# and other values? right out
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
#include <string.h>
#include <unistd.h>
+#include <isc/md.h>
#include <isc/net.h>
#include <isc/print.h>
#include <isc/util.h>
fprintf(stderr, "\t--have-json-c\n");
fprintf(stderr, "\t--have-libxml2\n");
fprintf(stderr, "\t--ipv6only=no\n");
+ fprintf(stderr, "\t--md5\n");
fprintf(stderr, "\t--tsan\n");
fprintf(stderr, "\t--with-dlz-filesystem\n");
fprintf(stderr, "\t--with-libidn2\n");
#endif
}
+ if (strcmp(argv[1], "--md5") == 0) {
+ unsigned char digest[ISC_MAX_MD_SIZE];
+ const unsigned char test[] = "test";
+ unsigned int size = sizeof(digest);
+
+ if (isc_md(ISC_MD_MD5, test, sizeof(test), digest, &size) ==
+ ISC_R_SUCCESS)
+ {
+ return (0);
+ } else {
+ return (1);
+ }
+ }
+
if (strcmp(argv[1], "--ipv6only=no") == 0) {
#if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
int s;
$TSIGKEYGEN ddns-key.example.nil > ns1/ddns.key
-$TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key
+if $FEATURETEST --md5; then
+ $TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key
+else
+ echo -n > ns1/md5.key
+fi
$TSIGKEYGEN -a hmac-sha1 sha1-key > ns1/sha1.key
$TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key
$TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key
n=$((n + 1))
ret=0
echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+if $FEATURETEST --md5
+then
+ ALGS="md5 sha1 sha224 sha256 sha384 sha512"
+else
+ ALGS="sha1 sha224 sha256 sha384 sha512"
+ echo_i "skipping disabled md5 algorithm"
+fi
+for alg in $ALGS; do
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
server 10.53.0.1 ${PORT}
update add ${alg}.keytests.nil. 600 A 10.10.10.3
END
done
sleep 2
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+for alg in $ALGS; do
$DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
done
if [ $ret -ne 0 ]; then
sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
}
-make_key 1 ${EXTRAPORT1} hmac-md5
+$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
make_key 2 ${EXTRAPORT2} hmac-sha1
make_key 3 ${EXTRAPORT3} hmac-sha224
make_key 4 ${EXTRAPORT4} hmac-sha256
status=$((status+ret))
n=$((n+1))
-echo_i "testing rndc with hmac-md5 ($n)"
-ret=0
-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
-for i in 2 3 4 5 6
-do
- $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
-done
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if $FEATURETEST --md5; then
+ echo_i "testing rndc with hmac-md5 ($n)"
+ ret=0
+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
+ for i in 2 3 4 5 6
+ do
+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+ done
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+else
+ echo_i "skipping rndc with hmac-md5 ($n)"
+fi
n=$((n+1))
echo_i "testing rndc with hmac-sha1 ($n)"
notify no;
};
-key "md5" {
- secret "97rnFx24Tfna4mHPfgnerA==";
- algorithm hmac-md5;
-};
+# md5 key appended by setup.sh at the end
key "sha1" {
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
algorithm hmac-sha512;
};
-key "md5-trunc" {
- secret "97rnFx24Tfna4mHPfgnerA==";
- algorithm hmac-md5-80;
-};
+# md5-trunc key appended by setup.sh at the end
key "sha1-trunc" {
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
$SHELL clean.sh
copy_setports ns1/named.conf.in ns1/named.conf
+
+if $FEATURETEST --md5
+then
+ cat >> ns1/named.conf << EOF
+# Conditionally included when support for MD5 is available
+key "md5" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5;
+};
+
+key "md5-trunc" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5-80;
+};
+EOF
+fi
status=0
-echo_i "fetching using hmac-md5 (old form)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=1
-fi
-
-echo_i "fetching using hmac-md5 (new form)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=1
+if $FEATURETEST --md5
+then
+ echo_i "fetching using hmac-md5 (old form)"
+ ret=0
+ $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
+
+ echo_i "fetching using hmac-md5 (new form)"
+ ret=0
+ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
+else
+ echo_i "skipping using hmac-md5"
fi
echo_i "fetching using hmac-sha1"
# Truncated TSIG
#
#
-echo_i "fetching using hmac-md5 (trunc)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=1
+if $FEATURETEST --md5
+then
+ echo_i "fetching using hmac-md5 (trunc)"
+ ret=0
+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
+ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
+else
+ echo_i "skipping using hmac-md5 (trunc)"
fi
echo_i "fetching using hmac-sha1 (trunc)"
# Check for bad truncation.
#
#
-echo_i "fetching using hmac-md5-80 (BADTRUNC)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=1
+if $FEATURETEST --md5
+then
+ echo_i "fetching using hmac-md5-80 (BADTRUNC)"
+ ret=0
+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
+ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
+else
+ echo_i "skipping using hmac-md5-80 (BADTRUNC)"
fi
echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
projects / thirdparty / bind9.git / commitdiff
