xref: /netbsd-src/external/mpl/bind/dist/bin/tests/system/tsig/tests.sh (revision 867d70fc718005c0918b8b8b2f9d7f2d52d0a0db) 
1#!/bin/sh
2
3# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
4#
5# SPDX-License-Identifier: MPL-2.0
6#
7# This Source Code Form is subject to the terms of the Mozilla Public
8# License, v. 2.0.  If a copy of the MPL was not distributed with this
9# file, you can obtain one at https://mozilla.org/MPL/2.0/.
10#
11# See the COPYRIGHT file distributed with this work for additional
12# information regarding copyright ownership.
13
14SYSTEMTESTTOP=..
15. $SYSTEMTESTTOP/conf.sh
16
17DIGOPTS="+tcp +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
18
19#
20# Shared secrets.
21#
22md5="97rnFx24Tfna4mHPfgnerA=="
23sha1="FrSt77yPTFx6hTs4i2tKLB9LmE0="
24sha224="hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA=="
25sha256="R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY="
26sha384="OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h"
27sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg=="
28
29status=0
30
31echo_i "fetching using hmac-md5 (old form)"
32ret=0
33$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
34grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
35if [ $ret -eq 1 ] ; then
36	echo_i "failed"; status=1
37fi
38
39echo_i "fetching using hmac-md5 (new form)"
40ret=0
41$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
42grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
43if [ $ret -eq 1 ] ; then
44	echo_i "failed"; status=1
45fi
46
47echo_i "fetching using hmac-sha1"
48ret=0
49$DIG $DIGOPTS example.nil. -y "hmac-sha1:sha1:$sha1" @10.53.0.1 soa > dig.out.sha1 || ret=1
50grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 > /dev/null || ret=1
51if [ $ret -eq 1 ] ; then
52	echo_i "failed"; status=1
53fi
54
55echo_i "fetching using hmac-sha224"
56ret=0
57$DIG $DIGOPTS example.nil. -y "hmac-sha224:sha224:$sha224" @10.53.0.1 soa > dig.out.sha224 || ret=1
58grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 > /dev/null || ret=1
59if [ $ret -eq 1 ] ; then
60	echo_i "failed"; status=1
61fi
62
63echo_i "fetching using hmac-sha256"
64ret=0
65$DIG $DIGOPTS example.nil. -y "hmac-sha256:sha256:$sha256" @10.53.0.1 soa > dig.out.sha256 || ret=1
66grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 > /dev/null || ret=1
67if [ $ret -eq 1 ] ; then
68	echo_i "failed"; status=1
69fi
70
71echo_i "fetching using hmac-sha384"
72ret=0
73$DIG $DIGOPTS example.nil. -y "hmac-sha384:sha384:$sha384" @10.53.0.1 soa > dig.out.sha384 || ret=1
74grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 > /dev/null || ret=1
75if [ $ret -eq 1 ] ; then
76	echo_i "failed"; status=1
77fi
78
79echo_i "fetching using hmac-sha512"
80ret=0
81$DIG $DIGOPTS example.nil. -y "hmac-sha512:sha512:$sha512" @10.53.0.1 soa > dig.out.sha512 || ret=1
82grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 > /dev/null || ret=1
83if [ $ret -eq 1 ] ; then
84	echo_i "failed"; status=1
85fi
86
87#
88#
89#	Truncated TSIG
90#
91#
92echo_i "fetching using hmac-md5 (trunc)"
93ret=0
94$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
95grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
96if [ $ret -eq 1 ] ; then
97	echo_i "failed"; status=1
98fi
99
100echo_i "fetching using hmac-sha1 (trunc)"
101ret=0
102$DIG $DIGOPTS example.nil. -y "hmac-sha1-80:sha1-trunc:$sha1" @10.53.0.1 soa > dig.out.sha1.trunc || ret=1
103grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.trunc > /dev/null || ret=1
104if [ $ret -eq 1 ] ; then
105	echo_i "failed"; status=1
106fi
107
108echo_i "fetching using hmac-sha224 (trunc)"
109ret=0
110$DIG $DIGOPTS example.nil. -y "hmac-sha224-112:sha224-trunc:$sha224" @10.53.0.1 soa > dig.out.sha224.trunc || ret=1
111grep -i "sha224-trunc.*TSIG.*NOERROR" dig.out.sha224.trunc > /dev/null || ret=1
112if [ $ret -eq 1 ] ; then
113	echo_i "failed"; status=1
114fi
115
116echo_i "fetching using hmac-sha256 (trunc)"
117ret=0
118$DIG $DIGOPTS example.nil. -y "hmac-sha256-128:sha256-trunc:$sha256" @10.53.0.1 soa > dig.out.sha256.trunc || ret=1
119grep -i "sha256-trunc.*TSIG.*NOERROR" dig.out.sha256.trunc > /dev/null || ret=1
120if [ $ret -eq 1 ] ; then
121	echo_i "failed"; status=1
122fi
123
124echo_i "fetching using hmac-sha384 (trunc)"
125ret=0
126$DIG $DIGOPTS example.nil. -y "hmac-sha384-192:sha384-trunc:$sha384" @10.53.0.1 soa > dig.out.sha384.trunc || ret=1
127grep -i "sha384-trunc.*TSIG.*NOERROR" dig.out.sha384.trunc > /dev/null || ret=1
128if [ $ret -eq 1 ] ; then
129	echo_i "failed"; status=1
130fi
131
132echo_i "fetching using hmac-sha512-256 (trunc)"
133ret=0
134$DIG $DIGOPTS example.nil. -y "hmac-sha512-256:sha512-trunc:$sha512" @10.53.0.1 soa > dig.out.sha512.trunc || ret=1
135grep -i "sha512-trunc.*TSIG.*NOERROR" dig.out.sha512.trunc > /dev/null || ret=1
136if [ $ret -eq 1 ] ; then
137	echo_i "failed"; status=1
138fi
139
140
141#
142#
143#	Check for bad truncation.
144#
145#
146echo_i "fetching using hmac-md5-80 (BADTRUNC)"
147ret=0
148$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
149grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
150if [ $ret -eq 1 ] ; then
151	echo_i "failed"; status=1
152fi
153
154echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
155ret=0
156$DIG $DIGOPTS example.nil. -y "hmac-sha1-80:sha1:$sha1" @10.53.0.1 soa > dig.out.sha1-80 || ret=1
157grep -i "sha1.*TSIG.*BADTRUNC" dig.out.sha1-80 > /dev/null || ret=1
158if [ $ret -eq 1 ] ; then
159	echo_i "failed"; status=1
160fi
161
162echo_i "fetching using hmac-sha224-112 (BADTRUNC)"
163ret=0
164$DIG $DIGOPTS example.nil. -y "hmac-sha224-112:sha224:$sha224" @10.53.0.1 soa > dig.out.sha224-112 || ret=1
165grep -i "sha224.*TSIG.*BADTRUNC" dig.out.sha224-112 > /dev/null || ret=1
166if [ $ret -eq 1 ] ; then
167	echo_i "failed"; status=1
168fi
169
170echo_i "fetching using hmac-sha256-128 (BADTRUNC)"
171ret=0
172$DIG $DIGOPTS example.nil. -y "hmac-sha256-128:sha256:$sha256" @10.53.0.1 soa > dig.out.sha256-128 || ret=1
173grep -i "sha256.*TSIG.*BADTRUNC" dig.out.sha256-128 > /dev/null || ret=1
174if [ $ret -eq 1 ] ; then
175	echo_i "failed"; status=1
176fi
177
178echo_i "fetching using hmac-sha384-192 (BADTRUNC)"
179ret=0
180$DIG $DIGOPTS example.nil. -y "hmac-sha384-192:sha384:$sha384" @10.53.0.1 soa > dig.out.sha384-192 || ret=1
181grep -i "sha384.*TSIG.*BADTRUNC" dig.out.sha384-192 > /dev/null || ret=1
182if [ $ret -eq 1 ] ; then
183	echo_i "failed"; status=1
184fi
185
186echo_i "fetching using hmac-sha512-256 (BADTRUNC)"
187ret=0
188$DIG $DIGOPTS example.nil. -y "hmac-sha512-256:sha512:$sha512" @10.53.0.1 soa > dig.out.sha512-256 || ret=1
189grep -i "sha512.*TSIG.*BADTRUNC" dig.out.sha512-256 > /dev/null || ret=1
190if [ $ret -eq 1 ] ; then
191	echo_i "failed"; status=1
192fi
193
194echo_i "attempting fetch with bad tsig algorithm"
195ret=0
196$DIG $DIGOPTS example.nil. -y "badalgo:invalid:$sha512" @10.53.0.1 soa > dig.out.badalgo 2>&1 || ret=1
197grep -i "Couldn't create key invalid: algorithm is unsupported" dig.out.badalgo > /dev/null || ret=1
198if [ $ret -eq 1 ] ; then
199	echo_i "failed"; status=1
200fi
201
202echo_i "checking both OPT and TSIG records are returned when TC=1"
203ret=0
204$DIG -p ${PORT} +ignore +bufsize=512 large.example.nil -y "hmac-sha1:sha1:$sha1" @10.53.0.1 txt > dig.out.large 2>&1 || ret=1
205grep "flags:.* tc[ ;]" dig.out.large > /dev/null || ret=1
206grep "status: NOERROR" dig.out.large > /dev/null || ret=1
207grep "EDNS:" dig.out.large > /dev/null || ret=1
208grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 > /dev/null || ret=1
209if [ $ret -eq 1 ] ; then
210	echo_i "failed"; status=1
211fi
212
213echo_i "check that dnssec-keygen won't generate TSIG keys"
214ret=0
215$KEYGEN -a hmac-sha256 -b 128 -n host example.net > keygen.out3 2>&1 && ret=1
216grep "unknown algorithm" keygen.out3 > /dev/null || ret=1
217
218echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
219ret=0
220$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null || ret=1
221$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1
222grep "status: NOERROR" dig.out.verify > /dev/null || ret=1
223if [ $ret -eq 1 ] ; then
224    echo_i "failed"; status=1
225fi
226
227if "$PERL" -e 'use Net::DNS; use Net::DNS::Packet;' > /dev/null 2>&1
228then
229  echo_i "check that TSIG in the wrong place returns FORMERR"
230  ret=0
231  $PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t udp -d < badlocation > packet.out
232  grep "rcode  = FORMERR" packet.out > /dev/null || ret=1
233  if [ $ret -eq 1 ] ; then
234    echo_i "failed"; status=1
235  fi
236fi
237
238echo_i "check that a malformed truncated response to a TSIG query is handled"
239ret=0
240$DIG -p $PORT @10.53.0.1 bad-tsig > dig.out.bad-tsig || ret=1
241grep "status: SERVFAIL" dig.out.bad-tsig > /dev/null || ret=1
242if [ $ret -eq 1 ] ; then
243    echo_i "failed"; status=1
244fi
245
246echo_i "exit status: $status"
247[ $status -eq 0 ] || exit 1
248