diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch index 072419f..25f0e76 100644 --- a/bind-9.11-fips-tests.patch +++ b/bind-9.11-fips-tests.patch @@ -1,4 +1,4 @@ -From 2ad42c7c23858f12d977526d6ebc3465907d7b1b Mon Sep 17 00:00:00 2001 +From f7d0320466815001b0fdf85f85a436f39463287e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 2 Aug 2018 23:46:45 +0200 Subject: [PATCH] FIPS tests changes @@ -57,6 +57,8 @@ Date: Wed Mar 7 10:44:23 2018 +0100 Change tests to not use hmac-md5 algorithms if not required Use hmac-sha256 instead of default hmac-md5 for allow-query + +Use DEFAULT_HMAC configured variable --- bin/tests/system/acl/ns2/named1.conf.in | 4 +- bin/tests/system/acl/ns2/named2.conf.in | 4 +- 
@@ -73,26 +75,35 @@ Date: Wed Mar 7 10:44:23 2018 +0100 .../system/allow-query/ns2/named40.conf.in | 4 +- bin/tests/system/allow-query/tests.sh | 18 ++--- bin/tests/system/catz/ns1/named.conf.in | 2 +- + bin/tests/system/catz/ns2/named1.conf.in | 2 +- + bin/tests/system/catz/ns2/named2.conf.in | 2 +- bin/tests/system/checkconf/bad-tsig.conf | 2 +- bin/tests/system/checkconf/good.conf | 2 +- + bin/tests/system/cookie/ns1/named.conf.in | 2 +- + bin/tests/system/dnssec/ns4/named5.conf.in | 2 +- bin/tests/system/feature-test.c | 14 ++++ bin/tests/system/notify/ns5/named.conf.in | 6 +- bin/tests/system/notify/tests.sh | 6 +- bin/tests/system/nsupdate/ns1/named.conf.in | 2 +- bin/tests/system/nsupdate/ns2/named.conf.in | 2 +- + bin/tests/system/nsupdate/ns9/named.conf.in | 2 +- bin/tests/system/nsupdate/setup.sh | 6 +- bin/tests/system/nsupdate/tests.sh | 9 ++- + bin/tests/system/rndc/ns2/named.conf.in | 2 +- + bin/tests/system/rndc/ns3/named.conf.in | 2 +- bin/tests/system/rndc/setup.sh | 2 +- bin/tests/system/rndc/tests.sh | 22 +++--- bin/tests/system/tsig/ns1/named.conf.in | 10 +-- + bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++ bin/tests/system/tsig/setup.sh | 5 ++ bin/tests/system/tsig/tests.sh | 67 ++++++++++++------- bin/tests/system/upforwd/ns1/named.conf.in | 2 +- bin/tests/system/upforwd/tests.sh | 2 +- - 31 files changed, 147 insertions(+), 106 deletions(-) + 39 files changed, 164 insertions(+), 113 deletions(-) + create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in -index 8787c6a..b781d0b 100644 +index 8787c6a..682ba97 100644 --- a/bin/tests/system/acl/ns2/named1.conf.in +++ b/bin/tests/system/acl/ns2/named1.conf.in @@ -35,12 +35,12 @@ options { 
@@ -100,18 +111,18 @@ index 8787c6a..b781d0b 100644 key one { - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in -index a95b4c1..3f3f471 100644 +index a95b4c1..7b1cea6 100644 --- a/bin/tests/system/acl/ns2/named2.conf.in +++ b/bin/tests/system/acl/ns2/named2.conf.in @@ -35,12 +35,12 @@ options { @@ -119,18 +130,18 @@ index a95b4c1..3f3f471 100644 key one { - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in -index 14cc3fe..9507706 100644 +index 14cc3fe..6b35ba5 100644 --- a/bin/tests/system/acl/ns2/named3.conf.in +++ b/bin/tests/system/acl/ns2/named3.conf.in @@ -35,17 +35,17 @@ options { @@ -138,24 +149,24 @@ index 14cc3fe..9507706 100644 key one { - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key three { - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in -index 77cf110..029c91b 100644 +index 77cf110..b23a1ca 100644 --- a/bin/tests/system/acl/ns2/named4.conf.in +++ b/bin/tests/system/acl/ns2/named4.conf.in @@ -35,12 +35,12 @@ options { 
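Review bot: `algorithm @DEFAULT_HMAC@;` in `key one` and `key two` of acl/ns2/named1.conf.in only works if the system-test harness substitutes that token when it generates named.conf from the `.conf.in` (conf.sh's copy_setports or its equivalent); no change to that substitution list is visible in this diff, and an unreplaced token makes named reject the file at startup, which the test reports as a generic start failure rather than a configuration error. The same token is introduced by the named2–named5, allow-query named10–named40, catz, notify/ns5 and upforwd hunks below, so one confirmation covers them all. The client side must agree as well: any `dig -y` / `nsupdate -y` call in the matching tests.sh that names the algorithm needs to take it from the same configured value rather than a hard-coded `hmac-sha256`, or TSIG verification fails whenever DEFAULT_HMAC is configured to something else; those tests.sh hunks are outside this view.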
@@ -163,18 +174,18 @@ index 77cf110..029c91b 100644 key one { - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in -index 5ccabf9..6154797 100644 +index 5ccabf9..52791aa 100644 --- a/bin/tests/system/acl/ns2/named5.conf.in +++ b/bin/tests/system/acl/ns2/named5.conf.in @@ -37,12 +37,12 @@ options { @@ -182,13 +193,13 @@ index 5ccabf9..6154797 100644 key one { - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; @@ -319,7 +330,7 @@ index ad98fa1..7a7ff4a 100644 echo_i "testing allow-query-on ACL processing" diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in -index b91d19a..7d777c2 100644 +index b91d19a..ae485e8 100644 --- a/bin/tests/system/allow-query/ns2/named10.conf.in +++ b/bin/tests/system/allow-query/ns2/named10.conf.in @@ -12,7 +12,7 @@ @@ -327,12 +338,12 @@ index b91d19a..7d777c2 100644 key one { - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in -index 308c4ca..00f6f40 100644 +index 308c4ca..8a5e806 100644 --- a/bin/tests/system/allow-query/ns2/named11.conf.in +++ b/bin/tests/system/allow-query/ns2/named11.conf.in @@ -12,12 +12,12 @@ @@ -340,18 +351,18 @@ index 308c4ca..00f6f40 100644 key one { - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; secret "1234efgh8765"; }; 
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in -index 6b0fe55..491e514 100644 +index 6b0fe55..a10c6d0 100644 --- a/bin/tests/system/allow-query/ns2/named12.conf.in +++ b/bin/tests/system/allow-query/ns2/named12.conf.in @@ -12,7 +12,7 @@ @@ -359,12 +370,12 @@ index 6b0fe55..491e514 100644 key one { - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in -index aefc474..7c06596 100644 +index aefc474..52981a7 100644 --- a/bin/tests/system/allow-query/ns2/named30.conf.in +++ b/bin/tests/system/allow-query/ns2/named30.conf.in @@ -12,7 +12,7 @@ @@ -372,12 +383,12 @@ index aefc474..7c06596 100644 key one { - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in -index 27eccc2..eecb990 100644 +index 27eccc2..f627870 100644 --- a/bin/tests/system/allow-query/ns2/named31.conf.in +++ b/bin/tests/system/allow-query/ns2/named31.conf.in @@ -12,12 +12,12 @@ @@ -385,18 +396,18 @@ index 27eccc2..eecb990 100644 key one { - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; secret "1234efgh8765"; }; diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in -index adbb203..744d122 100644 +index adbb203..6fd516b 100644 --- a/bin/tests/system/allow-query/ns2/named32.conf.in +++ b/bin/tests/system/allow-query/ns2/named32.conf.in @@ -12,7 +12,7 @@ @@ -404,12 +415,12 @@ index adbb203..744d122 100644 key one { - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; 
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in -index 364f94b..9518f82 100644 +index 364f94b..de37915 100644 --- a/bin/tests/system/allow-query/ns2/named40.conf.in +++ b/bin/tests/system/allow-query/ns2/named40.conf.in @@ -16,12 +16,12 @@ acl accept { 10.53.0.2; }; @@ -417,13 +428,13 @@ index 364f94b..9518f82 100644 key one { - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; secret "1234abcd8765"; }; key two { - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; secret "1234efgh8765"; }; @@ -513,7 +524,7 @@ index 01a13cf..3711c63 100644 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in -index 3a8e401..82e720d 100644 +index 3a8e401..052ae3f 100644 --- a/bin/tests/system/catz/ns1/named.conf.in +++ b/bin/tests/system/catz/ns1/named.conf.in @@ -122,7 +122,7 @@ view "ch" ch { @@ -521,10 +532,34 @@ index 3a8e401..82e720d 100644 key tsig_key. { secret "LSAnCU+Z"; - algorithm hmac-md5; -+ algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; }; key next_key. { +diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in +index 23383ed..5a7babd 100644 +--- a/bin/tests/system/catz/ns2/named1.conf.in ++++ b/bin/tests/system/catz/ns2/named1.conf.in +@@ -165,7 +165,7 @@ view "ch" ch { + + key tsig_key. { + secret "LSAnCU+Z"; +- algorithm hmac-md5; ++ algorithm @DEFAULT_HMAC@; + }; + + key next_key. { +diff --git a/bin/tests/system/catz/ns2/named2.conf.in b/bin/tests/system/catz/ns2/named2.conf.in +index 62b76a6..cd5f2b9 100644 +--- a/bin/tests/system/catz/ns2/named2.conf.in ++++ b/bin/tests/system/catz/ns2/named2.conf.in +@@ -122,5 +122,5 @@ view "ch" ch { + + key tsig_key. { + secret "LSAnCU+Z"; +- algorithm hmac-md5; ++ algorithm @DEFAULT_HMAC@; + }; 
diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf index 4af25b0..9f202d5 100644 --- a/bin/tests/system/checkconf/bad-tsig.conf @@ -550,6 +585,30 @@ index 154bf75..e7a05cd 100644 + algorithm "hmac-sha256"; secret "qwertyuiopasdfgh"; }; +diff --git a/bin/tests/system/cookie/ns1/named.conf.in b/bin/tests/system/cookie/ns1/named.conf.in +index 1304303..e9c28c6 100644 +--- a/bin/tests/system/cookie/ns1/named.conf.in ++++ b/bin/tests/system/cookie/ns1/named.conf.in +@@ -18,7 +18,7 @@ key rndc_key { + + key foo { + secret "aaaaaaaaaaaa"; +- algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; + }; + + server 10.53.0.10 { +diff --git a/bin/tests/system/dnssec/ns4/named5.conf.in b/bin/tests/system/dnssec/ns4/named5.conf.in +index f1b817a..e457062 100644 +--- a/bin/tests/system/dnssec/ns4/named5.conf.in ++++ b/bin/tests/system/dnssec/ns4/named5.conf.in +@@ -35,5 +35,5 @@ controls { + + key auth { + secret "1234abcd8765"; +- algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; + }; diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c index 3435c91..aaaa264 100644 --- a/bin/tests/system/feature-test.c @@ -583,7 +642,7 @@ index 3435c91..aaaa264 100644 #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY) int s; diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in -index 5cab276..d4a7bf3 100644 +index 5cab276..c0492e1 100644 --- a/bin/tests/system/notify/ns5/named.conf.in +++ b/bin/tests/system/notify/ns5/named.conf.in @@ -12,17 +12,17 @@ @@ -591,19 +650,19 @@ index 5cab276..d4a7bf3 100644 key "a" { - algorithm "hmac-md5"; -+ algorithm "hmac-sha256"; ++ algorithm "@DEFAULT_HMAC@"; secret "aaaaaaaaaaaaaaaaaaaa"; }; key "b" { - algorithm "hmac-md5"; -+ algorithm "hmac-sha256"; ++ algorithm "@DEFAULT_HMAC@"; secret "bbbbbbbbbbbbbbbbbbbb"; }; key "c" { - algorithm "hmac-md5"; -+ algorithm "hmac-sha256"; ++ algorithm "@DEFAULT_HMAC@"; secret "cccccccccccccccccccc"; }; 
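Review bot: cookie/ns1/named.conf.in `key foo` and dnssec/ns4/named5.conf.in `key auth` were already `hmac-sha256` upstream (the removed lines show it), so unlike the md5 replacements elsewhere these hunks retarget an already FIPS-acceptable key to whatever DEFAULT_HMAC is configured to; nsupdate/ns9 and rndc/ns2–ns3 in the next hunk do the same. That is harmless while DEFAULT_HMAC is hmac-sha256 or stronger, but it silently ties these tests' key strength to a build option and nothing in the diff pins a lower bound. If exercising the configured default is the intent, recording it in the patch description, e.g. `Keys that were already hmac-sha256 are switched to @DEFAULT_HMAC@ so every test uses the configured default, which is expected to be hmac-sha256 or stronger`, would keep the next rebase from reverting them as accidental downgrades.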
@@ -658,6 +717,19 @@ index c85eef5..428b6b1 100644 secret "1234abcd8765"; }; +diff --git a/bin/tests/system/nsupdate/ns9/named.conf.in b/bin/tests/system/nsupdate/ns9/named.conf.in +index 6a7ff88..0b70745 100644 +--- a/bin/tests/system/nsupdate/ns9/named.conf.in ++++ b/bin/tests/system/nsupdate/ns9/named.conf.in +@@ -32,7 +32,7 @@ key rndc_key { + + key subkey { + secret "1234abcd8765"; +- algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; + }; + + controls { diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh index 50056dc..a4a1a3f 100644 --- a/bin/tests/system/nsupdate/setup.sh @@ -702,6 +774,32 @@ index 0bb9d00..ecbc0df 100755 $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 done if [ $ret -ne 0 ]; then +diff --git a/bin/tests/system/rndc/ns2/named.conf.in b/bin/tests/system/rndc/ns2/named.conf.in +index 117a5f4..be1af25 100644 +--- a/bin/tests/system/rndc/ns2/named.conf.in ++++ b/bin/tests/system/rndc/ns2/named.conf.in +@@ -27,7 +27,7 @@ key rndc_key { + + key secondkey { + secret "abcd1234abcd8765"; +- algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; + }; + + controls { +diff --git a/bin/tests/system/rndc/ns3/named.conf.in b/bin/tests/system/rndc/ns3/named.conf.in +index 3078e90..fd97ca2 100644 +--- a/bin/tests/system/rndc/ns3/named.conf.in ++++ b/bin/tests/system/rndc/ns3/named.conf.in +@@ -25,7 +25,7 @@ key rndc_key { + + key secondkey { + secret "abcd1234abcd8765"; +- algorithm hmac-sha256; ++ algorithm @DEFAULT_HMAC@; + }; + + controls { diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh index 4dd6fa7..1b79263 100644 --- a/bin/tests/system/rndc/setup.sh 
@@ -776,6 +874,22 @@ index 76cf970..22637af 100644 key "sha1-trunc" { secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; +diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in +new file mode 100644 +index 0000000..0682194 +--- /dev/null ++++ b/bin/tests/system/tsig/ns1/rndc5.conf.in +@@ -0,0 +1,10 @@ ++# Conditionally included when support for MD5 is available ++key "md5" { ++ secret "97rnFx24Tfna4mHPfgnerA=="; ++ algorithm hmac-md5; ++}; ++ ++key "md5-trunc" { ++ secret "97rnFx24Tfna4mHPfgnerA=="; ++ algorithm hmac-md5-80; ++}; diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh index 34cc73b..d51ff21 100644 --- a/bin/tests/system/tsig/setup.sh @@ -882,7 +996,7 @@ index 1067227..ee05e83 100644 echo_i "fetching using hmac-sha1-80 (BADTRUNC)" diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in -index c2b57dd..cb13aa1 100644 +index c2b57dd..ea744f8 100644 --- a/bin/tests/system/upforwd/ns1/named.conf.in +++ b/bin/tests/system/upforwd/ns1/named.conf.in @@ -12,7 +12,7 @@ @@ -890,7 +1004,7 @@ index c2b57dd..cb13aa1 100644 key "update.example." { - algorithm "hmac-md5"; -+ algorithm "hmac-sha256"; ++ algorithm "@DEFAULT_HMAC@"; secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; };
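Review bot: the header comment of the new tsig/ns1/rndc5.conf.in says the file is "Conditionally included" but not by what; the include and the MD5 detection live in tsig/setup.sh and tsig/ns1/named.conf.in hunks not shown here (the diffstat lists setup.sh gaining 5 lines and named.conf.in changing 10), so a reader of this file alone cannot tell which condition gates `hmac-md5` and `hmac-md5-80`. Naming the mechanism would stop these keys from being mistaken for a leftover when someone greps the test tree for hmac-md5, e.g. `# Included into ns1/named.conf by setup.sh only when the build reports HMAC-MD5 support; left out on FIPS builds where hmac-md5 is unavailable`, adjusted to whatever setup.sh actually checks. Confirm in setup.sh that the include really is guarded and not unconditional, since an unconditional include of hmac-md5 keys would fail the FIPS run this patch series exists to fix.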