From 2376abc18ee04a8d2e98acb901ba9418be5a6fd8 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 19 Jun 2023 14:17:14 +1000 Subject: [PATCH 1/5] Restore the ability to read legacy K*+157+* files The ability to read legacy HMAC-MD5 K* keyfile pairs using algorithm number 157 was accidentally lost when the algorithm numbers were consolidated into a single block, in commit 09f7e0607a34d90eae53f862954e98c31b5ae532. The assumption was that these algorithm numbers were only known internally, but they were also used in key files. But since HMAC-MD5 got renumbered from 157 to 160, legacy HMAC-MD5 key files no longer work. Move HMAC-MD5 back to 157 and GSSAPI back to 160. Add exception for GSSAPI to list_hmac_algorithms. (cherry picked from commit 3f93d3f757ce3e5ea92c3e899e262aa2318b32fc) --- CHANGES | 3 +++ bin/named/main.c | 3 +++ bin/tests/system/dnssec/tests.sh | 2 +- lib/dns/include/dst/dst.h | 11 +++++++++-- 4 files changed, 16 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 79d5a49a64..ce55e61dc2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +6205. [bug] Restore support to read legacy HMAC-MD5 K file pairs. + [GL #4154] + 6204. [bug] Use NS records for relaxed QNAME-minimization mode. This reduces the number of queries named makes when resolving, as it allows the non-existence of NS RRsets diff --git a/bin/named/main.c b/bin/named/main.c index bb7798c667..154e17efa7 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -498,6 +498,9 @@ list_hmac_algorithms(isc_buffer_t *b) { for (dst_algorithm_t i = DST_ALG_HMAC_FIRST; i <= DST_ALG_HMAC_LAST; i++) { + if (i == DST_ALG_GSSAPI) { + continue; + } if (dst_algorithm_supported(i)) { isc_buffer_putstr(b, " "); isc_buffer_putstr(b, dst_hmac_algorithm_totext(i)); diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index f2d095f916..966c891e2a 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh 
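Review bot: The new `continue` for DST_ALG_GSSAPI in list_hmac_algorithms carries no explanation, and nothing in main.c says why a non-HMAC algorithm can appear in the DST_ALG_HMAC_FIRST..DST_ALG_HMAC_LAST range, so the next reader has to find the dst.h hunk of this same commit to know the skip is deliberate rather than a workaround. Suggest a why-comment above the check: `/* GSSAPI (160) sits inside the HMAC number range only so the legacy K* file numbering stays stable; it is not an HMAC algorithm (see dst.h). */`. Any other loop over that range presumably needs the same exclusion; worth grepping for DST_ALG_HMAC_FIRST when landing this. The function continues outside the hunk.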
@@ -3376,7 +3376,7 @@ do
 2) # Diffie Helman
 alg=$((alg+1))
 continue;;
- 159|160|161|162|163|164|165) # private - non standard
+ 157|160|161|162|163|164|165) # private - non standard
 alg=$((alg+1))
 continue;;
 1|5|7|8|10) # RSA algorithms
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 3e60ee3def..ca292b0ef0 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -95,15 +95,22 @@ typedef enum dst_algorithm {
 DST_ALG_ECDSA384 = 14,
 DST_ALG_ED25519 = 15,
 DST_ALG_ED448 = 16,
- DST_ALG_GSSAPI = 159,
- DST_ALG_HMACMD5 = 160,
+
+ /*
+ * Do not renumber HMAC algorithms as they are used externally to named
+ * in legacy K* key pair files.
+ * Do not add non HMAC between DST_ALG_HMACMD5 and DST_ALG_HMACSHA512.
+ */
+ DST_ALG_HMACMD5 = 157,
 DST_ALG_HMAC_FIRST = DST_ALG_HMACMD5,
+ DST_ALG_GSSAPI = 160, /* Internal use only. Exception. */
 DST_ALG_HMACSHA1 = 161, /* XXXMPA */
 DST_ALG_HMACSHA224 = 162, /* XXXMPA */
 DST_ALG_HMACSHA256 = 163, /* XXXMPA */
 DST_ALG_HMACSHA384 = 164, /* XXXMPA */
 DST_ALG_HMACSHA512 = 165, /* XXXMPA */
 DST_ALG_HMAC_LAST = DST_ALG_HMACSHA512,
+
 DST_ALG_INDIRECT = 252,
 DST_ALG_PRIVATE = 254,
 DST_MAX_ALGS = 256,
From a16e10ad8a3fe2f3386b20d598c7083850303471 Mon Sep 17 00:00:00 2001
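Review bot: The new comment forbids non-HMAC values between DST_ALG_HMACMD5 and DST_ALG_HMACSHA512, yet the next addition places DST_ALG_GSSAPI = 160 inside that range with only `Exception.` as justification, so every loop over DST_ALG_HMAC_FIRST..DST_ALG_HMAC_LAST now silently includes a non-HMAC value. I would make the comment explicit: `DST_ALG_GSSAPI is the one non-HMAC value inside the HMAC range (kept at 160 so legacy K*+157+* HMAC-MD5 files parse); every iteration over DST_ALG_HMAC_FIRST..DST_ALG_HMAC_LAST must skip it, as list_hmac_algorithms() in bin/named/main.c does.` Since 160 was HMAC-MD5 in the interim numbering this series reverts, any K*+160+* HMAC-MD5 file written under that numbering would now be read as a GSSAPI key; if that window is considered empty, saying so in the comment saves the next reader the same question. The enum continues outside the hunk.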
From: Mark Andrews Date: Mon, 19 Jun 2023 14:14:39 +1000 Subject: [PATCH 2/5] Test support with legacy HMAC K files with nsupdate tsig-keygen generates key files that are different to those that were generated by dnssec-keygen. Check that nsupdate can still read those old format files. (cherry picked from commit e1fb17e72c069534cd08ad187e419005d75bbcf6) --- bin/tests/system/nsupdate/clean.sh | 1 + .../ns1/legacy/Klegacy-157.+157+23571.key | 1 + .../ns1/legacy/Klegacy-157.+157+23571.private | 7 +++++ .../ns1/legacy/Klegacy-161.+161+23350.key | 1 + .../ns1/legacy/Klegacy-161.+161+23350.private | 7 +++++ .../ns1/legacy/Klegacy-162.+162+00032.key | 1 + .../ns1/legacy/Klegacy-162.+162+00032.private | 7 +++++ .../ns1/legacy/Klegacy-163.+163+48857.key | 1 + .../ns1/legacy/Klegacy-163.+163+48857.private | 7 +++++ .../ns1/legacy/Klegacy-164.+164+09001.key | 1 + .../ns1/legacy/Klegacy-164.+164+09001.private | 7 +++++ .../ns1/legacy/Klegacy-165.+165+61012.key | 1 + .../ns1/legacy/Klegacy-165.+165+61012.private | 7 +++++ bin/tests/system/nsupdate/ns1/named.conf.in | 12 ++++++++ bin/tests/system/nsupdate/setup.sh | 11 +++++++ bin/tests/system/nsupdate/tests.sh | 30 +++++++++++++++++++ 16 files changed, 102 insertions(+) create mode 100644 bin/tests/system/nsupdate/ns1/legacy/Klegacy-157.+157+23571.key create mode 100644 bin/tests/system/nsupdate/ns1/legacy/Klegacy-157.+157+23571.private create mode 100644 bin/tests/system/nsupdate/ns1/legacy/Klegacy-161.+161+23350.key create mode 100644 bin/tests/system/nsupdate/ns1/legacy/Klegacy-161.+161+23350.private create mode 100644 bin/tests/system/nsupdate/ns1/legacy/Klegacy-162.+162+00032.key create mode 100644 bin/tests/system/nsupdate/ns1/legacy/Klegacy-162.+162+00032.private create mode 100644 bin/tests/system/nsupdate/ns1/legacy/Klegacy-163.+163+48857.key create mode 100644 bin/tests/system/nsupdate/ns1/legacy/Klegacy-163.+163+48857.private create mode 100644 bin/tests/system/nsupdate/ns1/legacy/Klegacy-164.+164+09001.key create 
mode 100644 bin/tests/system/nsupdate/ns1/legacy/Klegacy-164.+164+09001.private
create mode 100644 bin/tests/system/nsupdate/ns1/legacy/Klegacy-165.+165+61012.key
create mode 100644 bin/tests/system/nsupdate/ns1/legacy/Klegacy-165.+165+61012.private
diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh
index 1746ec1474..2302d685c0 100644
--- a/bin/tests/system/nsupdate/clean.sh
+++ b/bin/tests/system/nsupdate/clean.sh
@@ -31,6 +31,7 @@ rm -f ns1/example.db ns1/unixtime.db ns1/yyyymmddvv.db ns1/update.db ns1/other.d
 rm -f ns1/many.test.db
 rm -f ns1/maxjournal.db
 rm -f ns1/md5.key ns1/sha1.key ns1/sha224.key ns1/sha256.key ns1/sha384.key
+rm -f ns1/legacy157.key ns1/legacy161.key ns1/legacy162.key ns1/legacy163.key ns1/legacy164.key ns1/legacy165.key
 rm -f ns1/sample.db
 rm -f ns1/sha512.key ns1/ddns.key
 rm -f ns10/_default.tsigkeys
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-157.+157+23571.key b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-157.+157+23571.key
new file mode 100644
index 0000000000..bed002b19d
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-157.+157+23571.key
@@ -0,0 +1 @@
+legacy-157. IN KEY 0 3 157 mGcDSCx/fF121GOVJlITLg==
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-157.+157+23571.private b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-157.+157+23571.private
new file mode 100644
index 0000000000..3ce72dd12d
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-157.+157+23571.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 157 (HMAC_MD5)
+Key: mGcDSCx/fF121GOVJlITLg==
+Bits: AAA=
+Created: 20230619042408
+Publish: 20230619042408
+Activate: 20230619042408
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-161.+161+23350.key b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-161.+161+23350.key
new file mode 100644
index 0000000000..cb50883139
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-161.+161+23350.key
@@ -0,0 +1 @@
+legacy-161. IN KEY 0 3 161 N80fGvcr8JifzRUJ62R4rQ==
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-161.+161+23350.private b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-161.+161+23350.private
new file mode 100644
index 0000000000..dea2850f66
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-161.+161+23350.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 161 (HMAC_SHA1)
+Key: N80fGvcr8JifzRUJ62R4rQ==
+Bits: AAA=
+Created: 20230619042427
+Publish: 20230619042427
+Activate: 20230619042427
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-162.+162+00032.key b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-162.+162+00032.key
new file mode 100644
index 0000000000..126c94f943
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-162.+162+00032.key
@@ -0,0 +1 @@
+legacy-162. IN KEY 0 3 162 nSIKzFAGS7/tvBs8JteI+Q==
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-162.+162+00032.private b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-162.+162+00032.private
new file mode 100644
index 0000000000..af78756918
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-162.+162+00032.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 162 (HMAC_SHA224)
+Key: nSIKzFAGS7/tvBs8JteI+Q==
+Bits: AAA=
+Created: 20230619042555
+Publish: 20230619042555
+Activate: 20230619042555
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-163.+163+48857.key b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-163.+163+48857.key
new file mode 100644
index 0000000000..6945b1b6cd
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-163.+163+48857.key
@@ -0,0 +1 @@
+legacy-163. IN KEY 0 3 163 CvaupxnDeES3HnlYhTq53w==
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-163.+163+48857.private b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-163.+163+48857.private
new file mode 100644
index 0000000000..590ba14623
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-163.+163+48857.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 163 (HMAC_SHA256)
+Key: CvaupxnDeES3HnlYhTq53w==
+Bits: AAA=
+Created: 20230619042525
+Publish: 20230619042525
+Activate: 20230619042525
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-164.+164+09001.key b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-164.+164+09001.key
new file mode 100644
index 0000000000..4869618e83
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-164.+164+09001.key
@@ -0,0 +1 @@
+legacy-164. IN KEY 0 3 164 wDldBJwJrYfPoL1Pj4ucOQ==
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-164.+164+09001.private b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-164.+164+09001.private
new file mode 100644
index 0000000000..f06f67a731
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-164.+164+09001.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 164 (HMAC_SHA384)
+Key: wDldBJwJrYfPoL1Pj4ucOQ==
+Bits: AAA=
+Created: 20230619042615
+Publish: 20230619042615
+Activate: 20230619042615
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-165.+165+61012.key b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-165.+165+61012.key
new file mode 100644
index 0000000000..45a2811ba6
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-165.+165+61012.key
@@ -0,0 +1 @@
+legacy-165. IN KEY 0 3 165 OgZrTcEa8P76hVY+xyN7Wg==
diff --git a/bin/tests/system/nsupdate/ns1/legacy/Klegacy-165.+165+61012.private b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-165.+165+61012.private
new file mode 100644
index 0000000000..1635f2aea8
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/legacy/Klegacy-165.+165+61012.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 165 (HMAC_SHA512)
+Key: OgZrTcEa8P76hVY+xyN7Wg==
+Bits: AAA=
+Created: 20230619042627
+Publish: 20230619042627
+Activate: 20230619042627
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in index aa423c2253..2c1899f17a 100644 --- a/bin/tests/system/nsupdate/ns1/named.conf.in +++ b/bin/tests/system/nsupdate/ns1/named.conf.in @@ -129,6 +129,12 @@ include "sha224.key"; include "sha256.key"; include "sha384.key"; include "sha512.key"; +include "legacy157.key"; +include "legacy161.key"; +include "legacy162.key"; +include "legacy163.key"; +include "legacy164.key"; +include "legacy165.key"; zone "keytests.nil" { type primary; @@ -140,6 +146,12 @@ zone "keytests.nil" { grant sha256-key name sha256.keytests.nil. ANY; grant sha384-key name sha384.keytests.nil. ANY; grant sha512-key name sha512.keytests.nil. ANY; + grant legacy-157 name 157.keytests.nil. ANY; + grant legacy-161 name 161.keytests.nil. ANY; + grant legacy-162 name 162.keytests.nil. ANY; + grant legacy-163 name 163.keytests.nil. ANY; + grant legacy-164 name 164.keytests.nil. ANY; + grant legacy-165 name 165.keytests.nil. ANY; }; }; diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh index a4a1a3f8f9..b12c79789e 100644 --- a/bin/tests/system/nsupdate/setup.sh +++ b/bin/tests/system/nsupdate/setup.sh 
@@ -83,6 +83,17 @@ $TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key $TSIGKEYGEN -a hmac-sha384 sha384-key > ns1/sha384.key $TSIGKEYGEN -a hmac-sha512 sha512-key > ns1/sha512.key +if $FEATURETEST --md5; then + echo 'key "legacy-157" { algorithm "hmac-md5"; secret "mGcDSCx/fF121GOVJlITLg=="; };' > ns1/legacy157.key +else + echo "/* MD5 NOT SUPPORTED */" > ns1/legacy157.key +fi +echo 'key "legacy-161" { algorithm "hmac-sha1"; secret "N80fGvcr8JifzRUJ62R4rQ=="; };' > ns1/legacy161.key +echo 'key "legacy-162" { algorithm "hmac-sha224"; secret "nSIKzFAGS7/tvBs8JteI+Q=="; };' > ns1/legacy162.key +echo 'key "legacy-163" { algorithm "hmac-sha256"; secret "CvaupxnDeES3HnlYhTq53w=="; };' > ns1/legacy163.key +echo 'key "legacy-164" { algorithm "hmac-sha384"; secret "wDldBJwJrYfPoL1Pj4ucOQ=="; };' > ns1/legacy164.key +echo 'key "legacy-165" { algorithm "hmac-sha512"; secret "OgZrTcEa8P76hVY+xyN7Wg=="; };' > ns1/legacy165.key + (cd ns3; $SHELL -e sign.sh) cp -f ns1/many.test.db.in ns1/many.test.db diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh index 9b6c774753..81b51926ce 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh @@ -840,6 +840,36 @@ fi n=$((n + 1)) ret=0 + +n=$((n + 1)) +ret=0 +echo_i "check TSIG key algorithms using legacy K file pairs (nsupdate -k) ($n)" +if $FEATURETEST --md5 +then + ALGS="157 161 162 163 164 165" +else + ALGS="161 162 163 164 165" + echo_i "skipping disabled md5 (157) algorithm" +fi +for alg in $ALGS; do + $NSUPDATE -k ns1/legacy/Klegacy-${alg}.+${alg}+*.key < /dev/null || ret=1 +server 10.53.0.1 ${PORT} +update add ${alg}.keytests.nil. 600 A 10.10.10.3 +send +END +done +sleep 2 +for alg in $ALGS; do + $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 +done +if [ $ret -ne 0 ]; then + echo_i "failed" + status=1 +fi + +n=$((n + 1)) +ret=0 + echo_i "check TSIG key algorithms (nsupdate -k) ($n)" if $FEATURETEST --md5 then 
From 16d6b10c5bed86646d3007cc555a415d070a2383 Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Mon, 19 Jun 2023 17:49:05 +1000 Subject: [PATCH 3/5] Test legacy HMAC key files with dig tsig-keygen is now used to generate key files for TSIG. These have a different format to those that were generated by dnssec-keygen. Test that dig can still read these files. (cherry picked from commit c91a208ef5e59c25555f5ae576c2f1ddb54a655b) --- .../legacy/Khmac-md5-legacy.+157+22023.key | 1 + .../Khmac-md5-legacy.+157+22023.private | 7 +++ .../legacy/Khmac-sha1-legacy.+161+50591.key | 1 + .../Khmac-sha1-legacy.+161+50591.private | 7 +++ .../legacy/Khmac-sha224-legacy.+162+50865.key | 1 + .../Khmac-sha224-legacy.+162+50865.private | 7 +++ .../legacy/Khmac-sha256-legacy.+163+38999.key | 1 + .../Khmac-sha256-legacy.+163+38999.private | 7 +++ .../legacy/Khmac-sha384-legacy.+164+56610.key | 1 + .../Khmac-sha384-legacy.+164+56610.private | 7 +++ .../legacy/Khmac-sha512-legacy.+165+22767.key | 1 + .../Khmac-sha512-legacy.+165+22767.private | 7 +++ bin/tests/system/tsig/ns1/named.conf.in | 27 ++++++++++ bin/tests/system/tsig/setup.sh | 5 ++ bin/tests/system/tsig/tests.sh | 53 +++++++++++++++++++ 15 files changed, 133 insertions(+) create mode 100644 bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.key create mode 100644 bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.private create mode 100644 bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.key create mode 100644 bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.private create mode 100644 bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.key create mode 100644 bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.private create mode 100644 bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.key create mode 100644 bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.private create mode 100644 bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.key create mode 100644 
bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.private
create mode 100644 bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.key
create mode 100644 bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.private
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.key b/bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.key
new file mode 100644
index 0000000000..37ee8aec85
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.key
@@ -0,0 +1 @@
+hmac-md5-legacy. IN KEY 0 3 157 B7HCXJs0XnSPzypG5oHuGw==
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.private b/bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.private
new file mode 100644
index 0000000000..8b2f435513
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 157 (HMAC_MD5)
+Key: B7HCXJs0XnSPzypG5oHuGw==
+Bits: AAA=
+Created: 20230619071002
+Publish: 20230619071002
+Activate: 20230619071002
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.key b/bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.key
new file mode 100644
index 0000000000..bd1445deec
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.key
@@ -0,0 +1 @@
+hmac-sha1-legacy. IN KEY 0 3 161 TxGx9XBp6Pp5yYAOKXdERA==
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.private b/bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.private
new file mode 100644
index 0000000000..fe3d7ec0e3
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 161 (HMAC_SHA1)
+Key: TxGx9XBp6Pp5yYAOKXdERA==
+Bits: AAA=
+Created: 20230619071031
+Publish: 20230619071031
+Activate: 20230619071031
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.key b/bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.key
new file mode 100644
index 0000000000..c849be93d7
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.key
@@ -0,0 +1 @@
+hmac-sha224-legacy. IN KEY 0 3 162 H8Hyw718rLqToQFRLAeFWQ==
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.private b/bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.private
new file mode 100644
index 0000000000..a2f31ec375
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 162 (HMAC_SHA224)
+Key: H8Hyw718rLqToQFRLAeFWQ==
+Bits: AAA=
+Created: 20230619071136
+Publish: 20230619071136
+Activate: 20230619071136
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.key b/bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.key
new file mode 100644
index 0000000000..1bbb6f00c3
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.key
@@ -0,0 +1 @@
+hmac-sha256-legacy. IN KEY 0 3 163 fdT9hiPov4ThMEfRv1FNmA==
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.private b/bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.private
new file mode 100644
index 0000000000..0b209c694d
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 163 (HMAC_SHA256)
+Key: fdT9hiPov4ThMEfRv1FNmA==
+Bits: AAA=
+Created: 20230619071043
+Publish: 20230619071043
+Activate: 20230619071043
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.key b/bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.key
new file mode 100644
index 0000000000..46fae39435
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.key
@@ -0,0 +1 @@
+hmac-sha384-legacy. IN KEY 0 3 164 fnshFIjQTLFap6+j2JGBkA==
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.private b/bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.private
new file mode 100644
index 0000000000..be5aa1268d
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 164 (HMAC_SHA384)
+Key: fnshFIjQTLFap6+j2JGBkA==
+Bits: AAA=
+Created: 20230619071109
+Publish: 20230619071109
+Activate: 20230619071109
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.key b/bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.key
new file mode 100644
index 0000000000..0defc84585
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.key
@@ -0,0 +1 @@
+hmac-sha512-legacy. IN KEY 0 3 165 BZwNLICp2tj4hi6gil41eg==
diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.private b/bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.private
new file mode 100644
index 0000000000..21268e5642
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 165 (HMAC_SHA512)
+Key: BZwNLICp2tj4hi6gil41eg==
+Bits: AAA=
+Created: 20230619071124
+Publish: 20230619071124
+Activate: 20230619071124
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
index 22637af901..de16ccf493 100644
--- a/bin/tests/system/tsig/ns1/named.conf.in
+++ b/bin/tests/system/tsig/ns1/named.conf.in
@@ -50,6 +50,33 @@ key "sha512" {
 algorithm hmac-sha512;
 };
+# hmac-md5-legacy key appended by setup.sh at the end
+
+key "hmac-sha1-legacy" {
+ algorithm "hmac-sha1";
+ secret "TxGx9XBp6Pp5yYAOKXdERA==";
+};
+
+key "hmac-sha224-legacy" {
+ algorithm "hmac-sha224";
+ secret "H8Hyw718rLqToQFRLAeFWQ==";
+};
+
+key "hmac-sha256-legacy" {
+ algorithm "hmac-sha256";
+ secret "fdT9hiPov4ThMEfRv1FNmA==";
+};
+
+key "hmac-sha384-legacy" {
+ algorithm "hmac-sha384";
+ secret "fnshFIjQTLFap6+j2JGBkA==";
+};
+
+key "hmac-sha512-legacy" {
+ algorithm "hmac-sha512";
+ secret "BZwNLICp2tj4hi6gil41eg==";
+};
+
 # md5-trunc key appended by setup.sh at the end
 key "sha1-trunc" {
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
index 6a739f7eb1..d8dbbe3aea 100644
--- a/bin/tests/system/tsig/setup.sh
+++ b/bin/tests/system/tsig/setup.sh
@@ -26,6 +26,11 @@ key "md5" {
 algorithm hmac-md5;
 };
+key "hmac-md5-legacy" {
+ algorithm "hmac-md5";
+ secret "B7HCXJs0XnSPzypG5oHuGw==";
+};
+
 key "md5-trunc" {
 secret "97rnFx24Tfna4mHPfgnerA==";
 algorithm hmac-md5-80;
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
index da85e7d622..42ee16cf54 100644
--- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh
@@ -257,5 +257,58 @@ if [ $ret -eq 1 ] ; then
 echo_i "failed"; status=1
 fi
+if $FEATURETEST --md5
+then
+ echo_i "fetching using hmac-md5 (legacy)"
+ ret=0
+ $DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-md5-legacy.+*.key @10.53.0.1 soa > dig.out.md5.legacy || ret=1
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.legacy > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
+else
+ echo_i "skipping using hmac-md5"
+fi
+
+echo_i "fetching using hmac-sha1 (legacy)"
+ret=0
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha1-legacy.+*.key @10.53.0.1 soa > dig.out.sha1.legacy || ret=1
+grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.legacy > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha224 (legacy)"
+ret=0
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha224-legacy.+*.key @10.53.0.1 soa > dig.out.sha224 || ret=1
+grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha256 (legacy)"
+ret=0
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha256-legacy.*.key @10.53.0.1 soa > dig.out.sha256 || ret=1
+grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha384 (legacy)"
+ret=0
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha384-legacy.*.key @10.53.0.1 soa > dig.out.sha384 || ret=1
+grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha512 (legacy)"
+ret=0
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha512-legacy.*.key @10.53.0.1 soa > dig.out.sha512 || ret=1
+grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
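Review bot: The sha224, sha256, sha384 and sha512 checks write their dig output to `dig.out.sha224`, `dig.out.sha256`, `dig.out.sha384` and `dig.out.sha512`, while the md5 and sha1 checks in the same hunk use the `.legacy` suffix; if the earlier non-legacy checks in this script (before line 257, outside the hunk) use the unsuffixed names, the legacy runs overwrite their output and a failure in either becomes hard to diagnose from the kept artefacts. The `-k` globs are also mixed, `Khmac-sha1-legacy.+*.key` against `Khmac-sha256-legacy.*.key`; both match the fixture, but one form would read better. Suggest `dig.out.sha224.legacy` and so on, plus a single glob style. The same names carry into the PATCH 5/5 hunk of this file, which additionally swaps the order of the two greps in the sha512 block alone.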
From 3db353c646336052d44dc903445fa91cc76ca2b1 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 19 Jun 2023 18:58:40 +1000 Subject: [PATCH 4/5] Add release note entry for [GL #4154] (cherry picked from commit 91cb94dcbb01ba06bf355c42a26351d524039989) --- doc/notes/notes-current.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 2b5bc41428..61e01401c9 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -43,7 +43,8 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- None. +- Restored the abilty to read HMAC-MD5 K file pairs (K*.+157+*.{key,private}) + that was accidentally lost. :gl:`#4154` Known Issues ~~~~~~~~~~~~ From c73876fa90c94c7b930f8c338dcf9c4d0e176010 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 27 Jun 2023 14:24:40 +1000 Subject: [PATCH 5/5] Emit deprecated warning for K* file pairs We try reading the same file using different methods so only emit a warning if we successfully read the file. (cherry picked from commit e3e20ed76e4b13d5cb66718cb8f75538e3290a50) --- bin/tests/system/nsupdate/clean.sh | 1 + bin/tests/system/nsupdate/tests.sh | 3 ++- bin/tests/system/tsig/tests.sh | 18 ++++++++++++------ lib/dns/hmac_link.c | 13 ++++++++++++- 4 files changed, 27 insertions(+), 8 deletions(-) diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh index 2302d685c0..689c2f589a 100644 --- a/bin/tests/system/nsupdate/clean.sh +++ b/bin/tests/system/nsupdate/clean.sh @@ -63,6 +63,7 @@ rm -f ns9/denyname.example.db rm -f ns9/example.com.db rm -f ns9/in-addr.db rm -f perl.update_test.out +rm -f nsupdate.alg-* rm -f nsupdate.out* rm -f typelist.out.* rm -f update.out.* diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh index 81b51926ce..4df7ad8f1c 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh 
@@ -852,7 +852,7 @@ else
 echo_i "skipping disabled md5 (157) algorithm"
 fi
 for alg in $ALGS; do
- $NSUPDATE -k ns1/legacy/Klegacy-${alg}.+${alg}+*.key < /dev/null || ret=1
+ $NSUPDATE -k ns1/legacy/Klegacy-${alg}.+${alg}+*.key < nsupdate.alg-$alg.out 2>&1 || ret=1
 server 10.53.0.1 ${PORT}
 update add ${alg}.keytests.nil. 600 A 10.10.10.3
 send
@@ -861,6 +861,7 @@ done
 sleep 2
 for alg in $ALGS; do
 $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
+ grep "Use of K\* file pairs for HMAC is deprecated" nsupdate.alg-$alg.out > /dev/null || ret=1
 done
 if [ $ret -ne 0 ]; then
 echo_i "failed"
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
index 42ee16cf54..9791283778 100644
--- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh
@@ -261,8 +261,9 @@ if $FEATURETEST --md5
 then
 echo_i "fetching using hmac-md5 (legacy)"
 ret=0
- $DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-md5-legacy.+*.key @10.53.0.1 soa > dig.out.md5.legacy || ret=1
+ $DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-md5-legacy.+*.key @10.53.0.1 soa > dig.out.md5.legacy 2>&1 || ret=1
 grep -i "md5.*TSIG.*NOERROR" dig.out.md5.legacy > /dev/null || ret=1
+ grep "Use of K\* file pairs for HMAC is deprecated" dig.out.md5.legacy > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
 echo_i "failed"; status=1
 fi
@@ -272,39 +273,44 @@ fi

 echo_i "fetching using hmac-sha1 (legacy)"
 ret=0
-$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha1-legacy.+*.key @10.53.0.1 soa > dig.out.sha1.legacy || ret=1
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha1-legacy.+*.key @10.53.0.1 soa > dig.out.sha1.legacy 2>&1 || ret=1
 grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.legacy > /dev/null || ret=1
+grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha1.legacy > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
 echo_i "failed"; status=1
 fi

 echo_i "fetching using hmac-sha224 (legacy)"
 ret=0
-$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha224-legacy.+*.key @10.53.0.1 soa > dig.out.sha224 || ret=1
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha224-legacy.+*.key @10.53.0.1 soa > dig.out.sha224 2>&1 || ret=1
 grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 > /dev/null || ret=1
+grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha224 > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
 echo_i "failed"; status=1
 fi

 echo_i "fetching using hmac-sha256 (legacy)"
 ret=0
-$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha256-legacy.*.key @10.53.0.1 soa > dig.out.sha256 || ret=1
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha256-legacy.*.key @10.53.0.1 soa > dig.out.sha256 2>&1 || ret=1
 grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 > /dev/null || ret=1
+grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha256 > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
 echo_i "failed"; status=1
 fi

 echo_i "fetching using hmac-sha384 (legacy)"
 ret=0
-$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha384-legacy.*.key @10.53.0.1 soa > dig.out.sha384 || ret=1
+$DIG $DIGOPTS example.nil. 
-k ns1/legacy/Khmac-sha384-legacy.*.key @10.53.0.1 soa > dig.out.sha384 2>&1 || ret=1
 grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 > /dev/null || ret=1
+grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha384 > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
 echo_i "failed"; status=1
 fi

 echo_i "fetching using hmac-sha512 (legacy)"
 ret=0
-$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha512-legacy.*.key @10.53.0.1 soa > dig.out.sha512 || ret=1
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha512-legacy.*.key @10.53.0.1 soa > dig.out.sha512 2>&1 || ret=1
+grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha512 > /dev/null || ret=1
 grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 > /dev/null || ret=1
 if [ $ret -eq 1 ]

 ; then
 echo_i "failed"; status=1
diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
index 0a0df8a25b..9f8e94b3d6 100644
--- a/lib/dns/hmac_link.c
+++ b/lib/dns/hmac_link.c
@@ -32,6 +32,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -102,7 +103,17 @@
 } \
 static isc_result_t hmac##alg##_parse( \
 dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { \
- return (hmac_parse(ISC_MD_##alg, key, lexer, pub)); \
+ const char *file = isc_lex_getsourcename(lexer); \
+ isc_result_t result; \
+ result = hmac_parse(ISC_MD_##alg, key, lexer, pub); \
+ if (result == ISC_R_SUCCESS && file != NULL) { \
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, \
+ DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING, \
+ "%s: Use of K* file pairs for HMAC is " \
+ "deprecated\n", \
+ file); \
+ } \
+ return (result); \
 } \
 static dst_func_t hmac##alg##_functions = { \
 hmac##alg##_createctx, \
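Review bot: The format string handed to isc_log_write in the new hmac##alg##_parse body ends in a newline (`"deprecated\n"`), which as far as I know no other BIND log call does because the logging layer terminates each record itself; file and stderr channels would get an empty line after this warning and syslog channels a stray newline inside the record. Suggest `"%s: Use of K* file pairs for HMAC is deprecated"` with the `\n` dropped. `file` is taken from the lexer before hmac_parse() runs and dereferenced after it, which is only safe if hmac_parse() leaves the lexer source open; that appears to hold because the caller owns the lexer, but it is worth confirming since a later refactor of hmac_parse() could silently make `file` dangle. The name of the header added in the first hunk is not legible on this page; it should be the one that declares isc_log_write. The macro body continues outside the hunk.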