mirror of
https://github.com/isc-projects/bind9.git
synced 2026-04-23 15:17:01 -04:00
Rewrite cipher-suites system test to pytest
The minimal required dnspython version is 2.5.0 because of the need for the "verify" argument in dns.query.tls().
This commit is contained in:
Michal Nowak
parent
b2964cc922
commit
100b759863
4 changed files with 86 additions and 120 deletions
|
|
@ -13,7 +13,13 @@
|
|||
|
||||
. ../conf.sh
|
||||
|
||||
$SHELL "${TOP_SRCDIR}/bin/tests/system/genzone.sh" 2 >ns1/example.db
|
||||
# Drop unusual RR sets dnspython can't handle. For more information
|
||||
# see https://github.com/rthalley/dnspython/issues/1034#issuecomment-1896541899.
|
||||
$SHELL "${TOP_SRCDIR}/bin/tests/system/genzone.sh" 2 \
|
||||
| sed \
|
||||
-e '/AMTRELAY.*\# 2 0004/d' \
|
||||
-e '/GPOS.*"" "" ""/d' \
|
||||
-e '/URI.*30 40 ""/d' >ns1/example.db
|
||||
|
||||
copy_setports ns1/named.conf.in ns1/named.conf
|
||||
copy_setports ns2/named.conf.in ns2/named.conf
|
||||
|
|
|
|||
|
|
@ -1,96 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
#
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
#
|
||||
# See the COPYRIGHT file distributed with this work for additional
|
||||
# information regarding copyright ownership.
|
||||
|
||||
set -e
|
||||
|
||||
# shellcheck disable=SC1091
|
||||
. ../conf.sh
|
||||
|
||||
testing="testing zone transfer over TLS (XoT): "
|
||||
|
||||
common_dig_options="+noadd +nosea +nostat +noquest +nocmd"
|
||||
|
||||
status=0
|
||||
n=0
|
||||
|
||||
dig_with_tls_opts() {
|
||||
# shellcheck disable=SC2086
|
||||
"$DIG" +tls $common_dig_options -p "${TLSPORT}" "$@"
|
||||
}
|
||||
|
||||
wait_for_tls_xfer() (
|
||||
srv_number="$1"
|
||||
shift
|
||||
zone_name="$1"
|
||||
shift
|
||||
# Let's bind to .10 to make it possible to easily distinguish dig from NSs in packet traces
|
||||
dig_with_tls_opts -b 10.53.0.10 "@10.53.0.$srv_number" "${zone_name}." AXFR >"dig.out.ns$srv_number.${zone_name}.test$n" || return 1
|
||||
grep "^;" "dig.out.ns$srv_number.${zone_name}.test$n" >/dev/null && return 1
|
||||
return 0
|
||||
)
|
||||
|
||||
tls_xfer_expect_success() {
|
||||
test_message="$1"
|
||||
shift
|
||||
n=$((n + 1))
|
||||
echo_i "$test_message - zone \"$2\" at \"ns$1\" ($n)"
|
||||
ret=0
|
||||
retry_quiet 10 wait_for_tls_xfer "$@" || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
}
|
||||
|
||||
tls_xfer_expect_failure() {
|
||||
test_message="$1"
|
||||
shift
|
||||
n=$((n + 1))
|
||||
echo_i "$test_message - zone \"$2\" at \"ns$1\", failure expected ($n)"
|
||||
ret=0
|
||||
retry_quiet 10 wait_for_tls_xfer "$@" && ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
}
|
||||
|
||||
tls_xfer_expect_success "$testing" 2 example
|
||||
tls_xfer_expect_success "$testing" 3 example
|
||||
tls_xfer_expect_success "$testing" 4 example
|
||||
|
||||
tls_xfer_expect_success "$testing" 2 example-aes-128
|
||||
tls_xfer_expect_success "$testing" 3 example-aes-256
|
||||
if ! $FEATURETEST --have-fips-mode; then
|
||||
tls_xfer_expect_success "$testing" 4 example-chacha-20
|
||||
fi
|
||||
|
||||
tls_xfer_expect_failure "$testing" 2 example-aes-256
|
||||
if ! $FEATURETEST --have-fips-mode; then
|
||||
tls_xfer_expect_failure "$testing" 2 example-chacha-20
|
||||
fi
|
||||
|
||||
tls_xfer_expect_failure "$testing" 3 example-aes-128
|
||||
if ! $FEATURETEST --have-fips-mode; then
|
||||
tls_xfer_expect_failure "$testing" 3 example-chacha-20
|
||||
fi
|
||||
|
||||
tls_xfer_expect_failure "$testing" 4 example-aes-128
|
||||
tls_xfer_expect_failure "$testing" 4 example-aes-256
|
||||
|
||||
# NS5 tries to download the zone over TLSv1.2
|
||||
tls_xfer_expect_failure "$testing" 5 example
|
||||
tls_xfer_expect_failure "$testing" 5 example-aes-128
|
||||
tls_xfer_expect_failure "$testing" 5 example-aes-256
|
||||
if ! $FEATURETEST --have-fips-mode; then
|
||||
tls_xfer_expect_failure "$testing" 5 example-chacha-20
|
||||
fi
|
||||
|
||||
echo_i "exit status: $status"
|
||||
[ $status -eq 0 ] || exit 1
|
||||
79
bin/tests/system/cipher-suites/tests_cipher_suites.py
Normal file
79
bin/tests/system/cipher-suites/tests_cipher_suites.py
Normal file
|
|
@ -0,0 +1,79 @@
|
|||
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
#
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
#
|
||||
# See the COPYRIGHT file distributed with this work for additional
|
||||
# information regarding copyright ownership.
|
||||
|
||||
import pytest
|
||||
|
||||
pytest.importorskip("dns", minversion="2.5.0")
|
||||
|
||||
import dns.message
|
||||
|
||||
import isctest
|
||||
import isctest.mark
|
||||
|
||||
|
||||
pytestmark = pytest.mark.extra_artifacts(
|
||||
[
|
||||
"ns*/example*.db",
|
||||
]
|
||||
)
|
||||
|
||||
|
||||
@pytest.mark.requires_zones_loaded("ns1", "ns2", "ns3", "ns4", "ns5")
|
||||
@pytest.mark.parametrize(
|
||||
"qname,ns,rcode",
|
||||
[
|
||||
("example.", 2, dns.rcode.NOERROR),
|
||||
("example.", 3, dns.rcode.NOERROR),
|
||||
("example.", 4, dns.rcode.NOERROR),
|
||||
("example-aes-128.", 2, dns.rcode.NOERROR),
|
||||
("example-aes-256.", 3, dns.rcode.NOERROR),
|
||||
pytest.param(
|
||||
"example-chacha-20.",
|
||||
4,
|
||||
dns.rcode.NOERROR,
|
||||
marks=isctest.mark.without_fips,
|
||||
),
|
||||
("example-aes-256", 2, dns.rcode.SERVFAIL),
|
||||
pytest.param(
|
||||
"example-chacha-20",
|
||||
2,
|
||||
dns.rcode.SERVFAIL,
|
||||
marks=isctest.mark.without_fips,
|
||||
),
|
||||
("example-aes-128", 3, dns.rcode.SERVFAIL),
|
||||
pytest.param(
|
||||
"example-chacha-20",
|
||||
3,
|
||||
dns.rcode.SERVFAIL,
|
||||
marks=isctest.mark.without_fips,
|
||||
),
|
||||
("example-aes-128", 4, dns.rcode.SERVFAIL),
|
||||
("example-aes-256", 4, dns.rcode.SERVFAIL),
|
||||
# NS5 tries to download the zone over TLSv1.2
|
||||
("example", 5, dns.rcode.SERVFAIL),
|
||||
("example-aes-128", 5, dns.rcode.SERVFAIL),
|
||||
("example-aes-256", 5, dns.rcode.SERVFAIL),
|
||||
pytest.param(
|
||||
"example-chacha-20",
|
||||
5,
|
||||
dns.rcode.SERVFAIL,
|
||||
marks=isctest.mark.without_fips,
|
||||
),
|
||||
],
|
||||
)
|
||||
def test_cipher_suites_tls_xfer(qname, ns, rcode):
|
||||
msg = dns.message.make_query(qname, "AXFR")
|
||||
ans = isctest.query.tls(msg, f"10.53.0.{ns}")
|
||||
assert ans.rcode() == rcode
|
||||
if rcode == dns.rcode.NOERROR:
|
||||
assert ans.answer != []
|
||||
elif rcode == dns.rcode.SERVFAIL:
|
||||
assert ans.answer == []
|
||||
|
|
@ -1,23 +0,0 @@
|
|||
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
#
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
#
|
||||
# See the COPYRIGHT file distributed with this work for additional
|
||||
# information regarding copyright ownership.
|
||||
|
||||
import pytest
|
||||
|
||||
pytestmark = pytest.mark.extra_artifacts(
|
||||
[
|
||||
"dig.out.*",
|
||||
"ns*/example*.db",
|
||||
]
|
||||
)
|
||||
|
||||
|
||||
def test_cipher_suites(run_tests_sh):
|
||||
run_tests_sh()
|
||||
Loading…
Reference in a new issue