diff --git a/bind-9.11-fips-code.patch b/bind-9.11-fips-code.patch new file mode 100644 index 0000000..2dccdea --- /dev/null +++ b/bind-9.11-fips-code.patch @@ -0,0 +1,1516 @@ +From fb8665aebd79ea33cb255f578544e1738f5bbb58 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Thu, 2 Aug 2018 23:34:45 +0200 +Subject: [PATCH 1/2] Squashed commit of the following: +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit b49f70ce0575b6b52a71b90fe0376dbf16f92c6b +Author: Petr Menšík +Date: Mon Jan 22 14:12:37 2018 +0100 + + Update system tests to detect MD5 disabled at runtime + +commit 80ceffee4860c24baf70bc9a8653d92731eda2e4 +Author: Petr Menšík +Date: Thu Aug 2 14:53:54 2018 +0200 + + Avoid warning about undefined parameters + +commit e4ad4363e3d1acaac58456117579f02761f38fdc +Author: Petr Menšík +Date: Wed Jun 20 19:31:19 2018 +0200 + + Fix rndc-confgen default algorithm, report true algorithm in usage. + +commit 7e629a351010cb75e0589ec361f720085675998c +Author: Petr Menšík +Date: Fri Feb 23 21:21:30 2018 +0100 + + Cleanup only if initialization was successful + +commit 2101b948c77cbcbe07eb4a1e60f3e693b2245ec6 +Author: Petr Menšík +Date: Mon Feb 5 12:19:28 2018 +0100 + + Ensure dst backend is initialized first even before hmac algorithms. + +commit 7567c7edde7519115a9ae7e20818c835d3eb1ffe +Author: Petr Menšík +Date: Mon Feb 5 12:17:54 2018 +0100 + + Skip initialization of MD5 based algorithms if not available. + +commit 5782137df6b45a6d900d5a1c250c1257227e917a +Author: Petr Menšík +Date: Mon Feb 5 10:21:27 2018 +0100 + + Change secalgs skipping to be more safe + +commit f2d78729898182d2d19d5064de1bec9b66817159 +Author: Petr Menšík +Date: Wed Jan 31 18:26:11 2018 +0100 + + Skip MD5 algorithm also in case of NULL name + +commit 32a2ad4abc7aaca1c257730319ad3c27405d3407 +Author: Petr Menšík +Date: Wed Jan 31 11:38:12 2018 +0100 + + Make MD5 behave like unknown algorithm in TSIG. + +commit 13cd3f704dce568fdf24a567be5802b58ac6007b +Author: Petr Menšík +Date: Tue Nov 28 20:14:37 2017 +0100 + + Select token with most supported functions, instead of demanding it must support all functions + + Initialize PKCS#11 always until successfully initialized + +commit a71df74abdca4fe63bcdf542b81a109cf1f495b4 +Author: Petr Menšík +Date: Mon Jan 22 16:17:44 2018 +0100 + + Handle MD5 unavailability from DST + +commit dd82cb263efa2753d3ee772972726ea08bcc639b +Author: Petr Menšík +Date: Mon Jan 22 14:11:16 2018 +0100 + + Check runtime flag from library and applications, fail gracefully. + +commit c7b2f87f07ecae75b821a908e29f08a42371e32e +Author: Petr Menšík +Date: Mon Jan 22 08:39:08 2018 +0100 + + Modify libraries to use isc_md5_available() if PK11_MD5_DISABLE is not + defined. + TODO: pk11.c should accept slot without MD5 support. + +commit 0b8e470ec636b9e350b5ec3203eb2b4091415fde +Author: Petr Menšík +Date: Mon Jan 22 07:21:04 2018 +0100 + + Add runtime detection whether MD5 is useable. +--- + bin/confgen/keygen.c | 10 ++++- + bin/confgen/rndc-confgen.c | 36 +++++------------- + bin/dig/dig.c | 7 ++-- + bin/dig/dighost.c | 14 +++++-- + bin/dnssec/dnssec-keygen.c | 14 +++++++ + bin/named/config.c | 25 ++++++++++++- + bin/nsupdate/nsupdate.c | 24 +++++++----- + bin/rndc/rndc.c | 3 +- + bin/tests/optional/hash_test.c | 78 ++++++++++++++++++++------------------- + bin/tests/system/tkey/keycreate.c | 3 ++ + bin/tests/system/tkey/keydelete.c | 18 ++++++--- + lib/bind9/check.c | 10 +++++ + lib/dns/dst_api.c | 23 ++++++++---- + lib/dns/dst_internal.h | 3 +- + lib/dns/dst_parse.c | 18 +++++++-- + lib/dns/hmac_link.c | 20 +++------- + lib/dns/opensslrsa_link.c | 6 +++ + lib/dns/pkcs11rsa_link.c | 33 +++++++++++++++-- + lib/dns/rcode.c | 21 ++++++++++- + lib/dns/tests/rsa_test.c | 29 ++++++++------- + lib/dns/tests/tsig_test.c | 1 + + lib/dns/tkey.c | 9 +++++ + lib/dns/tsec.c | 8 +++- + lib/dns/tsig.c | 17 +++++---- + lib/isc/include/isc/md5.h | 3 ++ + lib/isc/md5.c | 59 +++++++++++++++++++++++++++++ + lib/isc/pk11.c | 58 ++++++++++++++++++++--------- + lib/isc/tests/hash_test.c | 9 +++-- + lib/isccc/cc.c | 42 +++++++++++++-------- + 29 files changed, 424 insertions(+), 177 deletions(-) + +diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c +index 453c641dba..11cc54dd46 100644 +--- a/bin/confgen/keygen.c ++++ b/bin/confgen/keygen.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -73,7 +74,7 @@ alg_fromtext(const char *name) { + p = &name[5]; + + #ifndef PK11_MD5_DISABLE +- if (strcasecmp(p, "md5") == 0) ++ if (strcasecmp(p, "md5") == 0 && isc_md5_available()) + return DST_ALG_HMACMD5; + #endif + if (strcasecmp(p, "sha1") == 0) +@@ -132,6 +133,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, + switch (alg) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_HMACMD5: ++ if (isc_md5_available() == ISC_FALSE) { ++ fatal("unsupported algorithm %d\n", alg); ++ } else if (keysize < 1 || keysize > 512) { ++ fatal("keysize %d out of range (must be 1-512)\n", ++ keysize); ++ } ++ break; + #endif + case DST_ALG_HMACSHA1: + case DST_ALG_HMACSHA224: +diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c +index 2925baf32f..d7d8418073 100644 +--- a/bin/confgen/rndc-confgen.c ++++ b/bin/confgen/rndc-confgen.c +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -62,7 +63,7 @@ const char *progname; + + isc_boolean_t verbose = ISC_FALSE; + +-const char *keyfile, *keydef; ++const char *keyfile, *keydef, *algdef; + + ISC_PLATFORM_NORETURN_PRE static void + usage(int status) ISC_PLATFORM_NORETURN_POST; +@@ -70,13 +71,12 @@ usage(int status) ISC_PLATFORM_NORETURN_POST; + static void + usage(int status) { + +-#ifndef PK11_MD5_DISABLE + fprintf(stderr, "\ + Usage:\n\ + %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \ + [-s addr] [-t chrootdir] [-u user]\n\ + -a: generate just the key clause and write it to keyfile (%s)\n\ +- -A alg: algorithm (default hmac-md5)\n\ ++ -A alg: algorithm (default %s)\n\ + -b bits: from 1 through 512, default 256; total length of the secret\n\ + -c keyfile: specify an alternate key file (requires -a)\n\ + -k keyname: the name as it will be used in named.conf and rndc.conf\n\ +@@ -85,24 +85,7 @@ Usage:\n\ + -s addr: the address to which rndc should connect\n\ + -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\ + -u user: set the keyfile owner to \"user\" (requires -a)\n", +- progname, keydef); +-#else +- fprintf(stderr, "\ +-Usage:\n\ +- %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \ +-[-s addr] [-t chrootdir] [-u user]\n\ +- -a: generate just the key clause and write it to keyfile (%s)\n\ +- -A alg: algorithm (default hmac-sha256)\n\ +- -b bits: from 1 through 512, default 256; total length of the secret\n\ +- -c keyfile: specify an alternate key file (requires -a)\n\ +- -k keyname: the name as it will be used in named.conf and rndc.conf\n\ +- -p port: the port named will listen on and rndc will connect to\n\ +- -r randomfile: source of random data (use \"keyboard\" for key timing)\n\ +- -s addr: the address to which rndc should connect\n\ +- -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\ +- -u user: set the keyfile owner to \"user\" (requires -a)\n", +- progname, keydef); +-#endif ++ progname, keydef, algdef); + + exit (status); + } +@@ -138,13 +121,14 @@ main(int argc, char **argv) { + progname = program; + + keyname = DEFAULT_KEYNAME; +-#ifndef PK11_MD5_DISABLE +- alg = DST_ALG_HMACMD5; +-#else +- alg = DST_ALG_HMACSHA256; +-#endif + serveraddr = DEFAULT_SERVER; + port = DEFAULT_PORT; ++ alg = DST_ALG_HMACSHA256; ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available()) ++ alg = DST_ALG_HMACMD5; ++#endif ++ algdef = alg_totext(alg); + + isc_commandline_errprint = ISC_FALSE; + +diff --git a/bin/dig/dig.c b/bin/dig/dig.c +index d4808ada67..9dff7c8ecd 100644 +--- a/bin/dig/dig.c ++++ b/bin/dig/dig.c +@@ -17,6 +17,7 @@ + #include + + #include ++#include + #include + #include + #include +@@ -1757,10 +1758,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, + ptr = ptr2; + ptr2 = ptr3; + } else { +-#ifndef PK11_MD5_DISABLE +- hmacname = DNS_TSIG_HMACMD5_NAME; +-#else + hmacname = DNS_TSIG_HMACSHA256_NAME; ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available()) ++ hmacname = DNS_TSIG_HMACMD5_NAME; + #endif + digestbits = 0; + } +diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c +index ecefc98453..94c428ed30 100644 +--- a/bin/dig/dighost.c ++++ b/bin/dig/dighost.c +@@ -77,6 +77,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1243,9 +1244,10 @@ parse_hmac(const char *hmac) { + digestbits = 0; + + #ifndef PK11_MD5_DISABLE +- if (strcasecmp(buf, "hmac-md5") == 0) { ++ if (strcasecmp(buf, "hmac-md5") == 0 && isc_md5_available()) { + hmacname = DNS_TSIG_HMACMD5_NAME; +- } else if (strncasecmp(buf, "hmac-md5-", 9) == 0) { ++ } else if (strncasecmp(buf, "hmac-md5-", 9) == 0 && ++ isc_md5_available()) { + hmacname = DNS_TSIG_HMACMD5_NAME; + digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128); + } else +@@ -1365,7 +1367,13 @@ setup_file_key(void) { + switch (dst_key_alg(dstkey)) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_HMACMD5: +- hmacname = DNS_TSIG_HMACMD5_NAME; ++ if (isc_md5_available()) { ++ hmacname = DNS_TSIG_HMACMD5_NAME; ++ } else { ++ printf(";; Couldn't create key %s: bad algorithm\n", ++ keynametext); ++ goto failure; ++ } + break; + #endif + case DST_ALG_HMACSHA1: +diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c +index 6fc3ab0979..fc04356ed4 100644 +--- a/bin/dnssec/dnssec-keygen.c ++++ b/bin/dnssec/dnssec-keygen.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -560,6 +561,19 @@ main(int argc, char **argv) { + "\"-a RSAMD5\"\n"); + INSIST(freeit == NULL); + return (1); ++ } else if (strcasecmp(algname, "HMAC-MD5") == 0) { ++ if (isc_md5_available()) { ++ alg = DST_ALG_HMACMD5; ++ } else { ++ fprintf(stderr, ++ "The use of HMAC-MD5 was disabled\n"); ++ return (1); ++ } ++ } else if (strcasecmp(algname, "RSAMD5") == 0 && ++ isc_md5_available() == ISC_FALSE) { ++ fprintf(stderr, "The use of RSAMD5 was disabled\n"); ++ INSIST(freeit == NULL); ++ return (1); + } else if (strcasecmp(algname, "HMAC-MD5") == 0) { + alg = DST_ALG_HMACMD5; + #else +diff --git a/bin/named/config.c b/bin/named/config.c +index 54bc37fff7..c50f759ddd 100644 +--- a/bin/named/config.c ++++ b/bin/named/config.c +@@ -17,6 +17,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -966,6 +967,21 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name, + return (ns_config_getkeyalgorithm2(str, name, NULL, digestbits)); + } + ++static inline int ++algorithms_start() { ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available() == ISC_FALSE) { ++ int i = 0; ++ while (algorithms[i].str != NULL && ++ algorithms[i].hmac == hmacmd5) { ++ i++; ++ } ++ return i; ++ } ++#endif ++ return 0; ++} ++ + isc_result_t + ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, + unsigned int *typep, isc_uint16_t *digestbits) +@@ -975,7 +991,7 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, + isc_uint16_t bits; + isc_result_t result; + +- for (i = 0; algorithms[i].str != NULL; i++) { ++ for (i = algorithms_start(); algorithms[i].str != NULL; i++) { + len = strlen(algorithms[i].str); + if (strncasecmp(algorithms[i].str, str, len) == 0 && + (str[len] == '\0' || +@@ -998,7 +1014,12 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, + if (name != NULL) { + switch (algorithms[i].hmac) { + #ifndef PK11_MD5_DISABLE +- case hmacmd5: *name = dns_tsig_hmacmd5_name; break; ++ case hmacmd5: ++ if (isc_md5_available()) { ++ *name = dns_tsig_hmacmd5_name; break; ++ } else { ++ return (ISC_R_NOTFOUND); ++ } + #endif + case hmacsha1: *name = dns_tsig_hmacsha1_name; break; + case hmacsha224: *name = dns_tsig_hmacsha224_name; break; +diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c +index 6967b49754..bb5d50038f 100644 +--- a/bin/nsupdate/nsupdate.c ++++ b/bin/nsupdate/nsupdate.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -474,9 +475,10 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len, + strlcpy(buf, hmacstr, ISC_MIN(len + 1, sizeof(buf))); + + #ifndef PK11_MD5_DISABLE +- if (strcasecmp(buf, "hmac-md5") == 0) { ++ if (strcasecmp(buf, "hmac-md5") == 0 && isc_md5_available()) { + *hmac = DNS_TSIG_HMACMD5_NAME; +- } else if (strncasecmp(buf, "hmac-md5-", 9) == 0) { ++ } else if (strncasecmp(buf, "hmac-md5-", 9) == 0 && ++ isc_md5_available()) { + *hmac = DNS_TSIG_HMACMD5_NAME; + result = isc_parse_uint16(&digestbits, &buf[9], 10); + if (result != ISC_R_SUCCESS || digestbits > 128) { +@@ -589,10 +591,10 @@ setup_keystr(void) { + exit(1); + } + } else { +-#ifndef PK11_MD5_DISABLE +- hmacname = DNS_TSIG_HMACMD5_NAME; +-#else + hmacname = DNS_TSIG_HMACSHA256_NAME; ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available()) ++ hmacname = DNS_TSIG_HMACMD5_NAME; + #endif + name = keystr; + n = s; +@@ -729,7 +731,8 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) { + switch (dst_key_alg(dstkey)) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_HMACMD5: +- hmacname = DNS_TSIG_HMACMD5_NAME; ++ if (isc_md5_available()) ++ hmacname = DNS_TSIG_HMACMD5_NAME; + break; + #endif + case DST_ALG_HMACSHA1: +@@ -1604,12 +1607,13 @@ evaluate_key(char *cmdline) { + return (STATUS_SYNTAX); + } + namestr = n + 1; +- } else +-#ifndef PK11_MD5_DISABLE +- hmacname = DNS_TSIG_HMACMD5_NAME; +-#else ++ } else { + hmacname = DNS_TSIG_HMACSHA256_NAME; ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available()) ++ hmacname = DNS_TSIG_HMACMD5_NAME; + #endif ++ } + + isc_buffer_init(&b, namestr, strlen(namestr)); + isc_buffer_add(&b, strlen(namestr)); +diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c +index 5c29caf86b..617b06b4a1 100644 +--- a/bin/rndc/rndc.c ++++ b/bin/rndc/rndc.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -634,7 +635,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname, + algorithmstr = cfg_obj_asstring(algorithmobj); + + #ifndef PK11_MD5_DISABLE +- if (strcasecmp(algorithmstr, "hmac-md5") == 0) ++ if (strcasecmp(algorithmstr, "hmac-md5") == 0 && isc_md5_available()) + algorithm = ISCCC_ALG_HMACMD5; + else + #endif +diff --git a/bin/tests/optional/hash_test.c b/bin/tests/optional/hash_test.c +index bf2891ad4c..b5f0a1c5f5 100644 +--- a/bin/tests/optional/hash_test.c ++++ b/bin/tests/optional/hash_test.c +@@ -90,43 +90,47 @@ main(int argc, char **argv) { + print_digest(s, "sha224", digest, ISC_SHA224_DIGESTLENGTH/4); + + #ifndef PK11_MD5_DISABLE +- s = "abc"; +- isc_md5_init(&md5); +- memmove(buffer, s, strlen(s)); +- isc_md5_update(&md5, buffer, strlen(s)); +- isc_md5_final(&md5, digest); +- print_digest(s, "md5", digest, 4); +- +- /* +- * The 3 HMAC-MD5 examples from RFC2104 +- */ +- s = "Hi There"; +- memset(key, 0x0b, 16); +- isc_hmacmd5_init(&hmacmd5, key, 16); +- memmove(buffer, s, strlen(s)); +- isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); +- isc_hmacmd5_sign(&hmacmd5, digest); +- print_digest(s, "hmacmd5", digest, 4); +- +- s = "what do ya want for nothing?"; +- strlcpy((char *)key, "Jefe", sizeof(key)); +- isc_hmacmd5_init(&hmacmd5, key, 4); +- memmove(buffer, s, strlen(s)); +- isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); +- isc_hmacmd5_sign(&hmacmd5, digest); +- print_digest(s, "hmacmd5", digest, 4); +- +- s = "\335\335\335\335\335\335\335\335\335\335" +- "\335\335\335\335\335\335\335\335\335\335" +- "\335\335\335\335\335\335\335\335\335\335" +- "\335\335\335\335\335\335\335\335\335\335" +- "\335\335\335\335\335\335\335\335\335\335"; +- memset(key, 0xaa, 16); +- isc_hmacmd5_init(&hmacmd5, key, 16); +- memmove(buffer, s, strlen(s)); +- isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); +- isc_hmacmd5_sign(&hmacmd5, digest); +- print_digest(s, "hmacmd5", digest, 4); ++ if (isc_md5_available()) { ++ s = "abc"; ++ isc_md5_init(&md5); ++ memmove(buffer, s, strlen(s)); ++ isc_md5_update(&md5, buffer, strlen(s)); ++ isc_md5_final(&md5, digest); ++ print_digest(s, "md5", digest, 4); ++ ++ /* ++ * The 3 HMAC-MD5 examples from RFC2104 ++ */ ++ s = "Hi There"; ++ memset(key, 0x0b, 16); ++ isc_hmacmd5_init(&hmacmd5, key, 16); ++ memmove(buffer, s, strlen(s)); ++ isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); ++ isc_hmacmd5_sign(&hmacmd5, digest); ++ print_digest(s, "hmacmd5", digest, 4); ++ ++ s = "what do ya want for nothing?"; ++ strlcpy((char *)key, "Jefe", sizeof(key)); ++ isc_hmacmd5_init(&hmacmd5, key, 4); ++ memmove(buffer, s, strlen(s)); ++ isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); ++ isc_hmacmd5_sign(&hmacmd5, digest); ++ print_digest(s, "hmacmd5", digest, 4); ++ ++ s = "\335\335\335\335\335\335\335\335\335\335" ++ "\335\335\335\335\335\335\335\335\335\335" ++ "\335\335\335\335\335\335\335\335\335\335" ++ "\335\335\335\335\335\335\335\335\335\335" ++ "\335\335\335\335\335\335\335\335\335\335"; ++ memset(key, 0xaa, 16); ++ isc_hmacmd5_init(&hmacmd5, key, 16); ++ memmove(buffer, s, strlen(s)); ++ isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); ++ isc_hmacmd5_sign(&hmacmd5, digest); ++ print_digest(s, "hmacmd5", digest, 4); ++ } else { ++ fprintf(stderr, "Skipping disabled MD5 algorithm\n"); ++ } + #endif + + /* +diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c +index 2a0ee94888..489f4390dc 100644 +--- a/bin/tests/system/tkey/keycreate.c ++++ b/bin/tests/system/tkey/keycreate.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -142,6 +143,8 @@ sendquery(isc_task_t *task, isc_event_t *event) { + static char keystr[] = "0123456789ab"; + + isc_event_free(&event); ++ if (isc_md5_available() == ISC_FALSE) ++ CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED); + + result = ISC_R_FAILURE; + if (inet_pton(AF_INET, "10.53.0.1", &inaddr) != 1) +diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c +index 7057c318e4..36ee6c7d21 100644 +--- a/bin/tests/system/tkey/keydelete.c ++++ b/bin/tests/system/tkey/keydelete.c +@@ -225,12 +225,18 @@ main(int argc, char **argv) { + result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey); + CHECK("dst_key_fromnamedfile", result); + #ifndef PK11_MD5_DISABLE +- result = dns_tsigkey_createfromkey(dst_key_name(dstkey), +- DNS_TSIG_HMACMD5_NAME, +- dstkey, ISC_TRUE, NULL, 0, 0, +- mctx, ring, &tsigkey); +- dst_key_free(&dstkey); +- CHECK("dns_tsigkey_createfromkey", result); ++ if (isc_md5_available()) { ++ result = dns_tsigkey_createfromkey(dst_key_name(dstkey), ++ DNS_TSIG_HMACMD5_NAME, ++ dstkey, ISC_TRUE, ++ NULL, 0, 0, ++ mctx, ring, &tsigkey); ++ dst_key_free(&dstkey); ++ CHECK("dns_tsigkey_createfromkey", result); ++ } else { ++ dst_key_free(&dstkey); ++ CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED); ++ } + #else + dst_key_free(&dstkey); + CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED); +diff --git a/lib/bind9/check.c b/lib/bind9/check.c +index 3da83a7ae2..1a3d534799 100644 +--- a/lib/bind9/check.c ++++ b/lib/bind9/check.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -2572,6 +2573,15 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) { + } + + algorithm = cfg_obj_asstring(algobj); ++#ifndef PK11_MD5_DISABLE ++ /* Skip hmac-md5* algorithms */ ++ if (isc_md5_available() == ISC_FALSE && ++ strncasecmp(algorithm, "hmac-md5", 8) == 0) { ++ cfg_obj_log(algobj, logctx, ISC_LOG_ERROR, ++ "disabled algorithm '%s'", algorithm); ++ return (ISC_R_DISABLED); ++ } ++#endif + for (i = 0; algorithms[i].name != NULL; i++) { + len = strlen(algorithms[i].name); + if (strncasecmp(algorithms[i].name, algorithm, len) == 0 && +diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c +index 4f3d6ac55c..dbece0ac56 100644 +--- a/lib/dns/dst_api.c ++++ b/lib/dns/dst_api.c +@@ -190,6 +190,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, + dst_result_register(); + + memset(dst_t_func, 0, sizeof(dst_t_func)); ++ ++#ifdef OPENSSL ++ RETERR(dst__openssl_init(engine)); ++#elif PKCS11CRYPTO ++ RETERR(dst__pkcs11_init(mctx, engine)); ++#endif + #ifndef PK11_MD5_DISABLE + RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5])); + #endif +@@ -199,7 +205,6 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, + RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384])); + RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512])); + #ifdef OPENSSL +- RETERR(dst__openssl_init(engine)); + #ifndef PK11_MD5_DISABLE + RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5], + DST_ALG_RSAMD5)); +@@ -233,14 +238,18 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, + RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448])); + #endif + #elif PKCS11CRYPTO +- RETERR(dst__pkcs11_init(mctx, engine)); + #ifndef PK11_MD5_DISABLE +- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5])); ++ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5], ++ DST_ALG_RSAMD5)); + #endif +- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1])); +- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1])); +- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256])); +- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512])); ++ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1], ++ DST_ALG_RSASHA1)); ++ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1], ++ DST_ALG_NSEC3RSASHA1)); ++ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256], ++ DST_ALG_RSASHA256)); ++ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512], ++ DST_ALG_RSASHA512)); + #ifndef PK11_DSA_DISABLE + RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA])); + RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA])); +diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h +index 640519a5ba..deb7ed4e13 100644 +--- a/lib/dns/dst_internal.h ++++ b/lib/dns/dst_internal.h +@@ -245,7 +245,8 @@ isc_result_t dst__hmacsha384_init(struct dst_func **funcp); + isc_result_t dst__hmacsha512_init(struct dst_func **funcp); + isc_result_t dst__opensslrsa_init(struct dst_func **funcp, + unsigned char algorithm); +-isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp); ++isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp, ++ unsigned char algorithm); + #ifndef PK11_DSA_DISABLE + isc_result_t dst__openssldsa_init(struct dst_func **funcp); + isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp); +diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c +index b0e5c895c6..03f2b8ace8 100644 +--- a/lib/dns/dst_parse.c ++++ b/lib/dns/dst_parse.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -393,6 +394,10 @@ check_data(const dst_private_t *priv, const unsigned int alg, + switch (alg) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_RSAMD5: ++ if (isc_md5_available()) ++ return (check_rsa(priv, external)); ++ else ++ return (DST_R_UNSUPPORTEDALG); + #endif + case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: +@@ -418,7 +423,10 @@ check_data(const dst_private_t *priv, const unsigned int alg, + return (check_eddsa(priv, external)); + #ifndef PK11_MD5_DISABLE + case DST_ALG_HMACMD5: +- return (check_hmac_md5(priv, old)); ++ if (isc_md5_available()) ++ return (check_hmac_md5(priv, old)); ++ else ++ return (DST_R_UNSUPPORTEDALG); + #endif + case DST_ALG_HMACSHA1: + return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg)); +@@ -637,11 +645,13 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex, + } + + #ifdef PK11_MD5_DISABLE +- check = check_data(priv, alg == DST_ALG_RSA ? DST_ALG_RSASHA1 : alg, +- ISC_TRUE, external); ++ if (alg == DST_ALG_RSA) ++ alg = DST_ALG_RSASHA1; + #else +- check = check_data(priv, alg, ISC_TRUE, external); ++ if (isc_md5_available() == ISC_FALSE && alg == DST_ALG_RSA) ++ alg = DST_ALG_RSASHA1; + #endif ++ check = check_data(priv, alg, ISC_TRUE, external); + if (check < 0) { + ret = DST_R_INVALIDPRIVATEKEY; + goto fail; +diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c +index 59aa4705e5..21bfa44450 100644 +--- a/lib/dns/hmac_link.c ++++ b/lib/dns/hmac_link.c +@@ -338,25 +338,17 @@ static dst_func_t hmacmd5_functions = { + + isc_result_t + dst__hmacmd5_init(dst_func_t **funcp) { +-#ifdef HAVE_FIPS_MODE + /* +- * Problems from OpenSSL are likely from FIPS mode ++ * Prevent use of incorrect crypto + */ +- int fips_mode = FIPS_mode(); +- +- if (fips_mode != 0) { +- UNEXPECTED_ERROR(__FILE__, __LINE__, +- "FIPS mode is %d: MD5 is only supported " +- "if the value is 0.\n" +- "Please disable either FIPS mode or MD5.", +- fips_mode); ++ ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available() == ISC_FALSE) { ++ /* Intentionally skip initialization */ ++ return (ISC_R_SUCCESS); + } + #endif + +- /* +- * Prevent use of incorrect crypto +- */ +- + RUNTIME_CHECK(isc_md5_check(ISC_FALSE)); + RUNTIME_CHECK(isc_hmacmd5_check(0)); + +diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c +index f4847bbe74..126cebca19 100644 +--- a/lib/dns/opensslrsa_link.c ++++ b/lib/dns/opensslrsa_link.c +@@ -1801,6 +1801,12 @@ dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) { + + if (*funcp == NULL) { + switch (algorithm) { ++#ifndef PK11_MD5_DISABLE ++ case DST_ALG_RSAMD5: ++ if (isc_md5_available()) ++ *funcp = &opensslrsa_functions; ++ break; ++#endif + case DST_ALG_RSASHA256: + #if defined(HAVE_EVP_SHA256) || !USE_EVP + *funcp = &opensslrsa_functions; +diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c +index 56955203e9..af6008d4dd 100644 +--- a/lib/dns/pkcs11rsa_link.c ++++ b/lib/dns/pkcs11rsa_link.c +@@ -94,10 +94,15 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { + #endif + + /* +- * Reject incorrect RSA key lengths. ++ * Reject incorrect RSA key lengths or disabled algorithms. + */ + switch (dctx->key->key_alg) { + case DST_ALG_RSAMD5: ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available() == ISC_FALSE) ++ return (ISC_R_FAILURE); ++#endif ++ /* FALLTHROUGH */ + case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: + /* From RFC 3110 */ +@@ -634,6 +639,9 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) { + switch (key->key_alg) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_RSAMD5: ++ if (isc_md5_available() == ISC_FALSE) ++ return (ISC_R_FAILURE); ++ + mech.mechanism = CKM_MD5; + break; + #endif +@@ -790,6 +798,9 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { + switch (key->key_alg) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_RSAMD5: ++ if (isc_md5_available() == ISC_FALSE) ++ return (ISC_R_FAILURE); ++ + der = md5_der; + derlen = sizeof(md5_der); + hashlen = ISC_MD5_DIGESTLENGTH; +@@ -1014,6 +1025,9 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + switch (key->key_alg) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_RSAMD5: ++ if (isc_md5_available() == ISC_FALSE) ++ return (ISC_R_FAILURE); ++ + der = md5_der; + derlen = sizeof(md5_der); + hashlen = ISC_MD5_DIGESTLENGTH; +@@ -2217,11 +2231,22 @@ static dst_func_t pkcs11rsa_functions = { + }; + + isc_result_t +-dst__pkcs11rsa_init(dst_func_t **funcp) { ++dst__pkcs11rsa_init(dst_func_t **funcp, unsigned char algorithm) { + REQUIRE(funcp != NULL); + +- if (*funcp == NULL) +- *funcp = &pkcs11rsa_functions; ++ if (*funcp == NULL) { ++ switch (algorithm) { ++#ifndef PK11_MD5_DISABLE ++ case DST_ALG_RSAMD5: ++ if (isc_md5_available()) ++ *funcp = &pkcs11rsa_functions; ++ break; ++#endif ++ default: ++ *funcp = &pkcs11rsa_functions; ++ break; ++ } ++ } + return (ISC_R_SUCCESS); + } + +diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c +index 937d8fc1ec..d1fa8d5870 100644 +--- a/lib/dns/rcode.c ++++ b/lib/dns/rcode.c +@@ -14,6 +14,7 @@ + #include + + #include ++#include + #include + #include + #include +@@ -347,17 +348,33 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) { + return (dns_mnemonic_totext(cert, target, certs)); + } + ++static inline struct tbl * ++secalgs_tbl_start() { ++ struct tbl *algs = secalgs; ++ ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available() == ISC_FALSE) { ++ while (algs->name != NULL && ++ algs->value == DNS_KEYALG_RSAMD5) ++ ++algs; ++ } ++#endif ++ return algs; ++} ++ + isc_result_t + dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) { + unsigned int value; +- RETERR(dns_mnemonic_fromtext(&value, source, secalgs, 0xff)); ++ ++ RETERR(dns_mnemonic_fromtext(&value, source, ++ secalgs_tbl_start(), 0xff)); + *secalgp = value; + return (ISC_R_SUCCESS); + } + + isc_result_t + dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) { +- return (dns_mnemonic_totext(secalg, target, secalgs)); ++ return (dns_mnemonic_totext(secalg, target, secalgs_tbl_start())); + } + + void +diff --git a/lib/dns/tests/rsa_test.c b/lib/dns/tests/rsa_test.c +index 224cf5b475..44040dd8b7 100644 +--- a/lib/dns/tests/rsa_test.c ++++ b/lib/dns/tests/rsa_test.c +@@ -19,6 +19,7 @@ + #include + #include + ++#include + #include + #include + +@@ -225,23 +226,25 @@ ATF_TC_BODY(isc_rsa_verify, tc) { + /* RSAMD5 */ + + #ifndef PK11_MD5_DISABLE +- key->key_alg = DST_ALG_RSAMD5; ++ if (isc_md5_available()) { ++ key->key_alg = DST_ALG_RSAMD5; + +- ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC, +- ISC_FALSE, &ctx); +- ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); ++ ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC, ++ ISC_FALSE, &ctx); ++ ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); + +- r.base = d; +- r.length = 10; +- ret = dst_context_adddata(ctx, &r); +- ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); ++ r.base = d; ++ r.length = 10; ++ ret = dst_context_adddata(ctx, &r); ++ ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); + +- r.base = sigmd5; +- r.length = 256; +- ret = dst_context_verify(ctx, &r); +- ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); ++ r.base = sigmd5; ++ r.length = 256; ++ ret = dst_context_verify(ctx, &r); ++ ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); + +- dst_context_destroy(&ctx); ++ dst_context_destroy(&ctx); ++ } + #endif + + /* RSASHA256 */ +diff --git a/lib/dns/tests/tsig_test.c b/lib/dns/tests/tsig_test.c +index ee025c2387..c403d9954d 100644 +--- a/lib/dns/tests/tsig_test.c ++++ b/lib/dns/tests/tsig_test.c +@@ -14,6 +14,7 @@ + #include + #include + ++#include + #include + #include + +diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c +index d9f68e50b1..a8edde47b5 100644 +--- a/lib/dns/tkey.c ++++ b/lib/dns/tkey.c +@@ -242,6 +242,9 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness, + unsigned char digests[32]; + unsigned int i; + ++ if (isc_md5_available() == ISC_FALSE) ++ return (ISC_R_NOTIMPLEMENTED); ++ + isc_buffer_usedregion(shared, &r); + + /* +@@ -318,6 +321,12 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, + } + + #ifndef PK11_MD5_DISABLE ++ if (isc_md5_available() == ISC_FALSE) { ++ tkey_log("process_dhtkey: MD5 was disabled"); ++ tkeyout->error = dns_tsigerror_badalg; ++ return (ISC_R_SUCCESS); ++ } ++ + if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) { + tkey_log("process_dhtkey: algorithms other than " + "hmac-md5 are not supported"); +diff --git a/lib/dns/tsec.c b/lib/dns/tsec.c +index a367291f23..37baad7437 100644 +--- a/lib/dns/tsec.c ++++ b/lib/dns/tsec.c +@@ -11,6 +11,7 @@ + + #include + ++#include + #include + #include + +@@ -63,7 +64,12 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key, + switch (dst_key_alg(key)) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_HMACMD5: +- algname = dns_tsig_hmacmd5_name; ++ if (isc_md5_available()) { ++ algname = dns_tsig_hmacmd5_name; ++ } else { ++ isc_mem_put(mctx, tsec, sizeof(*tsec)); ++ return (DNS_R_BADALG); ++ } + break; + #endif + case DST_ALG_HMACSHA1: +diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c +index bdcc581bc3..70805bb709 100644 +--- a/lib/dns/tsig.c ++++ b/lib/dns/tsig.c +@@ -270,7 +270,8 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm, + (void)dns_name_downcase(&tkey->name, &tkey->name, NULL); + + #ifndef PK11_MD5_DISABLE +- if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) { ++ if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME) && ++ isc_md5_available()) { + tkey->algorithm = DNS_TSIG_HMACMD5_NAME; + if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACMD5) { + ret = DNS_R_BADALG; +@@ -496,7 +497,8 @@ destroyring(dns_tsig_keyring_t *ring) { + static unsigned int + dst_alg_fromname(dns_name_t *algorithm) { + #ifndef PK11_MD5_DISABLE +- if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) { ++ if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME) && ++ isc_md5_available()) { + return (DST_ALG_HMACMD5); + } else + #endif +@@ -680,7 +682,8 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm, + REQUIRE(secret != NULL); + + #ifndef PK11_MD5_DISABLE +- if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) { ++ if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME) && ++ isc_md5_available()) { + if (secret != NULL) { + isc_buffer_t b; + +@@ -1280,7 +1283,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, + return (ret); + if ( + #ifndef PK11_MD5_DISABLE +- alg == DST_ALG_HMACMD5 || ++ (alg == DST_ALG_HMACMD5 && isc_md5_available()) || + #endif + alg == DST_ALG_HMACSHA1 || + alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || +@@ -1449,7 +1452,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, + + if ( + #ifndef PK11_MD5_DISABLE +- alg == DST_ALG_HMACMD5 || ++ (alg == DST_ALG_HMACMD5 && isc_md5_available()) || + #endif + alg == DST_ALG_HMACSHA1 || + alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || +@@ -1590,7 +1593,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { + goto cleanup_querystruct; + if ( + #ifndef PK11_MD5_DISABLE +- alg == DST_ALG_HMACMD5 || ++ (alg == DST_ALG_HMACMD5 && isc_md5_available()) || + #endif + alg == DST_ALG_HMACSHA1 || + alg == DST_ALG_HMACSHA224 || +@@ -1769,7 +1772,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { + goto cleanup_context; + if ( + #ifndef PK11_MD5_DISABLE +- alg == DST_ALG_HMACMD5 || ++ (alg == DST_ALG_HMACMD5 && isc_md5_available()) || + #endif + alg == DST_ALG_HMACSHA1 || + alg == DST_ALG_HMACSHA224 || +diff --git a/lib/isc/include/isc/md5.h b/lib/isc/include/isc/md5.h +index e5f46dd9c7..9d11f9f8b6 100644 +--- a/lib/isc/include/isc/md5.h ++++ b/lib/isc/include/isc/md5.h +@@ -89,6 +89,9 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest); + isc_boolean_t + isc_md5_check(isc_boolean_t testing); + ++isc_boolean_t ++isc_md5_available(void); ++ + ISC_LANG_ENDDECLS + + #endif /* !PK11_MD5_DISABLE */ +diff --git a/lib/isc/md5.c b/lib/isc/md5.c +index 740d863b1b..aefd16478f 100644 +--- a/lib/isc/md5.c ++++ b/lib/isc/md5.c +@@ -35,6 +35,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -53,6 +54,9 @@ + #define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr) + #endif + ++static isc_once_t available_once = ISC_ONCE_INIT; ++static isc_boolean_t available = ISC_FALSE; ++ + void + isc_md5_init(isc_md5_t *ctx) { + ctx->ctx = EVP_MD_CTX_new(); +@@ -84,8 +88,33 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { + ctx->ctx = NULL; + } + ++static void ++do_detect_available() { ++ isc_md5_t local; ++ isc_md5_t *ctx = &local; ++ unsigned char digest[ISC_MD5_DIGESTLENGTH]; ++ ++ ctx->ctx = EVP_MD_CTX_new(); ++ RUNTIME_CHECK(ctx->ctx != NULL); ++ available = ISC_TF(EVP_DigestInit(ctx->ctx, EVP_md5()) == 1); ++ if (available) ++ (void)EVP_DigestFinal(ctx->ctx, digest, NULL); ++ EVP_MD_CTX_free(ctx->ctx); ++ ctx->ctx = NULL; ++} ++ ++isc_boolean_t ++isc_md5_available() { ++ RUNTIME_CHECK(isc_once_do(&available_once, do_detect_available) ++ == ISC_R_SUCCESS); ++ return available; ++} ++ + #elif PKCS11CRYPTO + ++static isc_once_t available_once = ISC_ONCE_INIT; ++static isc_boolean_t available = ISC_FALSE; ++ + void + isc_md5_init(isc_md5_t *ctx) { + CK_RV rv; +@@ -128,6 +157,31 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { + pk11_return_session(ctx); + } + ++static void ++do_detect_available() { ++ isc_md5_t local; ++ isc_md5_t *ctx = &local; ++ CK_RV rv; ++ CK_MECHANISM mech = { CKM_MD5, NULL, 0 }; ++ ++ if (pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, ++ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS) ++ { ++ rv = pkcs_C_DigestInit(ctx->session, &mech); ++ isc_md5_invalidate(ctx); ++ available = (ISC_TF(rv == CKR_OK)); ++ } else { ++ available = ISC_FALSE; ++ } ++} ++ ++isc_boolean_t ++isc_md5_available() { ++ RUNTIME_CHECK(isc_once_do(&available_once, do_detect_available) ++ == ISC_R_SUCCESS); ++ return available; ++} ++ + #else + + static void +@@ -337,6 +391,11 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { + memmove(digest, ctx->buf, 16); + isc_safe_memwipe(ctx, sizeof(*ctx)); /* In case it's sensitive */ + } ++ ++isc_boolean_t ++isc_md5_available() { ++ return ISC_TRUE; ++} + #endif + + /* +diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c +index fc75a46154..48e1031974 100644 +--- a/lib/isc/pk11.c ++++ b/lib/isc/pk11.c +@@ -191,13 +191,12 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) { + LOCK(&alloclock); + if ((mctx != NULL) && (pk11_mctx == NULL) && (allocsize == 0)) + isc_mem_attach(mctx, &pk11_mctx); ++ UNLOCK(&alloclock); ++ ++ LOCK(&sessionlock); + if (initialized) { +- UNLOCK(&alloclock); +- return (ISC_R_SUCCESS); +- } else { +- LOCK(&sessionlock); +- initialized = ISC_TRUE; +- UNLOCK(&alloclock); ++ result = ISC_R_SUCCESS; ++ goto unlock; + } + + ISC_LIST_INIT(tokens); +@@ -237,6 +236,7 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) { + } + #endif + #endif /* PKCS11CRYPTO */ ++ initialized = ISC_TRUE; + result = ISC_R_SUCCESS; + unlock: + UNLOCK(&sessionlock); +@@ -273,9 +273,14 @@ pk11_finalize(void) { + pk11_mem_put(token, sizeof(*token)); + token = next; + } ++ LOCK(&alloclock); + if (pk11_mctx != NULL) + isc_mem_detach(&pk11_mctx); ++ UNLOCK(&alloclock); ++ ++ LOCK(&sessionlock); + initialized = ISC_FALSE; ++ UNLOCK(&sessionlock); + return (ret); + } + +@@ -589,6 +594,8 @@ scan_slots(void) { + pk11_token_t *token; + unsigned int i; + isc_boolean_t bad; ++ unsigned int best_rsa_algorithms = 0; ++ unsigned int best_digest_algorithms = 0; + + slotCount = 0; + PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, NULL_PTR, &slotCount)); +@@ -601,6 +608,8 @@ scan_slots(void) { + PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, slotList, &slotCount)); + + for (i = 0; i < slotCount; i++) { ++ unsigned int rsa_algorithms = 0; ++ unsigned int digest_algorithms = 0; + slot = slotList[i]; + PK11_TRACE2("slot#%u=0x%lx\n", i, slot); + +@@ -640,11 +649,12 @@ scan_slots(void) { + if ((rv != CKR_OK) || + ((mechInfo.flags & CKF_SIGN) == 0) || + ((mechInfo.flags & CKF_VERIFY) == 0)) { +-#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE) +- bad = ISC_TRUE; +-#endif + PK11_TRACEM(CKM_MD5_RSA_PKCS); + } ++#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE) ++ else ++ ++rsa_algorithms; ++#endif + rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS, + &mechInfo); + if ((rv != CKR_OK) || +@@ -687,8 +697,14 @@ scan_slots(void) { + if (bad) + goto try_dsa; + token->operations |= 1 << OP_RSA; +- if (best_rsa_token == NULL) ++ if (best_rsa_token == NULL) { ++ best_rsa_token = token; ++ best_rsa_algorithms = rsa_algorithms; ++ } else if (rsa_algorithms > best_rsa_algorithms) { ++ pk11_mem_put(best_rsa_token, sizeof(*best_rsa_token)); + best_rsa_token = token; ++ best_rsa_algorithms = rsa_algorithms; ++ } + + try_dsa: + bad = ISC_FALSE; +@@ -756,11 +772,12 @@ scan_slots(void) { + bad = ISC_FALSE; + rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5, &mechInfo); + if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { +-#ifndef PK11_MD5_DISABLE +- bad = ISC_TRUE; +-#endif + PK11_TRACEM(CKM_MD5); + } ++#ifndef PK11_MD5_DISABLE ++ else ++ ++digest_algorithms; ++#endif + rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1, &mechInfo); + if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { + bad = ISC_TRUE; +@@ -788,11 +805,12 @@ scan_slots(void) { + } + rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_HMAC, &mechInfo); + if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { +-#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE) +- bad = ISC_TRUE; +-#endif + PK11_TRACEM(CKM_MD5_HMAC); + } ++#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE) ++ else ++ ++digest_algorithms; ++#endif + rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1_HMAC, &mechInfo); + if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { + #ifndef PK11_SHA_1_HMAC_REPLACE +@@ -830,8 +848,14 @@ scan_slots(void) { + } + if (!bad) { + token->operations |= 1 << OP_DIGEST; +- if (digest_token == NULL) ++ if (digest_token == NULL) { ++ digest_token = token; ++ best_digest_algorithms = digest_algorithms; ++ } else if (digest_algorithms > best_digest_algorithms) { ++ pk11_mem_put(digest_token, sizeof(*digest_token)); + digest_token = token; ++ best_digest_algorithms = digest_algorithms; ++ } + } + + /* ECDSA requires digest */ +diff --git a/lib/isc/tests/hash_test.c b/lib/isc/tests/hash_test.c +index 18759903be..6bc45b1ad3 100644 +--- a/lib/isc/tests/hash_test.c ++++ b/lib/isc/tests/hash_test.c +@@ -2008,7 +2008,8 @@ ATF_TP_ADD_TCS(tp) { + * various cryptographic hashes. + */ + #ifndef PK11_MD5_DISABLE +- ATF_TP_ADD_TC(tp, md5_check); ++ if (isc_md5_available()) ++ ATF_TP_ADD_TC(tp, md5_check); + #endif + ATF_TP_ADD_TC(tp, sha1_check); + +@@ -2016,7 +2017,8 @@ ATF_TP_ADD_TCS(tp) { + ATF_TP_ADD_TC(tp, isc_hash_function_reverse); + ATF_TP_ADD_TC(tp, isc_hash_initializer); + #ifndef PK11_MD5_DISABLE +- ATF_TP_ADD_TC(tp, isc_hmacmd5); ++ if (isc_md5_available()) ++ ATF_TP_ADD_TC(tp, isc_hmacmd5); + #endif + ATF_TP_ADD_TC(tp, isc_hmacsha1); + ATF_TP_ADD_TC(tp, isc_hmacsha224); +@@ -2024,7 +2026,8 @@ ATF_TP_ADD_TCS(tp) { + ATF_TP_ADD_TC(tp, isc_hmacsha384); + ATF_TP_ADD_TC(tp, isc_hmacsha512); + #ifndef PK11_MD5_DISABLE +- ATF_TP_ADD_TC(tp, isc_md5); ++ if (isc_md5_available()) ++ ATF_TP_ADD_TC(tp, isc_md5); + #endif + ATF_TP_ADD_TC(tp, isc_sha1); + ATF_TP_ADD_TC(tp, isc_sha224); +diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c +index 7225ab4a37..42b30466be 100644 +--- a/lib/isccc/cc.c ++++ b/lib/isccc/cc.c +@@ -270,11 +270,15 @@ sign(unsigned char *data, unsigned int length, unsigned char *hmac, + switch (algorithm) { + #ifndef PK11_MD5_DISABLE + case ISCCC_ALG_HMACMD5: +- isc_hmacmd5_init(&ctx.hmd5, secret->rstart, +- REGION_SIZE(*secret)); +- isc_hmacmd5_update(&ctx.hmd5, data, length); +- isc_hmacmd5_sign(&ctx.hmd5, digest); +- source.rend = digest + ISC_MD5_DIGESTLENGTH; ++ if (isc_md5_available()) { ++ isc_hmacmd5_init(&ctx.hmd5, secret->rstart, ++ REGION_SIZE(*secret)); ++ isc_hmacmd5_update(&ctx.hmd5, data, length); ++ isc_hmacmd5_sign(&ctx.hmd5, digest); ++ source.rend = digest + ISC_MD5_DIGESTLENGTH; ++ } else { ++ return (ISC_R_FAILURE); ++ } + break; + #endif + +@@ -348,14 +352,18 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, + { + unsigned int hmac_base, signed_base; + isc_result_t result; ++ const isc_boolean_t md5 = ISC_TF(algorithm == ISCCC_ALG_HMACMD5); + + #ifndef PK11_MD5_DISABLE ++ if (md5 && isc_md5_available() == ISC_FALSE) ++ return (ISC_R_NOTIMPLEMENTED); ++ + result = isc_buffer_reserve(buffer, +- 4 + ((algorithm == ISCCC_ALG_HMACMD5) ? ++ 4 + ((md5) ? + sizeof(auth_hmd5) : + sizeof(auth_hsha))); + #else +- if (algorithm == ISCCC_ALG_HMACMD5) ++ if (md5) + return (ISC_R_NOTIMPLEMENTED); + result = isc_buffer_reserve(buffer, 4 + sizeof(auth_hsha)); + #endif +@@ -374,7 +382,7 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, + * we know what it is. + */ + #ifndef PK11_MD5_DISABLE +- if (algorithm == ISCCC_ALG_HMACMD5) { ++ if (md5) { + hmac_base = (*buffer)->used + HMD5_OFFSET; + isc_buffer_putmem(*buffer, + auth_hmd5, sizeof(auth_hmd5)); +@@ -440,7 +448,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, + if (!isccc_alist_alistp(_auth)) + return (ISC_R_FAILURE); + #ifndef PK11_MD5_DISABLE +- if (algorithm == ISCCC_ALG_HMACMD5) ++ if (algorithm == ISCCC_ALG_HMACMD5 && isc_md5_available()) + hmac = isccc_alist_lookup(_auth, "hmd5"); + else + #endif +@@ -455,12 +463,16 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, + switch (algorithm) { + #ifndef PK11_MD5_DISABLE + case ISCCC_ALG_HMACMD5: +- isc_hmacmd5_init(&ctx.hmd5, secret->rstart, +- REGION_SIZE(*secret)); +- isc_hmacmd5_update(&ctx.hmd5, data, length); +- isc_hmacmd5_sign(&ctx.hmd5, digest); +- source.rend = digest + ISC_MD5_DIGESTLENGTH; +- break; ++ if (isc_md5_available()) { ++ isc_hmacmd5_init(&ctx.hmd5, secret->rstart, ++ REGION_SIZE(*secret)); ++ isc_hmacmd5_update(&ctx.hmd5, data, length); ++ isc_hmacmd5_sign(&ctx.hmd5, digest); ++ source.rend = digest + ISC_MD5_DIGESTLENGTH; ++ break; ++ } else { ++ return (ISC_R_FAILURE); ++ } + #endif + + case ISCCC_ALG_HMACSHA1: +-- +2.14.4 + diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch new file mode 100644 index 0000000..f7a998d --- /dev/null +++ b/bind-9.11-fips-tests.patch @@ -0,0 +1,1781 @@ +From 35b53607724ec4b5d4060385218c39ccd0d78a4d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Thu, 2 Aug 2018 23:46:45 +0200 +Subject: [PATCH 2/2] Squashed commit of the following: +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa +Author: Petr Menšík +Date: Wed Mar 7 20:35:13 2018 +0100 + + Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available. + +commit ab303db70082db76ecf36493d0b82ef3e8750cad +Author: Petr Menšík +Date: Wed Mar 7 18:11:10 2018 +0100 + + Changed root key to be RSASHA256 + + Change bad trusted key to be the same algorithm. + +commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8 +Author: Petr Menšík +Date: Wed Mar 7 16:56:17 2018 +0100 + + Change used key to not use hmac-md5 + + Fix upforwd test, do not use hmac-md5 + +commit aec891571626f053acfb4d0a247240cbc21a84e9 +Author: Petr Menšík +Date: Wed Mar 7 15:54:11 2018 +0100 + + Increase bitsize of DSA key to pass FIPS 140-2 mode. + +commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696 +Author: Petr Menšík +Date: Wed Mar 7 15:41:08 2018 +0100 + + Fix tsig and rndc tests for disabled md5 + + Use hmac-sha256 instead of hmac-md5. + +commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67 +Author: Petr Menšík +Date: Wed Mar 7 13:21:00 2018 +0100 + + Add md5 availability detection to featuretest + +commit f389a918803e2853e4b55fed62765dc4a492e34f +Author: Petr Menšík +Date: Wed Mar 7 10:44:23 2018 +0100 + + Change tests to not use hmac-md5 algorithms if not required + + Use hmac-sha256 instead of default hmac-md5 for allow-query +--- + bin/tests/system/acl/ns2/named1.conf.in | 4 +- + bin/tests/system/acl/ns2/named2.conf.in | 4 +- + bin/tests/system/acl/ns2/named3.conf.in | 6 +-- + bin/tests/system/acl/ns2/named4.conf.in | 4 +- + bin/tests/system/acl/ns2/named5.conf.in | 4 +- + bin/tests/system/acl/tests.sh | 32 +++++------ + bin/tests/system/allow-query/ns2/named10.conf.in | 2 +- + bin/tests/system/allow-query/ns2/named11.conf.in | 4 +- + bin/tests/system/allow-query/ns2/named12.conf.in | 2 +- + bin/tests/system/allow-query/ns2/named30.conf.in | 2 +- + bin/tests/system/allow-query/ns2/named31.conf.in | 4 +- + bin/tests/system/allow-query/ns2/named32.conf.in | 2 +- + bin/tests/system/allow-query/ns2/named40.conf.in | 4 +- + bin/tests/system/allow-query/tests.sh | 18 +++---- + bin/tests/system/catz/ns1/named.conf.in | 2 +- + bin/tests/system/catz/ns2/named.conf.in | 2 +- + bin/tests/system/checkconf/bad-tsig.conf | 2 +- + bin/tests/system/checkconf/good.conf | 2 +- + bin/tests/system/digdelv/ns2/example.db | 15 +++--- + bin/tests/system/digdelv/tests.sh | 28 +++++----- + bin/tests/system/dlv/ns1/sign.sh | 4 +- + bin/tests/system/dlv/ns2/sign.sh | 4 +- + bin/tests/system/dlv/ns3/sign.sh | 69 ++++++++++++------------ + bin/tests/system/dlv/ns6/sign.sh | 66 ++++++++++++----------- + bin/tests/system/dnssec/ns1/sign.sh | 4 +- + bin/tests/system/dnssec/ns2/sign.sh | 12 ++--- + bin/tests/system/dnssec/ns3/sign.sh | 20 +++---- + bin/tests/system/dnssec/ns5/trusted.conf.bad | 2 +- + bin/tests/system/dnssec/tests.sh | 8 +-- + bin/tests/system/feature-test.c | 14 +++++ + bin/tests/system/filter-aaaa/ns1/sign.sh | 4 +- + bin/tests/system/filter-aaaa/ns4/sign.sh | 4 +- + bin/tests/system/notify/ns5/named.conf.in | 6 +-- + bin/tests/system/notify/tests.sh | 6 +-- + bin/tests/system/nsupdate/ns1/named.conf.in | 2 +- + bin/tests/system/nsupdate/ns2/named.conf.in | 2 +- + bin/tests/system/nsupdate/setup.sh | 7 ++- + bin/tests/system/nsupdate/tests.sh | 11 +++- + bin/tests/system/rndc/setup.sh | 2 +- + bin/tests/system/rndc/tests.sh | 23 ++++---- + bin/tests/system/tsig/clean.sh | 1 + + bin/tests/system/tsig/ns1/named.conf.in | 10 +--- + bin/tests/system/tsig/ns1/rndc5.conf.in | 11 ++++ + bin/tests/system/tsig/setup.sh | 4 ++ + bin/tests/system/tsig/tests.sh | 67 ++++++++++++++--------- + bin/tests/system/tsiggss/setup.sh | 2 +- + bin/tests/system/upforwd/ns1/named.conf.in | 2 +- + bin/tests/system/upforwd/tests.sh | 2 +- + 48 files changed, 287 insertions(+), 225 deletions(-) + create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in + +diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in +index 0ea6502708..026db3f134 100644 +--- a/bin/tests/system/acl/ns2/named1.conf.in ++++ b/bin/tests/system/acl/ns2/named1.conf.in +@@ -33,12 +33,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in +index b877880554..d8f50be255 100644 +--- a/bin/tests/system/acl/ns2/named2.conf.in ++++ b/bin/tests/system/acl/ns2/named2.conf.in +@@ -33,12 +33,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in +index 0a950622a2..aa54088138 100644 +--- a/bin/tests/system/acl/ns2/named3.conf.in ++++ b/bin/tests/system/acl/ns2/named3.conf.in +@@ -33,17 +33,17 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key three { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in +index 7cdcb6e341..606a3452d8 100644 +--- a/bin/tests/system/acl/ns2/named4.conf.in ++++ b/bin/tests/system/acl/ns2/named4.conf.in +@@ -33,12 +33,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in +index 4b4e05027a..0e679a821d 100644 +--- a/bin/tests/system/acl/ns2/named5.conf.in ++++ b/bin/tests/system/acl/ns2/named5.conf.in +@@ -34,12 +34,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh +index 09f31f2bb9..f88f0d4430 100644 +--- a/bin/tests/system/acl/tests.sh ++++ b/bin/tests/system/acl/tests.sh +@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing" + # key "one" should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + + # any other key should be fine + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + copy_setports ns2/named2.conf.in ns2/named.conf +@@ -39,18 +39,18 @@ sleep 5 + # prefix 10/8 should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + # any other address should work, as long as it sends key "one" + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + echo_i "testing nested ACL processing" +@@ -62,31 +62,31 @@ sleep 5 + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # but only one or the other should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + t=`expr $t + 1` +@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1 + # and other values? right out + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two +@@ -108,31 +108,31 @@ sleep 5 + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + # should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + # should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + echo_i "testing allow-query-on ACL processing" +diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in +index 1569913b37..e9c5c2d574 100644 +--- a/bin/tests/system/allow-query/ns2/named10.conf.in ++++ b/bin/tests/system/allow-query/ns2/named10.conf.in +@@ -12,7 +12,7 @@ + controls { /* empty */ }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in +index 18ac91c6e7..2b1c8739d8 100644 +--- a/bin/tests/system/allow-query/ns2/named11.conf.in ++++ b/bin/tests/system/allow-query/ns2/named11.conf.in +@@ -12,12 +12,12 @@ + controls { /* empty */ }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234efgh8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in +index b8248444dd..dd48945bf8 100644 +--- a/bin/tests/system/allow-query/ns2/named12.conf.in ++++ b/bin/tests/system/allow-query/ns2/named12.conf.in +@@ -12,7 +12,7 @@ + controls { /* empty */ }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in +index aeb1540e95..bfce58bddd 100644 +--- a/bin/tests/system/allow-query/ns2/named30.conf.in ++++ b/bin/tests/system/allow-query/ns2/named30.conf.in +@@ -12,7 +12,7 @@ + controls { /* empty */ }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in +index d4b743281a..e0f52526ba 100644 +--- a/bin/tests/system/allow-query/ns2/named31.conf.in ++++ b/bin/tests/system/allow-query/ns2/named31.conf.in +@@ -12,12 +12,12 @@ + controls { /* empty */ }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234efgh8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in +index c0259387e7..87afb3fa3a 100644 +--- a/bin/tests/system/allow-query/ns2/named32.conf.in ++++ b/bin/tests/system/allow-query/ns2/named32.conf.in +@@ -12,7 +12,7 @@ + controls { /* empty */ }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in +index d83b376cfd..d726b9480b 100644 +--- a/bin/tests/system/allow-query/ns2/named40.conf.in ++++ b/bin/tests/system/allow-query/ns2/named40.conf.in +@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; }; + acl badaccept { 10.53.0.1; }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234efgh8765"; + }; + +diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh +index fb6059d5b8..f9601564a2 100644 +--- a/bin/tests/system/allow-query/tests.sh ++++ b/bin/tests/system/allow-query/tests.sh +@@ -190,7 +190,7 @@ rndc_reload + + echo_i "test $n: key allowed - query allowed" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -203,7 +203,7 @@ rndc_reload + + echo_i "test $n: key not allowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -216,7 +216,7 @@ rndc_reload + + echo_i "test $n: key disallowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -349,7 +349,7 @@ rndc_reload + + echo_i "test $n: views key allowed - query allowed" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -362,7 +362,7 @@ rndc_reload + + echo_i "test $n: views key not allowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -375,7 +375,7 @@ rndc_reload + + echo_i "test $n: views key disallowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -508,7 +508,7 @@ status=`expr $status + $ret` + n=`expr $n + 1` + echo_i "test $n: zone key allowed - query allowed" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 + grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -518,7 +518,7 @@ status=`expr $status + $ret` + n=`expr $n + 1` + echo_i "test $n: zone key not allowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -528,7 +528,7 @@ status=`expr $status + $ret` + n=`expr $n + 1` + echo_i "test $n: zone key disallowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in +index 74b7d371b7..c35376640d 100644 +--- a/bin/tests/system/catz/ns1/named.conf.in ++++ b/bin/tests/system/catz/ns1/named.conf.in +@@ -61,5 +61,5 @@ zone "catalog4.example" { + + key tsig_key. { + secret "LSAnCU+Z"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; +diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in +index ee83efbee4..35ced08842 100644 +--- a/bin/tests/system/catz/ns2/named.conf.in ++++ b/bin/tests/system/catz/ns2/named.conf.in +@@ -70,5 +70,5 @@ zone "catalog4.example" { + + key tsig_key. { + secret "LSAnCU+Z"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; +diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf +index 21be03e9d2..e57c30875c 100644 +--- a/bin/tests/system/checkconf/bad-tsig.conf ++++ b/bin/tests/system/checkconf/bad-tsig.conf +@@ -11,7 +11,7 @@ + + /* Bad secret */ + key "badtsig" { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "jEdD+BPKg=="; + }; + +diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf +index 9ab35b38a5..486551ae64 100644 +--- a/bin/tests/system/checkconf/good.conf ++++ b/bin/tests/system/checkconf/good.conf +@@ -153,6 +153,6 @@ dyndb "name" "library.so" { + system; + }; + key "mykey" { +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "qwertyuiopasdfgh"; + }; +diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db +index f4e30f51e5..9f53e31c97 100644 +--- a/bin/tests/system/digdelv/ns2/example.db ++++ b/bin/tests/system/digdelv/ns2/example.db +@@ -38,12 +38,15 @@ foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890 + ;; + ;; we are not testing DNSSEC behavior, so we don't care about the semantics + ;; of the following records. +-dnskey 300 DNSKEY 256 3 1 ( +- AQPTpWyReB/e9Ii6mVGnakS8hX2zkh/iUYAg +- +Ge4noWROpTWOIBvm76zeJPWs4Zfqa1IsswD +- Ix5Mqeg0zwclz59uecKsKyx5w9IhtZ8plc4R +- b9VIE5x7KNHAYTvTO5d4S8M= +- ) ++dnskey 300 DNSKEY 256 3 8 ( ++ AwEAAaWmCoDpj2K59zcpqnmnQM7IC/XbjS6jIP7uTBR4X7p1bdQJzAeo ++ EnMhnpnxPp0j+20eZm4847DB2U+HuHy79Mvqd3aozTmfBJvzjKs9qyba ++ zY/ZHn6BDYxNJiFfjSS/VJ1KuQPDbpCzhm2hbvT5s9nSOaG0WyRk+d+R ++ qEca11E7ZKkmmNiGlyzMAgfmTTBwgxWBAAhvd9nU1GqD6eQ6Z63hpTc/ ++ KDIHnFTo7pOcZ4z5urIKUMCMcFytedETlEoR5CIWGPdQq2eIEEMfn5ld ++ QqdEZRHVErD9og8aluJ2s767HZb8LzjCfYgBFoT9/n48T75oZLEKtSkG ++ /idCeeQlaLU= ++ ) + + ; TTL of 3 weeks + weeks 1814400 A 10.53.0.2 +diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh +index 1b25c4ddfc..5dbf20a3e1 100644 +--- a/bin/tests/system/digdelv/tests.sh ++++ b/bin/tests/system/digdelv/tests.sh +@@ -62,7 +62,7 @@ if [ -x ${DIG} ] ; then + echo_i "checking dig +multi +norrcomments works for dnskey (when default is rrcomments)($n)" + ret=0 + $DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 +- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null && ret=1 ++ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < dig.out.test$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -70,7 +70,7 @@ if [ -x ${DIG} ] ; then + echo_i "checking dig +multi +norrcomments works for soa (when default is rrcomments)($n)" + ret=0 + $DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > dig.out.test$n || ret=1 +- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null && ret=1 ++ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < dig.out.test$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -78,7 +78,7 @@ if [ -x ${DIG} ] ; then + echo_i "checking dig +rrcomments works for DNSKEY($n)" + ret=0 + $DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 +- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1 ++ grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -86,7 +86,7 @@ if [ -x ${DIG} ] ; then + echo_i "checking dig +short +rrcomments works for DNSKEY ($n)" + ret=0 + $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 +- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1 ++ grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -94,7 +94,7 @@ if [ -x ${DIG} ] ; then + echo_i "checking dig +short +nosplit works($n)" + ret=0 + $DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1 +- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=$" < dig.out.test$n > /dev/null || ret=1 ++ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=$" < dig.out.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -102,7 +102,7 @@ if [ -x ${DIG} ] ; then + echo_i "checking dig +short +rrcomments works($n)" + ret=0 + $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 +- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < dig.out.test$n > /dev/null || ret=1 ++ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -118,7 +118,7 @@ if [ -x ${DIG} ] ; then + echo_i "checking dig +short +rrcomments works($n)" + ret=0 + $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 +- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < dig.out.test$n > /dev/null || ret=1 ++ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -543,7 +543,7 @@ if [ -x ${DELV} ] ; then + echo_i "checking delv +multi +norrcomments works for dnskey (when default is rrcomments)($n)" + ret=0 + $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 +- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null && ret=1 ++ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -551,7 +551,7 @@ if [ -x ${DELV} ] ; then + echo_i "checking delv +multi +norrcomments works for soa (when default is rrcomments)($n)" + ret=0 + $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > delv.out.test$n || ret=1 +- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null && ret=1 ++ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -559,7 +559,7 @@ if [ -x ${DELV} ] ; then + echo_i "checking delv +rrcomments works for DNSKEY($n)" + ret=0 + $DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 +- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null || ret=1 ++ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -567,7 +567,7 @@ if [ -x ${DELV} ] ; then + echo_i "checking delv +short +rrcomments works for DNSKEY ($n)" + ret=0 + $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 +- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null || ret=1 ++ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -575,7 +575,7 @@ if [ -x ${DELV} ] ; then + echo_i "checking delv +short +rrcomments works ($n)" + ret=0 + $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 +- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < delv.out.test$n > /dev/null || ret=1 ++ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < delv.out.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +@@ -583,7 +583,7 @@ if [ -x ${DELV} ] ; then + echo_i "checking delv +short +nosplit works ($n)" + ret=0 + $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1 +- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=" < delv.out.test$n > /dev/null || ret=1 ++ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=" < delv.out.test$n > /dev/null || ret=1 + if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi + f=`awk '{print NF}' < delv.out.test$n` + test "${f:-0}" -eq 14 || ret=1 +@@ -594,7 +594,7 @@ if [ -x ${DELV} ] ; then + echo_i "checking delv +short +nosplit +norrcomments works ($n)" + ret=0 + $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 +- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=$" < delv.out.test$n > /dev/null || ret=1 ++ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=$" < delv.out.test$n > /dev/null || ret=1 + if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi + f=`awk '{print NF}' < delv.out.test$n` + test "${f:-0}" -eq 4 || ret=1 +diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh +index b8151620cc..2a62e583b8 100755 +--- a/bin/tests/system/dlv/ns1/sign.sh ++++ b/bin/tests/system/dlv/ns1/sign.sh +@@ -23,8 +23,8 @@ infile=root.db.in + zonefile=root.db + outfile=root.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh +index 6f84d7a525..e128303a22 100755 +--- a/bin/tests/system/dlv/ns2/sign.sh ++++ b/bin/tests/system/dlv/ns2/sign.sh +@@ -24,8 +24,8 @@ zonefile=druz.db + outfile=druz.pre + dlvzone=utld. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh +index bcc9922e26..846dbcc0df 100755 +--- a/bin/tests/system/dlv/ns3/sign.sh ++++ b/bin/tests/system/dlv/ns3/sign.sh +@@ -19,6 +19,7 @@ echo_i "dlv/ns3/sign.sh" + dlvzone=dlv.utld. + dlvsets= + dssets= ++bits=1024 + + zone=child1.utld. + infile=child.db.in +@@ -26,8 +27,8 @@ zonefile=child1.utld.db + outfile=child1.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -42,8 +43,8 @@ zonefile=child3.utld.db + outfile=child3.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -58,8 +59,8 @@ zonefile=child4.utld.db + outfile=child4.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -73,8 +74,8 @@ zonefile=child5.utld.db + outfile=child5.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -88,8 +89,8 @@ infile=child.db.in + zonefile=child7.utld.db + outfile=child7.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -103,8 +104,8 @@ infile=child.db.in + zonefile=child8.utld.db + outfile=child8.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -118,8 +119,8 @@ zonefile=child9.utld.db + outfile=child9.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -132,8 +133,8 @@ zonefile=child10.utld.db + outfile=child10.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -147,8 +148,8 @@ outfile=child1.druz.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -164,8 +165,8 @@ outfile=child3.druz.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -181,8 +182,8 @@ outfile=child4.druz.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -197,8 +198,8 @@ outfile=child5.druz.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -213,8 +214,8 @@ zonefile=child7.druz.db + outfile=child7.druz.signed + dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -228,8 +229,8 @@ infile=child.db.in + zonefile=child8.druz.db + outfile=child8.druz.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -243,8 +244,8 @@ zonefile=child9.druz.db + outfile=child9.druz.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -258,8 +259,8 @@ outfile=child10.druz.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -272,8 +273,8 @@ infile=dlv.db.in + zonefile=dlv.utld.db + outfile=dlv.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile + +diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh +index 1e398625f1..4ed19acd1f 100755 +--- a/bin/tests/system/dlv/ns6/sign.sh ++++ b/bin/tests/system/dlv/ns6/sign.sh +@@ -16,13 +16,15 @@ SYSTESTDIR=dlv + + echo_i "dlv/ns6/sign.sh" + ++bits=1024 ++ + zone=grand.child1.utld. + infile=child.db.in + zonefile=grand.child1.utld.db + outfile=grand.child1.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -36,8 +38,8 @@ zonefile=grand.child3.utld.db + outfile=grand.child3.signed + dlvzone=dlv.utld. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -51,8 +53,8 @@ zonefile=grand.child4.utld.db + outfile=grand.child4.signed + dlvzone=dlv.utld. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -66,8 +68,8 @@ zonefile=grand.child5.utld.db + outfile=grand.child5.signed + dlvzone=dlv.utld. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -81,8 +83,8 @@ zonefile=grand.child7.utld.db + outfile=grand.child7.signed + dlvzone=dlv.utld. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -96,8 +98,8 @@ zonefile=grand.child8.utld.db + outfile=grand.child8.signed + dlvzone=dlv.utld. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -111,8 +113,8 @@ zonefile=grand.child9.utld.db + outfile=grand.child9.signed + dlvzone=dlv.utld. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -125,8 +127,8 @@ zonefile=grand.child10.utld.db + outfile=grand.child10.signed + dlvzone=dlv.utld. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -138,8 +140,8 @@ infile=child.db.in + zonefile=grand.child1.druz.db + outfile=grand.child1.druz.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -153,8 +155,8 @@ zonefile=grand.child3.druz.db + outfile=grand.child3.druz.signed + dlvzone=dlv.druz. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -168,8 +170,8 @@ zonefile=grand.child4.druz.db + outfile=grand.child4.druz.signed + dlvzone=dlv.druz. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -183,8 +185,8 @@ zonefile=grand.child5.druz.db + outfile=grand.child5.druz.signed + dlvzone=dlv.druz. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -198,8 +200,8 @@ zonefile=grand.child7.druz.db + outfile=grand.child7.druz.signed + dlvzone=dlv.druz. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -213,8 +215,8 @@ zonefile=grand.child8.druz.db + outfile=grand.child8.druz.signed + dlvzone=dlv.druz. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -228,8 +230,8 @@ zonefile=grand.child9.druz.db + outfile=grand.child9.druz.signed + dlvzone=dlv.druz. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -242,8 +244,8 @@ zonefile=grand.child10.druz.db + outfile=grand.child10.druz.signed + dlvzone=dlv.druz. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh +index 198d60ae15..d89a539ffd 100644 +--- a/bin/tests/system/dnssec/ns1/sign.sh ++++ b/bin/tests/system/dnssec/ns1/sign.sh +@@ -27,7 +27,7 @@ cp ../ns2/dsset-in-addr.arpa$TP . + grep "8 [12] " ../ns2/dsset-algroll$TP > dsset-algroll$TP + cp ../ns6/dsset-optout-tld$TP . + +-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` ++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone` + + cat $infile $keyname.key > $zonefile + +@@ -48,6 +48,6 @@ cp managed.conf ../ns4/managed.conf + # + # Save keyid for managed key id test. + # +-keyid=`expr $keyname : 'K.+001+\(.*\)'` ++keyid=`expr $keyname : 'K.+008+\([0-9]*\)'` + keyid=`expr $keyid + 0` + echo "$keyid" > managed.key.id +diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh +index 9078459ac8..9dcd028eb5 100644 +--- a/bin/tests/system/dnssec/ns2/sign.sh ++++ b/bin/tests/system/dnssec/ns2/sign.sh +@@ -29,8 +29,8 @@ do + cp ../ns3/dsset-$subdomain.example$TP . + done + +-keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` +-keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` ++keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone` ++keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -89,8 +89,8 @@ zone=in-addr.arpa. + infile=in-addr.arpa.db.in + zonefile=in-addr.arpa.db + +-keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` +-keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` ++keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone` ++keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone` + + cat $infile $keyname1.key $keyname2.key >$zonefile + $SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null +@@ -101,7 +101,7 @@ privzone=private.secure.example. + privinfile=private.secure.example.db.in + privzonefile=private.secure.example.db + +-privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone` ++privkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $privzone` + + cat $privinfile $privkeyname.key >$privzonefile + +@@ -115,7 +115,7 @@ dlvinfile=dlv.db.in + dlvzonefile=dlv.db + dlvsetfile=dlvset-`echo $privzone |sed -e "s/\.$//g"`$TP + +-dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone` ++dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $dlvzone` + + cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile + +diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh +index 330abf7feb..f95a6b7ea8 100644 +--- a/bin/tests/system/dnssec/ns3/sign.sh ++++ b/bin/tests/system/dnssec/ns3/sign.sh +@@ -28,7 +28,7 @@ zone=bogus.example. + infile=bogus.example.db.in + zonefile=bogus.example.db + +-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` ++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` + + cat $infile $keyname.key >$zonefile + +@@ -38,8 +38,8 @@ zone=dynamic.example. + infile=dynamic.example.db.in + zonefile=dynamic.example.db + +-keyname1=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` +-keyname2=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone` ++keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` ++keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone -f KSK $zone` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -49,7 +49,7 @@ zone=keyless.example. + infile=generic.example.db.in + zonefile=keyless.example.db + +-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` ++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` + + cat $infile $keyname.key >$zonefile + +@@ -69,7 +69,7 @@ zone=secure.nsec3.example. + infile=secure.nsec3.example.db.in + zonefile=secure.nsec3.example.db + +-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` ++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` + + cat $infile $keyname.key >$zonefile + +@@ -82,7 +82,7 @@ zone=nsec3.nsec3.example. + infile=nsec3.nsec3.example.db.in + zonefile=nsec3.nsec3.example.db + +-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` ++keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` + + cat $infile $keyname.key >$zonefile + +@@ -95,7 +95,7 @@ zone=optout.nsec3.example. + infile=optout.nsec3.example.db.in + zonefile=optout.nsec3.example.db + +-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` ++keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` + + cat $infile $keyname.key >$zonefile + +@@ -108,7 +108,7 @@ zone=nsec3.example. + infile=nsec3.example.db.in + zonefile=nsec3.example.db + +-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` ++keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` + + cat $infile $keyname.key >$zonefile + +@@ -121,7 +121,7 @@ zone=secure.optout.example. + infile=secure.optout.example.db.in + zonefile=secure.optout.example.db + +-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` ++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` + + cat $infile $keyname.key >$zonefile + +@@ -498,7 +498,7 @@ zone=badds.example. + infile=bogus.example.db.in + zonefile=badds.example.db + +-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` ++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` + + cat $infile $keyname.key >$zonefile + +diff --git a/bin/tests/system/dnssec/ns5/trusted.conf.bad b/bin/tests/system/dnssec/ns5/trusted.conf.bad +index ed30460bda..e6b112630e 100644 +--- a/bin/tests/system/dnssec/ns5/trusted.conf.bad ++++ b/bin/tests/system/dnssec/ns5/trusted.conf.bad +@@ -10,5 +10,5 @@ + */ + + trusted-keys { +- "." 256 3 1 "AQO6Cl+slAf+iuieDim9L3kujFHQD7s/IOj03ClMOpKYcTXtK4mRpuULVfvWxDi9Ew/gj0xLnnX7z9OJHIxLI+DSrAHd8Dm0XfBEAtVtJSn70GaPZgnLMw1rk5ap2DsEoWk="; ++ "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV"; + }; +diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh +index bb2315fbf3..315666825e 100644 +--- a/bin/tests/system/dnssec/tests.sh ++++ b/bin/tests/system/dnssec/tests.sh +@@ -1690,7 +1690,7 @@ ret=0 + $RNDCCMD 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i + keyid=`cat ns1/managed.key.id` + cp ns4/named.secroots named.secroots.test$n +-linecount=`grep "./RSAMD5/$keyid ; trusted" named.secroots.test$n | wc -l` ++linecount=`grep "./RSASHA256/$keyid ; trusted" named.secroots.test$n | wc -l` + [ "$linecount" -eq 1 ] || ret=1 + linecount=`cat named.secroots.test$n | wc -l` + [ "$linecount" -eq 10 ] || ret=1 +@@ -3018,7 +3018,7 @@ echo_i "check dig's +nocrypto flag ($n)" + ret=0 + $DIG $DIGOPTS +norec +nocrypto DNSKEY . \ + @10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1 +-grep '256 3 1 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1 ++grep '256 3 8 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1 + grep 'RRSIG.* \[omitted]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1 + $DIG $DIGOPTS +norec +nocrypto DS example \ + @10.53.0.1 > dig.out.ds.ns1.test$n || ret=1 +@@ -3130,8 +3130,8 @@ do + alg=`expr $alg + 1` + continue;; + 3) size="-b 512";; +- 5) size="-b 512";; +- 6) size="-b 512";; ++ 5) size="-b 1024";; ++ 6) size="-b 1024";; + 7) size="-b 512";; + 8) size="-b 512";; + 10) size="-b 1024";; +diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c +index 9612450ab4..5eee6aa4f8 100644 +--- a/bin/tests/system/feature-test.c ++++ b/bin/tests/system/feature-test.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + + #ifdef WIN32 +@@ -45,6 +46,7 @@ usage() { + fprintf(stderr, " --have-geoip\n"); + fprintf(stderr, " --have-libxml2\n"); + fprintf(stderr, " --ipv6only=no\n"); ++ fprintf(stderr, " --md5\n"); + fprintf(stderr, " --rpz-nsdname\n"); + fprintf(stderr, " --rpz-nsip\n"); + fprintf(stderr, " --with-idn\n"); +@@ -136,6 +138,18 @@ main(int argc, char **argv) { + #endif + } + ++ if (strcmp(argv[1], "--md5") == 0) { ++#ifdef PK11_MD5_DISABLE ++ return (1); ++#else ++ if (isc_md5_available()) { ++ return (0); ++ } else { ++ return (1); ++ } ++#endif ++ } ++ + if (strcmp(argv[1], "--rpz-nsip") == 0) { + #ifdef ENABLE_RPZ_NSIP + return (0); +diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh +index f7555810a0..4a7d89004a 100755 +--- a/bin/tests/system/filter-aaaa/ns1/sign.sh ++++ b/bin/tests/system/filter-aaaa/ns1/sign.sh +@@ -21,8 +21,8 @@ infile=signed.db.in + zonefile=signed.db.signed + outfile=signed.db.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh +index f7555810a0..4a7d89004a 100755 +--- a/bin/tests/system/filter-aaaa/ns4/sign.sh ++++ b/bin/tests/system/filter-aaaa/ns4/sign.sh +@@ -21,8 +21,8 @@ infile=signed.db.in + zonefile=signed.db.signed + outfile=signed.db.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in +index cfcfe8fa2f..0a1614d527 100644 +--- a/bin/tests/system/notify/ns5/named.conf.in ++++ b/bin/tests/system/notify/ns5/named.conf.in +@@ -10,17 +10,17 @@ + */ + + key "a" { +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "aaaaaaaaaaaaaaaaaaaa"; + }; + + key "b" { +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "bbbbbbbbbbbbbbbbbbbb"; + }; + + key "c" { +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "cccccccccccccccccccc"; + }; + +diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh +index ad20e3eaca..5a9ce4688a 100644 +--- a/bin/tests/system/notify/tests.sh ++++ b/bin/tests/system/notify/tests.sh +@@ -186,16 +186,16 @@ ret=0 + $NSUPDATE << EOF + server 10.53.0.5 ${PORT} + zone x21 +-key a aaaaaaaaaaaaaaaaaaaa ++key hmac-sha256:a aaaaaaaaaaaaaaaaaaaa + update add added.x21 0 in txt "test string" + send + EOF + + for i in 1 2 3 4 5 6 7 8 9 + do +- $DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ ++ $DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ + txt > dig.out.b.ns5.test$n || ret=1 +- $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \ ++ $DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \ + txt > dig.out.c.ns5.test$n || ret=1 + grep "test string" dig.out.b.ns5.test$n > /dev/null && + grep "test string" dig.out.c.ns5.test$n > /dev/null && +diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in +index 1d999adc39..26b6b7c9ab 100644 +--- a/bin/tests/system/nsupdate/ns1/named.conf.in ++++ b/bin/tests/system/nsupdate/ns1/named.conf.in +@@ -32,7 +32,7 @@ controls { + }; + + key altkey { +- algorithm hmac-md5; ++ algorithm hmac-sha512; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in +index b4ecf96668..1adb33eb0b 100644 +--- a/bin/tests/system/nsupdate/ns2/named.conf.in ++++ b/bin/tests/system/nsupdate/ns2/named.conf.in +@@ -24,7 +24,7 @@ options { + }; + + key altkey { +- algorithm hmac-md5; ++ algorithm hmac-sha512; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh +index 32674eb382..2331b30b00 100644 +--- a/bin/tests/system/nsupdate/setup.sh ++++ b/bin/tests/system/nsupdate/setup.sh +@@ -59,7 +59,12 @@ EOF + + $DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key + +-$DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key ++if $FEATURETEST --md5; then ++ $DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key ++else ++ echo -n > ns1/md5.key ++fi ++ + $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key + $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key + $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key +diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh +index 2a01d1e46d..e8659587c3 100755 +--- a/bin/tests/system/nsupdate/tests.sh ++++ b/bin/tests/system/nsupdate/tests.sh +@@ -680,7 +680,14 @@ fi + n=`expr $n + 1` + ret=0 + echo_i "check TSIG key algorithms ($n)" +-for alg in md5 sha1 sha224 sha256 sha384 sha512; do ++if $FEATURETEST --md5 ++then ++ ALGS="md5 sha1 sha224 sha256 sha384 sha512" ++else ++ ALGS="sha1 sha224 sha256 sha384 sha512" ++ echo_i "skipping disabled md5 algorithm" ++fi ++for alg in $ALGS; do + $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1 + server 10.53.0.1 ${PORT} + update add ${alg}.keytests.nil. 600 A 10.10.10.3 +@@ -688,7 +695,7 @@ send + END + done + sleep 2 +-for alg in md5 sha1 sha224 sha256 sha384 sha512; do ++for alg in $ALGS; do + $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 + done + if [ $ret -ne 0 ]; then +diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh +index 850c4d2744..09a3e0f9ad 100644 +--- a/bin/tests/system/rndc/setup.sh ++++ b/bin/tests/system/rndc/setup.sh +@@ -37,7 +37,7 @@ make_key () { + sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf + } + +-make_key 1 ${EXTRAPORT1} hmac-md5 ++$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5 + make_key 2 ${EXTRAPORT2} hmac-sha1 + make_key 3 ${EXTRAPORT3} hmac-sha224 + make_key 4 ${EXTRAPORT4} hmac-sha256 +diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh +index d364e6fea0..dbf3bc6780 100644 +--- a/bin/tests/system/rndc/tests.sh ++++ b/bin/tests/system/rndc/tests.sh +@@ -356,15 +356,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + n=`expr $n + 1` +-echo_i "testing rndc with hmac-md5 ($n)" +-ret=0 +-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 +-for i in 2 3 4 5 6 +-do +- $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 +-done +-if [ $ret != 0 ]; then echo_i "failed"; fi +-status=`expr $status + $ret` ++if $FEATURETEST --md5 ++then ++ echo_i "testing rndc with hmac-md5 ($n)" ++ ret=0 ++ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 ++ for i in 2 3 4 5 6 ++ do ++ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 ++ done ++ if [ $ret != 0 ]; then echo_i "failed"; fi ++ status=`expr $status + $ret` ++else ++ echo_i "skipping rndc with hmac-md5 ($n)" ++fi + + n=`expr $n + 1` + echo_i "testing rndc with hmac-sha1 ($n)" +diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh +index 576ec70f76..cb7a852189 100644 +--- a/bin/tests/system/tsig/clean.sh ++++ b/bin/tests/system/tsig/clean.sh +@@ -20,3 +20,4 @@ rm -f */named.run + rm -f ns*/named.lock + rm -f Kexample.net.+163+* + rm -f keygen.out? ++rm -f ns1/named.conf +diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in +index fbf30c6dc4..f61657d7cf 100644 +--- a/bin/tests/system/tsig/ns1/named.conf.in ++++ b/bin/tests/system/tsig/ns1/named.conf.in +@@ -21,10 +21,7 @@ options { + notify no; + }; + +-key "md5" { +- secret "97rnFx24Tfna4mHPfgnerA=="; +- algorithm hmac-md5; +-}; ++# md5 key appended by setup.sh at the end + + key "sha1" { + secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; +@@ -51,10 +48,7 @@ key "sha512" { + algorithm hmac-sha512; + }; + +-key "md5-trunc" { +- secret "97rnFx24Tfna4mHPfgnerA=="; +- algorithm hmac-md5-80; +-}; ++# md5-trunc key appended by setup.sh at the end + + key "sha1-trunc" { + secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; +diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in +new file mode 100644 +index 0000000000..4117830adb +--- /dev/null ++++ b/bin/tests/system/tsig/ns1/rndc5.conf.in +@@ -0,0 +1,11 @@ ++ ++key "md5" { ++ secret "97rnFx24Tfna4mHPfgnerA=="; ++ algorithm hmac-md5; ++}; ++ ++key "md5-trunc" { ++ secret "97rnFx24Tfna4mHPfgnerA=="; ++ algorithm hmac-md5-80; ++}; ++ +diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh +index 656e9bbcd8..628c5bbac1 100644 +--- a/bin/tests/system/tsig/setup.sh ++++ b/bin/tests/system/tsig/setup.sh +@@ -17,3 +17,7 @@ $SHELL clean.sh + copy_setports ns1/named.conf.in ns1/named.conf + + test -r $RANDFILE || $GENRANDOM 400 $RANDFILE ++if $FEATURETEST --md5 ++then ++ cat ns1/rndc5.conf.in >> ns1/named.conf ++fi +diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh +index f731fa604c..cade35bc1d 100644 +--- a/bin/tests/system/tsig/tests.sh ++++ b/bin/tests/system/tsig/tests.sh +@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f + + status=0 + +-echo_i "fetching using hmac-md5 (old form)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 +-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 +-fi +- +-echo_i "fetching using hmac-md5 (new form)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 +-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 ++if $FEATURETEST --md5 ++then ++ echo_i "fetching using hmac-md5 (old form)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 ++ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi ++ ++ echo_i "fetching using hmac-md5 (new form)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 ++ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi ++else ++ echo_i "skipping using hmac-md5" + fi + + echo_i "fetching using hmac-sha1" +@@ -87,12 +92,17 @@ fi + # Truncated TSIG + # + # +-echo_i "fetching using hmac-md5 (trunc)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 +-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 ++if $FEATURETEST --md5 ++then ++ echo_i "fetching using hmac-md5 (trunc)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 ++ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi ++else ++ echo_i "skipping using hmac-md5 (trunc)" + fi + + echo_i "fetching using hmac-sha1 (trunc)" +@@ -141,12 +151,17 @@ fi + # Check for bad truncation. + # + # +-echo_i "fetching using hmac-md5-80 (BADTRUNC)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 +-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 ++if $FEATURETEST --md5 ++then ++ echo_i "fetching using hmac-md5-80 (BADTRUNC)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 ++ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi ++else ++ echo_i "skipping using hmac-md5-80 (BADTRUNC)" + fi + + echo_i "fetching using hmac-sha1-80 (BADTRUNC)" +diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh +index 5da33cfde0..fb108b02bd 100644 +--- a/bin/tests/system/tsiggss/setup.sh ++++ b/bin/tests/system/tsiggss/setup.sh +@@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM 400 $RANDFILE + + copy_setports ns1/named.conf.in ns1/named.conf + +-key=`$KEYGEN -Cq -K ns1 -a DSA -b 512 -r $RANDFILE -n HOST -T KEY key.example.nil.` ++key=`$KEYGEN -Cq -K ns1 -a DSA -b 1024 -r $RANDFILE -n HOST -T KEY key.example.nil.` + cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db +diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in +index e0a30cda15..6a77b1ce52 100644 +--- a/bin/tests/system/upforwd/ns1/named.conf.in ++++ b/bin/tests/system/upforwd/ns1/named.conf.in +@@ -10,7 +10,7 @@ + */ + + key "update.example." { +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; + }; + +diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh +index b0694bbd5c..9adae8228e 100644 +--- a/bin/tests/system/upforwd/tests.sh ++++ b/bin/tests/system/upforwd/tests.sh +@@ -68,7 +68,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + + echo_i "updating zone (signed) ($n)" + ret=0 +-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - < - 32:9.11.4-4 +- Support unavailable MD5 in FIPS mode + * Thu Aug 02 2018 Petr Menšík - 32:9.11.4-3 - Use OpenSSL for digest operations (#1611537)