xref: /netbsd-src/external/mpl/bind/dist/bin/tests/system/tsig/tests.sh (revision 345cf9fb81bd0411c53e25d62cd93bdcaa865312) 
1#!/bin/sh
2
3# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
4#
5# SPDX-License-Identifier: MPL-2.0
6#
7# This Source Code Form is subject to the terms of the Mozilla Public
8# License, v. 2.0.  If a copy of the MPL was not distributed with this
9# file, you can obtain one at https://mozilla.org/MPL/2.0/.
10#
11# See the COPYRIGHT file distributed with this work for additional
12# information regarding copyright ownership.
13
14set -e
15
16. ../conf.sh
17
18DIGOPTS="+tcp +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
19
20#
21# Shared secrets.
22#
23md5="97rnFx24Tfna4mHPfgnerA=="
24sha1="FrSt77yPTFx6hTs4i2tKLB9LmE0="
25sha224="hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA=="
26sha256="R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY="
27sha384="OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h"
28sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg=="
29
30status=0
31
32if $FEATURETEST --md5; then
33  echo_i "fetching using hmac-md5 (old form)"
34  ret=0
35  $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa >dig.out.md5.old || ret=1
36  grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old >/dev/null || ret=1
37  if [ $ret -eq 1 ]; then
38    echo_i "failed"
39    status=1
40  fi
41
42  echo_i "fetching using hmac-md5 (new form)"
43  ret=0
44  $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa >dig.out.md5.new || ret=1
45  grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new >/dev/null || ret=1
46  if [ $ret -eq 1 ]; then
47    echo_i "failed"
48    status=1
49  fi
50else
51  echo_i "skipping using hmac-md5"
52fi
53
54echo_i "fetching using hmac-sha1"
55ret=0
56$DIG $DIGOPTS example.nil. -y "hmac-sha1:sha1:$sha1" @10.53.0.1 soa >dig.out.sha1 || ret=1
57grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 >/dev/null || ret=1
58if [ $ret -eq 1 ]; then
59  echo_i "failed"
60  status=1
61fi
62
63echo_i "fetching using hmac-sha224"
64ret=0
65$DIG $DIGOPTS example.nil. -y "hmac-sha224:sha224:$sha224" @10.53.0.1 soa >dig.out.sha224 || ret=1
66grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 >/dev/null || ret=1
67if [ $ret -eq 1 ]; then
68  echo_i "failed"
69  status=1
70fi
71
72echo_i "fetching using hmac-sha256"
73ret=0
74$DIG $DIGOPTS example.nil. -y "hmac-sha256:sha256:$sha256" @10.53.0.1 soa >dig.out.sha256 || ret=1
75grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 >/dev/null || ret=1
76if [ $ret -eq 1 ]; then
77  echo_i "failed"
78  status=1
79fi
80
81echo_i "fetching using hmac-sha384"
82ret=0
83$DIG $DIGOPTS example.nil. -y "hmac-sha384:sha384:$sha384" @10.53.0.1 soa >dig.out.sha384 || ret=1
84grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 >/dev/null || ret=1
85if [ $ret -eq 1 ]; then
86  echo_i "failed"
87  status=1
88fi
89
90echo_i "fetching using hmac-sha512"
91ret=0
92$DIG $DIGOPTS example.nil. -y "hmac-sha512:sha512:$sha512" @10.53.0.1 soa >dig.out.sha512 || ret=1
93grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 >/dev/null || ret=1
94if [ $ret -eq 1 ]; then
95  echo_i "failed"
96  status=1
97fi
98
99#
100#
101#	Truncated TSIG
102#
103#
104if $FEATURETEST --md5; then
105  echo_i "fetching using hmac-md5 (trunc)"
106  ret=0
107  $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa >dig.out.md5.trunc || ret=1
108  grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc >/dev/null || ret=1
109  if [ $ret -eq 1 ]; then
110    echo_i "failed"
111    status=1
112  fi
113else
114  echo_i "skipping using hmac-md5 (trunc)"
115fi
116
117echo_i "fetching using hmac-sha1 (trunc)"
118ret=0
119$DIG $DIGOPTS example.nil. -y "hmac-sha1-80:sha1-trunc:$sha1" @10.53.0.1 soa >dig.out.sha1.trunc || ret=1
120grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.trunc >/dev/null || ret=1
121if [ $ret -eq 1 ]; then
122  echo_i "failed"
123  status=1
124fi
125
126echo_i "fetching using hmac-sha224 (trunc)"
127ret=0
128$DIG $DIGOPTS example.nil. -y "hmac-sha224-112:sha224-trunc:$sha224" @10.53.0.1 soa >dig.out.sha224.trunc || ret=1
129grep -i "sha224-trunc.*TSIG.*NOERROR" dig.out.sha224.trunc >/dev/null || ret=1
130if [ $ret -eq 1 ]; then
131  echo_i "failed"
132  status=1
133fi
134
135echo_i "fetching using hmac-sha256 (trunc)"
136ret=0
137$DIG $DIGOPTS example.nil. -y "hmac-sha256-128:sha256-trunc:$sha256" @10.53.0.1 soa >dig.out.sha256.trunc || ret=1
138grep -i "sha256-trunc.*TSIG.*NOERROR" dig.out.sha256.trunc >/dev/null || ret=1
139if [ $ret -eq 1 ]; then
140  echo_i "failed"
141  status=1
142fi
143
144echo_i "fetching using hmac-sha384 (trunc)"
145ret=0
146$DIG $DIGOPTS example.nil. -y "hmac-sha384-192:sha384-trunc:$sha384" @10.53.0.1 soa >dig.out.sha384.trunc || ret=1
147grep -i "sha384-trunc.*TSIG.*NOERROR" dig.out.sha384.trunc >/dev/null || ret=1
148if [ $ret -eq 1 ]; then
149  echo_i "failed"
150  status=1
151fi
152
153echo_i "fetching using hmac-sha512-256 (trunc)"
154ret=0
155$DIG $DIGOPTS example.nil. -y "hmac-sha512-256:sha512-trunc:$sha512" @10.53.0.1 soa >dig.out.sha512.trunc || ret=1
156grep -i "sha512-trunc.*TSIG.*NOERROR" dig.out.sha512.trunc >/dev/null || ret=1
157if [ $ret -eq 1 ]; then
158  echo_i "failed"
159  status=1
160fi
161
162#
163#
164#	Check for bad truncation.
165#
166#
167if $FEATURETEST --md5; then
168  echo_i "fetching using hmac-md5-80 (BADTRUNC)"
169  ret=0
170  $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa >dig.out.md5-80 || ret=1
171  grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 >/dev/null || ret=1
172  if [ $ret -eq 1 ]; then
173    echo_i "failed"
174    status=1
175  fi
176else
177  echo_i "skipping using hmac-md5-80 (BADTRUNC)"
178fi
179
180echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
181ret=0
182$DIG $DIGOPTS example.nil. -y "hmac-sha1-80:sha1:$sha1" @10.53.0.1 soa >dig.out.sha1-80 || ret=1
183grep -i "sha1.*TSIG.*BADTRUNC" dig.out.sha1-80 >/dev/null || ret=1
184if [ $ret -eq 1 ]; then
185  echo_i "failed"
186  status=1
187fi
188
189echo_i "fetching using hmac-sha224-112 (BADTRUNC)"
190ret=0
191$DIG $DIGOPTS example.nil. -y "hmac-sha224-112:sha224:$sha224" @10.53.0.1 soa >dig.out.sha224-112 || ret=1
192grep -i "sha224.*TSIG.*BADTRUNC" dig.out.sha224-112 >/dev/null || ret=1
193if [ $ret -eq 1 ]; then
194  echo_i "failed"
195  status=1
196fi
197
198echo_i "fetching using hmac-sha256-128 (BADTRUNC)"
199ret=0
200$DIG $DIGOPTS example.nil. -y "hmac-sha256-128:sha256:$sha256" @10.53.0.1 soa >dig.out.sha256-128 || ret=1
201grep -i "sha256.*TSIG.*BADTRUNC" dig.out.sha256-128 >/dev/null || ret=1
202if [ $ret -eq 1 ]; then
203  echo_i "failed"
204  status=1
205fi
206
207echo_i "fetching using hmac-sha384-192 (BADTRUNC)"
208ret=0
209$DIG $DIGOPTS example.nil. -y "hmac-sha384-192:sha384:$sha384" @10.53.0.1 soa >dig.out.sha384-192 || ret=1
210grep -i "sha384.*TSIG.*BADTRUNC" dig.out.sha384-192 >/dev/null || ret=1
211if [ $ret -eq 1 ]; then
212  echo_i "failed"
213  status=1
214fi
215
216echo_i "fetching using hmac-sha512-256 (BADTRUNC)"
217ret=0
218$DIG $DIGOPTS example.nil. -y "hmac-sha512-256:sha512:$sha512" @10.53.0.1 soa >dig.out.sha512-256 || ret=1
219grep -i "sha512.*TSIG.*BADTRUNC" dig.out.sha512-256 >/dev/null || ret=1
220if [ $ret -eq 1 ]; then
221  echo_i "failed"
222  status=1
223fi
224
225echo_i "attempting fetch with bad tsig algorithm"
226ret=0
227$DIG $DIGOPTS example.nil. -y "badalgo:invalid:$sha512" @10.53.0.1 soa >dig.out.badalgo 2>&1 || ret=1
228grep -i "Couldn't create key invalid: algorithm is unsupported" dig.out.badalgo >/dev/null || ret=1
229if [ $ret -eq 1 ]; then
230  echo_i "failed"
231  status=1
232fi
233
234echo_i "checking both OPT and TSIG records are returned when TC=1"
235ret=0
236$DIG -p ${PORT} +ignore +bufsize=512 large.example.nil -y "hmac-sha1:sha1:$sha1" @10.53.0.1 txt >dig.out.large 2>&1 || ret=1
237grep "flags:.* tc[ ;]" dig.out.large >/dev/null || ret=1
238grep "status: NOERROR" dig.out.large >/dev/null || ret=1
239grep "EDNS:" dig.out.large >/dev/null || ret=1
240grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 >/dev/null || ret=1
241if [ $ret -eq 1 ]; then
242  echo_i "failed"
243  status=1
244fi
245
246echo_i "check that dnssec-keygen won't generate TSIG keys"
247ret=0
248$KEYGEN -a hmac-sha256 -b 128 -n host example.net >keygen.out3 2>&1 && ret=1
249grep "unknown algorithm" keygen.out3 >/dev/null || ret=1
250
251echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
252ret=0
253$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp <badtime >/dev/null || ret=1
254$DIG -p ${PORT} @10.53.0.1 version.bind txt ch >dig.out.verify || ret=1
255grep "status: NOERROR" dig.out.verify >/dev/null || ret=1
256if [ $ret -eq 1 ]; then
257  echo_i "failed"
258  status=1
259fi
260
261if "$PERL" -e 'use Net::DNS; use Net::DNS::Packet;' >/dev/null 2>&1; then
262  echo_i "check that TSIG in the wrong place returns FORMERR"
263  ret=0
264  $PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t udp -d <badlocation >packet.out
265  grep "rcode  = FORMERR" packet.out >/dev/null || ret=1
266  if [ $ret -eq 1 ]; then
267    echo_i "failed"
268    status=1
269  fi
270fi
271
272echo_i "check that a malformed truncated response to a TSIG query is handled"
273ret=0
274$DIG -p $PORT @10.53.0.1 bad-tsig >dig.out.bad-tsig || ret=1
275grep "status: SERVFAIL" dig.out.bad-tsig >/dev/null || ret=1
276if [ $ret -eq 1 ]; then
277  echo_i "failed"
278  status=1
279fi
280
281if $FEATURETEST --md5; then
282  echo_i "fetching using hmac-md5 (legacy)"
283  ret=0
284  $DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-md5-legacy.+*.key @10.53.0.1 soa >dig.out.md5.legacy 2>&1 || ret=1
285  grep -i "md5.*TSIG.*NOERROR" dig.out.md5.legacy >/dev/null || ret=1
286  grep "Use of K\* file pairs for HMAC is deprecated" dig.out.md5.legacy >/dev/null || ret=1
287  if [ $ret -eq 1 ]; then
288    echo_i "failed"
289    status=1
290  fi
291else
292  echo_i "skipping using hmac-md5"
293fi
294
295echo_i "fetching using hmac-sha1 (legacy)"
296ret=0
297$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha1-legacy.+*.key @10.53.0.1 soa >dig.out.sha1.legacy 2>&1 || ret=1
298grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.legacy >/dev/null || ret=1
299grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha1.legacy >/dev/null || ret=1
300if [ $ret -eq 1 ]; then
301  echo_i "failed"
302  status=1
303fi
304
305echo_i "fetching using hmac-sha224 (legacy)"
306ret=0
307$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha224-legacy.+*.key @10.53.0.1 soa >dig.out.sha224 2>&1 || ret=1
308grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 >/dev/null || ret=1
309grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha224 >/dev/null || ret=1
310if [ $ret -eq 1 ]; then
311  echo_i "failed"
312  status=1
313fi
314
315echo_i "fetching using hmac-sha256 (legacy)"
316ret=0
317$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha256-legacy.*.key @10.53.0.1 soa >dig.out.sha256 2>&1 || ret=1
318grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 >/dev/null || ret=1
319grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha256 >/dev/null || ret=1
320if [ $ret -eq 1 ]; then
321  echo_i "failed"
322  status=1
323fi
324
325echo_i "fetching using hmac-sha384 (legacy)"
326ret=0
327$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha384-legacy.*.key @10.53.0.1 soa >dig.out.sha384 2>&1 || ret=1
328grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 >/dev/null || ret=1
329grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha384 >/dev/null || ret=1
330if [ $ret -eq 1 ]; then
331  echo_i "failed"
332  status=1
333fi
334
335echo_i "fetching using hmac-sha512 (legacy)"
336ret=0
337$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha512-legacy.*.key @10.53.0.1 soa >dig.out.sha512 2>&1 || ret=1
338grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha512 >/dev/null || ret=1
339grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 >/dev/null || ret=1
340if [ $ret -eq 1 ]; then
341  echo_i "failed"
342  status=1
343fi
344
345echo_i "exit status: $status"
346[ $status -eq 0 ] || exit 1
347