From: Mark Andrews Date: Mon, 20 Dec 2021 06:12:53 +0000 (+1100) Subject: tsig: only use FIPS compatible HMAC in FIPS mode X-Git-Tag: v9.19.12~38^2~15 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e8177ac605ace55ad35aa51027f123c59d248b2b;p=thirdparty%2Fbind9.git tsig: only use FIPS compatible HMAC in FIPS mode HMACMD5 is not permitted in FIPS mode. Only test HMACMD5 when not in FIPS mode.
---
diff --git a/bin/tests/system/tsig/ns1/named-fips.conf.in b/bin/tests/system/tsig/ns1/named-fips.conf.in
new file mode 100644
index 00000000000..ab965689627
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/named-fips.conf.in
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+};
+
+key "sha1" {
+ secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+ algorithm hmac-sha1;
+};
+
+key "sha224" {
+ secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
+ algorithm hmac-sha224;
+};
+
+key "sha256" {
+ secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
+ algorithm hmac-sha256;
+};
+
+key "sha384" {
+ secret "OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h";
+ algorithm hmac-sha384;
+};
+
+key "sha512" {
+ secret "jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg==";
+ algorithm hmac-sha512;
+};
+
+key "sha1-trunc" {
+ secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+ algorithm hmac-sha1-80;
+};
+
+key "sha224-trunc" {
+ secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
+ algorithm hmac-sha224-112;
+};
+
+key "sha256-trunc" {
+ secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
+ algorithm hmac-sha256-128;
+};
+
+key "sha384-trunc" {
+ secret "OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h";
+ algorithm hmac-sha384-192;
+};
+
+key "sha512-trunc" {
+ secret "jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg==";
+ algorithm hmac-sha512-256;
+};
+
+zone "example.nil" {
+ type primary;
+ file "example.db";
+};
+
+server 10.53.0.2 {
+ keys sha256;
+};
+
+zone "bad-tsig" {
+ type forward;
+ forwarders { 10.53.0.2; };
+ forward only;
+};
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
index 22637af9016..17f2aba5e9e 100644
--- a/bin/tests/system/tsig/ns1/named.conf.in
+++ b/bin/tests/system/tsig/ns1/named.conf.in
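Review bot: The new file carries a FIPS-specific name but is the configuration used in both modes (setup.sh installs it directly as named.conf when MD5 is unavailable and pulls it in via include otherwise), and nothing in its header says so. A short comment after the licence block would stop the next reader assuming it is FIPS-only, e.g. `/* Base configuration: only HMAC algorithms permitted in FIPS mode. The HMAC-MD5 keys live in named.conf.in, which includes this file when MD5 support is available. */`. The `recursion yes;` and the unkeyed `bad-tsig` forward zone are carried over unchanged from the removed named.conf.in content and are reasonable for a test server.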
@@ -11,83 +11,14 @@
  * information regarding copyright ownership.
  */
-options {
- query-source address 10.53.0.1;
- notify-source 10.53.0.1;
- transfer-source 10.53.0.1;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.1; };
- listen-on-v6 { none; };
- recursion yes;
- notify no;
-};
-
-# md5 key appended by setup.sh at the end
-
-key "sha1" {
- secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
- algorithm hmac-sha1;
-};
-
-key "sha224" {
- secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
- algorithm hmac-sha224;
-};
-
-key "sha256" {
- secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
- algorithm hmac-sha256;
-};
-
-key "sha384" {
- secret "OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h";
- algorithm hmac-sha384;
-};
-
-key "sha512" {
- secret "jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg==";
- algorithm hmac-sha512;
-};
-
-# md5-trunc key appended by setup.sh at the end
-
-key "sha1-trunc" {
- secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
- algorithm hmac-sha1-80;
-};
-
-key "sha224-trunc" {
- secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
- algorithm hmac-sha224-112;
-};
-
-key "sha256-trunc" {
- secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
- algorithm hmac-sha256-128;
-};
-
-key "sha384-trunc" {
- secret "OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h";
- algorithm hmac-sha384-192;
-};
-
-key "sha512-trunc" {
- secret "jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg==";
- algorithm hmac-sha512-256;
-};
-
-zone "example.nil" {
- type primary;
- file "example.db";
-};
+include "named-fips.conf";
-server 10.53.0.2 {
- keys sha256;
+key "md5" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5;
 };
-zone "bad-tsig" {
- type forward;
- forwarders { 10.53.0.2; };
- forward only;
+key "md5-trunc" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5-80;
 };
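Review bot: named.conf.in is now a bare include plus two HMAC-MD5 keys, and the only comments that explained the split (`# md5 key appended by setup.sh at the end`, `# md5-trunc key appended by setup.sh at the end`) go away with the removed key blocks, so nothing in the file says why these keys are kept apart from the included ones. Suggest a comment above the include, e.g. `# Non-FIPS configuration: named-fips.conf holds the algorithms allowed in FIPS mode; the HMAC-MD5 keys below are only loaded when setup.sh finds MD5 support.`. Note that `include "named-fips.conf"` is a relative path and neither file sets a `directory` option, so it presumably relies on the test harness starting named inside ns1 — worth confirming if the runner can launch named from elsewhere.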
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
index 6a739f7eb1d..6a9c45f3719 100644
--- a/bin/tests/system/tsig/setup.sh
+++ b/bin/tests/system/tsig/setup.sh
@@ -15,20 +15,11 @@ $SHELL clean.sh
-copy_setports ns1/named.conf.in ns1/named.conf
-
 if $FEATURETEST --md5
 then
- cat >> ns1/named.conf << EOF
-# Conditionally included when support for MD5 is available
-key "md5" {
- secret "97rnFx24Tfna4mHPfgnerA==";
- algorithm hmac-md5;
-};
-
-key "md5-trunc" {
- secret "97rnFx24Tfna4mHPfgnerA==";
- algorithm hmac-md5-80;
-};
-EOF
+ copy_setports ns1/named-fips.conf.in ns1/named-fips.conf
+ # includes named-fips.conf
+ cp ns1/named.conf.in ns1/named.conf
+else
+ copy_setports ns1/named-fips.conf.in ns1/named.conf
 fi
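Review bot: The MD5 branch installs named.conf with a plain `cp ns1/named.conf.in ns1/named.conf` while every other config on this page goes through `copy_setports`; that works only because named.conf.in no longer contains `@PORT@`, and a placeholder added to it later would reach named unexpanded with no error from the setup. Using `copy_setports ns1/named.conf.in ns1/named.conf` in that branch keeps both paths uniform, assuming copy_setports is a no-op on a file with no placeholders — confirm against conf.sh. The new `# includes named-fips.conf` comment could also say what the branch is for, e.g. `# MD5 available (non-FIPS): named.conf includes named-fips.conf and adds the HMAC-MD5 keys`, since the removed `# Conditionally included when support for MD5 is available` was the only explanation of the conditional.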