From ff7e73db6aa7f7f0e6b40587d76d2f3292729ec4 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 20 Dec 2021 19:28:36 +1100
Subject: [PATCH] nsupdate: use FIPS compatible algorithms

HMACMD5 is not permitted in FIPS mode, use HMACSHA256 instead.
---
 bin/tests/system/nsupdate/setup.sh | 2 +-
 bin/tests/system/nsupdate/tests.sh | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index 25c4cb4d8b..9c78bc55cd 100644
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
@@ -76,7 +76,7 @@ $TSIGKEYGEN ddns-key.example.nil > ns1/ddns.key
 if $FEATURETEST --md5; then
 $TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key
 else
- echo -n > ns1/md5.key
+ echo "/* MD5 NOT SUPPORTED */" > ns1/md5.key
 fi
 $TSIGKEYGEN -a hmac-sha1 sha1-key > ns1/sha1.key
 $TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index 6489542348..452a1d8ef8 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -985,7 +985,7 @@ fi
 n=$((n + 1))
 ret=0
 echo_i "check TSIG key algorithms (nsupdate -y) ($n)"
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+for alg in $ALGS; do
 secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key)
 $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" < /dev/null || ret=1
 server 10.53.0.1 ${PORT}
@@ -994,7 +994,7 @@ send
 END
 done
 sleep 2
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+for alg in $ALGS; do
 $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1
 done
 if [ $ret -ne 0 ]; then
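Review bot: The `else` branch in setup.sh now writes a comment-only `ns1/md5.key` instead of an empty file, but neither the hunk nor the commit message says why the file must be non-empty. The message talks about switching to HMACSHA256, which no visible line does. Presumably something still includes or reads this file when MD5 is unavailable; if so, a comment above the `echo` such as `# md5.key is still referenced when MD5 is disabled (e.g. FIPS mode); keep it parsable` would record that. It is also worth confirming that every consumer of `ns1/md5.key` tolerates a file with no `secret` line.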
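Review bot: `$ALGS` is not defined anywhere in this patch, and the diffstat shows no other inserted line, so `for alg in $ALGS; do` in the hunk at -985 (and again at -994) relies on a definition outside the diff. If that variable is ever unset or empty, both loops run zero times and the check finishes with `ret=0` without exercising any TSIG algorithm; a guard before the first loop such as `[ -n "$ALGS" ] || ret=1` would turn that into a failure. The definition should also carry a comment that it has to stay in step with the `$FEATURETEST --md5` gate in setup.sh, because the placeholder `md5.key` has no `secret` line for the `sed` to extract. The first loop's body continues outside the hunk.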