Diffstat (limited to 'bin/tests/system/tsig')
-rw-r--r--bin/tests/system/tsig/ans2/ans.pl52
-rw-r--r--bin/tests/system/tsig/badlocation37
-rw-r--r--bin/tests/system/tsig/badtime37
-rw-r--r--bin/tests/system/tsig/clean.sh26
-rw-r--r--bin/tests/system/tsig/ns1/example.db163
-rw-r--r--bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.key1
-rw-r--r--bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.private7
-rw-r--r--bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.key1
-rw-r--r--bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.private7
-rw-r--r--bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.key1
-rw-r--r--bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.private7
-rw-r--r--bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.key1
-rw-r--r--bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.private7
-rw-r--r--bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.key1
-rw-r--r--bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.private7
-rw-r--r--bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.key1
-rw-r--r--bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.private7
-rw-r--r--bin/tests/system/tsig/ns1/named.conf.in120
-rw-r--r--bin/tests/system/tsig/setup.sh39
-rw-r--r--bin/tests/system/tsig/tests.sh322
-rw-r--r--bin/tests/system/tsig/tests_sh_tsig.py14
21 files changed, 858 insertions, 0 deletions
diff --git a/bin/tests/system/tsig/ans2/ans.pl b/bin/tests/system/tsig/ans2/ans.pl
new file mode 100644
index 0000000..09ab29b
--- /dev/null
+++ b/bin/tests/system/tsig/ans2/ans.pl
@@ -0,0 +1,52 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# An adhoc server that returns a TC=1 response with the final byte
+# removed to generate UNEXPECTEDEND form dns_message_parse.
+#
+
+use IO::File;
+use IO::Socket;
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+printf "localport %u\n", $localport;
+
+my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.2",
+ LocalPort => $localport, Proto => "udp") or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+sub arraystring {
+ my $string = join("", @_);
+ return $string;
+}
+
+for (;;) {
+ $from = $sock->recv($buf, 512);
+ ($port, $ip_address) = unpack_sockaddr_in($from);
+ $l = length($buf);
+ printf "received %u bytes from %s#%u\n", $l, inet_ntoa($ip_address), $port;
+ @up = unpack("C[$l]", $buf);
+ $up[2] |= 0x80; # QR
+ $up[2] |= 0x02; # TC
+ $up[3] |= 0x80; # RA
+ $l -= 1; # truncate the response 1 byte
+ $replydata = pack("C[$l]", @up);
+ printf "sent %u bytes\n", $sock->send($replydata);
+}
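Review bot: The script has no `use strict; use warnings;`, so `$from`, `$buf`, `$port`, `$ip_address`, `$l`, `@up` and `$replydata` in the receive loop are undeclared package globals and an unset PORT goes unnoticed. `$sock->recv` returns undef on error, and `unpack_sockaddr_in($from)` on the following line would then die and take the responder down instead of waiting for the next datagram; `next unless defined $from;` after the recv, plus `next if $l == 0;` before `$l -= 1;` (a zero-length datagram would otherwise hand pack a negative repeat count), keeps the loop alive. `new IO::File "ans.pid", "w"` is indirect object syntax; `IO::File->new("ans.pid", "w")` matches the arrow form already used for `IO::Socket::INET->new`. The header comment reads "form dns_message_parse" where "from" is meant.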
diff --git a/bin/tests/system/tsig/badlocation b/bin/tests/system/tsig/badlocation
new file mode 100644
index 0000000..4477423
--- /dev/null
+++ b/bin/tests/system/tsig/badlocation
@@ -0,0 +1,37 @@
+# Transaction ID
+1122
+# Standard query
+0000
+# Questions: 1, Additional: 1
+0001 0000 0001 0000
+# QNAME: isc.org
+03 69 73 63 03 6F 72 67 00
+# Type: A (Host Address)
+0001
+# Class: IN
+0001
+# Specially crafted TSIG Resource Record
+# Name: "sha256"
+06 73 68 61 32 35 36 00
+# Type: TSIG (Transaction Signature)
+00fa
+# Class: ANY
+00ff
+# TTL: 0
+00000000
+# RdLen: 29
+001d
+# Algorithm Name: hmac-sha256
+0b 68 6D 61 63 2D 73 68 61 32 35 36 00
+# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
+00 00 00 00 00 00
+# Fudge: 300
+012c
+# MAC Size: 0; MAC: empty
+0000
+# Original ID: 0
+0000
+# Error: no error
+0000
+# Other Data Length: 0
+0000
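Review bot: The section-count comment is misleading for this fixture: the header words are `0001 0000 0001 0000`, i.e. QDCOUNT=1, ANCOUNT=0, NSCOUNT=1, ARCOUNT=0, so the TSIG RR lands in the authority section, not the additional section as `# Questions: 1, Additional: 1` states. Since that misplacement is the whole point of the "TSIG in the wrong place returns FORMERR" check, the comment should say so, e.g. `# Questions: 1, Authority: 1 (TSIG deliberately placed outside the additional section)`. The sibling `badtime` file keeps the same comment with ARCOUNT=1, where it is accurate.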
diff --git a/bin/tests/system/tsig/badtime b/bin/tests/system/tsig/badtime
new file mode 100644
index 0000000..7926404
--- /dev/null
+++ b/bin/tests/system/tsig/badtime
@@ -0,0 +1,37 @@
+# Transaction ID
+1122
+# Standard query
+0000
+# Questions: 1, Additional: 1
+0001 0000 0000 0001
+# QNAME: isc.org
+03 69 73 63 03 6F 72 67 00
+# Type: A (Host Address)
+0001
+# Class: IN
+0001
+# Specially crafted TSIG Resource Record
+# Name: "sha256"
+06 73 68 61 32 35 36 00
+# Type: TSIG (Transaction Signature)
+00fa
+# Class: ANY
+00ff
+# TTL: 0
+00000000
+# RdLen: 29
+001d
+# Algorithm Name: hmac-sha256
+0b 68 6D 61 63 2D 73 68 61 32 35 36 00
+# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
+00 00 00 00 00 00
+# Fudge: 300
+012c
+# MAC Size: 0; MAC: empty
+0000
+# Original ID: 0
+0000
+# Error: BADSIG
+0010
+# Other Data Length: 0
+0000
diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh
new file mode 100644
index 0000000..b173ffe
--- /dev/null
+++ b/bin/tests/system/tsig/clean.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after tsig tests.
+#
+
+rm -f dig.out.*
+rm -f */named.memstats
+rm -f */named.conf
+rm -f */named.run
+rm -f ns*/named.lock
+rm -f Kexample.net.*
+rm -f keygen.out?
+rm -f ns*/managed-keys.bind*
+rm -f packet.out
diff --git a/bin/tests/system/tsig/ns1/example.db b/bin/tests/system/tsig/ns1/example.db
new file mode 100644
index 0000000..7854613
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/example.db
@@ -0,0 +1,163 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+example.nil IN SOA ns1.example.nil. hostmaster.example.nil. (
+ 1 ; serial
+ 2000 ; refresh (2000 seconds)
+ 2000 ; retry (2000 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+example.nil. NS ns1.example.nil.
+ns1.example.nil. A 10.53.0.1
+example.nil. NS ns2.example.nil.
+ns2.example.nil. A 10.53.0.2
+
+$ORIGIN example.nil.
+* MX 10 mail
+a TXT "foo foo foo"
+ PTR foo.net.
+$TTL 3600 ; 1 hour
+a01 A 0.0.0.0
+a02 A 255.255.255.255
+a601 AAAA ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+afsdb01 AFSDB 0 hostname
+afsdb02 AFSDB 65535 .
+$TTL 300 ; 5 minutes
+b CNAME foo.net.
+c A 73.80.65.49
+$TTL 3600 ; 1 hour
+cert01 CERT 65534 65535 PRIVATEOID (
+ MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+ WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+ d80jEeC8aTrO+KKmCaY= )
+cname01 CNAME cname-target.
+cname02 CNAME cname-target
+cname03 CNAME .
+$TTL 300 ; 5 minutes
+d A 73.80.65.49
+$TTL 3600 ; 1 hour
+dname01 DNAME dname-target.
+dname02 DNAME dname-target
+dname03 DNAME .
+$TTL 300 ; 5 minutes
+e MX 10 mail
+ TXT "one"
+ TXT "three"
+ TXT "two"
+ A 73.80.65.49
+ A 73.80.65.50
+ A 73.80.65.52
+ A 73.80.65.51
+f A 73.80.65.52
+$TTL 3600 ; 1 hour
+gpos01 GPOS "-22.6882" "116.8652" "250.0"
+gpos02 GPOS "" "" ""
+hinfo01 HINFO "Generic PC clone" "NetBSD-1.4"
+hinfo02 HINFO "PC" "NetBSD"
+isdn01 ISDN "isdn-address"
+isdn02 ISDN "isdn-address" "subaddress"
+isdn03 ISDN "isdn-address"
+isdn04 ISDN "isdn-address" "subaddress"
+key01 KEY 512 255 1 (
+ AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR
+ yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3
+ GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o
+ jqf0BaqHT+8= )
+kx01 KX 10 kdc
+kx02 KX 10 .
+loc01 LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02 LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+mb01 MG madname
+mb02 MG .
+mg01 MG mgmname
+mg02 MG .
+minfo01 MINFO rmailbx emailbx
+minfo02 MINFO . .
+mr01 MR mrname
+mr02 MR .
+mx01 MX 10 mail
+mx02 MX 10 .
+naptr01 NAPTR 0 0 "" "" "" .
+naptr02 NAPTR 65535 65535 "blurgh" "blorf" ":(.*):\\1:" foo.
+nsap-ptr01 NSAP-PTR foo.
+ NSAP-PTR .
+nsap01 NSAP 0x47000580005a0000000001e133ffffff00016100
+nsap02 NSAP 0x47000580005a0000000001e133ffffff00016100
+nxt01 NXT a.secure ( NS SOA MX SIG KEY LOC NXT )
+nxt02 NXT . ( NSAP-PTR NXT )
+nxt03 NXT . ( A )
+nxt04 NXT . ( 127 )
+ptr01 PTR example.nil.
+px01 PX 65535 foo. bar.
+px02 PX 65535 . .
+rp01 RP mbox-dname txt-dname
+rp02 RP . .
+rt01 RT 0 intermediate-host
+rt02 RT 65535 .
+$TTL 300 ; 5 minutes
+s NS ns.s
+$ORIGIN s.example.nil.
+ns A 73.80.65.49
+$ORIGIN example.nil.
+$TTL 3600 ; 1 hour
+sig01 SIG NXT 1 3 3600 20000102030405 (
+ 19961211100908 2143 foo
+ MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+ WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+ d80jEeC8aTrO+KKmCaY= )
+srv01 SRV 0 0 0 .
+srv02 SRV 65535 65535 65535 old-slow-box.example.com.
+$TTL 301 ; 5 minutes 1 second
+t A 73.80.65.49
+$TTL 3600 ; 1 hour
+txt01 TXT "foo"
+txt02 TXT "foo" "bar"
+txt03 TXT "foo"
+txt04 TXT "foo" "bar"
+txt05 TXT "foo bar"
+txt06 TXT "foo bar"
+txt07 TXT "foo bar"
+txt08 TXT "foo\010bar"
+txt09 TXT "foo\010bar"
+txt10 TXT "foo bar"
+txt11 TXT "\"foo\""
+txt12 TXT "\"foo\""
+$TTL 300 ; 5 minutes
+u TXT "txt-not-in-nxt"
+$ORIGIN u.example.nil.
+a A 73.80.65.49
+b A 73.80.65.49
+$ORIGIN example.nil.
+$TTL 3600 ; 1 hour
+wks01 WKS 10.0.0.1 6 ( 0 1 2 21 23 )
+wks02 WKS 10.0.0.1 17 ( 0 1 2 53 )
+wks03 WKS 10.0.0.2 6 ( 65535 )
+x2501 X25 "123456789"
+large TXT ( 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890
+ 1234567890 1234567890 1234567890 1234567890 )
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.key b/bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.key
new file mode 100644
index 0000000..37ee8ae
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.key
@@ -0,0 +1 @@
+hmac-md5-legacy. IN KEY 0 3 157 B7HCXJs0XnSPzypG5oHuGw==
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.private b/bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.private
new file mode 100644
index 0000000..8b2f435
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 157 (HMAC_MD5)
+Key: B7HCXJs0XnSPzypG5oHuGw==
+Bits: AAA=
+Created: 20230619071002
+Publish: 20230619071002
+Activate: 20230619071002
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.key b/bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.key
new file mode 100644
index 0000000..bd1445d
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.key
@@ -0,0 +1 @@
+hmac-sha1-legacy. IN KEY 0 3 161 TxGx9XBp6Pp5yYAOKXdERA==
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.private b/bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.private
new file mode 100644
index 0000000..fe3d7ec
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 161 (HMAC_SHA1)
+Key: TxGx9XBp6Pp5yYAOKXdERA==
+Bits: AAA=
+Created: 20230619071031
+Publish: 20230619071031
+Activate: 20230619071031
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.key b/bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.key
new file mode 100644
index 0000000..c849be9
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.key
@@ -0,0 +1 @@
+hmac-sha224-legacy. IN KEY 0 3 162 H8Hyw718rLqToQFRLAeFWQ==
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.private b/bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.private
new file mode 100644
index 0000000..a2f31ec
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 162 (HMAC_SHA224)
+Key: H8Hyw718rLqToQFRLAeFWQ==
+Bits: AAA=
+Created: 20230619071136
+Publish: 20230619071136
+Activate: 20230619071136
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.key b/bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.key
new file mode 100644
index 0000000..1bbb6f0
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.key
@@ -0,0 +1 @@
+hmac-sha256-legacy. IN KEY 0 3 163 fdT9hiPov4ThMEfRv1FNmA==
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.private b/bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.private
new file mode 100644
index 0000000..0b209c6
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 163 (HMAC_SHA256)
+Key: fdT9hiPov4ThMEfRv1FNmA==
+Bits: AAA=
+Created: 20230619071043
+Publish: 20230619071043
+Activate: 20230619071043
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.key b/bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.key
new file mode 100644
index 0000000..46fae39
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.key
@@ -0,0 +1 @@
+hmac-sha384-legacy. IN KEY 0 3 164 fnshFIjQTLFap6+j2JGBkA==
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.private b/bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.private
new file mode 100644
index 0000000..be5aa12
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 164 (HMAC_SHA384)
+Key: fnshFIjQTLFap6+j2JGBkA==
+Bits: AAA=
+Created: 20230619071109
+Publish: 20230619071109
+Activate: 20230619071109
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.key b/bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.key
new file mode 100644
index 0000000..0defc84
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.key
@@ -0,0 +1 @@
+hmac-sha512-legacy. IN KEY 0 3 165 BZwNLICp2tj4hi6gil41eg==
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.private b/bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.private
new file mode 100644
index 0000000..21268e5
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 165 (HMAC_SHA512)
+Key: BZwNLICp2tj4hi6gil41eg==
+Bits: AAA=
+Created: 20230619071124
+Publish: 20230619071124
+Activate: 20230619071124
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
new file mode 100644
index 0000000..de16ccf
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/named.conf.in
@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+};
+
+# md5 key appended by setup.sh at the end
+
+key "sha1" {
+ secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+ algorithm hmac-sha1;
+};
+
+key "sha224" {
+ secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
+ algorithm hmac-sha224;
+};
+
+key "sha256" {
+ secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
+ algorithm hmac-sha256;
+};
+
+key "sha384" {
+ secret "OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h";
+ algorithm hmac-sha384;
+};
+
+key "sha512" {
+ secret "jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg==";
+ algorithm hmac-sha512;
+};
+
+# hmac-md5-legacy key appended by setup.sh at the end
+
+key "hmac-sha1-legacy" {
+ algorithm "hmac-sha1";
+ secret "TxGx9XBp6Pp5yYAOKXdERA==";
+};
+
+key "hmac-sha224-legacy" {
+ algorithm "hmac-sha224";
+ secret "H8Hyw718rLqToQFRLAeFWQ==";
+};
+
+key "hmac-sha256-legacy" {
+ algorithm "hmac-sha256";
+ secret "fdT9hiPov4ThMEfRv1FNmA==";
+};
+
+key "hmac-sha384-legacy" {
+ algorithm "hmac-sha384";
+ secret "fnshFIjQTLFap6+j2JGBkA==";
+};
+
+key "hmac-sha512-legacy" {
+ algorithm "hmac-sha512";
+ secret "BZwNLICp2tj4hi6gil41eg==";
+};
+
+# md5-trunc key appended by setup.sh at the end
+
+key "sha1-trunc" {
+ secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+ algorithm hmac-sha1-80;
+};
+
+key "sha224-trunc" {
+ secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
+ algorithm hmac-sha224-112;
+};
+
+key "sha256-trunc" {
+ secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
+ algorithm hmac-sha256-128;
+};
+
+key "sha384-trunc" {
+ secret "OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h";
+ algorithm hmac-sha384-192;
+};
+
+key "sha512-trunc" {
+ secret "jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg==";
+ algorithm hmac-sha512-256;
+};
+
+zone "example.nil" {
+ type primary;
+ file "example.db";
+};
+
+server 10.53.0.2 {
+ keys sha256;
+};
+
+zone "bad-tsig" {
+ type forward;
+ forwarders { 10.53.0.2; };
+ forward only;
+};
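Review bot: The key blocks are written in two different styles: the `*-legacy` keys quote the algorithm and put it before the secret (`algorithm "hmac-sha1";`), while every other key uses the bare form after the secret (`algorithm hmac-sha1;`); both parse, but one convention throughout would make the three groups (plain, legacy, truncated) easier to compare. The `zone "bad-tsig"` forward zone and the `server 10.53.0.2 { keys sha256; }` block carry no comment; a one-line note that this zone appears to exist only so queries are forwarded, TSIG-signed, to the ans.pl responder on 10.53.0.2 (which returns truncated, malformed replies) would explain why `recursion yes` is enabled on an otherwise authoritative test server — confirm that is the intent.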
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
new file mode 100644
index 0000000..d8dbbe3
--- /dev/null
+++ b/bin/tests/system/tsig/setup.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+
+if $FEATURETEST --md5
+then
+ cat >> ns1/named.conf << EOF
+# Conditionally included when support for MD5 is available
+key "md5" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5;
+};
+
+key "hmac-md5-legacy" {
+ algorithm "hmac-md5";
+ secret "B7HCXJs0XnSPzypG5oHuGw==";
+};
+
+key "md5-trunc" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5-80;
+};
+EOF
+fi
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
new file mode 100644
index 0000000..68c5b6d
--- /dev/null
+++ b/bin/tests/system/tsig/tests.sh
@@ -0,0 +1,322 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+. ../conf.sh
+
+DIGOPTS="+tcp +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
+
+#
+# Shared secrets.
+#
+md5="97rnFx24Tfna4mHPfgnerA=="
+sha1="FrSt77yPTFx6hTs4i2tKLB9LmE0="
+sha224="hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA=="
+sha256="R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY="
+sha384="OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h"
+sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg=="
+
+status=0
+
+if $FEATURETEST --md5
+then
+ echo_i "fetching using hmac-md5 (old form)"
+ ret=0
+ $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
+
+ echo_i "fetching using hmac-md5 (new form)"
+ ret=0
+ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
+else
+ echo_i "skipping using hmac-md5"
+fi
+
+echo_i "fetching using hmac-sha1"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha1:sha1:$sha1" @10.53.0.1 soa > dig.out.sha1 || ret=1
+grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha224"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha224:sha224:$sha224" @10.53.0.1 soa > dig.out.sha224 || ret=1
+grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha256"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha256:sha256:$sha256" @10.53.0.1 soa > dig.out.sha256 || ret=1
+grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha384"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha384:sha384:$sha384" @10.53.0.1 soa > dig.out.sha384 || ret=1
+grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha512"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha512:sha512:$sha512" @10.53.0.1 soa > dig.out.sha512 || ret=1
+grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+#
+#
+# Truncated TSIG
+#
+#
+if $FEATURETEST --md5
+then
+ echo_i "fetching using hmac-md5 (trunc)"
+ ret=0
+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
+ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
+else
+ echo_i "skipping using hmac-md5 (trunc)"
+fi
+
+echo_i "fetching using hmac-sha1 (trunc)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha1-80:sha1-trunc:$sha1" @10.53.0.1 soa > dig.out.sha1.trunc || ret=1
+grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.trunc > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha224 (trunc)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha224-112:sha224-trunc:$sha224" @10.53.0.1 soa > dig.out.sha224.trunc || ret=1
+grep -i "sha224-trunc.*TSIG.*NOERROR" dig.out.sha224.trunc > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha256 (trunc)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha256-128:sha256-trunc:$sha256" @10.53.0.1 soa > dig.out.sha256.trunc || ret=1
+grep -i "sha256-trunc.*TSIG.*NOERROR" dig.out.sha256.trunc > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha384 (trunc)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha384-192:sha384-trunc:$sha384" @10.53.0.1 soa > dig.out.sha384.trunc || ret=1
+grep -i "sha384-trunc.*TSIG.*NOERROR" dig.out.sha384.trunc > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha512-256 (trunc)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha512-256:sha512-trunc:$sha512" @10.53.0.1 soa > dig.out.sha512.trunc || ret=1
+grep -i "sha512-trunc.*TSIG.*NOERROR" dig.out.sha512.trunc > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+
+#
+#
+# Check for bad truncation.
+#
+#
+if $FEATURETEST --md5
+then
+ echo_i "fetching using hmac-md5-80 (BADTRUNC)"
+ ret=0
+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
+ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
+else
+ echo_i "skipping using hmac-md5-80 (BADTRUNC)"
+fi
+
+echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha1-80:sha1:$sha1" @10.53.0.1 soa > dig.out.sha1-80 || ret=1
+grep -i "sha1.*TSIG.*BADTRUNC" dig.out.sha1-80 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha224-112 (BADTRUNC)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha224-112:sha224:$sha224" @10.53.0.1 soa > dig.out.sha224-112 || ret=1
+grep -i "sha224.*TSIG.*BADTRUNC" dig.out.sha224-112 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha256-128 (BADTRUNC)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha256-128:sha256:$sha256" @10.53.0.1 soa > dig.out.sha256-128 || ret=1
+grep -i "sha256.*TSIG.*BADTRUNC" dig.out.sha256-128 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha384-192 (BADTRUNC)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha384-192:sha384:$sha384" @10.53.0.1 soa > dig.out.sha384-192 || ret=1
+grep -i "sha384.*TSIG.*BADTRUNC" dig.out.sha384-192 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha512-256 (BADTRUNC)"
+ret=0
+$DIG $DIGOPTS example.nil. -y "hmac-sha512-256:sha512:$sha512" @10.53.0.1 soa > dig.out.sha512-256 || ret=1
+grep -i "sha512.*TSIG.*BADTRUNC" dig.out.sha512-256 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "attempting fetch with bad tsig algorithm"
+ret=0
+$DIG $DIGOPTS example.nil. -y "badalgo:invalid:$sha512" @10.53.0.1 soa > dig.out.badalgo 2>&1 || ret=1
+grep -i "Couldn't create key invalid: algorithm is unsupported" dig.out.badalgo > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "checking both OPT and TSIG records are returned when TC=1"
+ret=0
+$DIG -p ${PORT} +ignore +bufsize=512 large.example.nil -y "hmac-sha1:sha1:$sha1" @10.53.0.1 txt > dig.out.large 2>&1 || ret=1
+grep "flags:.* tc[ ;]" dig.out.large > /dev/null || ret=1
+grep "status: NOERROR" dig.out.large > /dev/null || ret=1
+grep "EDNS:" dig.out.large > /dev/null || ret=1
+grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "check that dnssec-keygen won't generate TSIG keys"
+ret=0
+$KEYGEN -a hmac-sha256 -b 128 -n host example.net > keygen.out3 2>&1 && ret=1
+grep "unknown algorithm" keygen.out3 > /dev/null || ret=1
+
+echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
+ret=0
+$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null || ret=1
+$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1
+grep "status: NOERROR" dig.out.verify > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+if "$PERL" -e 'use Net::DNS; use Net::DNS::Packet;' > /dev/null 2>&1
+then
+ echo_i "check that TSIG in the wrong place returns FORMERR"
+ ret=0
+ $PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t udp -d < badlocation > packet.out
+ grep "rcode = FORMERR" packet.out > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
+fi
+
+echo_i "check that a malformed truncated response to a TSIG query is handled"
+ret=0
+$DIG -p $PORT @10.53.0.1 bad-tsig > dig.out.bad-tsig || ret=1
+grep "status: SERVFAIL" dig.out.bad-tsig > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+if $FEATURETEST --md5
+then
+ echo_i "fetching using hmac-md5 (legacy)"
+ ret=0
+ $DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-md5-legacy.+*.key @10.53.0.1 soa > dig.out.md5.legacy 2>&1 || ret=1
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.legacy > /dev/null || ret=1
+ grep "Use of K\* file pairs for HMAC is deprecated" dig.out.md5.legacy > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
+else
+ echo_i "skipping using hmac-md5"
+fi
+
+echo_i "fetching using hmac-sha1 (legacy)"
+ret=0
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha1-legacy.+*.key @10.53.0.1 soa > dig.out.sha1.legacy 2>&1 || ret=1
+grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.legacy > /dev/null || ret=1
+grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha1.legacy > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha224 (legacy)"
+ret=0
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha224-legacy.+*.key @10.53.0.1 soa > dig.out.sha224 2>&1 || ret=1
+grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 > /dev/null || ret=1
+grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha224 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha256 (legacy)"
+ret=0
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha256-legacy.*.key @10.53.0.1 soa > dig.out.sha256 2>&1 || ret=1
+grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 > /dev/null || ret=1
+grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha256 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha384 (legacy)"
+ret=0
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha384-legacy.*.key @10.53.0.1 soa > dig.out.sha384 2>&1 || ret=1
+grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 > /dev/null || ret=1
+grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha384 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha512 (legacy)"
+ret=0
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha512-legacy.*.key @10.53.0.1 soa > dig.out.sha512 2>&1 || ret=1
+grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha512 > /dev/null || ret=1
+grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
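Review bot: The TC=1 check greps the wrong file: `grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 > /dev/null || ret=1` re-reads the earlier plain hmac-sha1 output instead of the truncated response, so a missing TSIG on the TC=1 reply is never detected; it should be `grep -i "sha1.*TSIG.*NOERROR" dig.out.large > /dev/null || ret=1`. The dnssec-keygen check that follows sets `ret` but has no `if [ $ret -eq 1 ]` / `echo_i "failed"; status=1` block, so its result is discarded when the next test resets `ret=0`; add the same three-line failure block the other checks use. The sha224/sha256/sha384/sha512 legacy checks write to `dig.out.sha224` and friends, clobbering the earlier non-legacy outputs, whereas md5 and sha1 use a `.legacy` suffix. The `packet.pl` invocation in the FORMERR check lacks `|| ret=1`, so under `set -e` a failure there aborts the whole script rather than being reported as a failed test, and the md5 legacy skip message duplicates the earlier "skipping using hmac-md5" text.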
diff --git a/bin/tests/system/tsig/tests_sh_tsig.py b/bin/tests/system/tsig/tests_sh_tsig.py
new file mode 100644
index 0000000..b421852
--- /dev/null
+++ b/bin/tests/system/tsig/tests_sh_tsig.py
@@ -0,0 +1,14 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_tsig(run_tests_sh):
+ run_tests_sh()