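#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# TSIG system test: signed SOA queries with every supported HMAC
# algorithm, truncated MACs (RFC 4635 style), rejection of MAC lengths
# that do not match the configured key (BADTRUNC), an unknown algorithm
# name, and a few malformed-packet cases.  The test name server is
# expected on 10.53.0.1 port $PORT.  DIG, KEYGEN, PERL, PORT and echo_i
# are provided by conf.sh.  Every check records a failure in $status and
# keeps going; the exit status at the end summarises the whole run.

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

# DIGOPTS is deliberately left unquoted where used so it word-splits
# into individual dig options.
DIGOPTS="+tcp +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"

#
# Shared secrets.
#
# Test-only fixtures: each secret must match the key of the same name
# configured on the test server, otherwise every signed query below is
# rejected before its real check is reached.
#
md5="97rnFx24Tfna4mHPfgnerA=="
sha1="FrSt77yPTFx6hTs4i2tKLB9LmE0="
sha224="hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA=="
sha256="R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY="
sha384="OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h"
sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg=="

status=0

#######################################
# Send one TSIG-signed SOA query for example.nil. to the test server and
# check that the dig output matches the expected pattern.
# Globals:   DIG, DIGOPTS (read); ret, status (written)
# Arguments: $1 - label printed after "fetching using"
#            $2 - dig -y key specification ([hmac-alg:]keyname:secret)
#            $3 - file the dig output is saved to (kept for post-mortem)
#            $4 - grep -i pattern the output must contain, e.g.
#                 "<keyname>.*TSIG.*NOERROR" or "<keyname>.*TSIG.*BADTRUNC"
# Returns:   always 0; a failure is reported via echo_i and status=1
#######################################
tsig_fetch() {
	echo_i "fetching using $1"
	ret=0
	$DIG $DIGOPTS example.nil. -y "$2" @10.53.0.1 soa > "$3" || ret=1
	grep -i "$4" "$3" > /dev/null || ret=1
	if [ $ret -eq 1 ] ; then
		echo_i "failed"; status=1
	fi
}

#
# Full-length MACs.  The first case uses the legacy "name:secret" form of
# -y, which dig treats as hmac-md5.
#
tsig_fetch "hmac-md5 (old form)" "md5:$md5" dig.out.md5.old "md5.*TSIG.*NOERROR"
tsig_fetch "hmac-md5 (new form)" "hmac-md5:md5:$md5" dig.out.md5.new "md5.*TSIG.*NOERROR"
tsig_fetch "hmac-sha1" "hmac-sha1:sha1:$sha1" dig.out.sha1 "sha1.*TSIG.*NOERROR"
tsig_fetch "hmac-sha224" "hmac-sha224:sha224:$sha224" dig.out.sha224 "sha224.*TSIG.*NOERROR"
tsig_fetch "hmac-sha256" "hmac-sha256:sha256:$sha256" dig.out.sha256 "sha256.*TSIG.*NOERROR"
tsig_fetch "hmac-sha384" "hmac-sha384:sha384:$sha384" dig.out.sha384 "sha384.*TSIG.*NOERROR"
tsig_fetch "hmac-sha512" "hmac-sha512:sha512:$sha512" dig.out.sha512 "sha512.*TSIG.*NOERROR"

#
#
# Truncated TSIG
#
# The "*-trunc" keys are signed with a shortened MAC (the suffix on the
# algorithm name is the MAC length in bits) and must still be accepted.
#
tsig_fetch "hmac-md5 (trunc)" "hmac-md5-80:md5-trunc:$md5" dig.out.md5.trunc "md5-trunc.*TSIG.*NOERROR"
tsig_fetch "hmac-sha1 (trunc)" "hmac-sha1-80:sha1-trunc:$sha1" dig.out.sha1.trunc "sha1.*TSIG.*NOERROR"
tsig_fetch "hmac-sha224 (trunc)" "hmac-sha224-112:sha224-trunc:$sha224" dig.out.sha224.trunc "sha224-trunc.*TSIG.*NOERROR"
tsig_fetch "hmac-sha256 (trunc)" "hmac-sha256-128:sha256-trunc:$sha256" dig.out.sha256.trunc "sha256-trunc.*TSIG.*NOERROR"
tsig_fetch "hmac-sha384 (trunc)" "hmac-sha384-192:sha384-trunc:$sha384" dig.out.sha384.trunc "sha384-trunc.*TSIG.*NOERROR"
tsig_fetch "hmac-sha512-256 (trunc)" "hmac-sha512-256:sha512-trunc:$sha512" dig.out.sha512.trunc "sha512-trunc.*TSIG.*NOERROR"

#
#
# Check for bad truncation.
#
# Same truncated MACs, but signed with the untruncated key names; the
# server must refuse a MAC shorter than it expects for that key with
# BADTRUNC rather than accept it.
#
tsig_fetch "hmac-md5-80 (BADTRUNC)" "hmac-md5-80:md5:$md5" dig.out.md5-80 "md5.*TSIG.*BADTRUNC"
tsig_fetch "hmac-sha1-80 (BADTRUNC)" "hmac-sha1-80:sha1:$sha1" dig.out.sha1-80 "sha1.*TSIG.*BADTRUNC"
tsig_fetch "hmac-sha224-112 (BADTRUNC)" "hmac-sha224-112:sha224:$sha224" dig.out.sha224-112 "sha224.*TSIG.*BADTRUNC"
tsig_fetch "hmac-sha256-128 (BADTRUNC)" "hmac-sha256-128:sha256:$sha256" dig.out.sha256-128 "sha256.*TSIG.*BADTRUNC"
tsig_fetch "hmac-sha384-192 (BADTRUNC)" "hmac-sha384-192:sha384:$sha384" dig.out.sha384-192 "sha384.*TSIG.*BADTRUNC"
tsig_fetch "hmac-sha512-256 (BADTRUNC)" "hmac-sha512-256:sha512:$sha512" dig.out.sha512-256 "sha512.*TSIG.*BADTRUNC"

# dig itself must reject an algorithm it does not know; the diagnostic
# goes to stderr, hence 2>&1.
echo_i "attempting fetch with bad tsig algorithm"
ret=0
$DIG $DIGOPTS example.nil. -y "badalgo:invalid:$sha512" @10.53.0.1 soa > dig.out.badalgo 2>&1 || ret=1
grep -i "Couldn't create key invalid: algorithm is unsupported" dig.out.badalgo > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
	echo_i "failed"; status=1
fi

# A response that had to be truncated (TC=1, +ignore stops dig retrying
# over TCP) must still carry both the OPT and the TSIG record.  All four
# checks look at dig.out.large, the output of this query.
echo_i "checking both OPT and TSIG records are returned when TC=1"
ret=0
$DIG -p ${PORT} +ignore +bufsize=512 large.example.nil -y "hmac-sha1:sha1:$sha1" @10.53.0.1 txt > dig.out.large 2>&1 || ret=1
grep "flags:.* tc[ ;]" dig.out.large > /dev/null || ret=1
grep "status: NOERROR" dig.out.large > /dev/null || ret=1
grep "EDNS:" dig.out.large > /dev/null || ret=1
grep -i "sha1.*TSIG.*NOERROR" dig.out.large > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
	echo_i "failed"; status=1
fi

# dnssec-keygen is expected to exit non-zero for an HMAC algorithm
# (hence "&& ret=1") and to say why.
echo_i "check that dnssec-keygen won't generate TSIG keys"
ret=0
$KEYGEN -a hmac-sha256 -b 128 -n host example.net > keygen.out3 2>&1 && ret=1
grep "unknown algorithm" keygen.out3 > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
	echo_i "failed"; status=1
fi

# The canned packet in "badtime" carries a BADTIME error but QR=0; the
# server must treat it as a request and keep serving afterwards.
echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
ret=0
$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1
grep "status: NOERROR" dig.out.verify > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
	echo_i "failed"; status=1
fi

# Decoding the reply needs Net::DNS; skip silently when it is missing.
if "$PERL" -e 'use Net::DNS; use Net::DNS::Packet;' > /dev/null 2>&1
then
	echo_i "check that TSIG in the wrong place returns FORMERR"
	ret=0
	$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t udp -d < badlocation > packet.out || ret=1
	grep "rcode = FORMERR" packet.out > /dev/null || ret=1
	if [ $ret -eq 1 ] ; then
		echo_i "failed"; status=1
	fi
fi

echo_i "check that a malformed truncated response to a TSIG query is handled"
ret=0
$DIG -p $PORT @10.53.0.1 bad-tsig > dig.out.bad-tsig || ret=1
grep "status: SERVFAIL" dig.out.bad-tsig > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
	echo_i "failed"; status=1
fi

echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1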