author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-08 16:41:28 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-08 16:41:28 +0000 |
commit | 14509ce60103dab695cef4d4f31321bab27ab967 (patch) | |
tree | 5959cfb9832b3af242a1ca45d4a1227acae67d87 /bin/tests/system/tsiggss | |
parent | Adding debian version 1:9.18.19-1~deb12u1. (diff) | |
Merging upstream version 1:9.18.24.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'bin/tests/system/tsiggss')
-rw-r--r-- | bin/tests/system/tsiggss/prereq.sh | 6 | ||||
-rw-r--r-- | bin/tests/system/tsiggss/setup.sh | 2 | ||||
-rw-r--r-- | bin/tests/system/tsiggss/tests.sh | 145 |
3 files changed, 77 insertions, 76 deletions
diff --git a/bin/tests/system/tsiggss/prereq.sh b/bin/tests/system/tsiggss/prereq.sh index 0f8e2d6..1abaf8e 100644 --- a/bin/tests/system/tsiggss/prereq.sh +++ b/bin/tests/system/tsiggss/prereq.sh @@ -14,9 +14,9 @@ . ../conf.sh # enable the tsiggss test only if gssapi was enabled -$FEATURETEST --gssapi || { - echo_i "gssapi and krb5 not supported - skipping tsiggss test" - exit 255 +$FEATURETEST --gssapi || { + echo_i "gssapi and krb5 not supported - skipping tsiggss test" + exit 255 } exit 0 diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh index 37b80fd..0353cb5 100644 --- a/bin/tests/system/tsiggss/setup.sh +++ b/bin/tests/system/tsiggss/setup.sh @@ -18,4 +18,4 @@ $SHELL clean.sh copy_setports ns1/named.conf.in ns1/named.conf key=$($KEYGEN -Cq -K ns1 -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n HOST -T KEY key.example.nil.) -cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db +cat ns1/example.nil.db.in ns1/${key}.key >ns1/example.nil.db diff --git a/bin/tests/system/tsiggss/tests.sh b/bin/tests/system/tsiggss/tests.sh index 97cc7bb..c37f32e 100644 --- a/bin/tests/system/tsiggss/tests.sh +++ b/bin/tests/system/tsiggss/tests.sh 
@@ -22,50 +22,49 @@ n=1 DIGOPTS="@10.53.0.1 -p ${PORT}" -test_update () { - num="$1" - host="$2" - type="$3" - cmd="$4" - digout="$5" - - cat <<EOF > ns1/update.txt +test_update() { + num="$1" + host="$2" + type="$3" + cmd="$4" + digout="$5" + + cat <<EOF >ns1/update.txt server 10.53.0.1 ${PORT} update add $host $cmd send answer EOF - echo_i "testing update for $host $type $cmd" - $NSUPDATE -g -d ns1/update.txt > nsupdate.out${num} 2>&1 || { - echo_i "update failed for $host $type $cmd" - sed "s/^/I:/" nsupdate.out${num} - return 1 - } - - # Verify that TKEY response is signed. - tkeyout=$(awk '/recvmsg reply from GSS-TSIG query/,/Sending update to/' nsupdate.out${num}) - pattern="recvmsg reply from GSS-TSIG query .* opcode: QUERY, status: NOERROR, id: .* flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;.* ANY TKEY ;; ANSWER SECTION: .* 0 ANY TKEY gss-tsig\. .* ;; TSIG PSEUDOSECTION: .* 0 ANY TSIG gss-tsig\. .* NOERROR 0" - echo $tkeyout | grep "$pattern" > /dev/null || { - echo_i "bad tkey response (not tsig signed)" - return 1 - } - - # Weak verification that TKEY response is signed. - grep -q "flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" nsupdate.out${num} || { - echo_i "bad tkey response (not tsig signed)" - return 1 - } - - out=$($DIG $DIGOPTS -t $type -q $host | grep -E "^${host}") - lines=$(echo "$out" | grep "$digout" | wc -l) - [ $lines -eq 1 ] || { - echo_i "dig output incorrect for $host $type $cmd: $out" - return 1 - } - return 0 + echo_i "testing update for $host $type $cmd" + $NSUPDATE -g -d ns1/update.txt >nsupdate.out${num} 2>&1 || { + echo_i "update failed for $host $type $cmd" + sed "s/^/I:/" nsupdate.out${num} + return 1 + } + + # Verify that TKEY response is signed. 
+ tkeyout=$(awk '/recvmsg reply from GSS-TSIG query/,/Sending update to/' nsupdate.out${num}) + pattern="recvmsg reply from GSS-TSIG query .* opcode: QUERY, status: NOERROR, id: .* flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;.* ANY TKEY ;; ANSWER SECTION: .* 0 ANY TKEY gss-tsig\. .* ;; TSIG PSEUDOSECTION: .* 0 ANY TSIG gss-tsig\. .* NOERROR 0" + echo $tkeyout | grep "$pattern" >/dev/null || { + echo_i "bad tkey response (not tsig signed)" + return 1 + } + + # Weak verification that TKEY response is signed. + grep -q "flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" nsupdate.out${num} || { + echo_i "bad tkey response (not tsig signed)" + return 1 + } + + out=$($DIG $DIGOPTS -t $type -q $host | grep -E "^${host}") + lines=$(echo "$out" | grep "$digout" | wc -l) + [ $lines -eq 1 ] || { + echo_i "dig output incorrect for $host $type $cmd: $out" + return 1 + } + return 0 } - # Testing updates with good credentials. KRB5CCNAME="FILE:"$(pwd)/ns1/administrator.ccache export KRB5CCNAME 
@@ -73,24 +72,23 @@ export KRB5CCNAME echo_i "testing updates to testdc1 as administrator ($n)" ret=0 test_update $n testdc1.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing updates to testdc2 as administrator ($n)" ret=0 test_update $n testdc2.example.nil. A "86400 A 10.53.0.11" "10.53.0.11" || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing updates to denied as administrator ($n)" ret=0 -test_update $n denied.example.nil. TXT "86400 TXT helloworld" "helloworld" > /dev/null && ret=1 -n=$((n+1)) +test_update $n denied.example.nil. TXT "86400 TXT helloworld" "helloworld" >/dev/null && ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - +status=$((status + ret)) # Testing denied updates. KRB5CCNAME="FILE:"$(pwd)/ns1/testdenied.ccache 
@@ -98,44 +96,44 @@ export KRB5CCNAME echo_i "testing updates to denied (A) as a user ($n)" ret=0 -test_update $n testdenied.example.nil. A "86400 A 10.53.0.12" "10.53.0.12" > /dev/null && ret=1 -n=$((n+1)) +test_update $n testdenied.example.nil. A "86400 A 10.53.0.12" "10.53.0.12" >/dev/null && ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing updates to denied (TXT) as a user ($n)" ret=0 test_update $n testdenied.example.nil. TXT "86400 TXT helloworld" "helloworld" || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing external update policy (CNAME) ($n)" ret=0 -test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" > /dev/null && ret=1 -n=$((n+1)) +test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" >/dev/null && ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing external update policy (CNAME) with auth sock ($n)" ret=0 -$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 & +$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 >/dev/null 2>&1 & sleep 1 test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing external update policy (A) ($n)" ret=0 -test_update $n testcname.example.nil. A "86400 A 10.53.0.13" "10.53.0.13" > /dev/null && ret=1 -n=$((n+1)) +test_update $n testcname.example.nil. 
A "86400 A 10.53.0.13" "10.53.0.13" >/dev/null && ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing external policy with SIG(0) key ($n)" ret=0 -$NSUPDATE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1 +$NSUPDATE -k ns1/Kkey.example.nil.*.private <<END >/dev/null 2>&1 || ret=1 server 10.53.0.1 ${PORT} zone example.nil update add fred.example.nil 120 cname foo.bar. 
@@ -144,31 +142,34 @@ END output=$($DIG $DIGOPTS +short cname fred.example.nil.) [ -n "$output" ] || ret=1 [ $ret -eq 0 ] || echo_i "failed" -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "ensure too long realm name is fatal in non-interactive mode ($n)" ret=0 -$NSUPDATE <<END > nsupdate.out${n} 2>&1 && ret=1 +$NSUPDATE <<END >nsupdate.out${n} 2>&1 && ret=1 realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename END -grep "realm is too long" nsupdate.out${n} > /dev/null || ret=1 -grep "syntax error" nsupdate.out${n} > /dev/null || ret=1 -n=$((n+1)) +grep "realm is too long" nsupdate.out${n} >/dev/null || ret=1 +grep "syntax error" nsupdate.out${n} >/dev/null || ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "ensure too long realm name is not fatal in interactive mode ($n)" ret=0 -$NSUPDATE -i <<END > nsupdate.out${n} 2>&1 || ret=1 +$NSUPDATE -i <<END 
>nsupdate.out${n} 2>&1 || ret=1 realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename END -grep "realm is too long" nsupdate.out${n} > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } -n=$((n+1)) +grep "realm is too long" nsupdate.out${n} >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) [ $status -eq 0 ] && echo_i "tsiggss tests all OK" |