mirror of
https://github.com/isc-projects/bind9.git
synced 2026-06-19 23:58:52 -04:00
FIPS tests changes for RHEL
Include MD5 feature detection in featuretest tool and use it in some
places. When RHEL distribution or Fedora ELN is in FIPS mode, then MD5
algorithm is unavailable completely and even hmac-md5 algorithm usage
will always fail. Work that around by checking MD5 works and if not,
skipping its usage.
Those changes were dragged as downstream patch bind-9.11-fips-tests.patch
in Fedora and RHEL.
(cherry picked from commit 6ad794a8cd)
This commit is contained in:
Petr Menšík
Mark Andrews
parent
77fb1a4dc8
commit
3f81fbed12
9 changed files with 104 additions and 48 deletions
|
|
@ -99,7 +99,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
|
|||
# and other values? right out
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
@10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
|
||||
@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@
|
|||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <isc/md.h>
|
||||
#include <isc/net.h>
|
||||
#include <isc/print.h>
|
||||
#include <isc/util.h>
|
||||
|
|
@ -45,6 +46,7 @@ usage() {
|
|||
fprintf(stderr, "\t--have-json-c\n");
|
||||
fprintf(stderr, "\t--have-libxml2\n");
|
||||
fprintf(stderr, "\t--ipv6only=no\n");
|
||||
fprintf(stderr, "\t--md5\n");
|
||||
fprintf(stderr, "\t--tsan\n");
|
||||
fprintf(stderr, "\t--with-dlz-filesystem\n");
|
||||
fprintf(stderr, "\t--with-idn\n");
|
||||
|
|
@ -174,6 +176,20 @@ main(int argc, char **argv) {
|
|||
#endif /* ifdef WIN32 */
|
||||
}
|
||||
|
||||
if (strcmp(argv[1], "--md5") == 0) {
|
||||
unsigned char digest[ISC_MAX_MD_SIZE];
|
||||
const unsigned char test[] = "test";
|
||||
unsigned int size = sizeof(digest);
|
||||
|
||||
if (isc_md(ISC_MD_MD5, test, sizeof(test), digest, &size) ==
|
||||
ISC_R_SUCCESS)
|
||||
{
|
||||
return (0);
|
||||
} else {
|
||||
return (1);
|
||||
}
|
||||
}
|
||||
|
||||
if (strcmp(argv[1], "--tsan") == 0) {
|
||||
#if defined(__has_feature)
|
||||
#if __has_feature(thread_sanitizer)
|
||||
|
|
|
|||
|
|
@ -73,7 +73,11 @@ EOF
|
|||
|
||||
$DDNSCONFGEN -q -z example.nil > ns1/ddns.key
|
||||
|
||||
$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
|
||||
if $FEATURETEST --md5; then
|
||||
$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
|
||||
else
|
||||
echo -n > ns1/md5.key
|
||||
fi
|
||||
$DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
|
||||
$DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
|
||||
$DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
|
||||
|
|
|
|||
|
|
@ -852,7 +852,14 @@ fi
|
|||
n=$((n + 1))
|
||||
ret=0
|
||||
echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
|
||||
for alg in md5 sha1 sha224 sha256 sha384 sha512; do
|
||||
if $FEATURETEST --md5
|
||||
then
|
||||
ALGS="md5 sha1 sha224 sha256 sha384 sha512"
|
||||
else
|
||||
ALGS="sha1 sha224 sha256 sha384 sha512"
|
||||
echo_i "skipping disabled md5 algorithm"
|
||||
fi
|
||||
for alg in $ALGS; do
|
||||
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
update add ${alg}.keytests.nil. 600 A 10.10.10.3
|
||||
|
|
@ -860,7 +867,7 @@ send
|
|||
END
|
||||
done
|
||||
sleep 2
|
||||
for alg in md5 sha1 sha224 sha256 sha384 sha512; do
|
||||
for alg in $ALGS; do
|
||||
$DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
|
||||
done
|
||||
if [ $ret -ne 0 ]; then
|
||||
|
|
|
|||
|
|
@ -40,7 +40,7 @@ make_key () {
|
|||
sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
|
||||
}
|
||||
|
||||
make_key 1 ${EXTRAPORT1} hmac-md5
|
||||
$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
|
||||
make_key 2 ${EXTRAPORT2} hmac-sha1
|
||||
make_key 3 ${EXTRAPORT3} hmac-sha224
|
||||
make_key 4 ${EXTRAPORT4} hmac-sha256
|
||||
|
|
|
|||
|
|
@ -350,16 +350,20 @@ done
|
|||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
n=`expr $n + 1`
|
||||
echo_i "testing rndc with hmac-md5 ($n)"
|
||||
ret=0
|
||||
$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
|
||||
for i in 2 3 4 5 6
|
||||
do
|
||||
$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
||||
done
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
n=$((n+1))
|
||||
if $FEATURETEST --md5; then
|
||||
echo_i "testing rndc with hmac-md5 ($n)"
|
||||
ret=0
|
||||
$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
|
||||
for i in 2 3 4 5 6
|
||||
do
|
||||
$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
||||
done
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status+ret))
|
||||
else
|
||||
echo_i "skipping rndc with hmac-md5 ($n)"
|
||||
fi
|
||||
|
||||
n=`expr $n + 1`
|
||||
echo_i "testing rndc with hmac-sha1 ($n)"
|
||||
|
|
|
|||
|
|
@ -23,10 +23,7 @@ options {
|
|||
notify no;
|
||||
};
|
||||
|
||||
key "md5" {
|
||||
secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
algorithm hmac-md5;
|
||||
};
|
||||
# md5 key appended by setup.sh at the end
|
||||
|
||||
key "sha1" {
|
||||
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
|
||||
|
|
@ -53,10 +50,7 @@ key "sha512" {
|
|||
algorithm hmac-sha512;
|
||||
};
|
||||
|
||||
key "md5-trunc" {
|
||||
secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
algorithm hmac-md5-80;
|
||||
};
|
||||
# md5-trunc key appended by setup.sh at the end
|
||||
|
||||
key "sha1-trunc" {
|
||||
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
|
||||
|
|
|
|||
|
|
@ -17,3 +17,19 @@ SYSTEMTESTTOP=..
|
|||
$SHELL clean.sh
|
||||
|
||||
copy_setports ns1/named.conf.in ns1/named.conf
|
||||
|
||||
if $FEATURETEST --md5
|
||||
then
|
||||
cat >> ns1/named.conf << EOF
|
||||
# Conditionally included when support for MD5 is available
|
||||
key "md5" {
|
||||
secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
algorithm hmac-md5;
|
||||
};
|
||||
|
||||
key "md5-trunc" {
|
||||
secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
algorithm hmac-md5-80;
|
||||
};
|
||||
EOF
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -28,20 +28,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
|
|||
|
||||
status=0
|
||||
|
||||
echo_i "fetching using hmac-md5 (old form)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
|
||||
grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
if $FEATURETEST --md5
|
||||
then
|
||||
echo_i "fetching using hmac-md5 (old form)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
|
||||
grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
|
||||
echo_i "fetching using hmac-md5 (new form)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
|
||||
grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
echo_i "fetching using hmac-md5 (new form)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
|
||||
grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
else
|
||||
echo_i "skipping using hmac-md5"
|
||||
fi
|
||||
|
||||
echo_i "fetching using hmac-sha1"
|
||||
|
|
@ -89,12 +94,17 @@ fi
|
|||
# Truncated TSIG
|
||||
#
|
||||
#
|
||||
echo_i "fetching using hmac-md5 (trunc)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
|
||||
grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
if $FEATURETEST --md5
|
||||
then
|
||||
echo_i "fetching using hmac-md5 (trunc)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
|
||||
grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
else
|
||||
echo_i "skipping using hmac-md5 (trunc)"
|
||||
fi
|
||||
|
||||
echo_i "fetching using hmac-sha1 (trunc)"
|
||||
|
|
@ -143,12 +153,17 @@ fi
|
|||
# Check for bad truncation.
|
||||
#
|
||||
#
|
||||
echo_i "fetching using hmac-md5-80 (BADTRUNC)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
|
||||
grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
if $FEATURETEST --md5
|
||||
then
|
||||
echo_i "fetching using hmac-md5-80 (BADTRUNC)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
|
||||
grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
else
|
||||
echo_i "skipping using hmac-md5-80 (BADTRUNC)"
|
||||
fi
|
||||
|
||||
echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
|
||||
|
|
|
|||
Loading…
Reference in a new issue