From b03cedc7547959dca3e30b8703e3a72d442b4486 Mon Sep 17 00:00:00 2001
From: Colin Vidal
Date: Mon, 27 Jan 2025 12:52:19 +0100
Subject: [PATCH] fix DNSSEC EDE system tests on FIPS platform

Changes !9948 introducing the support of extended DNS error code 1 and 2 uses SHA-1 digest for some tests which break FIPS platform. The digest itself was irrelevant, another digest is used.

(cherry picked from commit d82262d293059d75932000df5e4aa30178ddc99e)
---
 bin/tests/system/dnssec/ns3/sign.sh | 4 ++--
 bin/tests/system/dnssec/ns4/named1.conf.in | 6 +++---
 bin/tests/system/dnssec/ns4/named2.conf.in | 6 +++---
 bin/tests/system/dnssec/ns4/named3.conf.in | 6 +++---
 bin/tests/system/dnssec/ns4/named4.conf.in | 6 +++---
 bin/tests/system/dnssec/tests.sh | 4 ++--
 6 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 5689979cf1..f61ea28381 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -309,7 +309,7 @@ zonefile=digest-alg-unsupported.example.db
 cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "cnameandkey.$zone")
 dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone")
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-keyname2=$("$KEYGEN" -q -a ED448 -b "$DEFAULT_BITS" -n zone "$zone")
+keyname2=$("$KEYGEN" -q -a ECDSAP384SHA384 -b "$DEFAULT_BITS" -n zone "$zone")
 cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" "$keyname2.key" >"$zonefile"
@@ -319,7 +319,7 @@ mv "$zonefile".tmp "$zonefile".signed
 # override generated DS record file so we can set different digest to each keys
 DSFILE="dsset-${zone}"
-$DSFROMKEY -1 -A -f ${zonefile}.signed "$zone" | head -n 1 >"$DSFILE"
+$DSFROMKEY -a SHA-384 -A -f ${zonefile}.signed "$zone" | head -n 1 >"$DSFILE"
 $DSFROMKEY -2 -A -f ${zonefile}.signed "$zone" | tail -1 >>"$DSFILE"
 #
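Review bot: The `head -n 1` / `tail -1` split on the two dsfromkey lines assumes the DS for `$keyname` is emitted before the one for `$keyname2`, and the tests.sh expectation (SHA-384 reported for the DEFAULT_ALGORITHM key, ECDSAP384SHA384 reported for the second key) only holds while that order is stable. If dsfromkey orders its output by DNSKEY RDATA, a DEFAULT_ALGORITHM whose algorithm number sorts after 14 would swap the two digests without any failure in sign.sh itself; a comment above the two lines, `# line 1 must be the $keyname DS (SHA-384, the "unsupported" digest); line 2 the $keyname2 DS (SHA-256) -- tests.sh depends on this order`, would make the dependency visible to the next person changing the algorithm. For the same reason mixing `-a SHA-384` with the legacy `-2` on adjacent lines is worth aligning, e.g. `-a SHA-256` on the second line. `${zonefile}.signed` is unquoted on both lines while every other expansion in the hunk is quoted (pre-existing). The surrounding signing step starts before this hunk.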
diff --git a/bin/tests/system/dnssec/ns4/named1.conf.in b/bin/tests/system/dnssec/ns4/named1.conf.in
index be904a53a2..8e29a45db7 100644
--- a/bin/tests/system/dnssec/ns4/named1.conf.in
+++ b/bin/tests/system/dnssec/ns4/named1.conf.in
@@ -30,9 +30,9 @@ options {
  nta-recheck 9s;
  validate-except { corp; };
- disable-algorithms "digest-alg-unsupported.example." { ED448; };
- disable-ds-digests "digest-alg-unsupported.example." { "SHA1"; "SHA-1"; };
- disable-ds-digests "ds-unsupported.example." {"SHA1"; "SHA-1"; "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
+ disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
+ disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
+ disable-ds-digests "ds-unsupported.example." {"SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
  disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
  # Note: We only reference the bind.keys file here to confirm that it
diff --git a/bin/tests/system/dnssec/ns4/named2.conf.in b/bin/tests/system/dnssec/ns4/named2.conf.in
index 7f1188830b..bf82385f71 100644
--- a/bin/tests/system/dnssec/ns4/named2.conf.in
+++ b/bin/tests/system/dnssec/ns4/named2.conf.in
@@ -25,9 +25,9 @@ options {
  dnssec-validation auto;
  bindkeys-file "managed.conf";
  minimal-responses no;
- disable-algorithms "digest-alg-unsupported.example." { ED448; };
- disable-ds-digests "digest-alg-unsupported.example." { "SHA1"; "SHA-1"; };
- disable-ds-digests "ds-unsupported.example." {"SHA1"; "SHA-1"; "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
+ disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
+ disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
+ disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
  disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
 };
diff --git a/bin/tests/system/dnssec/ns4/named3.conf.in b/bin/tests/system/dnssec/ns4/named3.conf.in
index d90ffb0531..21fb38db9d 100644
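Review bot: The new `disable-ds-digests "ds-unsupported.example."` line in named1.conf.in keeps `{"SHA256"` with no space after the brace while the same line in named2, named3 and named4 now reads `{ "SHA256"`, and named3's `"SHA-384";}` drops the space before the closing brace; the three lines are otherwise identical across the four files, so `disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };` in all of them keeps the files diff-able against each other. Removing `"SHA1"; "SHA-1";` from the ds-unsupported.example list also means that on non-FIPS builds a SHA-1 DS digest for that zone is no longer disabled; if that zone's DS is published with a SHA-1 digest anywhere, the "unsupported" outcome would now depend on the platform, so it is worth confirming its DS uses SHA-256 or SHA-384 (the signing script for that zone is not in this patch). A one-line comment above the block in each file, `# digest-alg-unsupported.example: one DNSKEY with an unsupported DS digest (SHA-384), the other with an unsupported algorithm (ECDSAP384SHA384); keep in sync with ns3/sign.sh and tests.sh`, would tie the three places together. The same points apply to the named2, named3 and named4 hunks.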
--- a/bin/tests/system/dnssec/ns4/named3.conf.in
+++ b/bin/tests/system/dnssec/ns4/named3.conf.in
@@ -26,9 +26,9 @@ options {
  bindkeys-file "managed.conf";
  dnssec-accept-expired yes;
  minimal-responses no;
- disable-algorithms "digest-alg-unsupported.example." { ED448; };
- disable-ds-digests "digest-alg-unsupported.example." { "SHA1"; "SHA-1"; };
- disable-ds-digests "ds-unsupported.example." {"SHA1"; "SHA-1"; "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
+ disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
+ disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384";};
+ disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
  disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
 };
diff --git a/bin/tests/system/dnssec/ns4/named4.conf.in b/bin/tests/system/dnssec/ns4/named4.conf.in
index 1a8d917ca8..34f59b498a 100644
--- a/bin/tests/system/dnssec/ns4/named4.conf.in
+++ b/bin/tests/system/dnssec/ns4/named4.conf.in
@@ -21,9 +21,9 @@ options {
  pid-file "named.pid";
  listen-on { 10.53.0.4; };
  listen-on-v6 { none; };
- disable-algorithms "digest-alg-unsupported.example." { ED448; };
- disable-ds-digests "digest-alg-unsupported.example." { "SHA1"; "SHA-1"; };
- disable-ds-digests "ds-unsupported.example." {"SHA1"; "SHA-1"; "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
+ disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
+ disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
+ disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
  disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
 };
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index ea2eafcb56..12cb3de13e 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3704,8 +3704,8 @@ status=$((status + ret))
 echo_i "checking both EDE code 1 and 2 for unsupported digest on one DNSKEY and alg on the other ($n)"
 ret=0
 dig_with_opts @10.53.0.4 a.digest-alg-unsupported.example >dig.out.ns4.test$n || ret=1
-grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (ED448 digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
-grep "; EDE: 2 (Unsupported DS Digest Type): (SHA-1 digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
+grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (ECDSAP384SHA384 digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
+grep "; EDE: 2 (Unsupported DS Digest Type): (SHA-384 digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
 n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
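Review bot: The two new EDE patterns are handed to `grep` as basic regular expressions, so the `.` in `digest-alg-unsupported.example` and the parentheses only match the literal text by accident of BRE syntax; `grep -F -- "; EDE: 1 (Unsupported DNSKEY Algorithm): (ECDSAP384SHA384 digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1` (and the same `-F --` on the EDE 2 line) states that a fixed string is expected, while the `flags:.*ad.*QUERY` check below keeps its regex. The algorithm and digest names in these strings have to agree with the key generated in ns3/sign.sh and with the disable-algorithms / disable-ds-digests entries in ns4/named1-4.conf.in, and nothing in this check says so; a comment before `ret=0`, `# expects ECDSAP384SHA384 and SHA-384: must match ns3/sign.sh and ns4/named*.conf.in`, would keep the next platform-driven change from missing one of the three places. The `status=$((status + ret))` line that follows `test "$ret" -eq 0 || echo_i "failed"` in the surrounding sequence is outside the hunk.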