diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh
index f2a9f1ef59..9c67956938 100644
--- a/bin/tests/system/nsupdate/clean.sh
+++ b/bin/tests/system/nsupdate/clean.sh
@@ -33,6 +33,7 @@ rm -f ns1/example.db ns1/unixtime.db ns1/yyyymmddvv.db ns1/update.db ns1/other.d
 rm -f ns1/many.test.db
 rm -f ns1/maxjournal.db
 rm -f ns1/md5.key ns1/sha1.key ns1/sha224.key ns1/sha256.key ns1/sha384.key
+rm -f ns1/legacy157.key ns1/legacy161.key ns1/legacy162.key ns1/legacy163.key ns1/legacy164.key ns1/legacy165.key
 rm -f ns1/sample.db
 rm -f ns1/tls.conf
 rm -f ns1/tls.options
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-157.+157+23571.key b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-157.+157+23571.key
new file mode 100644
index 0000000000..bed002b19d
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-157.+157+23571.key
@@ -0,0 +1 @@
+legacy-157. IN KEY 0 3 157 mGcDSCx/fF121GOVJlITLg==
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-157.+157+23571.private b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-157.+157+23571.private
new file mode 100644
index 0000000000..3ce72dd12d
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-157.+157+23571.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 157 (HMAC_MD5)
+Key: mGcDSCx/fF121GOVJlITLg==
+Bits: AAA=
+Created: 20230619042408
+Publish: 20230619042408
+Activate: 20230619042408
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-161.+161+23350.key b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-161.+161+23350.key
new file mode 100644
index 0000000000..cb50883139
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-161.+161+23350.key
@@ -0,0 +1 @@
+legacy-161. IN KEY 0 3 161 N80fGvcr8JifzRUJ62R4rQ==
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-161.+161+23350.private b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-161.+161+23350.private
new file mode 100644
index 0000000000..dea2850f66
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-161.+161+23350.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 161 (HMAC_SHA1)
+Key: N80fGvcr8JifzRUJ62R4rQ==
+Bits: AAA=
+Created: 20230619042427
+Publish: 20230619042427
+Activate: 20230619042427
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-162.+162+00032.key b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-162.+162+00032.key
new file mode 100644
index 0000000000..126c94f943
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-162.+162+00032.key
@@ -0,0 +1 @@
+legacy-162. IN KEY 0 3 162 nSIKzFAGS7/tvBs8JteI+Q==
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-162.+162+00032.private b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-162.+162+00032.private
new file mode 100644
index 0000000000..af78756918
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-162.+162+00032.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 162 (HMAC_SHA224)
+Key: nSIKzFAGS7/tvBs8JteI+Q==
+Bits: AAA=
+Created: 20230619042555
+Publish: 20230619042555
+Activate: 20230619042555
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-163.+163+48857.key b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-163.+163+48857.key
new file mode 100644
index 0000000000..6945b1b6cd
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-163.+163+48857.key
@@ -0,0 +1 @@
+legacy-163. IN KEY 0 3 163 CvaupxnDeES3HnlYhTq53w==
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-163.+163+48857.private b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-163.+163+48857.private
new file mode 100644
index 0000000000..590ba14623
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-163.+163+48857.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 163 (HMAC_SHA256)
+Key: CvaupxnDeES3HnlYhTq53w==
+Bits: AAA=
+Created: 20230619042525
+Publish: 20230619042525
+Activate: 20230619042525
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-164.+164+09001.key b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-164.+164+09001.key
new file mode 100644
index 0000000000..4869618e83
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-164.+164+09001.key
@@ -0,0 +1 @@
+legacy-164. IN KEY 0 3 164 wDldBJwJrYfPoL1Pj4ucOQ==
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-164.+164+09001.private b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-164.+164+09001.private
new file mode 100644
index 0000000000..f06f67a731
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-164.+164+09001.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 164 (HMAC_SHA384)
+Key: wDldBJwJrYfPoL1Pj4ucOQ==
+Bits: AAA=
+Created: 20230619042615
+Publish: 20230619042615
+Activate: 20230619042615
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-165.+165+61012.key b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-165.+165+61012.key
new file mode 100644
index 0000000000..45a2811ba6
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-165.+165+61012.key
@@ -0,0 +1 @@
+legacy-165. IN KEY 0 3 165 OgZrTcEa8P76hVY+xyN7Wg==
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-165.+165+61012.private b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-165.+165+61012.private
new file mode 100644
index 0000000000..1635f2aea8
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-165.+165+61012.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 165 (HMAC_SHA512)
+Key: OgZrTcEa8P76hVY+xyN7Wg==
+Bits: AAA=
+Created: 20230619042627
+Publish: 20230619042627
+Activate: 20230619042627
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
index 0270e8ab4f..2c173bd5f2 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
@@ -132,6 +132,12 @@ include "sha224.key"; include "sha256.key"; include "sha384.key"; include "sha512.key"; +include "legacy157.key"; +include "legacy161.key"; +include "legacy162.key"; +include "legacy163.key"; +include "legacy164.key"; +include "legacy165.key"; zone "keytests.nil" { type primary; @@ -143,6 +149,12 @@ zone "keytests.nil" { grant sha256-key name sha256.keytests.nil. ANY; grant sha384-key name sha384.keytests.nil. ANY; grant sha512-key name sha512.keytests.nil. ANY; + grant legacy-157 name 157.keytests.nil. ANY; + grant legacy-161 name 161.keytests.nil. ANY; + grant legacy-162 name 162.keytests.nil. ANY; + grant legacy-163 name 163.keytests.nil. ANY; + grant legacy-164 name 164.keytests.nil. ANY; + grant legacy-165 name 165.keytests.nil. ANY; }; }; diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh index 3108ad8de4..a143eac98d 100644 --- a/bin/tests/system/nsupdate/setup.sh +++ b/bin/tests/system/nsupdate/setup.sh @@ -92,6 +92,17 @@ $TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key $TSIGKEYGEN -a hmac-sha384 sha384-key > ns1/sha384.key $TSIGKEYGEN -a hmac-sha512 sha512-key > ns1/sha512.key +if $FEATURETEST --md5; then + echo 'key "legacy-157" { algorithm "hmac-md5"; secret "mGcDSCx/fF121GOVJlITLg=="; };' > ns1/legacy157.key +else + echo "/* MD5 NOT SUPPORTED */" > ns1/legacy157.key +fi +echo 'key "legacy-161" { algorithm "hmac-sha1"; secret "N80fGvcr8JifzRUJ62R4rQ=="; };' > ns1/legacy161.key +echo 'key "legacy-162" { algorithm "hmac-sha224"; secret "nSIKzFAGS7/tvBs8JteI+Q=="; };' > ns1/legacy162.key +echo 'key "legacy-163" { algorithm "hmac-sha256"; secret "CvaupxnDeES3HnlYhTq53w=="; };' > ns1/legacy163.key +echo 'key "legacy-164" { algorithm "hmac-sha384"; secret "wDldBJwJrYfPoL1Pj4ucOQ=="; };' > ns1/legacy164.key +echo 'key "legacy-165" { algorithm "hmac-sha512"; secret "OgZrTcEa8P76hVY+xyN7Wg=="; };' > ns1/legacy165.key + (cd ns3; $SHELL -e sign.sh) cp -f ns1/many.test.db.in ns1/many.test.db 
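Review bot: `include "legacy157.key";` in this hunk and `grant legacy-157 name 157.keytests.nil. ANY;` in the second named.conf.in hunk are unconditional, while the setup.sh change in this commit writes only `/* MD5 NOT SUPPORTED */` into legacy157.key when MD5 is unavailable, so on such builds the policy names an identity that has no key defined. That looks intended, since tests.sh drops algorithm 157 in the same case, but nothing in the config says so. A comment above the new includes, e.g. `/* legacy-* keys mirror the K-file pairs in ns1/legacy/; legacy157.key is a comment-only stub when MD5 is disabled */`, would record it. The block enclosing the grant lines begins outside the second hunk.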
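Review bot: The six `secret "…"` literals in the added `echo` lines are hand-copied from the `Key:` fields of the ns1/legacy/Klegacy-*.private fixtures added in this same commit, so the server-side and client-side copies can drift and the mismatch would surface only as a failed signed update in tests.sh. Reading the value from the fixture keeps one source of truth, for example `secret=$(awk '/^Key:/ {print $2}' ns1/legacy/Klegacy-161.+161+*.private)` followed by `printf 'key "legacy-161" { algorithm "hmac-sha1"; secret "%s"; };\n' "$secret" > ns1/legacy161.key`. A comment above the block such as `# fixed, test-only TSIG secrets matching ns1/legacy/K*.private; never reuse outside the test suite` would also make clear to reviewers that the committed key material is intentional.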
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh index 8ba497e44c..eae4cdf338 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh @@ -1011,6 +1011,32 @@ else echo_i "skipped: DH not supported in FIPS mode" fi +n=$((n + 1)) +ret=0 +echo_i "check TSIG key algorithms using legacy K file pairs (nsupdate -k) ($n)" +if $FEATURETEST --md5 +then + ALGS="157 161 162 163 164 165" +else + ALGS="161 162 163 164 165" + echo_i "skipping disabled md5 (157) algorithm" +fi +for alg in $ALGS; do + $NSUPDATE -k ns1/legacy/Klegacy-${alg}.+${alg}+*.key < /dev/null || ret=1 +server 10.53.0.1 ${PORT} +update add ${alg}.keytests.nil. 600 A 10.10.10.3 +send +END +done +sleep 2 +for alg in $ALGS; do + $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 +done +if [ $ret -ne 0 ]; then + echo_i "failed" + status=1 +fi + n=$((n + 1)) ret=0 echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
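Review bot: Both `for alg in $ALGS` loops fold every failure into `ret=1`, so a failed run does not say which algorithm's K-file pair was rejected, or whether the update or the lookup was the step that failed; `|| { echo_i "legacy key ${alg}: update failed"; ret=1; }` on the nsupdate line and a matching message on the dig line would make that visible. The lookup check `grep 10.10.10.3` treats the dots as wildcards and also matches a longer address, whereas `grep -Fx 10.10.10.3` pins the exact `+short` answer, assuming `$DIGOPTS` adds no other output. As rendered on this page the nsupdate line reads `< /dev/null || ret=1` with the `server`/`update`/`send`/`END` lines following it as separate commands, which looks like a here-document redirection lost in extraction rather than a defect in the commit; confirm against the repository copy.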