Diffstat (limited to '')
-rw-r--r--bin/tests/system/tsig/clean.sh22
-rw-r--r--bin/tests/system/tsig/ns1/example.db161
-rw-r--r--bin/tests/system/tsig/ns1/named.conf.in87
-rw-r--r--bin/tests/system/tsig/setup.sh19
-rw-r--r--bin/tests/system/tsig/tests.sh222
-rw-r--r--bin/tests/system/tsiggss/authsock.pl89
-rw-r--r--bin/tests/system/tsiggss/clean.sh25
-rw-r--r--bin/tests/system/tsiggss/ns1/administrator.ccachebin0 -> 2315 bytes
-rw-r--r--bin/tests/system/tsiggss/ns1/dns.keytabbin0 -> 1087 bytes
-rw-r--r--bin/tests/system/tsiggss/ns1/example.nil.db.in51
-rw-r--r--bin/tests/system/tsiggss/ns1/named.conf.in47
-rw-r--r--bin/tests/system/tsiggss/ns1/testdenied.ccachebin0 -> 2188 bytes
-rw-r--r--bin/tests/system/tsiggss/prereq.sh22
-rw-r--r--bin/tests/system/tsiggss/setup.sh22
-rw-r--r--bin/tests/system/tsiggss/tests.sh105
15 files changed, 872 insertions, 0 deletions
diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh
new file mode 100644
index 0000000..576ec70
--- /dev/null
+++ b/bin/tests/system/tsig/clean.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after tsig tests.
+#
+
+rm -f dig.out.*
+rm -f */named.memstats
+rm -f */named.conf
+rm -f */named.run
+rm -f ns*/named.lock
+rm -f Kexample.net.+163+*
+rm -f keygen.out?
diff --git a/bin/tests/system/tsig/ns1/example.db b/bin/tests/system/tsig/ns1/example.db
new file mode 100644
index 0000000..05d8dd8
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/example.db
@@ -0,0 +1,161 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+example.nil IN SOA ns1.example.nil. hostmaster.example.nil. (
+ 1 ; serial
+ 2000 ; refresh (2000 seconds)
+ 2000 ; retry (2000 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+example.nil. NS ns1.example.nil.
+ns1.example.nil. A 10.53.0.1
+example.nil. NS ns2.example.nil.
+ns2.example.nil. A 10.53.0.2
+
+$ORIGIN example.nil.
+* MX 10 mail
+a TXT "foo foo foo"
+ PTR foo.net.
+$TTL 3600 ; 1 hour
+a01 A 0.0.0.0
+a02 A 255.255.255.255
+a601 AAAA ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+afsdb01 AFSDB 0 hostname
+afsdb02 AFSDB 65535 .
+$TTL 300 ; 5 minutes
+b CNAME foo.net.
+c A 73.80.65.49
+$TTL 3600 ; 1 hour
+cert01 CERT 65534 65535 PRIVATEOID (
+ MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+ WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+ d80jEeC8aTrO+KKmCaY= )
+cname01 CNAME cname-target.
+cname02 CNAME cname-target
+cname03 CNAME .
+$TTL 300 ; 5 minutes
+d A 73.80.65.49
+$TTL 3600 ; 1 hour
+dname01 DNAME dname-target.
+dname02 DNAME dname-target
+dname03 DNAME .
+$TTL 300 ; 5 minutes
+e MX 10 mail
+ TXT "one"
+ TXT "three"
+ TXT "two"
+ A 73.80.65.49
+ A 73.80.65.50
+ A 73.80.65.52
+ A 73.80.65.51
+f A 73.80.65.52
+$TTL 3600 ; 1 hour
+gpos01 GPOS "-22.6882" "116.8652" "250.0"
+gpos02 GPOS "" "" ""
+hinfo01 HINFO "Generic PC clone" "NetBSD-1.4"
+hinfo02 HINFO "PC" "NetBSD"
+isdn01 ISDN "isdn-address"
+isdn02 ISDN "isdn-address" "subaddress"
+isdn03 ISDN "isdn-address"
+isdn04 ISDN "isdn-address" "subaddress"
+key01 KEY 512 255 1 (
+ AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR
+ yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3
+ GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o
+ jqf0BaqHT+8= )
+kx01 KX 10 kdc
+kx02 KX 10 .
+loc01 LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02 LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+mb01 MG madname
+mb02 MG .
+mg01 MG mgmname
+mg02 MG .
+minfo01 MINFO rmailbx emailbx
+minfo02 MINFO . .
+mr01 MR mrname
+mr02 MR .
+mx01 MX 10 mail
+mx02 MX 10 .
+naptr01 NAPTR 0 0 "" "" "" .
+naptr02 NAPTR 65535 65535 "blurgh" "blorf" ":(.*):\\1:" foo.
+nsap-ptr01 NSAP-PTR foo.
+ NSAP-PTR .
+nsap01 NSAP 0x47000580005a0000000001e133ffffff00016100
+nsap02 NSAP 0x47000580005a0000000001e133ffffff00016100
+nxt01 NXT a.secure ( NS SOA MX SIG KEY LOC NXT )
+nxt02 NXT . ( NSAP-PTR NXT )
+nxt03 NXT . ( A )
+nxt04 NXT . ( 127 )
+ptr01 PTR example.nil.
+px01 PX 65535 foo. bar.
+px02 PX 65535 . .
+rp01 RP mbox-dname txt-dname
+rp02 RP . .
+rt01 RT 0 intermediate-host
+rt02 RT 65535 .
+$TTL 300 ; 5 minutes
+s NS ns.s
+$ORIGIN s.example.nil.
+ns A 73.80.65.49
+$ORIGIN example.nil.
+$TTL 3600 ; 1 hour
+sig01 SIG NXT 1 3 3600 20000102030405 (
+ 19961211100908 2143 foo
+ MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+ WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+ d80jEeC8aTrO+KKmCaY= )
+srv01 SRV 0 0 0 .
+srv02 SRV 65535 65535 65535 old-slow-box.example.com.
+$TTL 301 ; 5 minutes 1 second
+t A 73.80.65.49
+$TTL 3600 ; 1 hour
+txt01 TXT "foo"
+txt02 TXT "foo" "bar"
+txt03 TXT "foo"
+txt04 TXT "foo" "bar"
+txt05 TXT "foo bar"
+txt06 TXT "foo bar"
+txt07 TXT "foo bar"
+txt08 TXT "foo\010bar"
+txt09 TXT "foo\010bar"
+txt10 TXT "foo bar"
+txt11 TXT "\"foo\""
+txt12 TXT "\"foo\""
+$TTL 300 ; 5 minutes
+u TXT "txt-not-in-nxt"
+$ORIGIN u.example.nil.
+a A 73.80.65.49
+b A 73.80.65.49
+$ORIGIN example.nil.
+$TTL 3600 ; 1 hour
+wks01 WKS 10.0.0.1 6 ( 0 1 2 21 23 )
+wks02 WKS 10.0.0.1 17 ( 0 1 2 53 )
+wks03 WKS 10.0.0.2 6 ( 65535 )
+x2501 X25 "123456789"
+large TXT ( 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890 )
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
new file mode 100644
index 0000000..fbf30c6
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/named.conf.in
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+};
+
+key "md5" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5;
+};
+
+key "sha1" {
+ secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+ algorithm hmac-sha1;
+};
+
+key "sha224" {
+ secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
+ algorithm hmac-sha224;
+};
+
+key "sha256" {
+ secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
+ algorithm hmac-sha256;
+};
+
+key "sha384" {
+ secret "OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h";
+ algorithm hmac-sha384;
+};
+
+key "sha512" {
+ secret "jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg==";
+ algorithm hmac-sha512;
+};
+
+key "md5-trunc" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5-80;
+};
+
+key "sha1-trunc" {
+ secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+ algorithm hmac-sha1-80;
+};
+
+key "sha224-trunc" {
+ secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
+ algorithm hmac-sha224-112;
+};
+
+key "sha256-trunc" {
+ secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
+ algorithm hmac-sha256-128;
+};
+
+key "sha384-trunc" {
+ secret "OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h";
+ algorithm hmac-sha384-192;
+};
+
+key "sha512-trunc" {
+ secret "jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg==";
+ algorithm hmac-sha512-256;
+};
+
+zone "example.nil" {
+ type master;
+ file "example.db";
+};
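Review bot: The six `*-trunc` keys at L278–L306 are copies of the full-length keys above them with only the algorithm changed, and nothing in the file says that the shared secrets are deliberate; a comment before L278 such as `/* Truncated-MAC variants: same secrets as the keys above, only the algorithm (and so the MAC length) differs. */` would make the pairing obvious to whoever later edits one half of it. The secrets are test fixtures that tests.sh repeats verbatim, so a header comment noting that the two files must stay in sync would also help.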
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
new file mode 100644
index 0000000..656e9bb
--- /dev/null
+++ b/bin/tests/system/tsig/setup.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+
+test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
new file mode 100644
index 0000000..f731fa6
--- /dev/null
+++ b/bin/tests/system/tsig/tests.sh
@@ -0,0 +1,222 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
+
+#
+# Shared secrets.
+#
+md5="97rnFx24Tfna4mHPfgnerA=="
+sha1="FrSt77yPTFx6hTs4i2tKLB9LmE0="
+sha224="hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA=="
+sha256="R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY="
+sha384="OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h"
+sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg=="
+
+status=0
+
+echo_i "fetching using hmac-md5 (old form)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
+grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-md5 (new form)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
+grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha1"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha1:sha1:$sha1" @10.53.0.1 soa > dig.out.sha1 || ret=1
+grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha224"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha224:sha224:$sha224" @10.53.0.1 soa > dig.out.sha224 || ret=1
+grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha256"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha256:sha256:$sha256" @10.53.0.1 soa > dig.out.sha256 || ret=1
+grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha384"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha384:sha384:$sha384" @10.53.0.1 soa > dig.out.sha384 || ret=1
+grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha512"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha512:sha512:$sha512" @10.53.0.1 soa > dig.out.sha512 || ret=1
+grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+#
+#
+# Truncated TSIG
+#
+#
+echo_i "fetching using hmac-md5 (trunc)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
+grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha1 (trunc)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha1-80:sha1-trunc:$sha1" @10.53.0.1 soa > dig.out.sha1.trunc || ret=1
+grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.trunc > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha224 (trunc)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha224-112:sha224-trunc:$sha224" @10.53.0.1 soa > dig.out.sha224.trunc || ret=1
+grep -i "sha224-trunc.*TSIG.*NOERROR" dig.out.sha224.trunc > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha256 (trunc)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha256-128:sha256-trunc:$sha256" @10.53.0.1 soa > dig.out.sha256.trunc || ret=1
+grep -i "sha256-trunc.*TSIG.*NOERROR" dig.out.sha256.trunc > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha384 (trunc)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha384-192:sha384-trunc:$sha384" @10.53.0.1 soa > dig.out.sha384.trunc || ret=1
+grep -i "sha384-trunc.*TSIG.*NOERROR" dig.out.sha384.trunc > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha512-256 (trunc)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha512-256:sha512-trunc:$sha512" @10.53.0.1 soa > dig.out.sha512.trunc || ret=1
+grep -i "sha512-trunc.*TSIG.*NOERROR" dig.out.sha512.trunc > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+
+#
+#
+# Check for bad truncation.
+#
+#
+echo_i "fetching using hmac-md5-80 (BADTRUNC)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
+grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha1-80:sha1:$sha1" @10.53.0.1 soa > dig.out.sha1-80 || ret=1
+grep -i "sha1.*TSIG.*BADTRUNC" dig.out.sha1-80 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha224-112 (BADTRUNC)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha224-112:sha224:$sha224" @10.53.0.1 soa > dig.out.sha224-112 || ret=1
+grep -i "sha224.*TSIG.*BADTRUNC" dig.out.sha224-112 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha256-128 (BADTRUNC)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha256-128:sha256:$sha256" @10.53.0.1 soa > dig.out.sha256-128 || ret=1
+grep -i "sha256.*TSIG.*BADTRUNC" dig.out.sha256-128 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha384-192 (BADTRUNC)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha384-192:sha384:$sha384" @10.53.0.1 soa > dig.out.sha384-192 || ret=1
+grep -i "sha384.*TSIG.*BADTRUNC" dig.out.sha384-192 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha512-256 (BADTRUNC)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha512-256:sha512:$sha512" @10.53.0.1 soa > dig.out.sha512-256 || ret=1
+grep -i "sha512.*TSIG.*BADTRUNC" dig.out.sha512-256 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "attempting fetch with bad tsig algorithm"
+ret=0
+$DIG $DIGOPTS example.nil. -y "badalgo:invalid:$sha512" @10.53.0.1 soa > dig.out.badalgo 2>&1 || ret=1
+grep -i "Couldn't create key invalid: algorithm is unsupported" dig.out.badalgo > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "checking both OPT and TSIG records are returned when TC=1"
+ret=0
+$DIG -p ${PORT} +ignore +bufsize=512 large.example.nil -y "hmac-sha1:sha1:$sha1" @10.53.0.1 txt > dig.out.large 2>&1 || ret=1
+grep "flags:.* tc[ ;]" dig.out.large > /dev/null || ret=1
+grep "status: NOERROR" dig.out.large > /dev/null || ret=1
+grep "EDNS:" dig.out.large > /dev/null || ret=1
+grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo "I:check that multiple dnssec-keygen calls don't emit dns_dnssec_findmatchingkeys warning"
+ret=0
+$KEYGEN -r $RANDFILE -a hmac-sha256 -b 128 -n host example.net > keygen.out1 2>&1 || ret=1
+grep dns_dnssec_findmatchingkeys keygen.out1 > /dev/null && ret=1
+$KEYGEN -r $RANDFILE -a hmac-sha256 -b 128 -n host example.net > keygen.out2 2>&1 || ret=1
+grep dns_dnssec_findmatchingkeys keygen.out2 > /dev/null && ret=1
+if [ $ret -eq 1 ] ; then
+ echo "I: failed"; status=1
+fi
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
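Review bot: The TC=1 case at L542–L551 never inspects its own response for the TSIG record: its last check, `grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1`, reads the output of the earlier plain hmac-sha1 query, so the "TSIG record returned when TC=1" part of the assertion cannot fail on its own; it should be `grep -i "sha1.*TSIG.*NOERROR" dig.out.large > /dev/null || ret=1`. The keygen case at L553–L561 reports with `echo "I:..."` where every other case uses `echo_i`, so `echo_i "check that multiple dnssec-keygen calls don't emit dns_dnssec_findmatchingkeys warning"` and `echo_i "failed"` would keep the output uniform. The hmac-sha1 (trunc) check at L443 greps for `sha1` where its siblings grep for the `-trunc` key name; `sha1-trunc.*TSIG.*NOERROR` would pin the key actually used.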
diff --git a/bin/tests/system/tsiggss/authsock.pl b/bin/tests/system/tsiggss/authsock.pl
new file mode 100644
index 0000000..57a72b2
--- /dev/null
+++ b/bin/tests/system/tsiggss/authsock.pl
@@ -0,0 +1,89 @@
+#!/usr/bin/env perl
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# test the update-policy external protocol
+
+require 5.6.0;
+
+use IO::Socket::UNIX;
+use Getopt::Long;
+
+my $path;
+my $typeallowed = "A";
+my $pidfile = "authsock.pid";
+my $timeout = 0;
+
+GetOptions("path=s" => \$path,
+ "type=s" => \$typeallowed,
+ "pidfile=s" => \$pidfile,
+ "timeout=i" => \$timeout);
+
+if (!defined($path)) {
+ print("Usage: authsock.pl --path=<sockpath> --type=type --pidfile=pidfile\n");
+ exit(1);
+}
+
+unlink($path);
+my $server = IO::Socket::UNIX->new(Local => $path, Type => SOCK_STREAM, Listen => 8) or
+ die "unable to create socket $path";
+chmod 0777, $path;
+
+# setup our pidfile
+open(my $pid,">",$pidfile)
+ or die "unable to open pidfile $pidfile";
+print $pid "$$\n";
+close($pid);
+
+if ($timeout != 0) {
+ # die after the given timeout
+ alarm($timeout);
+}
+
+while (my $client = $server->accept()) {
+ $client->recv(my $buf, 8, 0);
+ my ($version, $req_len) = unpack('N N', $buf);
+
+ if ($version != 1 || $req_len < 17) {
+ printf("Badly formatted request\n");
+ $client->send(pack('N', 2));
+ next;
+ }
+
+ $client->recv(my $buf, $req_len - 8, 0);
+
+ my ($signer,
+ $name,
+ $addr,
+ $type,
+ $key,
+ $key_data) = unpack('Z* Z* Z* Z* Z* N/a', $buf);
+
+ if ($req_len != length($buf)+8) {
+ printf("Length mismatch %u %u\n", $req_len, length($buf)+8);
+ $client->send(pack('N', 2));
+ next;
+ }
+
+ printf("version=%u signer=%s name=%s addr=%s type=%s key=%s key_data_len=%u\n",
+ $version, $signer, $name, $addr, $type, $key, length($key_data));
+
+ my $result;
+ if ($typeallowed eq $type) {
+ $result = 1;
+ printf("allowed type %s == %s\n", $type, $typeallowed);
+ } else {
+ printf("disallowed type %s != %s\n", $type, $typeallowed);
+ $result = 0;
+ }
+
+ $reply = pack('N', $result);
+ $client->send($reply);
+}
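Review bot: The script runs without `use strict; use warnings;`, and two things would trip them: `$reply` at L657 is assigned without `my`, and `my $buf` at L630 redeclares the `$buf` from L621 inside the same block; add `use strict; use warnings;` after `require 5.6.0;`, change L630 to `$client->recv($buf, $req_len - 8, 0);` and L657 to `my $reply = pack('N', $result);`. `chmod 0777, $path` at L607 lets every local user connect to the policy socket; named only needs connect access, so in the harness this is wider than necessary and merits a comment such as `# harness only: named runs as the test user, a narrower mode would do`. Reading the body with a single `recv` at L630 presumably relies on the request arriving in one segment, since a short read is rejected by the length check at L639 rather than completed; that looks acceptable for a local stream socket but is worth a note. The `$req_len < 17` threshold at L624 would also benefit from a comment saying which minimum message it corresponds to.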
diff --git a/bin/tests/system/tsiggss/clean.sh b/bin/tests/system/tsiggss/clean.sh
new file mode 100644
index 0000000..c97ade7
--- /dev/null
+++ b/bin/tests/system/tsiggss/clean.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after tsiggss tests.
+#
+
+rm -f ns1/*.jnl ns1/update.txt ns1/auth.sock
+rm -f ns1/*.db ns1/K*.key ns1/K*.private
+rm -f ns1/_default.tsigkeys
+rm -f */named.memstats
+rm -f */named.conf
+rm -f */named.run
+rm -f authsock.pid
+rm -f ns1/core
+rm -f nsupdate.out
+rm -f ns*/named.lock
diff --git a/bin/tests/system/tsiggss/ns1/administrator.ccache b/bin/tests/system/tsiggss/ns1/administrator.ccache
new file mode 100644
index 0000000..e6c2e74
--- /dev/null
+++ b/bin/tests/system/tsiggss/ns1/administrator.ccache
Binary files differ
diff --git a/bin/tests/system/tsiggss/ns1/dns.keytab b/bin/tests/system/tsiggss/ns1/dns.keytab
new file mode 100644
index 0000000..dcb863b
--- /dev/null
+++ b/bin/tests/system/tsiggss/ns1/dns.keytab
Binary files differ
diff --git a/bin/tests/system/tsiggss/ns1/example.nil.db.in b/bin/tests/system/tsiggss/ns1/example.nil.db.in
new file mode 100644
index 0000000..001bb29
--- /dev/null
+++ b/bin/tests/system/tsiggss/ns1/example.nil.db.in
@@ -0,0 +1,51 @@
+; -*- zone -*-
+; this was generated by a Samba4 provision, and is typical
+; of a AD DNS zone
+$ORIGIN example.nil.
+$TTL 1W
+@ IN SOA blu hostmaster (
+ 2010113027 ; serial
+ 2D ; refresh
+ 4H ; retry
+ 6W ; expiry
+ 1W ) ; minimum
+ IN NS blu
+
+ IN A 10.53.0.1
+;
+
+blu IN A 10.53.0.1
+gc._msdcs IN A 10.53.0.1
+
+fb33eb58-5d58-4100-a114-256e0a97ffc1._msdcs IN CNAME blu
+;
+; global catalog servers
+_gc._tcp IN SRV 0 100 3268 blu
+_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268 blu
+_ldap._tcp.gc._msdcs IN SRV 0 100 3268 blu
+_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs IN SRV 0 100 3268 blu
+;
+; ldap servers
+_ldap._tcp IN SRV 0 100 389 blu
+_ldap._tcp.dc._msdcs IN SRV 0 100 389 blu
+_ldap._tcp.pdc._msdcs IN SRV 0 100 389 blu
+_ldap._tcp.d86745b4-f3e0-4af3-be03-2130d1534be8.domains._msdcs IN SRV 0 100 389 blu
+_ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 blu
+_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389 blu
+;
+; krb5 servers
+_kerberos._tcp IN SRV 0 100 88 blu
+_kerberos._tcp.dc._msdcs IN SRV 0 100 88 blu
+_kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 blu
+_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 blu
+_kerberos._udp IN SRV 0 100 88 blu
+; MIT kpasswd likes to lookup this name on password change
+_kerberos-master._tcp IN SRV 0 100 88 blu
+_kerberos-master._udp IN SRV 0 100 88 blu
+;
+; kpasswd
+_kpasswd._tcp IN SRV 0 100 464 blu
+_kpasswd._udp IN SRV 0 100 464 blu
+;
+; heimdal 'find realm for host' hack
+_kerberos IN TXT EXAMPLE.NIL
diff --git a/bin/tests/system/tsiggss/ns1/named.conf.in b/bin/tests/system/tsiggss/ns1/named.conf.in
new file mode 100644
index 0000000..583cb37
--- /dev/null
+++ b/bin/tests/system/tsiggss/ns1/named.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.1; 127.0.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ tkey-gssapi-keytab "dns.keytab";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example.nil." IN {
+ type master;
+ file "example.nil.db";
+
+ update-policy {
+ grant Administrator@EXAMPLE.NIL wildcard * A AAAA SRV CNAME;
+ grant testdenied@EXAMPLE.NIL wildcard * TXT;
+ grant "local:auth.sock" external * CNAME;
+ };
+
+ /* we need to use check-names ignore so _msdcs A records can be created */
+ check-names ignore;
+};
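Review bot: The `controls` statement at L797 pairs `allow { any; }` with the fixed, short `rndc_key` secret declared at L792, so any host that can reach 10.53.0.1 on @CONTROLPORT@ can drive this named; inside the test harness the address is local and this appears intentional, but nothing in the file says so, and a comment such as `/* test harness only: open controls channel with a fixed key */` would stop the block being copied as-is into a real configuration. If the channel only needs to be reachable from the test driver, `allow { 10.53.0.1; 127.0.0.1; }` mirrors the `listen-on` list at L784.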
diff --git a/bin/tests/system/tsiggss/ns1/testdenied.ccache b/bin/tests/system/tsiggss/ns1/testdenied.ccache
new file mode 100644
index 0000000..070e85b
--- /dev/null
+++ b/bin/tests/system/tsiggss/ns1/testdenied.ccache
Binary files differ
diff --git a/bin/tests/system/tsiggss/prereq.sh b/bin/tests/system/tsiggss/prereq.sh
new file mode 100644
index 0000000..8fbe016
--- /dev/null
+++ b/bin/tests/system/tsiggss/prereq.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+# enable the tsiggss test only if gssapi was enabled
+$FEATURETEST --gssapi || {
+ echo_i "gssapi and krb5 not supported - skipping tsiggss test"
+ exit 255
+}
+
+# ... and crypto
+exec $SHELL ../testcrypto.sh
diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh
new file mode 100644
index 0000000..5da33cf
--- /dev/null
+++ b/bin/tests/system/tsiggss/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+
+copy_setports ns1/named.conf.in ns1/named.conf
+
+key=`$KEYGEN -Cq -K ns1 -a DSA -b 512 -r $RANDFILE -n HOST -T KEY key.example.nil.`
+cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db
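Review bot: The key generation at L873 has no failure check: if `$KEYGEN` fails, `$key` is empty and L874 still writes `ns1/example.nil.db` from the `.in` file alone (cat emits it before failing on `ns1/.key`), so the zone loads without the KEY record and the SIG(0) case in tests.sh fails later with a misleading message. Checking the result, `key=$($KEYGEN -Cq -K ns1 -a DSA -b 512 -r $RANDFILE -n HOST -T KEY key.example.nil.) || exit 1` followed by `[ -n "$key" ] || exit 1`, makes setup fail where the problem is. The `$(...)` form also replaces the backticks, and a one-line comment stating that this key exists only for the SIG(0) update case would explain the otherwise surprising algorithm and size choice.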
diff --git a/bin/tests/system/tsiggss/tests.sh b/bin/tests/system/tsiggss/tests.sh
new file mode 100644
index 0000000..b489d7b
--- /dev/null
+++ b/bin/tests/system/tsiggss/tests.sh
@@ -0,0 +1,105 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# tests for TSIG-GSS updates
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+
+DIGOPTS="@10.53.0.1 -p ${PORT}"
+
+test_update() {
+ host="$1"
+ type="$2"
+ cmd="$3"
+ digout="$4"
+
+ cat <<EOF > ns1/update.txt
+server 10.53.0.1 ${PORT}
+update add $host $cmd
+send
+EOF
+ echo "I:testing update for $host $type $cmd"
+ $NSUPDATE -g -d ns1/update.txt > nsupdate.out 2>&1 || {
+ echo "I:update failed for $host $type $cmd"
+ sed "s/^/I:/" nsupdate.out
+ return 1
+ }
+
+ out=`$DIG $DIGOPTS -t $type -q $host | egrep "^${host}"`
+ lines=`echo "$out" | grep "$digout" | wc -l`
+ [ $lines -eq 1 ] || {
+ echo "I:dig output incorrect for $host $type $cmd: $out"
+ return 1
+ }
+ return 0
+}
+
+echo "I:testing updates as administrator"
+KRB5CCNAME="FILE:"`pwd`/ns1/administrator.ccache
+export KRB5CCNAME
+
+test_update testdc1.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || status=1
+test_update testdc2.example.nil. A "86400 A 10.53.0.11" "10.53.0.11" || status=1
+test_update denied.example.nil. TXT "86400 TXT helloworld" "helloworld" > /dev/null && status=1
+
+echo "I:testing updates as a user"
+KRB5CCNAME="FILE:"`pwd`/ns1/testdenied.ccache
+export KRB5CCNAME
+
+test_update testdenied.example.nil. A "86400 A 10.53.0.12" "10.53.0.12" > /dev/null && status=1
+test_update testdenied.example.nil. TXT "86400 TXT helloworld" "helloworld" || status=1
+
+echo "I:testing external update policy"
+test_update testcname.example.nil. TXT "86400 CNAME testdenied.example.nil" "testdenied" > /dev/null && status=1
+$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 &
+sleep 1
+test_update testcname.example.nil. TXT "86400 CNAME testdenied.example.nil" "testdenied" || status=1
+test_update testcname.example.nil. TXT "86400 A 10.53.0.13" "10.53.0.13" > /dev/null && status=1
+
+echo "I:testing external policy with SIG(0) key"
+ret=0
+$NSUPDATE -R $RANDFILE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1
+server 10.53.0.1 ${PORT}
+zone example.nil
+update add fred.example.nil 120 cname foo.bar.
+send
+END
+output=`$DIG $DIGOPTS +short cname fred.example.nil.`
+[ -n "$output" ] || ret=1
+[ $ret -eq 0 ] || echo "I:failed"
+status=`expr $status + $ret`
+
+echo "I:ensure too long realm name is fatal in non-interactive mode"
+ret=0
+$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1
+ realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename
+END
+grep "realm is too long" nsupdate.out > /dev/null || ret=1
+grep "syntax error" nsupdate.out > /dev/null || ret=1
+[ $ret = 0 ] || { echo I:failed; status=1; }
+
+echo "I:ensure too long realm name is not fatal in interactive mode"
+ret=0
+$NSUPDATE -i <<END > nsupdate.out 2>&1 || ret=1
+ realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename
+END
+grep "realm is too long" nsupdate.out > /dev/null || ret=1
+[ $ret = 0 ] || { echo I:failed; status=1; }
+
+[ $status -eq 0 ] && echo "I:tsiggss tests all OK"
+
+kill `cat authsock.pid`
+
+echo "I:exit status: $status"
+[ $status -eq 0 ] || exit 1
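Review bot: The negative check at L948 is vacuous: `test_update` is given `type` TXT while the update adds an A record, and `dig -t TXT` can never show an A record, so the case passes whether or not the external policy rejected the update (the CNAME already at that owner would block an A independently anyway); if the intent is to prove the policy denies non-CNAME types, query the type that was added, `test_update testcname.example.nil. A "86400 A 10.53.0.13" "10.53.0.13" > /dev/null && status=1`. Failure accounting is mixed: the SIG(0) case at L961 uses `status=\`expr $status + $ret\`` while every other case sets `status=1`, and the messages use `echo "I:..."` although prereq.sh in the same commit uses `echo_i` from conf.sh. The `sleep 1` at L946 is a fixed wait for authsock.pl to create `ns1/auth.sock`; on a loaded host that looks racy, so polling for the socket (`[ -S ns1/auth.sock ]`) before the first CNAME update would be more robust — confirm against how other system tests wait for helpers.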