRUJ62R4rQ=="; };' > ns1/legacy161.key
+echo 'key "legacy-162" { algorithm "hmac-sha224"; secret "nSIKzFAGS7/tvBs8JteI+Q=="; };' > ns1/legacy162.key
+echo 'key "legacy-163" { algorithm "hmac-sha256"; secret "CvaupxnDeES3HnlYhTq53w=="; };' > ns1/legacy163.key
+echo 'key "legacy-164" { algorithm "hmac-sha384"; secret "wDldBJwJrYfPoL1Pj4ucOQ=="; };' > ns1/legacy164.key
+echo 'key "legacy-165" { algorithm "hmac-sha512"; secret "OgZrTcEa8P76hVY+xyN7Wg=="; };' > ns1/legacy165.key
+
 (cd ns3; $SHELL -e sign.sh)

 cp -f ns1/many.test.db.in ns1/many.test.db
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@ -1011,6 +1011,32 @@ else
    echo_i "skipped: DH not supported in FIPS mode"
 fi

+n=$((n + 1))
+ret=0
+echo_i "check TSIG key algorithms using legacy K file pairs (nsupdate -k) ($n)"
+if $FEATURETEST --md5
+then
+	ALGS="157 161 162 163 164 165"
+else
+	ALGS="161 162 163 164 165"
+	echo_i "skipping disabled md5 (157) algorithm"
+fi
+for alg in $ALGS; do
+    $NSUPDATE -k ns1/legacy/Klegacy-${alg}.+${alg}+*.key <<END > /dev/null || ret=1
+server 10.53.0.1 ${PORT}
+update add ${alg}.keytests.nil. 600 A 10.10.10.3
+send
+END
+done
+sleep 2
+for alg in $ALGS; do
+    $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
+done
+if [ $ret -ne 0 ]; then
+    echo_i "failed"
+    status=1
+fi
+
 n=$((n + 1))
 ret=0
 echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
				`@ -0,0 +1 @@`
				`legacy-157. IN KEY 0 3 157 mGcDSCx/fF121GOVJlITLg==`
				`@ -0,0 +1 @@`
				`legacy-161. IN KEY 0 3 161 N80fGvcr8JifzRUJ62R4rQ==`
				`@ -0,0 +1 @@`
				`legacy-162. IN KEY 0 3 162 nSIKzFAGS7/tvBs8JteI+Q==`
				`@ -0,0 +1 @@`
				`legacy-163. IN KEY 0 3 163 CvaupxnDeES3HnlYhTq53w==`
				`@ -0,0 +1 @@`
				`legacy-164. IN KEY 0 3 164 wDldBJwJrYfPoL1Pj4ucOQ==`
				`@ -0,0 +1 @@`
				`legacy-165. IN KEY 0 3 165 OgZrTcEa8P76hVY+xyN7Wg==`