1#!/bin/sh 2# 3# Copyright (C) 2005-2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC") 4# 5# Permission to use, copy, modify, and/or distribute this software for any 6# purpose with or without fee is hereby granted, provided that the above 7# copyright notice and this permission notice appear in all copies. 8# 9# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 10# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 11# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 12# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 13# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 14# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 15# PERFORMANCE OF THIS SOFTWARE. 16 17# Id: tests.sh,v 1.7 2011/11/06 23:46:40 tbox Exp 18 19SYSTEMTESTTOP=.. 20. $SYSTEMTESTTOP/conf.sh 21 22# 23# Shared secrets. 24# 25md5="97rnFx24Tfna4mHPfgnerA==" 26sha1="FrSt77yPTFx6hTs4i2tKLB9LmE0=" 27sha224="hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==" 28sha256="R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=" 29sha384="OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h" 30sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg==" 31 32status=0 33 34echo "I:fetching using hmac-md5 (old form)" 35ret=0 36$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ 37 -y "md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.old || ret=1 38grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 39if [ $ret -eq 1 ] ; then 40 echo "I: failed"; status=1 41fi 42 43echo "I:fetching using hmac-md5 (new form)" 44ret=0 45$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ 46 -y "hmac-md5:md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.new || ret=1 47grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 48if [ $ret -eq 1 ] ; then 49 echo "I: failed"; status=1 50fi 51 52echo "I:fetching using hmac-sha1" 53ret=0 54$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ 55 -y "hmac-sha1:sha1:$sha1" @10.53.0.1 soa -p 5300 > dig.out.sha1 || ret=1 56grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 > /dev/null || ret=1 57if [ $ret -eq 1 ] ; then 58 echo "I: failed"; status=1 59fi 60 61echo "I:fetching using hmac-sha224" 62ret=0 63$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ 64 -y "hmac-sha224:sha224:$sha224" @10.53.0.1 soa -p 5300 > dig.out.sha224 || ret=1 65grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 > /dev/null || ret=1 66if [ $ret -eq 1 ] ; then 67 echo "I: failed"; status=1 68fi 69 70echo "I:fetching using hmac-sha256" 71ret=0 72$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ 73 -y "hmac-sha256:sha256:$sha256" @10.53.0.1 soa -p 5300 > dig.out.sha256 || ret=1 74grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 > /dev/null || ret=1 75if [ $ret -eq 1 ] ; then 76 echo "I: failed"; status=1 77fi 78 79echo "I:fetching using hmac-sha384" 80ret=0 81$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ 82 -y "hmac-sha384:sha384:$sha384" @10.53.0.1 soa -p 5300 > dig.out.sha384 || ret=1 83grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 > /dev/null || ret=1 84if [ $ret -eq 1 ] ; then 85 echo "I: failed"; status=1 86fi 87 88echo "I:fetching using hmac-sha512" 89ret=0 90$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ 91 -y "hmac-sha512:sha512:$sha512" @10.53.0.1 soa -p 5300 > dig.out.sha512 || ret=1 92grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 > /dev/null || ret=1 93if [ $ret -eq 1 ] ; then 94 echo "I: failed"; status=1 95fi 96 97# 98# 99# Truncated TSIG 100# 101# 102echo "I:fetching using hmac-md5 (trunc)" 103ret=0 104$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ 105 -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.trunc || ret=1 106grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 107if [ $ret -eq 1 ] ; then 108 echo "I: failed"; status=1 109fi 110 111echo "I:fetching using hmac-sha1 (trunc)" 112ret=0 113$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ 114 -y "hmac-sha1-80:sha1-trunc:$sha1" @10.53.0.1 soa -p 5300 > dig.out.sha1.trunc || ret=1 115grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.trunc > /dev/null || ret=1 116if [ $ret -eq 1 ] ; then 117 echo "I: failed"; status=1 118fi 119 120echo "I:fetching using hmac-sha224 (trunc)" 121ret=0 122$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ 123 -y "hmac-sha224-112:sha224-trunc:$sha224" @10.53.0.1 soa -p 5300 > dig.out.sha224.trunc || ret=1 124grep -i "sha224-trunc.*TSIG.*NOERROR" dig.out.sha224.trunc > /dev/null || ret=1 125if [ $ret -eq 1 ] ; then 126 echo "I: failed"; status=1 127fi 128 129echo "I:fetching using hmac-sha256 (trunc)" 130ret=0 131$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ 132 -y "hmac-sha256-128:sha256-trunc:$sha256" @10.53.0.1 soa -p 5300 > dig.out.sha256.trunc || ret=1 133grep -i "sha256-trunc.*TSIG.*NOERROR" dig.out.sha256.trunc > /dev/null || ret=1 134if [ $ret -eq 1 ] ; then 135 echo "I: failed"; status=1 136fi 137 138echo "I:fetching using hmac-sha384 (trunc)" 139ret=0 140$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ 141 -y "hmac-sha384-192:sha384-trunc:$sha384" @10.53.0.1 soa -p 5300 > dig.out.sha384.trunc || ret=1 142grep -i "sha384-trunc.*TSIG.*NOERROR" dig.out.sha384.trunc > /dev/null || ret=1 143if [ $ret -eq 1 ] ; then 144 echo "I: failed"; status=1 145fi 146 147echo "I:fetching using hmac-sha512-256 (trunc)" 148ret=0 149$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ 150 -y "hmac-sha512-256:sha512-trunc:$sha512" @10.53.0.1 soa -p 5300 > dig.out.sha512.trunc || ret=1 151grep -i "sha512-trunc.*TSIG.*NOERROR" dig.out.sha512.trunc > /dev/null || ret=1 152if [ $ret -eq 1 ] ; then 153 echo "I: failed"; status=1 154fi 155 156 157# 158# 159# Check for bad truncation. 160# 161# 162echo "I:fetching using hmac-md5-80 (BADTRUNC)" 163ret=0 164$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ 165 -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5-80 || ret=1 166grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 167if [ $ret -eq 1 ] ; then 168 echo "I: failed"; status=1 169fi 170 171echo "I:fetching using hmac-sha1-80 (BADTRUNC)" 172ret=0 173$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ 174 -y "hmac-sha1-80:sha1:$sha1" @10.53.0.1 soa -p 5300 > dig.out.sha1-80 || ret=1 175grep -i "sha1.*TSIG.*BADTRUNC" dig.out.sha1-80 > /dev/null || ret=1 176if [ $ret -eq 1 ] ; then 177 echo "I: failed"; status=1 178fi 179 180echo "I:fetching using hmac-sha224-112 (BADTRUNC)" 181ret=0 182$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ 183 -y "hmac-sha224-112:sha224:$sha224" @10.53.0.1 soa -p 5300 > dig.out.sha224-112 || ret=1 184grep -i "sha224.*TSIG.*BADTRUNC" dig.out.sha224-112 > /dev/null || ret=1 185if [ $ret -eq 1 ] ; then 186 echo "I: failed"; status=1 187fi 188 189echo "I:fetching using hmac-sha256-128 (BADTRUNC)" 190ret=0 191$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ 192 -y "hmac-sha256-128:sha256:$sha256" @10.53.0.1 soa -p 5300 > dig.out.sha256-128 || ret=1 193grep -i "sha256.*TSIG.*BADTRUNC" dig.out.sha256-128 > /dev/null || ret=1 194if [ $ret -eq 1 ] ; then 195 echo "I: failed"; status=1 196fi 197 198echo "I:fetching using hmac-sha384-192 (BADTRUNC)" 199ret=0 200$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ 201 -y "hmac-sha384-192:sha384:$sha384" @10.53.0.1 soa -p 5300 > dig.out.sha384-192 || ret=1 202grep -i "sha384.*TSIG.*BADTRUNC" dig.out.sha384-192 > /dev/null || ret=1 203if [ $ret -eq 1 ] ; then 204 echo "I: failed"; status=1 205fi 206 207echo "I:fetching using hmac-sha512-256 (BADTRUNC)" 208ret=0 209$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ 210 -y "hmac-sha512-256:sha512:$sha512" @10.53.0.1 soa -p 5300 > dig.out.sha512-256 || ret=1 211grep -i "sha512.*TSIG.*BADTRUNC" dig.out.sha512-256 > /dev/null || ret=1 212if [ $ret -eq 1 ] ; then 213 echo "I: failed"; status=1 214fi 215 216echo "I:attempting fetch with bad tsig algorithm" 217ret=0 218$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\ 219 -y "badalgo:invalid:$sha512" @10.53.0.1 soa -p 5300 > dig.out.badalgo 2>&1 || ret=1 220grep -i "Couldn't create key invalid: algorithm is unsupported" dig.out.badalgo > /dev/null || ret=1 221if [ $ret -eq 1 ] ; then 222 echo "I: failed"; status=1 223fi 224 225echo "I:checking both OPT and TSIG records are returned when TC=1" 226ret=0 227$DIG +ignore +bufsize=512 large.example.nil \ 228 -y "hmac-sha1:sha1:$sha1" @10.53.0.1 txt -p 5300 > dig.out.large 2>&1 || ret=1 229grep "flags:.* tc[ ;]" dig.out.large > /dev/null || ret=1 230grep "status: NOERROR" dig.out.large > /dev/null || ret=1 231grep "EDNS:" dig.out.large > /dev/null || ret=1 232grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 > /dev/null || ret=1 233if [ $ret -eq 1 ] ; then 234 echo "I: failed"; status=1 235fi 236exit $status 237 238 239