From: Petr Menšík Date: Thu, 2 Aug 2018 21:46:45 +0000 (+0200) Subject: FIPS tests changes for RHEL X-Git-Tag: v9.19.11~65^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6ad794a8cdd092bbb093660164739ad2d1469fa3;p=thirdparty%2Fbind9.git FIPS tests changes for RHEL Include MD5 feature detection in featuretest tool and use it in some places. When RHEL distribution or Fedora ELN is in FIPS mode, then MD5 algorithm is unavailable completely and even hmac-md5 algorithm usage will always fail. Work that around by checking MD5 works and if not, skipping its usage. Those changes were dragged as downstream patch bind-9.11-fips-tests.patch in Fedora and RHEL. --- diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh index df23d6a2f15..0984d85ed9a 100644 --- a/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh @@ -98,7 +98,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1 # and other values? right out t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t} + @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" > dig.out.${t} grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c index b1adaedadea..e6b1eb1e229 100644 --- a/bin/tests/system/feature-test.c +++ b/bin/tests/system/feature-test.c @@ -17,6 +17,7 @@ #include #include +#include #include #include #include @@ -37,6 +38,7 @@ usage(void) { fprintf(stderr, "\t--have-json-c\n"); fprintf(stderr, "\t--have-libxml2\n"); fprintf(stderr, "\t--ipv6only=no\n"); + fprintf(stderr, "\t--md5\n"); fprintf(stderr, "\t--tsan\n"); fprintf(stderr, "\t--with-dlz-filesystem\n"); fprintf(stderr, "\t--with-libidn2\n"); @@ -143,6 +145,20 @@ main(int argc, char **argv) { #endif } + if (strcmp(argv[1], "--md5") == 0) { + unsigned char digest[ISC_MAX_MD_SIZE]; + const unsigned char test[] = "test"; + unsigned int size = sizeof(digest); + + if (isc_md(ISC_MD_MD5, test, sizeof(test), digest, &size) == + ISC_R_SUCCESS) + { + return (0); + } else { + return (1); + } + } + if (strcmp(argv[1], "--ipv6only=no") == 0) { #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY) int s; diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh index b7d7b38107b..25c4cb4d8bb 100644 --- a/bin/tests/system/nsupdate/setup.sh +++ b/bin/tests/system/nsupdate/setup.sh @@ -73,7 +73,11 @@ EOF $TSIGKEYGEN ddns-key.example.nil > ns1/ddns.key -$TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key +if $FEATURETEST --md5; then + $TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key +else + echo -n > ns1/md5.key +fi $TSIGKEYGEN -a hmac-sha1 sha1-key > ns1/sha1.key $TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key $TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh index c45b2fe3ad6..64895423480 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh @@ -959,7 +959,14 @@ fi n=$((n + 1)) ret=0 echo_i "check TSIG key algorithms (nsupdate -k) ($n)" -for alg in md5 sha1 sha224 sha256 sha384 sha512; do +if $FEATURETEST --md5 +then + ALGS="md5 sha1 sha224 sha256 sha384 sha512" +else + ALGS="sha1 sha224 sha256 sha384 sha512" + echo_i "skipping disabled md5 algorithm" +fi +for alg in $ALGS; do $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1 server 10.53.0.1 ${PORT} update add ${alg}.keytests.nil. 600 A 10.10.10.3 @@ -967,7 +974,7 @@ send END done sleep 2 -for alg in md5 sha1 sha224 sha256 sha384 sha512; do +for alg in $ALGS; do $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 done if [ $ret -ne 0 ]; then diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh index a8793f36d9f..e6714c09913 100644 --- a/bin/tests/system/rndc/setup.sh +++ b/bin/tests/system/rndc/setup.sh @@ -48,7 +48,7 @@ make_key () { sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf } -make_key 1 ${EXTRAPORT1} hmac-md5 +$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5 make_key 2 ${EXTRAPORT2} hmac-sha1 make_key 3 ${EXTRAPORT3} hmac-sha224 make_key 4 ${EXTRAPORT4} hmac-sha256 diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh index 424ac2befe7..27219a3df8d 100644 --- a/bin/tests/system/rndc/tests.sh +++ b/bin/tests/system/rndc/tests.sh @@ -350,15 +350,19 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "testing rndc with hmac-md5 ($n)" -ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 -for i in 2 3 4 5 6 -do - $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 -done -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +if $FEATURETEST --md5; then + echo_i "testing rndc with hmac-md5 ($n)" + ret=0 + $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 + for i in 2 3 4 5 6 + do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +else + echo_i "skipping rndc with hmac-md5 ($n)" +fi n=$((n+1)) echo_i "testing rndc with hmac-sha1 ($n)" diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in index 76cf970397d..22637af9016 100644 --- a/bin/tests/system/tsig/ns1/named.conf.in +++ b/bin/tests/system/tsig/ns1/named.conf.in @@ -23,10 +23,7 @@ options { notify no; }; -key "md5" { - secret "97rnFx24Tfna4mHPfgnerA=="; - algorithm hmac-md5; -}; +# md5 key appended by setup.sh at the end key "sha1" { secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; @@ -53,10 +50,7 @@ key "sha512" { algorithm hmac-sha512; }; -key "md5-trunc" { - secret "97rnFx24Tfna4mHPfgnerA=="; - algorithm hmac-md5-80; -}; +# md5-trunc key appended by setup.sh at the end key "sha1-trunc" { secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh index 34cc73bf534..6a739f7eb1d 100644 --- a/bin/tests/system/tsig/setup.sh +++ b/bin/tests/system/tsig/setup.sh @@ -16,3 +16,19 @@ $SHELL clean.sh copy_setports ns1/named.conf.in ns1/named.conf + +if $FEATURETEST --md5 +then + cat >> ns1/named.conf << EOF +# Conditionally included when support for MD5 is available +key "md5" { + secret "97rnFx24Tfna4mHPfgnerA=="; + algorithm hmac-md5; +}; + +key "md5-trunc" { + secret "97rnFx24Tfna4mHPfgnerA=="; + algorithm hmac-md5-80; +}; +EOF +fi diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh index 106722741cf..ee05e838c17 100644 --- a/bin/tests/system/tsig/tests.sh +++ b/bin/tests/system/tsig/tests.sh @@ -27,20 +27,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f status=0 -echo_i "fetching using hmac-md5 (old form)" -ret=0 -$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 -grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 -fi - -echo_i "fetching using hmac-md5 (new form)" -ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 -grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +if $FEATURETEST --md5 +then + echo_i "fetching using hmac-md5 (old form)" + ret=0 + $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 + grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 + fi + + echo_i "fetching using hmac-md5 (new form)" + ret=0 + $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 + grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 + fi +else + echo_i "skipping using hmac-md5" fi echo_i "fetching using hmac-sha1" @@ -88,12 +93,17 @@ fi # Truncated TSIG # # -echo_i "fetching using hmac-md5 (trunc)" -ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 -grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +if $FEATURETEST --md5 +then + echo_i "fetching using hmac-md5 (trunc)" + ret=0 + $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 + grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 + fi +else + echo_i "skipping using hmac-md5 (trunc)" fi echo_i "fetching using hmac-sha1 (trunc)" @@ -142,12 +152,17 @@ fi # Check for bad truncation. # # -echo_i "fetching using hmac-md5-80 (BADTRUNC)" -ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 -grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +if $FEATURETEST --md5 +then + echo_i "fetching using hmac-md5-80 (BADTRUNC)" + ret=0 + $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 + grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 + fi +else + echo_i "skipping using hmac-md5-80 (BADTRUNC)" fi echo_i "fetching using hmac-sha1-80 (BADTRUNC)"