forward: Check if TLS is working in FIPS mode

Skip test that depend on TLS working in FIPS mode

bin/tests/system/forward/clean.sh

@@ -14,14 +14,18 @@
 #
 # Clean up after forward tests.
 #
-rm -f ./dig.out.*
 rm -f ./*/named.conf
 rm -f ./*/named.memstats
 rm -f ./*/named.run ./*/named.run.prev ./*/ans.run
 rm -f ./*/named_dump.db
 rm -f ./ans*/query.log
-rm -f ./ns*/named.lock
+rm -f ./dig.out.*
 rm -f ./ns*/managed-keys.bind*
-rm -f ./ns1/root.db ./ns1/root.db.signed
+rm -f ./ns*/named.lock
 rm -f ./ns*/trusted.conf
 rm -f ./ns1/K* ./ns1/dsset-*
+rm -f ./ns1/root.db ./ns1/root.db.signed
+rm -f ns2/named-tls.conf
+rm -f ns2/options-tls.conf
+rm -f ns4/named-tls.conf
+rm -f ns4/options-tls.conf

bin/tests/system/forward/ns2/named-tls.conf.in

@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls tls-forward-secrecy {
+    protocols { TLSv1.2; };
+    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+    prefer-server-ciphers yes;
+    key-file "../CA/certs/srv02.crt01.example.nil.key";
+    cert-file "../CA/certs/srv02.crt01.example.nil.pem";
+    dhparam-file "../dhparam3072.pem";
+};
+
+tls tls-forward-secrecy-mutual-tls {
+    protocols { TLSv1.2; };
+    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+    prefer-server-ciphers yes;
+    key-file "../CA/certs/srv02.crt01.example.nil.key";
+    cert-file "../CA/certs/srv02.crt01.example.nil.pem";
+    dhparam-file "../dhparam3072.pem";
+    ca-file "../CA/CA.pem";
+};
+
+tls tls-expired {
+    protocols { TLSv1.2; };
+    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+    prefer-server-ciphers yes;
+    key-file "../CA/certs/srv02.crt02-expired.example.nil.key";
+    cert-file "../CA/certs/srv02.crt02-expired.example.nil.pem";
+    dhparam-file "../dhparam3072.pem";
+};

bin/tests/system/forward/ns2/named.conf.in

@@ -11,33 +11,7 @@
  * information regarding copyright ownership.
  */
 
-tls tls-forward-secrecy {
-    protocols { TLSv1.2; };
-    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
-    prefer-server-ciphers yes;
-    key-file "../CA/certs/srv02.crt01.example.nil.key";
-    cert-file "../CA/certs/srv02.crt01.example.nil.pem";
-    dhparam-file "../dhparam3072.pem";
-};
-
-tls tls-forward-secrecy-mutual-tls {
-    protocols { TLSv1.2; };
-    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
-    prefer-server-ciphers yes;
-    key-file "../CA/certs/srv02.crt01.example.nil.key";
-    cert-file "../CA/certs/srv02.crt01.example.nil.pem";
-    dhparam-file "../dhparam3072.pem";
-    ca-file "../CA/CA.pem";
-};
-
-tls tls-expired {
-    protocols { TLSv1.2; };
-    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
-    prefer-server-ciphers yes;
-    key-file "../CA/certs/srv02.crt02-expired.example.nil.key";
-    cert-file "../CA/certs/srv02.crt02-expired.example.nil.pem";
-    dhparam-file "../dhparam3072.pem";
-};
+include "named-tls.conf";
 
 options {
 	query-source address 10.53.0.2;
@@ -47,13 +21,9 @@ options {
 	transfer-source 10.53.0.2;
 	transfer-source-v6 fd92:7065:b8e:ffff::2;
 	port @PORT@;
-	tls-port @TLSPORT@;
 	pid-file "named.pid";
 	listen-on { 10.53.0.2; };
-	listen-on tls ephemeral { 10.53.0.2; };
-	listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; };
-	listen-on port @EXTRAPORT2@ tls tls-forward-secrecy-mutual-tls { 10.53.0.2; };
-	listen-on port @EXTRAPORT3@ tls tls-expired { 10.53.0.2; };
+	include "options-tls.conf";
 	listen-on-v6 { fd92:7065:b8e:ffff::2; };
 	recursion no;
 	dnssec-validation no;

bin/tests/system/forward/ns2/options-tls.conf.in

@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+        tls-port @TLSPORT@;
+        listen-on tls ephemeral { 10.53.0.2; };
+        listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; };
+        listen-on port @EXTRAPORT2@ tls tls-forward-secrecy-mutual-tls { 10.53.0.2; };
+        listen-on port @EXTRAPORT3@ tls tls-expired { 10.53.0.2; };

bin/tests/system/forward/ns4/named-tls.conf.in

@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls tls-forward-secrecy {
+    protocols { TLSv1.2; };
+    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+    dhparam-file "../dhparam3072.pem";
+    ca-file "../CA/CA.pem";
+};
+
+tls tls-forward-secrecy-remote-hostname {
+    protocols { TLSv1.2; };
+    ca-file "../CA/CA.pem";
+    remote-hostname "srv02.crt01.example.nil";
+};
+
+tls tls-forward-secrecy-bad-remote-hostname {
+    protocols { TLSv1.2; };
+    ca-file "../CA/CA.pem";
+    remote-hostname "srv02-bad.crt01.example.nil";
+};
+
+tls tls-forward-secrecy-mutual-tls {
+    protocols { TLSv1.2; };
+    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+    key-file "../CA/certs/srv04.crt01.example.nil.key";
+    cert-file "../CA/certs/srv04.crt01.example.nil.pem";
+    dhparam-file "../dhparam3072.pem";
+    ca-file "../CA/CA.pem";
+};
+
+tls tls-expired {
+    protocols { TLSv1.2; };
+    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+    prefer-server-ciphers yes;
+    dhparam-file "../dhparam3072.pem";
+    ca-file "../CA/CA.pem";
+};
+
+zone "example1." {
+	type forward;
+	forward first;
+	forwarders { 10.53.0.2 tls ephemeral; };
+};
+
+zone "example3." {
+	type forward;
+	forwarders port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; };
+};
+
+zone "example4." {
+	type forward;
+	forward only;
+	forwarders port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2 tls tls-expired port @EXTRAPORT3@; };
+};
+
+zone "example8." {
+	type forward;
+	forward only;
+	forwarders port @EXTRAPORT1@ tls tls-forward-secrecy-remote-hostname { 10.53.0.2; };
+};
+
+zone "example9." {
+	type forward;
+	forward only;
+	forwarders port @EXTRAPORT1@ tls tls-forward-secrecy-bad-remote-hostname { 10.53.0.2; };
+};
+
+zone "1.0.10.in-addr.arpa" {
+	type forward;
+	forward only;
+	forwarders { 10.53.0.2 tls tls-forward-secrecy-mutual-tls port @EXTRAPORT2@; };
+};

bin/tests/system/forward/ns4/named.conf.in

@@ -11,12 +11,14 @@
  * information regarding copyright ownership.
  */
 
+include "named-tls.conf";
+
 options {
 	query-source address 10.53.0.4;
 	notify-source 10.53.0.4;
 	transfer-source 10.53.0.4;
 	port @PORT@;
-	tls-port @TLSPORT@;
+	include "options-tls.conf";
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
@@ -30,83 +32,12 @@ zone "." {
 	file "root.db";
 };
 
-tls tls-forward-secrecy {
-    protocols { TLSv1.2; };
-    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
-    dhparam-file "../dhparam3072.pem";
-    ca-file "../CA/CA.pem";
-};
-
-tls tls-forward-secrecy-remote-hostname {
-    protocols { TLSv1.2; };
-    ca-file "../CA/CA.pem";
-    remote-hostname "srv02.crt01.example.nil";
-};
-
-tls tls-forward-secrecy-bad-remote-hostname {
-    protocols { TLSv1.2; };
-    ca-file "../CA/CA.pem";
-    remote-hostname "srv02-bad.crt01.example.nil";
-};
-
-tls tls-forward-secrecy-mutual-tls {
-    protocols { TLSv1.2; };
-    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
-    key-file "../CA/certs/srv04.crt01.example.nil.key";
-    cert-file "../CA/certs/srv04.crt01.example.nil.pem";
-    dhparam-file "../dhparam3072.pem";
-    ca-file "../CA/CA.pem";
-};
-
-tls tls-expired {
-    protocols { TLSv1.2; };
-    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
-    prefer-server-ciphers yes;
-    dhparam-file "../dhparam3072.pem";
-    ca-file "../CA/CA.pem";
-};
-
-zone "example1." {
-	type forward;
-	forward first;
-	forwarders { 10.53.0.2 tls ephemeral; };
-};
-
-zone "example3." {
-	type forward;
-	forwarders port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; };
-};
-
-zone "example4." {
-	type forward;
-	forward only;
-	forwarders port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2 tls tls-expired port @EXTRAPORT3@; };
-};
-
 zone "example5." {
 	type forward;
 	forward only;
 	forwarders { 10.53.0.2; };
 };
 
-zone "example8." {
-	type forward;
-	forward only;
-	forwarders port @EXTRAPORT1@ tls tls-forward-secrecy-remote-hostname { 10.53.0.2; };
-};
-
-zone "example9." {
-	type forward;
-	forward only;
-	forwarders port @EXTRAPORT1@ tls tls-forward-secrecy-bad-remote-hostname { 10.53.0.2; };
-};
-
-zone "1.0.10.in-addr.arpa" {
-	type forward;
-	forward only;
-	forwarders { 10.53.0.2 tls tls-forward-secrecy-mutual-tls port @EXTRAPORT2@; };
-};
-
 zone "grafted" {
 	type forward;
 	forward only;

bin/tests/system/forward/ns4/options-tls.conf.in

@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+	tls-port @TLSPORT@;

bin/tests/system/forward/setup.sh

@@ -15,9 +15,31 @@
 
 $SHELL clean.sh
 copy_setports ns1/named.conf.in ns1/named.conf
-copy_setports ns2/named.conf.in ns2/named.conf
+
+if $FEATURETEST --have-fips-dh
+then
+    copy_setports ns2/named-tls.conf.in ns2/named-tls.conf
+    copy_setports ns2/options-tls.conf.in ns2/options-tls.conf
+    copy_setports ns2/named.conf.in ns2/named.conf
+else
+    cp /dev/null ns2/named-tls.conf
+    cp /dev/null ns2/options-tls.conf
+    copy_setports ns2/named.conf.in ns2/named.conf
+fi
+
 copy_setports ns3/named1.conf.in ns3/named.conf
-copy_setports ns4/named.conf.in ns4/named.conf
+
+if $FEATURETEST --have-fips-dh
+then
+    copy_setports ns4/named-tls.conf.in ns4/named-tls.conf
+    copy_setports ns4/options-tls.conf.in ns4/options-tls.conf
+    copy_setports ns4/named.conf.in ns4/named.conf
+else
+    cp /dev/null ns4/named-tls.conf
+    cp /dev/null ns4/options-tls.conf
+    copy_setports ns4/named.conf.in ns4/named.conf
+fi
+
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns7/named.conf.in ns7/named.conf
 copy_setports ns8/named.conf.in ns8/named.conf

bin/tests/system/forward/tests.sh

@@ -72,25 +72,35 @@ status=$((status+ret))
 
 n=$((n+1))
 echo_i "checking that DoT expired certificate does not work ($n)"
-ret=0
-nextpart ns4/named.run >/dev/null
-dig_with_opts +noadd +noauth txt.example4. txt @$hidden > dig.out.$n.hidden || ret=1
-dig_with_opts +noadd +noauth txt.example4. txt @$f2 > dig.out.$n.f2 || ret=1
-digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1
-wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if $FEATURETEST --have-fips-dh
+then
+   ret=0
+   nextpart ns4/named.run >/dev/null
+   dig_with_opts +noadd +noauth txt.example4. txt @$hidden > dig.out.$n.hidden || ret=1
+   dig_with_opts +noadd +noauth txt.example4. txt @$f2 > dig.out.$n.f2 || ret=1
+   digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1
+   wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1
+   if [ $ret != 0 ]; then echo_i "failed"; fi
+   status=$((status+ret))
+else
+   echo_i "skipped."
+fi
 
 n=$((n+1))
 echo_i "checking that a forward zone works (DoT insecure) ($n)"
-ret=0
-nextpart ns4/named.run >/dev/null
-dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1
-dig_with_opts +noadd +noauth txt.example1. txt @$f2 > dig.out.$n.f2 || ret=1
-digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
-wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if $FEATURETEST --have-fips-dh
+then
+    ret=0
+    nextpart ns4/named.run >/dev/null
+    dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1
+    dig_with_opts +noadd +noauth txt.example1. txt @$f2 > dig.out.$n.f2 || ret=1
+    digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
+    wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+else
+   echo_i "skipped."
+fi
 
 n=$((n+1))
 echo_i "checking that forwarding doesn't spontaneously happen ($n)"
@@ -103,36 +113,52 @@ status=$((status+ret))
 
 n=$((n+1))
 echo_i "checking that a forward zone with no specified policy works (DoT forward-secrecy) ($n)"
-ret=0
-nextpart ns4/named.run >/dev/null
-dig_with_opts +noadd +noauth txt.example3. txt @$hidden > dig.out.$n.hidden || ret=1
-dig_with_opts +noadd +noauth txt.example3. txt @$f2 > dig.out.$n.f2 || ret=1
-digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
-wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if $FEATURETEST --have-fips-dh
+then
+    ret=0
+    nextpart ns4/named.run >/dev/null
+    dig_with_opts +noadd +noauth txt.example3. txt @$hidden > dig.out.$n.hidden || ret=1
+    dig_with_opts +noadd +noauth txt.example3. txt @$f2 > dig.out.$n.f2 || ret=1
+    digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
+    wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+else
+   echo_i "skipped."
+fi
+
 
 n=$((n+1))
 echo_i "checking that DoT remote-hostname works ($n)"
-ret=0
-nextpart ns4/named.run >/dev/null
-dig_with_opts +noadd +noauth txt.example8. txt @$hidden > dig.out.$n.hidden || ret=1
-dig_with_opts +noadd +noauth txt.example8. txt @$f2 > dig.out.$n.f2 || ret=1
-digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 || ret=1
-wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if $FEATURETEST --have-fips-dh
+then
+    ret=0
+    nextpart ns4/named.run >/dev/null
+    dig_with_opts +noadd +noauth txt.example8. txt @$hidden > dig.out.$n.hidden || ret=1
+    dig_with_opts +noadd +noauth txt.example8. txt @$f2 > dig.out.$n.f2 || ret=1
+    digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 || ret=1
+    wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+else
+   echo_i "skipped."
+fi
 
 n=$((n+1))
 echo_i "checking that DoT bad remote-hostname does not work ($n)"
-ret=0
-nextpart ns4/named.run >/dev/null
-dig_with_opts +noadd +noauth txt.example9. txt @$hidden > dig.out.$n.hidden || ret=1
-dig_with_opts +noadd +noauth txt.example9. txt @$f2 > dig.out.$n.f2 || ret=1
-digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1
-wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if $FEATURETEST --have-fips-dh
+then
+    ret=0
+    nextpart ns4/named.run >/dev/null
+    dig_with_opts +noadd +noauth txt.example9. txt @$hidden > dig.out.$n.hidden || ret=1
+    dig_with_opts +noadd +noauth txt.example9. txt @$f2 > dig.out.$n.f2 || ret=1
+    digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1
+    wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+else
+   echo_i "skipped."
+fi
 
 n=$((n+1))
 echo_i "checking that a forward only doesn't recurse ($n)"
@@ -165,11 +191,16 @@ check_override() (
 
 n=$((n+1))
 echo_i "checking that forward only zone overrides empty zone (DoT forward-secrecy-mutual-tls) ($n)"
-ret=0
-# retry loop in case the server restart above causes transient failure
-retry_quiet 10 check_override || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if $FEATURETEST --have-fips-dh
+then
+    ret=0
+    # retry loop in case the server restart above causes transient failure
+    retry_quiet 10 check_override || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+else
+    echo_t "skipped."
+fi
 
 n=$((n+1))
 echo_i "checking that DS lookups for grafting forward zones are isolated ($n)"