Merge branch '4154-restore-the-ability-to-read-old-hmac-md5-key-pair-files-bind-9.18' into 'bind-9.18'
[9.18] Resolve "Restore the ability to read old HMAC-MD5 key pair files." See merge request isc-projects/bind9!8069
This commit is contained in:
commit
1eed6e28c8
37 changed files with 273 additions and 5 deletions
3
CHANGES
3
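--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+6205. [bug] Restore support to read legacy HMAC-MD5 K file pairs.
+[GL #4154]
+
 6204. [bug] Use NS records for relaxed QNAME-minimization mode.
 This reduces the number of queries named makes when
 resolving, as it allows the non-existence of NS RRsets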
|
|||
|
|
@ -498,6 +498,9 @@ list_hmac_algorithms(isc_buffer_t *b) {
|
|||
for (dst_algorithm_t i = DST_ALG_HMAC_FIRST; i <= DST_ALG_HMAC_LAST;
|
||||
i++)
|
||||
{
|
||||
if (i == DST_ALG_GSSAPI) {
|
||||
continue;
|
||||
}
|
||||
if (dst_algorithm_supported(i)) {
|
||||
isc_buffer_putstr(b, " ");
|
||||
isc_buffer_putstr(b, dst_hmac_algorithm_totext(i));
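Review bot: The `if (i == DST_ALG_GSSAPI) continue;` guard is the only thing keeping a non-HMAC value out of this listing, and nothing at the loop says why it is there; a one-line comment such as `/* DST_ALG_GSSAPI (160) sits inside the HMAC numeric range; see dst_algorithm_t */` would stop the next range loop written against DST_ALG_HMAC_FIRST..DST_ALG_HMAC_LAST from omitting the same skip. Any other such loop elsewhere in the tree needs the identical guard, which cannot be confirmed from this page. list_hmac_algorithms begins before the hunk and its end lies outside it.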
|
||||
|
|
|
|||
|
|
@ -3376,7 +3376,7 @@ do
|
|||
2) # Diffie Helman
|
||||
alg=$((alg+1))
|
||||
continue;;
|
||||
159|160|161|162|163|164|165) # private - non standard
|
||||
157|160|161|162|163|164|165) # private - non standard
|
||||
alg=$((alg+1))
|
||||
continue;;
|
||||
1|5|7|8|10) # RSA algorithms
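Review bot: Dropping 159 from the skip list on the new line `157|160|161|162|163|164|165) # private - non standard` means the loop now feeds algorithm number 159 to whichever branch follows, where before it was skipped with the rest of the private range; since 159 is no longer assigned to anything in dst.h, confirm that the branch it lands in expects an unknown algorithm rather than passing by accident. The retained comment `# private - non standard` is now misleading for 157, which is HMAC-MD5; `# HMAC, GSSAPI and private-use numbers - skipped` describes the list. The case statement and its enclosing loop both extend outside the hunk.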
|
||||
|
|
|
|||
|
|
@ -31,6 +31,7 @@ rm -f ns1/example.db ns1/unixtime.db ns1/yyyymmddvv.db ns1/update.db ns1/other.d
|
|||
rm -f ns1/many.test.db
|
||||
rm -f ns1/maxjournal.db
|
||||
rm -f ns1/md5.key ns1/sha1.key ns1/sha224.key ns1/sha256.key ns1/sha384.key
|
||||
rm -f ns1/legacy157.key ns1/legacy161.key ns1/legacy162.key ns1/legacy163.key ns1/legacy164.key ns1/legacy165.key
|
||||
rm -f ns1/sample.db
|
||||
rm -f ns1/sha512.key ns1/ddns.key
|
||||
rm -f ns10/_default.tsigkeys
|
||||
|
|
@ -62,6 +63,7 @@ rm -f ns9/denyname.example.db
|
|||
rm -f ns9/example.com.db
|
||||
rm -f ns9/in-addr.db
|
||||
rm -f perl.update_test.out
|
||||
rm -f nsupdate.alg-*
|
||||
rm -f nsupdate.out*
|
||||
rm -f typelist.out.*
|
||||
rm -f update.out.*
|
||||
|
|
|
|||
|
|
@ -0,0 +1 @@
|
|||
legacy-157. IN KEY 0 3 157 mGcDSCx/fF121GOVJlITLg==
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
Private-key-format: v1.3
|
||||
Algorithm: 157 (HMAC_MD5)
|
||||
Key: mGcDSCx/fF121GOVJlITLg==
|
||||
Bits: AAA=
|
||||
Created: 20230619042408
|
||||
Publish: 20230619042408
|
||||
Activate: 20230619042408
|
||||
|
|
@ -0,0 +1 @@
|
|||
legacy-161. IN KEY 0 3 161 N80fGvcr8JifzRUJ62R4rQ==
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
Private-key-format: v1.3
|
||||
Algorithm: 161 (HMAC_SHA1)
|
||||
Key: N80fGvcr8JifzRUJ62R4rQ==
|
||||
Bits: AAA=
|
||||
Created: 20230619042427
|
||||
Publish: 20230619042427
|
||||
Activate: 20230619042427
|
||||
|
|
@ -0,0 +1 @@
|
|||
legacy-162. IN KEY 0 3 162 nSIKzFAGS7/tvBs8JteI+Q==
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
Private-key-format: v1.3
|
||||
Algorithm: 162 (HMAC_SHA224)
|
||||
Key: nSIKzFAGS7/tvBs8JteI+Q==
|
||||
Bits: AAA=
|
||||
Created: 20230619042555
|
||||
Publish: 20230619042555
|
||||
Activate: 20230619042555
|
||||
|
|
@ -0,0 +1 @@
|
|||
legacy-163. IN KEY 0 3 163 CvaupxnDeES3HnlYhTq53w==
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
Private-key-format: v1.3
|
||||
Algorithm: 163 (HMAC_SHA256)
|
||||
Key: CvaupxnDeES3HnlYhTq53w==
|
||||
Bits: AAA=
|
||||
Created: 20230619042525
|
||||
Publish: 20230619042525
|
||||
Activate: 20230619042525
|
||||
|
|
@ -0,0 +1 @@
|
|||
legacy-164. IN KEY 0 3 164 wDldBJwJrYfPoL1Pj4ucOQ==
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
Private-key-format: v1.3
|
||||
Algorithm: 164 (HMAC_SHA384)
|
||||
Key: wDldBJwJrYfPoL1Pj4ucOQ==
|
||||
Bits: AAA=
|
||||
Created: 20230619042615
|
||||
Publish: 20230619042615
|
||||
Activate: 20230619042615
|
||||
|
|
@ -0,0 +1 @@
|
|||
legacy-165. IN KEY 0 3 165 OgZrTcEa8P76hVY+xyN7Wg==
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
Private-key-format: v1.3
|
||||
Algorithm: 165 (HMAC_SHA512)
|
||||
Key: OgZrTcEa8P76hVY+xyN7Wg==
|
||||
Bits: AAA=
|
||||
Created: 20230619042627
|
||||
Publish: 20230619042627
|
||||
Activate: 20230619042627
|
||||
|
|
@ -129,6 +129,12 @@ include "sha224.key";
|
|||
include "sha256.key";
|
||||
include "sha384.key";
|
||||
include "sha512.key";
|
||||
include "legacy157.key";
|
||||
include "legacy161.key";
|
||||
include "legacy162.key";
|
||||
include "legacy163.key";
|
||||
include "legacy164.key";
|
||||
include "legacy165.key";
|
||||
|
||||
zone "keytests.nil" {
|
||||
type primary;
|
||||
|
|
@ -140,6 +146,12 @@ zone "keytests.nil" {
|
|||
grant sha256-key name sha256.keytests.nil. ANY;
|
||||
grant sha384-key name sha384.keytests.nil. ANY;
|
||||
grant sha512-key name sha512.keytests.nil. ANY;
|
||||
grant legacy-157 name 157.keytests.nil. ANY;
|
||||
grant legacy-161 name 161.keytests.nil. ANY;
|
||||
grant legacy-162 name 162.keytests.nil. ANY;
|
||||
grant legacy-163 name 163.keytests.nil. ANY;
|
||||
grant legacy-164 name 164.keytests.nil. ANY;
|
||||
grant legacy-165 name 165.keytests.nil. ANY;
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -83,6 +83,17 @@ $TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key
|
|||
$TSIGKEYGEN -a hmac-sha384 sha384-key > ns1/sha384.key
|
||||
$TSIGKEYGEN -a hmac-sha512 sha512-key > ns1/sha512.key
|
||||
|
||||
if $FEATURETEST --md5; then
|
||||
echo 'key "legacy-157" { algorithm "hmac-md5"; secret "mGcDSCx/fF121GOVJlITLg=="; };' > ns1/legacy157.key
|
||||
else
|
||||
echo "/* MD5 NOT SUPPORTED */" > ns1/legacy157.key
|
||||
fi
|
||||
echo 'key "legacy-161" { algorithm "hmac-sha1"; secret "N80fGvcr8JifzRUJ62R4rQ=="; };' > ns1/legacy161.key
|
||||
echo 'key "legacy-162" { algorithm "hmac-sha224"; secret "nSIKzFAGS7/tvBs8JteI+Q=="; };' > ns1/legacy162.key
|
||||
echo 'key "legacy-163" { algorithm "hmac-sha256"; secret "CvaupxnDeES3HnlYhTq53w=="; };' > ns1/legacy163.key
|
||||
echo 'key "legacy-164" { algorithm "hmac-sha384"; secret "wDldBJwJrYfPoL1Pj4ucOQ=="; };' > ns1/legacy164.key
|
||||
echo 'key "legacy-165" { algorithm "hmac-sha512"; secret "OgZrTcEa8P76hVY+xyN7Wg=="; };' > ns1/legacy165.key
|
||||
|
||||
(cd ns3; $SHELL -e sign.sh)
|
||||
|
||||
cp -f ns1/many.test.db.in ns1/many.test.db
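Review bot: The six `echo 'key "legacy-…"'` lines restate each secret by hand, so the same base64 value now lives in the K*.key fixture, its private-key counterpart and this script, and regenerating a fixture silently breaks the test. Reading the secret from the fixture keeps one source of truth, e.g. `secret=$(sed -n 's/^Key: //p' ns1/legacy/Klegacy-161.+161+*.private)` (presuming that is the private half of the pair) and `secret "$secret"` in the echo; if the fixtures are meant to be frozen forever this is only a maintenance note. The MD5 branch writes `/* MD5 NOT SUPPORTED */` so the unconditional `include "legacy157.key"` in named.conf still parses, which matches how the existing md5.key is handled and is fine.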
|
||||
|
|
|
|||
|
|
@ -840,6 +840,37 @@ fi
|
|||
|
||||
n=$((n + 1))
|
||||
ret=0
|
||||
|
||||
n=$((n + 1))
|
||||
ret=0
|
||||
echo_i "check TSIG key algorithms using legacy K file pairs (nsupdate -k) ($n)"
|
||||
if $FEATURETEST --md5
|
||||
then
|
||||
ALGS="157 161 162 163 164 165"
|
||||
else
|
||||
ALGS="161 162 163 164 165"
|
||||
echo_i "skipping disabled md5 (157) algorithm"
|
||||
fi
|
||||
for alg in $ALGS; do
|
||||
$NSUPDATE -k ns1/legacy/Klegacy-${alg}.+${alg}+*.key <<END > nsupdate.alg-$alg.out 2>&1 || ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
update add ${alg}.keytests.nil. 600 A 10.10.10.3
|
||||
send
|
||||
END
|
||||
done
|
||||
sleep 2
|
||||
for alg in $ALGS; do
|
||||
$DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
|
||||
grep "Use of K\* file pairs for HMAC is deprecated" nsupdate.alg-$alg.out > /dev/null || ret=1
|
||||
done
|
||||
if [ $ret -ne 0 ]; then
|
||||
echo_i "failed"
|
||||
status=1
|
||||
fi
|
||||
|
||||
n=$((n + 1))
|
||||
ret=0
|
||||
|
||||
echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
|
||||
if $FEATURETEST --md5
|
||||
then
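Review bot: The fixed `sleep 2` between the nsupdate loop and the dig loop makes the check timing-dependent; the rest of this file presumably already uses a bounded retry helper for cases like this, and wrapping the dig in one would remove the flake without slowing the passing case. `grep 10.10.10.3` treats the dots as wildcards; `grep -F 10.10.10.3` is the cheap fix. When one algorithm fails, a bare `ret=1` gives no hint which one, so `echo_i "alg $alg failed"` next to each `|| ret=1` would help triage. The test sequence continues outside the hunk on both sides.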
|
||||
|
|
|
|||
|
|
@ -0,0 +1 @@
|
|||
hmac-md5-legacy. IN KEY 0 3 157 B7HCXJs0XnSPzypG5oHuGw==
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
Private-key-format: v1.3
|
||||
Algorithm: 157 (HMAC_MD5)
|
||||
Key: B7HCXJs0XnSPzypG5oHuGw==
|
||||
Bits: AAA=
|
||||
Created: 20230619071002
|
||||
Publish: 20230619071002
|
||||
Activate: 20230619071002
|
||||
|
|
@ -0,0 +1 @@
|
|||
hmac-sha1-legacy. IN KEY 0 3 161 TxGx9XBp6Pp5yYAOKXdERA==
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
Private-key-format: v1.3
|
||||
Algorithm: 161 (HMAC_SHA1)
|
||||
Key: TxGx9XBp6Pp5yYAOKXdERA==
|
||||
Bits: AAA=
|
||||
Created: 20230619071031
|
||||
Publish: 20230619071031
|
||||
Activate: 20230619071031
|
||||
|
|
@ -0,0 +1 @@
|
|||
hmac-sha224-legacy. IN KEY 0 3 162 H8Hyw718rLqToQFRLAeFWQ==
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
Private-key-format: v1.3
|
||||
Algorithm: 162 (HMAC_SHA224)
|
||||
Key: H8Hyw718rLqToQFRLAeFWQ==
|
||||
Bits: AAA=
|
||||
Created: 20230619071136
|
||||
Publish: 20230619071136
|
||||
Activate: 20230619071136
|
||||
|
|
@ -0,0 +1 @@
|
|||
hmac-sha256-legacy. IN KEY 0 3 163 fdT9hiPov4ThMEfRv1FNmA==
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
Private-key-format: v1.3
|
||||
Algorithm: 163 (HMAC_SHA256)
|
||||
Key: fdT9hiPov4ThMEfRv1FNmA==
|
||||
Bits: AAA=
|
||||
Created: 20230619071043
|
||||
Publish: 20230619071043
|
||||
Activate: 20230619071043
|
||||
|
|
@ -0,0 +1 @@
|
|||
hmac-sha384-legacy. IN KEY 0 3 164 fnshFIjQTLFap6+j2JGBkA==
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
Private-key-format: v1.3
|
||||
Algorithm: 164 (HMAC_SHA384)
|
||||
Key: fnshFIjQTLFap6+j2JGBkA==
|
||||
Bits: AAA=
|
||||
Created: 20230619071109
|
||||
Publish: 20230619071109
|
||||
Activate: 20230619071109
|
||||
|
|
@ -0,0 +1 @@
|
|||
hmac-sha512-legacy. IN KEY 0 3 165 BZwNLICp2tj4hi6gil41eg==
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
Private-key-format: v1.3
|
||||
Algorithm: 165 (HMAC_SHA512)
|
||||
Key: BZwNLICp2tj4hi6gil41eg==
|
||||
Bits: AAA=
|
||||
Created: 20230619071124
|
||||
Publish: 20230619071124
|
||||
Activate: 20230619071124
|
||||
|
|
@ -50,6 +50,33 @@ key "sha512" {
|
|||
algorithm hmac-sha512;
|
||||
};
|
||||
|
||||
# hmac-md5-legacy key appended by setup.sh at the end
|
||||
|
||||
key "hmac-sha1-legacy" {
|
||||
algorithm "hmac-sha1";
|
||||
secret "TxGx9XBp6Pp5yYAOKXdERA==";
|
||||
};
|
||||
|
||||
key "hmac-sha224-legacy" {
|
||||
algorithm "hmac-sha224";
|
||||
secret "H8Hyw718rLqToQFRLAeFWQ==";
|
||||
};
|
||||
|
||||
key "hmac-sha256-legacy" {
|
||||
algorithm "hmac-sha256";
|
||||
secret "fdT9hiPov4ThMEfRv1FNmA==";
|
||||
};
|
||||
|
||||
key "hmac-sha384-legacy" {
|
||||
algorithm "hmac-sha384";
|
||||
secret "fnshFIjQTLFap6+j2JGBkA==";
|
||||
};
|
||||
|
||||
key "hmac-sha512-legacy" {
|
||||
algorithm "hmac-sha512";
|
||||
secret "BZwNLICp2tj4hi6gil41eg==";
|
||||
};
|
||||
|
||||
# md5-trunc key appended by setup.sh at the end
|
||||
|
||||
key "sha1-trunc" {
|
||||
|
|
|
|||
|
|
@ -26,6 +26,11 @@ key "md5" {
|
|||
algorithm hmac-md5;
|
||||
};
|
||||
|
||||
key "hmac-md5-legacy" {
|
||||
algorithm "hmac-md5";
|
||||
secret "B7HCXJs0XnSPzypG5oHuGw==";
|
||||
};
|
||||
|
||||
key "md5-trunc" {
|
||||
secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
algorithm hmac-md5-80;
|
||||
|
|
|
|||
|
|
@ -257,5 +257,64 @@ if [ $ret -eq 1 ] ; then
|
|||
echo_i "failed"; status=1
|
||||
fi
|
||||
|
||||
if $FEATURETEST --md5
|
||||
then
|
||||
echo_i "fetching using hmac-md5 (legacy)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-md5-legacy.+*.key @10.53.0.1 soa > dig.out.md5.legacy 2>&1 || ret=1
|
||||
grep -i "md5.*TSIG.*NOERROR" dig.out.md5.legacy > /dev/null || ret=1
|
||||
grep "Use of K\* file pairs for HMAC is deprecated" dig.out.md5.legacy > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
else
|
||||
echo_i "skipping using hmac-md5"
|
||||
fi
|
||||
|
||||
echo_i "fetching using hmac-sha1 (legacy)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha1-legacy.+*.key @10.53.0.1 soa > dig.out.sha1.legacy 2>&1 || ret=1
|
||||
grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.legacy > /dev/null || ret=1
|
||||
grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha1.legacy > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
|
||||
echo_i "fetching using hmac-sha224 (legacy)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha224-legacy.+*.key @10.53.0.1 soa > dig.out.sha224 2>&1 || ret=1
|
||||
grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 > /dev/null || ret=1
|
||||
grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha224 > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
|
||||
echo_i "fetching using hmac-sha256 (legacy)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha256-legacy.*.key @10.53.0.1 soa > dig.out.sha256 2>&1 || ret=1
|
||||
grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 > /dev/null || ret=1
|
||||
grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha256 > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
|
||||
echo_i "fetching using hmac-sha384 (legacy)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha384-legacy.*.key @10.53.0.1 soa > dig.out.sha384 2>&1 || ret=1
|
||||
grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 > /dev/null || ret=1
|
||||
grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha384 > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
|
||||
echo_i "fetching using hmac-sha512 (legacy)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha512-legacy.*.key @10.53.0.1 soa > dig.out.sha512 2>&1 || ret=1
|
||||
grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha512 > /dev/null || ret=1
|
||||
grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
|
||||
echo_i "exit status: $status"
|
||||
[ $status -eq 0 ] || exit 1
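Review bot: The sha224/sha256/sha384/sha512 legacy checks write to `dig.out.sha224` … `dig.out.sha512`, while the md5 and sha1 checks use `dig.out.md5.legacy` / `dig.out.sha1.legacy`; if the earlier non-legacy fetches in this script already use the unsuffixed names (the pattern suggests so), these lines overwrite their output and hide which step produced a failure, so `dig.out.sha224.legacy` etc. would keep the two runs apart. The `-k` globs are also inconsistent: three use `Khmac-…-legacy.+*.key` and three `Khmac-…-legacy.*.key`; both match, but one spelling is easier to grep for. Since the six blocks differ only in the algorithm name, a `for alg in …` loop like the one in the nsupdate test would shrink the hunk to a dozen lines. The script's earlier tests lie outside the hunk.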
|
||||
|
|
|
|||
|
|
@ -43,7 +43,8 @@ Feature Changes
|
|||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
||||
- None.
|
||||
- Restored the abilty to read HMAC-MD5 K file pairs (K*.+157+*.{key,private})
|
||||
that was accidentally lost. :gl:`#4154`
|
||||
|
||||
Known Issues
|
||||
~~~~~~~~~~~~
|
||||
|
|
|
|||
|
|
@ -32,6 +32,7 @@
|
|||
|
||||
#include <isc/buffer.h>
|
||||
#include <isc/hmac.h>
|
||||
#include <isc/lex.h>
|
||||
#include <isc/md.h>
|
||||
#include <isc/mem.h>
|
||||
#include <isc/nonce.h>
|
||||
|
|
@ -102,7 +103,17 @@
|
|||
} \
|
||||
static isc_result_t hmac##alg##_parse( \
|
||||
dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { \
|
||||
return (hmac_parse(ISC_MD_##alg, key, lexer, pub)); \
|
||||
const char *file = isc_lex_getsourcename(lexer); \
|
||||
isc_result_t result; \
|
||||
result = hmac_parse(ISC_MD_##alg, key, lexer, pub); \
|
||||
if (result == ISC_R_SUCCESS && file != NULL) { \
|
||||
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, \
|
||||
DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING, \
|
||||
"%s: Use of K* file pairs for HMAC is " \
|
||||
"deprecated\n", \
|
||||
file); \
|
||||
} \
|
||||
return (result); \
|
||||
} \
|
||||
static dst_func_t hmac##alg##_functions = { \
|
||||
hmac##alg##_createctx, \
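Review bot: The warning text ends in `"deprecated\n"`; the other isc_log_write messages in the tree do not carry a trailing newline because the logging layer terminates each record itself, so this one will likely print an extra blank line — drop it: `"%s: Use of K* file pairs for HMAC is " "deprecated",`. Capturing `file` from isc_lex_getsourcename before hmac_parse runs is fine as long as the lexer outlives the call, which the caller controls; a brief comment saying the name is read early so it is available after the parse would make that intent clear. The macro body extends outside the hunk on both sides.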
|
||||
|
|
|
|||
|
|
@ -95,15 +95,22 @@ typedef enum dst_algorithm {
|
|||
DST_ALG_ECDSA384 = 14,
|
||||
DST_ALG_ED25519 = 15,
|
||||
DST_ALG_ED448 = 16,
|
||||
DST_ALG_GSSAPI = 159,
|
||||
DST_ALG_HMACMD5 = 160,
|
||||
|
||||
/*
|
||||
* Do not renumber HMAC algorithms as they are used externally to named
|
||||
* in legacy K* key pair files.
|
||||
* Do not add non HMAC between DST_ALG_HMACMD5 and DST_ALG_HMACSHA512.
|
||||
*/
|
||||
DST_ALG_HMACMD5 = 157,
|
||||
DST_ALG_HMAC_FIRST = DST_ALG_HMACMD5,
|
||||
DST_ALG_GSSAPI = 160, /* Internal use only. Exception. */
|
||||
DST_ALG_HMACSHA1 = 161, /* XXXMPA */
|
||||
DST_ALG_HMACSHA224 = 162, /* XXXMPA */
|
||||
DST_ALG_HMACSHA256 = 163, /* XXXMPA */
|
||||
DST_ALG_HMACSHA384 = 164, /* XXXMPA */
|
||||
DST_ALG_HMACSHA512 = 165, /* XXXMPA */
|
||||
DST_ALG_HMAC_LAST = DST_ALG_HMACSHA512,
|
||||
|
||||
DST_ALG_INDIRECT = 252,
|
||||
DST_ALG_PRIVATE = 254,
|
||||
DST_MAX_ALGS = 256,
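Review bot: The new comment says `Do not add non HMAC between DST_ALG_HMACMD5 and DST_ALG_HMACSHA512`, yet `DST_ALG_GSSAPI = 160` now sits inside that range and every loop over DST_ALG_HMAC_FIRST..DST_ALG_HMAC_LAST has to skip it explicitly (list_hmac_algorithms in this commit does); the comment should state that, e.g. `* DST_ALG_GSSAPI (160) is already inside this range; any loop over DST_ALG_HMAC_FIRST..DST_ALG_HMAC_LAST must skip it.` The renumbering also moves DST_ALG_GSSAPI from 159 to 160, so anything that keyed on 159 needs the same update the test script received in this commit; nothing else is visible here. The `/* XXXMPA */` markers carry no information for a reader and could be removed. The enum continues outside the hunk.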
|
||||
|
|
|
|||