Rewrite cipher-suites system test to pytest
The minimum required dnspython version is 2.5.0 because of the need for
the "verify" argument in dns.query.tls().
(cherry picked from commit 100b759863)
This commit is contained in:
parent
3047cc9a25
commit
f3f7667fc7
4 changed files with 86 additions and 120 deletions
@ -13,7 +13,13 @@
. ../conf.sh
$SHELL "${TOP_SRCDIR}/bin/tests/system/genzone.sh" 2 >ns1/example.db
# Drop unusual RR sets dnspython can't handle. For more information
# see https://github.com/rthalley/dnspython/issues/1034#issuecomment-1896541899.
$SHELL "${TOP_SRCDIR}/bin/tests/system/genzone.sh" 2 \
| sed \
-e '/AMTRELAY.*\# 2 0004/d' \
-e '/GPOS.*"" "" ""/d' \
-e '/URI.*30 40 ""/d' >ns1/example.db
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
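Review bot: Piping genzone.sh into sed (`$SHELL "${TOP_SRCDIR}/bin/tests/system/genzone.sh" 2 \` / `| sed \`) makes the command's exit status that of sed, so a failing genzone.sh now silently leaves an empty or truncated ns1/example.db where the old direct redirect would have failed the step; POSIX sh has no pipefail, so a `set -e` in the script header (outside this hunk) no longer catches it either. I would generate to an intermediate file and filter in a second step, e.g. `$SHELL "${TOP_SRCDIR}/bin/tests/system/genzone.sh" 2 >ns1/example.db.raw` followed by `sed -e ... ns1/example.db.raw >ns1/example.db`, so each command's failure is visible. Separately, `\#` in `-e '/AMTRELAY.*\# 2 0004/d'` is an escaped ordinary character, which POSIX leaves undefined in a BRE; `#` is not special there, so `'/AMTRELAY.*# 2 0004/d'` is the portable spelling.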
@ -1,96 +0,0 @@
#!/bin/sh
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
set -e
# shellcheck disable=SC1091
. ../conf.sh
testing="testing zone transfer over TLS (XoT): "
common_dig_options="+noadd +nosea +nostat +noquest +nocmd"
status=0
n=0
dig_with_tls_opts() {
# shellcheck disable=SC2086
"$DIG" +tls $common_dig_options -p "${TLSPORT}" "$@"
}
wait_for_tls_xfer() (
srv_number="$1"
shift
zone_name="$1"
shift
# Let's bind to .10 to make it possible to easily distinguish dig from NSs in packet traces
dig_with_tls_opts -b 10.53.0.10 "@10.53.0.$srv_number" "${zone_name}." AXFR >"dig.out.ns$srv_number.${zone_name}.test$n" || return 1
grep "^;" "dig.out.ns$srv_number.${zone_name}.test$n" >/dev/null && return 1
return 0
)
tls_xfer_expect_success() {
test_message="$1"
shift
n=$((n + 1))
echo_i "$test_message - zone \"$2\" at \"ns$1\" ($n)"
ret=0
retry_quiet 10 wait_for_tls_xfer "$@" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
}
tls_xfer_expect_failure() {
test_message="$1"
shift
n=$((n + 1))
echo_i "$test_message - zone \"$2\" at \"ns$1\", failure expected ($n)"
ret=0
retry_quiet 10 wait_for_tls_xfer "$@" && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
}
tls_xfer_expect_success "$testing" 2 example
tls_xfer_expect_success "$testing" 3 example
tls_xfer_expect_success "$testing" 4 example
tls_xfer_expect_success "$testing" 2 example-aes-128
tls_xfer_expect_success "$testing" 3 example-aes-256
if ! $FEATURETEST --have-fips-mode; then
tls_xfer_expect_success "$testing" 4 example-chacha-20
fi
tls_xfer_expect_failure "$testing" 2 example-aes-256
if ! $FEATURETEST --have-fips-mode; then
tls_xfer_expect_failure "$testing" 2 example-chacha-20
fi
tls_xfer_expect_failure "$testing" 3 example-aes-128
if ! $FEATURETEST --have-fips-mode; then
tls_xfer_expect_failure "$testing" 3 example-chacha-20
fi
tls_xfer_expect_failure "$testing" 4 example-aes-128
tls_xfer_expect_failure "$testing" 4 example-aes-256
# NS5 tries to download the zone over TLSv1.2
tls_xfer_expect_failure "$testing" 5 example
tls_xfer_expect_failure "$testing" 5 example-aes-128
tls_xfer_expect_failure "$testing" 5 example-aes-256
if ! $FEATURETEST --have-fips-mode; then
tls_xfer_expect_failure "$testing" 5 example-chacha-20
fi
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
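--- /dev/null
+++ b/bin/tests/system/cipher-suites/tests_cipher_suites.py
@@ -0,0 +1,79 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import pytest
+
+pytest.importorskip("dns", minversion="2.5.0")
+
+import dns.message
+
+import isctest
+import isctest.mark
+
+
+pytestmark = pytest.mark.extra_artifacts(
+    [
+        "ns*/example*.db",
+    ]
+)
+
+
+@pytest.mark.requires_zones_loaded("ns1", "ns2", "ns3", "ns4", "ns5")
+@pytest.mark.parametrize(
+    "qname,ns,rcode",
+    [
+        ("example.", 2, dns.rcode.NOERROR),
+        ("example.", 3, dns.rcode.NOERROR),
+        ("example.", 4, dns.rcode.NOERROR),
+        ("example-aes-128.", 2, dns.rcode.NOERROR),
+        ("example-aes-256.", 3, dns.rcode.NOERROR),
+        pytest.param(
+            "example-chacha-20.",
+            4,
+            dns.rcode.NOERROR,
+            marks=isctest.mark.without_fips,
+        ),
+        ("example-aes-256", 2, dns.rcode.SERVFAIL),
+        pytest.param(
+            "example-chacha-20",
+            2,
+            dns.rcode.SERVFAIL,
+            marks=isctest.mark.without_fips,
+        ),
+        ("example-aes-128", 3, dns.rcode.SERVFAIL),
+        pytest.param(
+            "example-chacha-20",
+            3,
+            dns.rcode.SERVFAIL,
+            marks=isctest.mark.without_fips,
+        ),
+        ("example-aes-128", 4, dns.rcode.SERVFAIL),
+        ("example-aes-256", 4, dns.rcode.SERVFAIL),
+        # NS5 tries to download the zone over TLSv1.2
+        ("example", 5, dns.rcode.SERVFAIL),
+        ("example-aes-128", 5, dns.rcode.SERVFAIL),
+        ("example-aes-256", 5, dns.rcode.SERVFAIL),
+        pytest.param(
+            "example-chacha-20",
+            5,
+            dns.rcode.SERVFAIL,
+            marks=isctest.mark.without_fips,
+        ),
+    ],
+)
+def test_cipher_suites_tls_xfer(qname, ns, rcode):
+    msg = dns.message.make_query(qname, "AXFR")
+    ans = isctest.query.tls(msg, f"10.53.0.{ns}")
+    assert ans.rcode() == rcode
+    if rcode == dns.rcode.NOERROR:
+        assert ans.answer != []
+    elif rcode == dns.rcode.SERVFAIL:
+        assert ans.answer == []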
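Review bot: `test_cipher_suites_tls_xfer` queries each secondary exactly once, whereas the shell test it replaces polled with `retry_quiet 10 wait_for_tls_xfer`; unless `requires_zones_loaded` also waits for the secondaries' inbound TLS transfers from ns1 to finish (its name suggests it only waits for zones to be loaded — confirm in isctest), a slow XFR shows up as a spurious SERVFAIL in the NOERROR cases. The SERVFAIL cases have the opposite weakness: they pass vacuously if the query lands before the secondary has even attempted the transfer, so they no longer demonstrate that the cipher-suite mismatch (or TLSv1.2 on ns5) is what blocked it; polling the secondary's log for the failed transfer before asserting the empty answer would restore that evidence. For the positive cases I would poll for the expected rcode as sketched below (`time` needs importing at the top). As a style point, the qnames mix `"example."` and `"example-aes-256"`; `dns.message.make_query` treats both as absolute, but one form throughout reads better.

```python
def test_cipher_suites_tls_xfer(qname, ns, rcode):
    msg = dns.message.make_query(qname, "AXFR")
    # The secondary may still be fetching the zone from ns1 over TLS, so poll
    # for the expected outcome (as the shell test's retry_quiet did) instead
    # of asserting on the first answer.
    deadline = time.monotonic() + 10
    while True:
        ans = isctest.query.tls(msg, f"10.53.0.{ns}")
        if ans.rcode() == rcode or time.monotonic() >= deadline:
            break
        time.sleep(1)
    assert ans.rcode() == rcode
    # … unchanged: answer-section assertions …
```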
@ -1,23 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
import pytest
pytestmark = pytest.mark.extra_artifacts(
[
"dig.out.*",
"ns*/example*.db",
]
)
def test_cipher_suites(run_tests_sh):
run_tests_sh()