Blame SOURCES/bind-9.11-fips-tests.patch

cf16a9
From 3f04cf343dbeb8819197702ce1be737e26e0638a Mon Sep 17 00:00:00 2001
cf16a9
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
cf16a9
Date: Thu, 2 Aug 2018 23:46:45 +0200
cf16a9
Subject: [PATCH] FIPS tests changes
cf16a9
MIME-Version: 1.0
cf16a9
Content-Type: text/plain; charset=UTF-8
cf16a9
Content-Transfer-Encoding: 8bit
cf16a9
cf16a9
Squashed commit of the following:
cf16a9
cf16a9
commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa
cf16a9
Author: Petr Menšík <pemensik@redhat.com>
cf16a9
Date:   Wed Mar 7 20:35:13 2018 +0100
cf16a9
cf16a9
    Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available.
cf16a9
cf16a9
commit ab303db70082db76ecf36493d0b82ef3e8750cad
cf16a9
Author: Petr Menšík <pemensik@redhat.com>
cf16a9
Date:   Wed Mar 7 18:11:10 2018 +0100
cf16a9
cf16a9
    Changed root key to be RSASHA256
cf16a9
cf16a9
    Change bad trusted key to be the same algorithm.
cf16a9
cf16a9
commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8
cf16a9
Author: Petr Menšík <pemensik@redhat.com>
cf16a9
Date:   Wed Mar 7 16:56:17 2018 +0100
cf16a9
cf16a9
    Change used key to not use hmac-md5
cf16a9
cf16a9
    Fix upforwd test, do not use hmac-md5
cf16a9
cf16a9
commit aec891571626f053acfb4d0a247240cbc21a84e9
cf16a9
Author: Petr Menšík <pemensik@redhat.com>
cf16a9
Date:   Wed Mar 7 15:54:11 2018 +0100
cf16a9
cf16a9
    Increase bitsize of DSA key to pass FIPS 140-2 mode.
cf16a9
cf16a9
commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696
cf16a9
Author: Petr Menšík <pemensik@redhat.com>
cf16a9
Date:   Wed Mar 7 15:41:08 2018 +0100
cf16a9
cf16a9
    Fix tsig and rndc tests for disabled md5
cf16a9
cf16a9
    Use hmac-sha256 instead of hmac-md5.
cf16a9
cf16a9
commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67
cf16a9
Author: Petr Menšík <pemensik@redhat.com>
cf16a9
Date:   Wed Mar 7 13:21:00 2018 +0100
cf16a9
cf16a9
    Add md5 availability detection to featuretest
cf16a9
cf16a9
commit f389a918803e2853e4b55fed62765dc4a492e34f
cf16a9
Author: Petr Menšík <pemensik@redhat.com>
cf16a9
Date:   Wed Mar 7 10:44:23 2018 +0100
cf16a9
cf16a9
    Change tests to not use hmac-md5 algorithms if not required
cf16a9
cf16a9
    Use hmac-sha256 instead of default hmac-md5 for allow-query
cf16a9
---
cf16a9
 bin/tests/system/acl/ns2/named1.conf.in       |  4 +-
cf16a9
 bin/tests/system/acl/ns2/named2.conf.in       |  4 +-
cf16a9
 bin/tests/system/acl/ns2/named3.conf.in       |  6 +-
cf16a9
 bin/tests/system/acl/ns2/named4.conf.in       |  4 +-
cf16a9
 bin/tests/system/acl/ns2/named5.conf.in       |  4 +-
cf16a9
 bin/tests/system/acl/tests.sh                 | 32 ++++-----
cf16a9
 .../system/allow-query/ns2/named10.conf.in    |  2 +-
cf16a9
 .../system/allow-query/ns2/named11.conf.in    |  4 +-
cf16a9
 .../system/allow-query/ns2/named12.conf.in    |  2 +-
cf16a9
 .../system/allow-query/ns2/named30.conf.in    |  2 +-
cf16a9
 .../system/allow-query/ns2/named31.conf.in    |  4 +-
cf16a9
 .../system/allow-query/ns2/named32.conf.in    |  2 +-
cf16a9
 .../system/allow-query/ns2/named40.conf.in    |  4 +-
cf16a9
 bin/tests/system/allow-query/tests.sh         | 18 ++---
cf16a9
 bin/tests/system/catz/ns1/named.conf.in       |  2 +-
cf16a9
 bin/tests/system/catz/ns2/named.conf.in       |  2 +-
cf16a9
 bin/tests/system/checkconf/bad-tsig.conf      |  2 +-
cf16a9
 bin/tests/system/checkconf/good.conf          |  2 +-
cf16a9
 bin/tests/system/feature-test.c               | 14 ++++
cf16a9
 bin/tests/system/notify/ns5/named.conf.in     |  6 +-
cf16a9
 bin/tests/system/notify/tests.sh              |  6 +-
cf16a9
 bin/tests/system/nsupdate/ns1/named.conf.in   |  2 +-
cf16a9
 bin/tests/system/nsupdate/ns2/named.conf.in   |  2 +-
cf16a9
 bin/tests/system/nsupdate/setup.sh            |  6 +-
cf16a9
 bin/tests/system/nsupdate/tests.sh            | 15 +++--
cf16a9
 bin/tests/system/rndc/setup.sh                |  2 +-
cf16a9
 bin/tests/system/rndc/tests.sh                | 23 ++++---
cf16a9
 bin/tests/system/tsig/ns1/named.conf.in       | 10 +--
cf16a9
 bin/tests/system/tsig/ns1/rndc5.conf.in       | 10 +++
cf16a9
 bin/tests/system/tsig/setup.sh                |  5 ++
cf16a9
 bin/tests/system/tsig/tests.sh                | 65 ++++++++++++-------
cf16a9
 bin/tests/system/upforwd/ns1/named.conf.in    |  2 +-
cf16a9
 bin/tests/system/upforwd/tests.sh             |  2 +-
cf16a9
 33 files changed, 162 insertions(+), 108 deletions(-)
cf16a9
 create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
cf16a9
cf16a9
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
cf16a9
index 60f22e1..249f672 100644
cf16a9
--- a/bin/tests/system/acl/ns2/named1.conf.in
cf16a9
+++ b/bin/tests/system/acl/ns2/named1.conf.in
cf16a9
@@ -33,12 +33,12 @@ options {
cf16a9
 };
cf16a9
 
cf16a9
 key one {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "1234abcd8765";
cf16a9
 };
cf16a9
 
cf16a9
 key two {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "1234abcd8765";
cf16a9
 };
cf16a9
 
cf16a9
diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
cf16a9
index ada97bc..f82d858 100644
cf16a9
--- a/bin/tests/system/acl/ns2/named2.conf.in
cf16a9
+++ b/bin/tests/system/acl/ns2/named2.conf.in
cf16a9
@@ -33,12 +33,12 @@ options {
cf16a9
 };
cf16a9
 
cf16a9
 key one {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "1234abcd8765";
cf16a9
 };
cf16a9
 
cf16a9
 key two {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "1234abcd8765";
cf16a9
 };
cf16a9
 
cf16a9
diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
cf16a9
index 97684e4..de6a2e9 100644
cf16a9
--- a/bin/tests/system/acl/ns2/named3.conf.in
cf16a9
+++ b/bin/tests/system/acl/ns2/named3.conf.in
cf16a9
@@ -33,17 +33,17 @@ options {
cf16a9
 };
cf16a9
 
cf16a9
 key one {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "1234abcd8765";
cf16a9
 };
cf16a9
 
cf16a9
 key two {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "1234abcd8765";
cf16a9
 };
cf16a9
 
cf16a9
 key three {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "1234abcd8765";
cf16a9
 };
cf16a9
 
cf16a9
diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
cf16a9
index 462b3fa..994b35c 100644
cf16a9
--- a/bin/tests/system/acl/ns2/named4.conf.in
cf16a9
+++ b/bin/tests/system/acl/ns2/named4.conf.in
cf16a9
@@ -33,12 +33,12 @@ options {
cf16a9
 };
cf16a9
 
cf16a9
 key one {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "1234abcd8765";
cf16a9
 };
cf16a9
 
cf16a9
 key two {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "1234abcd8765";
cf16a9
 };
cf16a9
 
cf16a9
diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
cf16a9
index 728da58..8f00d09 100644
cf16a9
--- a/bin/tests/system/acl/ns2/named5.conf.in
cf16a9
+++ b/bin/tests/system/acl/ns2/named5.conf.in
cf16a9
@@ -35,12 +35,12 @@ options {
cf16a9
 };
cf16a9
 
cf16a9
 key one {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "1234abcd8765";
cf16a9
 };
cf16a9
 
cf16a9
 key two {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "1234abcd8765";
cf16a9
 };
cf16a9
 
cf16a9
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
cf16a9
index be59d64..13d5bdc 100644
cf16a9
--- a/bin/tests/system/acl/tests.sh
cf16a9
+++ b/bin/tests/system/acl/tests.sh
cf16a9
@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing"
cf16a9
 # key "one" should fail
cf16a9
 t=`expr $t + 1`
cf16a9
 $DIG $DIGOPTS tsigzone. \
cf16a9
-	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
cf16a9
+	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
cf16a9
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
cf16a9
 
cf16a9
 
cf16a9
 # any other key should be fine
cf16a9
 t=`expr $t + 1`
cf16a9
 $DIG $DIGOPTS tsigzone. \
cf16a9
-	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
cf16a9
+	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
cf16a9
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
cf16a9
 
cf16a9
 copy_setports ns2/named2.conf.in ns2/named.conf
cf16a9
@@ -39,18 +39,18 @@ sleep 5
cf16a9
 # prefix 10/8 should fail
cf16a9
 t=`expr $t + 1`
cf16a9
 $DIG $DIGOPTS tsigzone. \
cf16a9
-	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
cf16a9
+	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
cf16a9
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
cf16a9
 
cf16a9
 # any other address should work, as long as it sends key "one"
cf16a9
 t=`expr $t + 1`
cf16a9
 $DIG $DIGOPTS tsigzone. \
cf16a9
-	@10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
cf16a9
+	@10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
cf16a9
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
cf16a9
 
cf16a9
 t=`expr $t + 1`
cf16a9
 $DIG $DIGOPTS tsigzone. \
cf16a9
-	@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
cf16a9
+	@10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
cf16a9
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
cf16a9
 
cf16a9
 echo_i "testing nested ACL processing"
cf16a9
@@ -62,31 +62,31 @@ sleep 5
cf16a9
 # should succeed
cf16a9
 t=`expr $t + 1`
cf16a9
 $DIG $DIGOPTS tsigzone. \
cf16a9
-	@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
cf16a9
+	@10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
cf16a9
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
cf16a9
 
cf16a9
 # should succeed
cf16a9
 t=`expr $t + 1`
cf16a9
 $DIG $DIGOPTS tsigzone. \
cf16a9
-	@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
cf16a9
+	@10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
cf16a9
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
cf16a9
 
cf16a9
 # should succeed
cf16a9
 t=`expr $t + 1`
cf16a9
 $DIG $DIGOPTS tsigzone. \
cf16a9
-	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
cf16a9
+	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
cf16a9
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
cf16a9
 
cf16a9
 # should succeed
cf16a9
 t=`expr $t + 1`
cf16a9
 $DIG $DIGOPTS tsigzone. \
cf16a9
-	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
cf16a9
+	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
cf16a9
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
cf16a9
 
cf16a9
 # but only one or the other should fail
cf16a9
 t=`expr $t + 1`
cf16a9
 $DIG $DIGOPTS tsigzone. \
cf16a9
-	@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
cf16a9
+	@10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
cf16a9
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
cf16a9
 
cf16a9
 t=`expr $t + 1`
cf16a9
@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
cf16a9
 # and other values? right out
cf16a9
 t=`expr $t + 1`
cf16a9
 $DIG $DIGOPTS tsigzone. \
cf16a9
-	@10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
cf16a9
+	@10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t}
cf16a9
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
cf16a9
 
cf16a9
 # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
cf16a9
@@ -108,31 +108,31 @@ sleep 5
cf16a9
 # should succeed
cf16a9
 t=`expr $t + 1`
cf16a9
 $DIG $DIGOPTS tsigzone. \
cf16a9
-	@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
cf16a9
+	@10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
cf16a9
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
cf16a9
 
cf16a9
 # should succeed
cf16a9
 t=`expr $t + 1`
cf16a9
 $DIG $DIGOPTS tsigzone. \
cf16a9
-	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
cf16a9
+	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
cf16a9
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
cf16a9
 
cf16a9
 # should fail
cf16a9
 t=`expr $t + 1`
cf16a9
 $DIG $DIGOPTS tsigzone. \
cf16a9
-	@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
cf16a9
+	@10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
cf16a9
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
cf16a9
 
cf16a9
 # should fail
cf16a9
 t=`expr $t + 1`
cf16a9
 $DIG $DIGOPTS tsigzone. \
cf16a9
-	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
cf16a9
+	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
cf16a9
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
cf16a9
 
cf16a9
 # should fail
cf16a9
 t=`expr $t + 1`
cf16a9
 $DIG $DIGOPTS tsigzone. \
cf16a9
-	@10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t}
cf16a9
+	@10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
cf16a9
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
cf16a9
 
cf16a9
 echo_i "testing allow-query-on ACL processing"
cf16a9
diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
cf16a9
index 7d43e36..f7b25f9 100644
cf16a9
--- a/bin/tests/system/allow-query/ns2/named10.conf.in
cf16a9
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in
cf16a9
@@ -10,7 +10,7 @@
cf16a9
  */
cf16a9
 
cf16a9
 key one {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "1234abcd8765";
cf16a9
 };
cf16a9
 
cf16a9
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
cf16a9
index 2952518..121557e 100644
cf16a9
--- a/bin/tests/system/allow-query/ns2/named11.conf.in
cf16a9
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in
cf16a9
@@ -10,12 +10,12 @@
cf16a9
  */
cf16a9
 
cf16a9
 key one {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "1234abcd8765";
cf16a9
 };
cf16a9
 
cf16a9
 key two {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "1234efgh8765";
cf16a9
 };
cf16a9
 
cf16a9
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
cf16a9
index 0c01071..ceabbb5 100644
cf16a9
--- a/bin/tests/system/allow-query/ns2/named12.conf.in
cf16a9
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in
cf16a9
@@ -10,7 +10,7 @@
cf16a9
  */
cf16a9
 
cf16a9
 key one {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "1234abcd8765";
cf16a9
 };
cf16a9
 
cf16a9
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
cf16a9
index 4c17292..9cd9d1f 100644
cf16a9
--- a/bin/tests/system/allow-query/ns2/named30.conf.in
cf16a9
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in
cf16a9
@@ -10,7 +10,7 @@
cf16a9
  */
cf16a9
 
cf16a9
 key one {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "1234abcd8765";
cf16a9
 };
cf16a9
 
cf16a9
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
cf16a9
index a2690a4..f488730 100644
cf16a9
--- a/bin/tests/system/allow-query/ns2/named31.conf.in
cf16a9
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in
cf16a9
@@ -10,12 +10,12 @@
cf16a9
  */
cf16a9
 
cf16a9
 key one {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "1234abcd8765";
cf16a9
 };
cf16a9
 
cf16a9
 key two {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "1234efgh8765";
cf16a9
 };
cf16a9
 
cf16a9
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
cf16a9
index a0708c8..51fa457 100644
cf16a9
--- a/bin/tests/system/allow-query/ns2/named32.conf.in
cf16a9
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in
cf16a9
@@ -10,7 +10,7 @@
cf16a9
  */
cf16a9
 
cf16a9
 key one {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "1234abcd8765";
cf16a9
 };
cf16a9
 
cf16a9
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
cf16a9
index 687768e..d24d6d2 100644
cf16a9
--- a/bin/tests/system/allow-query/ns2/named40.conf.in
cf16a9
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in
cf16a9
@@ -14,12 +14,12 @@ acl accept { 10.53.0.2; };
cf16a9
 acl badaccept { 10.53.0.1; };
cf16a9
 
cf16a9
 key one {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "1234abcd8765";
cf16a9
 };
cf16a9
 
cf16a9
 key two {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "1234efgh8765";
cf16a9
 };
cf16a9
 
cf16a9
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
cf16a9
index fe40635..543c663 100644
cf16a9
--- a/bin/tests/system/allow-query/tests.sh
cf16a9
+++ b/bin/tests/system/allow-query/tests.sh
cf16a9
@@ -182,7 +182,7 @@ rndc_reload ns2 10.53.0.2
cf16a9
 
cf16a9
 echo_i "test $n: key allowed - query allowed"
cf16a9
 ret=0
cf16a9
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
cf16a9
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
cf16a9
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
cf16a9
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
cf16a9
 if [ $ret != 0 ]; then echo_i "failed"; fi
cf16a9
@@ -195,7 +195,7 @@ rndc_reload ns2 10.53.0.2
cf16a9
 
cf16a9
 echo_i "test $n: key not allowed - query refused"
cf16a9
 ret=0
cf16a9
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
cf16a9
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
cf16a9
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
cf16a9
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
cf16a9
 if [ $ret != 0 ]; then echo_i "failed"; fi
cf16a9
@@ -208,7 +208,7 @@ rndc_reload ns2 10.53.0.2
cf16a9
 
cf16a9
 echo_i "test $n: key disallowed - query refused"
cf16a9
 ret=0
cf16a9
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
cf16a9
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
cf16a9
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
cf16a9
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
cf16a9
 if [ $ret != 0 ]; then echo_i "failed"; fi
cf16a9
@@ -341,7 +341,7 @@ rndc_reload ns2 10.53.0.2
cf16a9
 
cf16a9
 echo_i "test $n: views key allowed - query allowed"
cf16a9
 ret=0
cf16a9
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
cf16a9
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
cf16a9
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
cf16a9
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
cf16a9
 if [ $ret != 0 ]; then echo_i "failed"; fi
cf16a9
@@ -354,7 +354,7 @@ rndc_reload ns2 10.53.0.2
cf16a9
 
cf16a9
 echo_i "test $n: views key not allowed - query refused"
cf16a9
 ret=0
cf16a9
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
cf16a9
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
cf16a9
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
cf16a9
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
cf16a9
 if [ $ret != 0 ]; then echo_i "failed"; fi
cf16a9
@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2
cf16a9
 
cf16a9
 echo_i "test $n: views key disallowed - query refused"
cf16a9
 ret=0
cf16a9
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
cf16a9
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
cf16a9
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
cf16a9
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
cf16a9
 if [ $ret != 0 ]; then echo_i "failed"; fi
cf16a9
@@ -500,7 +500,7 @@ status=`expr $status + $ret`
cf16a9
 n=`expr $n + 1`
cf16a9
 echo_i "test $n: zone key allowed - query allowed"
cf16a9
 ret=0
cf16a9
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
cf16a9
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
cf16a9
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
cf16a9
 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
cf16a9
 if [ $ret != 0 ]; then echo_i "failed"; fi
cf16a9
@@ -510,7 +510,7 @@ status=`expr $status + $ret`
cf16a9
 n=`expr $n + 1`
cf16a9
 echo_i "test $n: zone key not allowed - query refused"
cf16a9
 ret=0
cf16a9
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
cf16a9
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
cf16a9
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
cf16a9
 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
cf16a9
 if [ $ret != 0 ]; then echo_i "failed"; fi
cf16a9
@@ -520,7 +520,7 @@ status=`expr $status + $ret`
cf16a9
 n=`expr $n + 1`
cf16a9
 echo_i "test $n: zone key disallowed - query refused"
cf16a9
 ret=0
cf16a9
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
cf16a9
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
cf16a9
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
cf16a9
 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
cf16a9
 if [ $ret != 0 ]; then echo_i "failed"; fi
cf16a9
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
cf16a9
index 1218669..e62715e 100644
cf16a9
--- a/bin/tests/system/catz/ns1/named.conf.in
cf16a9
+++ b/bin/tests/system/catz/ns1/named.conf.in
cf16a9
@@ -61,5 +61,5 @@ zone "catalog4.example" {
cf16a9
 
cf16a9
 key tsig_key. {
cf16a9
 	secret "LSAnCU+Z";
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 };
cf16a9
diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in
cf16a9
index 30333e6..4005152 100644
cf16a9
--- a/bin/tests/system/catz/ns2/named.conf.in
cf16a9
+++ b/bin/tests/system/catz/ns2/named.conf.in
cf16a9
@@ -70,5 +70,5 @@ zone "catalog4.example" {
cf16a9
 
cf16a9
 key tsig_key. {
cf16a9
 	secret "LSAnCU+Z";
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 };
cf16a9
diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
cf16a9
index 21be03e..e57c308 100644
cf16a9
--- a/bin/tests/system/checkconf/bad-tsig.conf
cf16a9
+++ b/bin/tests/system/checkconf/bad-tsig.conf
cf16a9
@@ -11,7 +11,7 @@
cf16a9
 
cf16a9
 /* Bad secret */
cf16a9
 key "badtsig" {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha256;
cf16a9
 	secret "jEdD+BPKg==";
cf16a9
 };
cf16a9
 
cf16a9
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
cf16a9
index e09b9e8..2e824b3 100644
cf16a9
--- a/bin/tests/system/checkconf/good.conf
cf16a9
+++ b/bin/tests/system/checkconf/good.conf
cf16a9
@@ -210,6 +210,6 @@ dyndb "name" "library.so" {
cf16a9
 	system;
cf16a9
 };
cf16a9
 key "mykey" {
cf16a9
-	algorithm "hmac-md5";
cf16a9
+	algorithm "hmac-sha256";
cf16a9
 	secret "qwertyuiopasdfgh";
cf16a9
 };
cf16a9
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
cf16a9
index 877504f..577660a 100644
cf16a9
--- a/bin/tests/system/feature-test.c
cf16a9
+++ b/bin/tests/system/feature-test.c
cf16a9
@@ -14,6 +14,7 @@
cf16a9
 #include <string.h>
cf16a9
 #include <unistd.h>
cf16a9
 
cf16a9
+#include <isc/md.h>
cf16a9
 #include <isc/net.h>
cf16a9
 #include <isc/print.h>
cf16a9
 #include <isc/util.h>
cf16a9
@@ -186,6 +187,19 @@ main(int argc, char **argv) {
cf16a9
 #endif /* ifdef DLZ_FILESYSTEM */
cf16a9
 	}
cf16a9
 
cf16a9
+	if (strcmp(argv[1], "--md5") == 0) {
cf16a9
+		unsigned char digest[ISC_MAX_MD_SIZE];
cf16a9
+		const unsigned char test[] = "test";
cf16a9
+		unsigned int size = sizeof(digest);
cf16a9
+
cf16a9
+		if (isc_md(ISC_MD_MD5, test, sizeof(test),
cf16a9
+		           digest, &size) == ISC_R_SUCCESS) {
cf16a9
+			return (0);
cf16a9
+		} else {
cf16a9
+			return (1);
cf16a9
+		}
cf16a9
+	}
cf16a9
+
cf16a9
 	if (strcmp(argv[1], "--with-idn") == 0) {
cf16a9
 #ifdef HAVE_LIBIDN2
cf16a9
 		return (0);
cf16a9
diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
cf16a9
index 1ee8df4..2b75d9a 100644
cf16a9
--- a/bin/tests/system/notify/ns5/named.conf.in
cf16a9
+++ b/bin/tests/system/notify/ns5/named.conf.in
cf16a9
@@ -10,17 +10,17 @@
cf16a9
  */
cf16a9
 
cf16a9
 key "a" {
cf16a9
-	algorithm "hmac-md5";
cf16a9
+	algorithm "hmac-sha256";
cf16a9
 	secret "aaaaaaaaaaaaaaaaaaaa";
cf16a9
 };
cf16a9
 
cf16a9
 key "b" {
cf16a9
-	algorithm "hmac-md5";
cf16a9
+	algorithm "hmac-sha256";
cf16a9
 	secret "bbbbbbbbbbbbbbbbbbbb";
cf16a9
 };
cf16a9
 
cf16a9
 key "c" {
cf16a9
-	algorithm "hmac-md5";
cf16a9
+	algorithm "hmac-sha256";
cf16a9
 	secret "cccccccccccccccccccc";
cf16a9
 };
cf16a9
 
cf16a9
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
cf16a9
index 3d7e0b7..ec4d9a7 100644
cf16a9
--- a/bin/tests/system/notify/tests.sh
cf16a9
+++ b/bin/tests/system/notify/tests.sh
cf16a9
@@ -212,16 +212,16 @@ ret=0
cf16a9
 $NSUPDATE << EOF
cf16a9
 server 10.53.0.5 ${PORT}
cf16a9
 zone x21
cf16a9
-key a aaaaaaaaaaaaaaaaaaaa
cf16a9
+key hmac-sha256:a aaaaaaaaaaaaaaaaaaaa
cf16a9
 update add added.x21 0 in txt "test string"
cf16a9
 send
cf16a9
 EOF
cf16a9
 
cf16a9
 for i in 1 2 3 4 5 6 7 8 9
cf16a9
 do
cf16a9
-	$DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
cf16a9
+	$DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
cf16a9
 		txt > dig.out.b.ns5.test$n || ret=1
cf16a9
-	$DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
cf16a9
+	$DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \
cf16a9
 		txt > dig.out.c.ns5.test$n || ret=1
cf16a9
 	grep "test string" dig.out.b.ns5.test$n > /dev/null &&
cf16a9
 	grep "test string" dig.out.c.ns5.test$n > /dev/null &&
cf16a9
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
cf16a9
index b51e700..436c97d 100644
cf16a9
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
cf16a9
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
cf16a9
@@ -37,7 +37,7 @@ controls {
cf16a9
 };
cf16a9
 
cf16a9
 key altkey {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha512;
cf16a9
 	secret "1234abcd8765";
cf16a9
 };
cf16a9
 
cf16a9
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
cf16a9
index da6b3b4..c547e47 100644
cf16a9
--- a/bin/tests/system/nsupdate/ns2/named.conf.in
cf16a9
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
cf16a9
@@ -32,7 +32,7 @@ controls {
cf16a9
 };
cf16a9
 
cf16a9
 key altkey {
cf16a9
-	algorithm hmac-md5;
cf16a9
+	algorithm hmac-sha512;
cf16a9
 	secret "1234abcd8765";
cf16a9
 };
cf16a9
 
cf16a9
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
cf16a9
index c055da3..4e1242b 100644
cf16a9
--- a/bin/tests/system/nsupdate/setup.sh
cf16a9
+++ b/bin/tests/system/nsupdate/setup.sh
cf16a9
@@ -56,7 +56,11 @@ EOF
cf16a9
 
cf16a9
 $DDNSCONFGEN -q -z example.nil > ns1/ddns.key
cf16a9
 
cf16a9
-$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
cf16a9
+if $FEATURETEST --md5; then
cf16a9
+	$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
cf16a9
+else
cf16a9
+	echo -n > ns1/md5.key
cf16a9
+fi
cf16a9
 $DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
cf16a9
 $DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
cf16a9
 $DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
cf16a9
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
cf16a9
index b35d797..41c128e 100755
cf16a9
--- a/bin/tests/system/nsupdate/tests.sh
cf16a9
+++ b/bin/tests/system/nsupdate/tests.sh
cf16a9
@@ -797,7 +797,14 @@ fi
cf16a9
 n=`expr $n + 1`
cf16a9
 ret=0
cf16a9
 echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
cf16a9
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
cf16a9
+if $FEATURETEST --md5
cf16a9
+then
cf16a9
+	ALGS="md5 sha1 sha224 sha256 sha384 sha512"
cf16a9
+else
cf16a9
+	ALGS="sha1 sha224 sha256 sha384 sha512"
cf16a9
+	echo_i "skipping disabled md5 algorithm"
cf16a9
+fi
cf16a9
+for alg in $ALGS; do
cf16a9
     $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
cf16a9
 server 10.53.0.1 ${PORT}
cf16a9
 update add ${alg}.keytests.nil. 600 A 10.10.10.3
cf16a9
@@ -805,7 +812,7 @@ send
cf16a9
 END
cf16a9
 done
cf16a9
 sleep 2
cf16a9
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
cf16a9
+for alg in $ALGS; do
cf16a9
     $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
cf16a9
 done
cf16a9
 if [ $ret -ne 0 ]; then
cf16a9
@@ -816,7 +823,7 @@ fi
cf16a9
 n=`expr $n + 1`
cf16a9
 ret=0
cf16a9
 echo_i "check TSIG key algorithms (nsupdate -y) ($n)"
cf16a9
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
cf16a9
+for alg in $ALGS; do
cf16a9
     secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key)
cf16a9
     $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" <<END > /dev/null || ret=1
cf16a9
 server 10.53.0.1 ${PORT}
cf16a9
@@ -825,7 +832,7 @@ send
cf16a9
 END
cf16a9
 done
cf16a9
 sleep 2
cf16a9
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
cf16a9
+for alg in $ALGS; do
cf16a9
     $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1
cf16a9
 done
cf16a9
 if [ $ret -ne 0 ]; then
cf16a9
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
cf16a9
index b59e7a7..04d5f5a 100644
cf16a9
--- a/bin/tests/system/rndc/setup.sh
cf16a9
+++ b/bin/tests/system/rndc/setup.sh
cf16a9
@@ -33,7 +33,7 @@ make_key () {
cf16a9
             sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
cf16a9
 }
cf16a9
 
cf16a9
-make_key 1 ${EXTRAPORT1} hmac-md5
cf16a9
+$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
cf16a9
 make_key 2 ${EXTRAPORT2} hmac-sha1
cf16a9
 make_key 3 ${EXTRAPORT3} hmac-sha224
cf16a9
 make_key 4 ${EXTRAPORT4} hmac-sha256
cf16a9
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
cf16a9
index 9fd84ed..d0b188f 100644
cf16a9
--- a/bin/tests/system/rndc/tests.sh
cf16a9
+++ b/bin/tests/system/rndc/tests.sh
cf16a9
@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
cf16a9
 status=`expr $status + $ret`
cf16a9
 
cf16a9
 n=`expr $n + 1`
cf16a9
-echo_i "testing rndc with hmac-md5 ($n)"
cf16a9
-ret=0
cf16a9
-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
cf16a9
-for i in 2 3 4 5 6
cf16a9
-do
cf16a9
-        $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
cf16a9
-done
cf16a9
-if [ $ret != 0 ]; then echo_i "failed"; fi
cf16a9
-status=`expr $status + $ret`
cf16a9
+if $FEATURETEST --md5
cf16a9
+then
cf16a9
+	echo_i "testing rndc with hmac-md5 ($n)"
cf16a9
+	ret=0
cf16a9
+	$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
cf16a9
+	for i in 2 3 4 5 6
cf16a9
+	do
cf16a9
+		$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
cf16a9
+	done
cf16a9
+	if [ $ret != 0 ]; then echo_i "failed"; fi
cf16a9
+	status=`expr $status + $ret`
cf16a9
+else
cf16a9
+	echo_i "skipping rndc with hmac-md5 ($n)"
cf16a9
+fi
cf16a9
 
cf16a9
 n=`expr $n + 1`
cf16a9
 echo_i "testing rndc with hmac-sha1 ($n)"
cf16a9
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
cf16a9
index 3470c4f..cf539cd 100644
cf16a9
--- a/bin/tests/system/tsig/ns1/named.conf.in
cf16a9
+++ b/bin/tests/system/tsig/ns1/named.conf.in
cf16a9
@@ -21,10 +21,7 @@ options {
cf16a9
 	notify no;
cf16a9
 };
cf16a9
 
cf16a9
-key "md5" {
cf16a9
-	secret "97rnFx24Tfna4mHPfgnerA==";
cf16a9
-	algorithm hmac-md5;
cf16a9
-};
cf16a9
+# md5 key appended by setup.sh at the end
cf16a9
 
cf16a9
 key "sha1" {
cf16a9
 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
cf16a9
@@ -51,10 +48,7 @@ key "sha512" {
cf16a9
 	algorithm hmac-sha512;
cf16a9
 };
cf16a9
 
cf16a9
-key "md5-trunc" {
cf16a9
-	secret "97rnFx24Tfna4mHPfgnerA==";
cf16a9
-	algorithm hmac-md5-80;
cf16a9
-};
cf16a9
+# md5-trunc key appended by setup.sh at the end
cf16a9
 
cf16a9
 key "sha1-trunc" {
cf16a9
 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
cf16a9
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
cf16a9
new file mode 100644
cf16a9
index 0000000..0682194
cf16a9
--- /dev/null
cf16a9
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
cf16a9
@@ -0,0 +1,10 @@
cf16a9
+# Conditionally included when support for MD5 is available
cf16a9
+key "md5" {
cf16a9
+	secret "97rnFx24Tfna4mHPfgnerA==";
cf16a9
+	algorithm hmac-md5;
cf16a9
+};
cf16a9
+
cf16a9
+key "md5-trunc" {
cf16a9
+	secret "97rnFx24Tfna4mHPfgnerA==";
cf16a9
+	algorithm hmac-md5-80;
cf16a9
+};
cf16a9
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
cf16a9
index e3b4a45..ae21d04 100644
cf16a9
--- a/bin/tests/system/tsig/setup.sh
cf16a9
+++ b/bin/tests/system/tsig/setup.sh
cf16a9
@@ -15,3 +15,8 @@ SYSTEMTESTTOP=..
cf16a9
 $SHELL clean.sh
cf16a9
 
cf16a9
 copy_setports ns1/named.conf.in ns1/named.conf
cf16a9
+
cf16a9
+if $FEATURETEST --md5
cf16a9
+then
cf16a9
+	cat ns1/rndc5.conf.in >> ns1/named.conf
cf16a9
+fi
cf16a9
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
cf16a9
index 38d842a..668aa6f 100644
cf16a9
--- a/bin/tests/system/tsig/tests.sh
cf16a9
+++ b/bin/tests/system/tsig/tests.sh
cf16a9
@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
cf16a9
 
cf16a9
 status=0
cf16a9
 
cf16a9
-echo_i "fetching using hmac-md5 (old form)"
cf16a9
-ret=0
cf16a9
-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
cf16a9
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
cf16a9
-if [ $ret -eq 1 ] ; then
cf16a9
-	echo_i "failed"; status=1
cf16a9
-fi
cf16a9
+if $FEATURETEST --md5
cf16a9
+then
cf16a9
+	echo_i "fetching using hmac-md5 (old form)"
cf16a9
+	ret=0
cf16a9
+	$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
cf16a9
+	grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
cf16a9
+	if [ $ret -eq 1 ] ; then
cf16a9
+		echo_i "failed"; status=1
cf16a9
+	fi
cf16a9
 
cf16a9
-echo_i "fetching using hmac-md5 (new form)"
cf16a9
-ret=0
cf16a9
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
cf16a9
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
cf16a9
-if [ $ret -eq 1 ] ; then
cf16a9
-	echo_i "failed"; status=1
cf16a9
+	echo_i "fetching using hmac-md5 (new form)"
cf16a9
+	ret=0
cf16a9
+	$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
cf16a9
+	grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
cf16a9
+	if [ $ret -eq 1 ] ; then
cf16a9
+		echo_i "failed"; status=1
cf16a9
+	fi
cf16a9
+else
cf16a9
+	echo_i "skipping using hmac-md5"
cf16a9
 fi
cf16a9
 
cf16a9
 echo_i "fetching using hmac-sha1"
cf16a9
@@ -87,12 +92,17 @@ fi
cf16a9
 #	Truncated TSIG
cf16a9
 #
cf16a9
 #
cf16a9
-echo_i "fetching using hmac-md5 (trunc)"
cf16a9
-ret=0
cf16a9
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
cf16a9
-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
cf16a9
-if [ $ret -eq 1 ] ; then
cf16a9
-	echo_i "failed"; status=1
cf16a9
+if $FEATURETEST --md5
cf16a9
+then
cf16a9
+	echo_i "fetching using hmac-md5 (trunc)"
cf16a9
+	ret=0
cf16a9
+	$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
cf16a9
+	grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
cf16a9
+	if [ $ret -eq 1 ] ; then
cf16a9
+		echo_i "failed"; status=1
cf16a9
+	fi
cf16a9
+else
cf16a9
+	echo_i "skipping using hmac-md5 (trunc)"
cf16a9
 fi
cf16a9
 
cf16a9
 echo_i "fetching using hmac-sha1 (trunc)"
cf16a9
@@ -141,12 +151,17 @@ fi
cf16a9
 #	Check for bad truncation.
cf16a9
 #
cf16a9
 #
cf16a9
-echo_i "fetching using hmac-md5-80 (BADTRUNC)"
cf16a9
-ret=0
cf16a9
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
cf16a9
-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
cf16a9
-if [ $ret -eq 1 ] ; then
cf16a9
-	echo_i "failed"; status=1
cf16a9
+if $FEATURETEST --md5
cf16a9
+then
cf16a9
+	echo_i "fetching using hmac-md5-80 (BADTRUNC)" 
cf16a9
+	ret=0
cf16a9
+	$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
cf16a9
+	grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
cf16a9
+	if [ $ret -eq 1 ] ; then
cf16a9
+		echo_i "failed"; status=1
cf16a9
+	fi
cf16a9
+else
cf16a9
+	echo_i "skipping using hmac-md5-80 (BADTRUNC)" 
cf16a9
 fi
cf16a9
 
cf16a9
 echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
cf16a9
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
cf16a9
index 3873c7c..b359a5a 100644
cf16a9
--- a/bin/tests/system/upforwd/ns1/named.conf.in
cf16a9
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
cf16a9
@@ -10,7 +10,7 @@
cf16a9
  */
cf16a9
 
cf16a9
 key "update.example." {
cf16a9
-	algorithm "hmac-md5";
cf16a9
+	algorithm "hmac-sha256";
cf16a9
 	secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
cf16a9
 };
cf16a9
 
cf16a9
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
cf16a9
index a50c896..8062d68 100644
cf16a9
--- a/bin/tests/system/upforwd/tests.sh
cf16a9
+++ b/bin/tests/system/upforwd/tests.sh
cf16a9
@@ -79,7 +79,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
cf16a9
 
cf16a9
 echo_i "updating zone (signed) ($n)"
cf16a9
 ret=0
cf16a9
-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <
cf16a9
+$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <
cf16a9
 server 10.53.0.3 ${PORT}
cf16a9
 update add updated.example. 600 A 10.10.10.1
cf16a9
 update add updated.example. 600 TXT Foo
cf16a9
-- 
cf16a9
2.26.2
cf16a9