tsig: only use FIPS compatible HMAC in FIPS mode

HMACMD5 is not permitted in FIPS mode.  Only test HMACMD5 when not
in FIPS mode.

diff --git a/bin/tests/system/tsig/ns1/named-fips.conf.in b/bin/tests/system/tsig/ns1/named-fips.conf.in
new file mode 100644 (file)
index 0000000..ab96568
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/named-fips.conf.in
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       query-source address 10.53.0.1;
+       notify-source 10.53.0.1;
+       transfer-source 10.53.0.1;
+       port @PORT@;
+       pid-file "named.pid";
+       listen-on { 10.53.0.1; };
+       listen-on-v6 { none; };
+       recursion yes;
+       notify no;
+};
+
+key "sha1" {
+       secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+       algorithm hmac-sha1;
+};
+
+key "sha224" {
+       secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
+       algorithm hmac-sha224;
+};
+
+key "sha256" {
+       secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
+       algorithm hmac-sha256;
+};
+
+key "sha384" {
+       secret "OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h";
+       algorithm hmac-sha384;
+};
+
+key "sha512" {
+       secret "jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg==";
+       algorithm hmac-sha512;
+};
+
+key "sha1-trunc" {
+       secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+       algorithm hmac-sha1-80;
+};
+
+key "sha224-trunc" {
+       secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
+       algorithm hmac-sha224-112;
+};
+
+key "sha256-trunc" {
+       secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
+       algorithm hmac-sha256-128;
+};
+
+key "sha384-trunc" {
+       secret "OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h";
+       algorithm hmac-sha384-192;
+};
+
+key "sha512-trunc" {
+       secret "jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg==";
+       algorithm hmac-sha512-256;
+};
+
+zone "example.nil" {
+       type primary;
+       file "example.db";
+};
+
+server 10.53.0.2 {
+       keys sha256;
+};
+
+zone "bad-tsig" {
+       type forward;
+       forwarders { 10.53.0.2; };
+       forward only;
+};

diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
index 22637af90163da134d766fe7b3ea3c5d9b0995a6..17f2aba5e9e1e3dad67d972f33a46280e99b8dfe 100644 (file)
--- a/bin/tests/system/tsig/ns1/named.conf.in
+++ b/bin/tests/system/tsig/ns1/named.conf.in
@@ -11,83 +11,14 @@
  * information regarding copyright ownership.
  */
 
-options {
-       query-source address 10.53.0.1;
-       notify-source 10.53.0.1;
-       transfer-source 10.53.0.1;
-       port @PORT@;
-       pid-file "named.pid";
-       listen-on { 10.53.0.1; };
-       listen-on-v6 { none; };
-       recursion yes;
-       notify no;
-};
-
-# md5 key appended by setup.sh at the end
-
-key "sha1" {
-       secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
-       algorithm hmac-sha1;
-};
-
-key "sha224" {
-       secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
-       algorithm hmac-sha224;
-};
-
-key "sha256" {
-       secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
-       algorithm hmac-sha256;
-};
-
-key "sha384" {
-       secret "OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h";
-       algorithm hmac-sha384;
-};
-
-key "sha512" {
-       secret "jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg==";
-       algorithm hmac-sha512;
-};
-
-# md5-trunc key appended by setup.sh at the end
-
-key "sha1-trunc" {
-       secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
-       algorithm hmac-sha1-80;
-};
-
-key "sha224-trunc" {
-       secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
-       algorithm hmac-sha224-112;
-};
-
-key "sha256-trunc" {
-       secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
-       algorithm hmac-sha256-128;
-};
-
-key "sha384-trunc" {
-       secret "OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h";
-       algorithm hmac-sha384-192;
-};
-
-key "sha512-trunc" {
-       secret "jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg==";
-       algorithm hmac-sha512-256;
-};
-
-zone "example.nil" {
-       type primary;
-       file "example.db";
-};
+include "named-fips.conf";
 
-server 10.53.0.2 {
-       keys sha256;
+key "md5" {
+       secret "97rnFx24Tfna4mHPfgnerA==";
+       algorithm hmac-md5;
 };
 
-zone "bad-tsig" {
-       type forward;
-       forwarders { 10.53.0.2; };
-       forward only;
+key "md5-trunc" {
+       secret "97rnFx24Tfna4mHPfgnerA==";
+       algorithm hmac-md5-80;
 };

diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
index 6a739f7eb1d66c57fe9534f2d21be599397cec17..6a9c45f37196c84620621efab71fe1be5cec605d 100644 (file)
--- a/bin/tests/system/tsig/setup.sh
+++ b/bin/tests/system/tsig/setup.sh
@@ -15,20 +15,11 @@
 
 $SHELL clean.sh
 
-copy_setports ns1/named.conf.in ns1/named.conf
-
 if $FEATURETEST --md5
 then
-       cat >> ns1/named.conf << EOF
-# Conditionally included when support for MD5 is available
-key "md5" {
-        secret "97rnFx24Tfna4mHPfgnerA==";
-        algorithm hmac-md5;
-};
-
-key "md5-trunc" {
-        secret "97rnFx24Tfna4mHPfgnerA==";
-        algorithm hmac-md5-80;
-};
-EOF
+    copy_setports ns1/named-fips.conf.in ns1/named-fips.conf
+    # includes named-fips.conf
+    cp ns1/named.conf.in ns1/named.conf
+else
+    copy_setports ns1/named-fips.conf.in ns1/named.conf
 fi