mirror of
https://github.com/isc-projects/bind9.git
synced 2026-05-28 04:34:54 -04:00
FIPS tests changes for RHEL
Include MD5 feature detection in featuretest tool and use it in some
places. When RHEL distribution or Fedora ELN is in FIPS mode, then MD5
algorithm is unavailable completely and even hmac-md5 algorithm usage
will always fail. Work that around by checking MD5 works and if not,
skipping its usage.
Those changes were dragged as downstream patch bind-9.11-fips-tests.patch
in Fedora and RHEL.
(cherry picked from commit 6ad794a8cd)
This commit is contained in:
Petr Menšík
Mark Andrews
parent
d0920a91dc
commit
0915738c46
9 changed files with 103 additions and 47 deletions
|
|
@ -98,7 +98,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
|
|||
# and other values? right out
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
@10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
|
||||
@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@
|
|||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <isc/md.h>
|
||||
#include <isc/net.h>
|
||||
#include <isc/print.h>
|
||||
#include <isc/util.h>
|
||||
|
|
@ -37,6 +38,7 @@ usage(void) {
|
|||
fprintf(stderr, "\t--have-json-c\n");
|
||||
fprintf(stderr, "\t--have-libxml2\n");
|
||||
fprintf(stderr, "\t--ipv6only=no\n");
|
||||
fprintf(stderr, "\t--md5\n");
|
||||
fprintf(stderr, "\t--tsan\n");
|
||||
fprintf(stderr, "\t--with-dlz-filesystem\n");
|
||||
fprintf(stderr, "\t--with-libidn2\n");
|
||||
|
|
@ -143,6 +145,20 @@ main(int argc, char **argv) {
|
|||
#endif
|
||||
}
|
||||
|
||||
if (strcmp(argv[1], "--md5") == 0) {
|
||||
unsigned char digest[ISC_MAX_MD_SIZE];
|
||||
const unsigned char test[] = "test";
|
||||
unsigned int size = sizeof(digest);
|
||||
|
||||
if (isc_md(ISC_MD_MD5, test, sizeof(test), digest, &size) ==
|
||||
ISC_R_SUCCESS)
|
||||
{
|
||||
return (0);
|
||||
} else {
|
||||
return (1);
|
||||
}
|
||||
}
|
||||
|
||||
if (strcmp(argv[1], "--ipv6only=no") == 0) {
|
||||
#if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
|
||||
int s;
|
||||
|
|
|
|||
|
|
@ -72,7 +72,11 @@ EOF
|
|||
|
||||
$TSIGKEYGEN ddns-key.example.nil > ns1/ddns.key
|
||||
|
||||
$TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key
|
||||
if $FEATURETEST --md5; then
|
||||
$TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key
|
||||
else
|
||||
echo -n > ns1/md5.key
|
||||
fi
|
||||
$TSIGKEYGEN -a hmac-sha1 sha1-key > ns1/sha1.key
|
||||
$TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key
|
||||
$TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key
|
||||
|
|
|
|||
|
|
@ -841,7 +841,14 @@ fi
|
|||
n=$((n + 1))
|
||||
ret=0
|
||||
echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
|
||||
for alg in md5 sha1 sha224 sha256 sha384 sha512; do
|
||||
if $FEATURETEST --md5
|
||||
then
|
||||
ALGS="md5 sha1 sha224 sha256 sha384 sha512"
|
||||
else
|
||||
ALGS="sha1 sha224 sha256 sha384 sha512"
|
||||
echo_i "skipping disabled md5 algorithm"
|
||||
fi
|
||||
for alg in $ALGS; do
|
||||
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
update add ${alg}.keytests.nil. 600 A 10.10.10.3
|
||||
|
|
@ -849,7 +856,7 @@ send
|
|||
END
|
||||
done
|
||||
sleep 2
|
||||
for alg in md5 sha1 sha224 sha256 sha384 sha512; do
|
||||
for alg in $ALGS; do
|
||||
$DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
|
||||
done
|
||||
if [ $ret -ne 0 ]; then
|
||||
|
|
|
|||
|
|
@ -47,7 +47,7 @@ make_key () {
|
|||
sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
|
||||
}
|
||||
|
||||
make_key 1 ${EXTRAPORT1} hmac-md5
|
||||
$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
|
||||
make_key 2 ${EXTRAPORT2} hmac-sha1
|
||||
make_key 3 ${EXTRAPORT3} hmac-sha224
|
||||
make_key 4 ${EXTRAPORT4} hmac-sha256
|
||||
|
|
|
|||
|
|
@ -350,15 +350,19 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
|
|||
status=$((status+ret))
|
||||
|
||||
n=$((n+1))
|
||||
echo_i "testing rndc with hmac-md5 ($n)"
|
||||
ret=0
|
||||
$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
|
||||
for i in 2 3 4 5 6
|
||||
do
|
||||
$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
||||
done
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status+ret))
|
||||
if $FEATURETEST --md5; then
|
||||
echo_i "testing rndc with hmac-md5 ($n)"
|
||||
ret=0
|
||||
$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
|
||||
for i in 2 3 4 5 6
|
||||
do
|
||||
$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
||||
done
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status+ret))
|
||||
else
|
||||
echo_i "skipping rndc with hmac-md5 ($n)"
|
||||
fi
|
||||
|
||||
n=$((n+1))
|
||||
echo_i "testing rndc with hmac-sha1 ($n)"
|
||||
|
|
|
|||
|
|
@ -23,10 +23,7 @@ options {
|
|||
notify no;
|
||||
};
|
||||
|
||||
key "md5" {
|
||||
secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
algorithm hmac-md5;
|
||||
};
|
||||
# md5 key appended by setup.sh at the end
|
||||
|
||||
key "sha1" {
|
||||
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
|
||||
|
|
@ -53,10 +50,7 @@ key "sha512" {
|
|||
algorithm hmac-sha512;
|
||||
};
|
||||
|
||||
key "md5-trunc" {
|
||||
secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
algorithm hmac-md5-80;
|
||||
};
|
||||
# md5-trunc key appended by setup.sh at the end
|
||||
|
||||
key "sha1-trunc" {
|
||||
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
|
||||
|
|
|
|||
|
|
@ -16,3 +16,19 @@
|
|||
$SHELL clean.sh
|
||||
|
||||
copy_setports ns1/named.conf.in ns1/named.conf
|
||||
|
||||
if $FEATURETEST --md5
|
||||
then
|
||||
cat >> ns1/named.conf << EOF
|
||||
# Conditionally included when support for MD5 is available
|
||||
key "md5" {
|
||||
secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
algorithm hmac-md5;
|
||||
};
|
||||
|
||||
key "md5-trunc" {
|
||||
secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
algorithm hmac-md5-80;
|
||||
};
|
||||
EOF
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -27,20 +27,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
|
|||
|
||||
status=0
|
||||
|
||||
echo_i "fetching using hmac-md5 (old form)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
|
||||
grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
if $FEATURETEST --md5
|
||||
then
|
||||
echo_i "fetching using hmac-md5 (old form)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
|
||||
grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
|
||||
echo_i "fetching using hmac-md5 (new form)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
|
||||
grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
echo_i "fetching using hmac-md5 (new form)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
|
||||
grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
else
|
||||
echo_i "skipping using hmac-md5"
|
||||
fi
|
||||
|
||||
echo_i "fetching using hmac-sha1"
|
||||
|
|
@ -88,12 +93,17 @@ fi
|
|||
# Truncated TSIG
|
||||
#
|
||||
#
|
||||
echo_i "fetching using hmac-md5 (trunc)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
|
||||
grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
if $FEATURETEST --md5
|
||||
then
|
||||
echo_i "fetching using hmac-md5 (trunc)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
|
||||
grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
else
|
||||
echo_i "skipping using hmac-md5 (trunc)"
|
||||
fi
|
||||
|
||||
echo_i "fetching using hmac-sha1 (trunc)"
|
||||
|
|
@ -142,12 +152,17 @@ fi
|
|||
# Check for bad truncation.
|
||||
#
|
||||
#
|
||||
echo_i "fetching using hmac-md5-80 (BADTRUNC)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
|
||||
grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
if $FEATURETEST --md5
|
||||
then
|
||||
echo_i "fetching using hmac-md5-80 (BADTRUNC)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
|
||||
grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
else
|
||||
echo_i "skipping using hmac-md5-80 (BADTRUNC)"
|
||||
fi
|
||||
|
||||
echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
|
||||
|
|
|
|||
Loading…
Reference in a new issue