Start using DEFAULT_HMAC configured variable

Do not replace hmac-md5 with a fixed algorithm. Instead, use the default
variable used by more recent versions.
Petr Menšík 2022-10-22 22:57:46 +02:00
parent 99fd53a106
commit 21fe71bc46


@ -1,4 +1,4 @@
From 2ad42c7c23858f12d977526d6ebc3465907d7b1b Mon Sep 17 00:00:00 2001
From f7d0320466815001b0fdf85f85a436f39463287e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Thu, 2 Aug 2018 23:46:45 +0200
Subject: [PATCH] FIPS tests changes
@ -57,6 +57,8 @@ Date: Wed Mar 7 10:44:23 2018 +0100
Change tests to not use hmac-md5 algorithms if not required
Use hmac-sha256 instead of default hmac-md5 for allow-query
Use DEFAULT_HMAC configured variable
---
bin/tests/system/acl/ns2/named1.conf.in | 4 +-
bin/tests/system/acl/ns2/named2.conf.in | 4 +-
@ -73,26 +75,35 @@ Date: Wed Mar 7 10:44:23 2018 +0100
.../system/allow-query/ns2/named40.conf.in | 4 +-
bin/tests/system/allow-query/tests.sh | 18 ++---
bin/tests/system/catz/ns1/named.conf.in | 2 +-
bin/tests/system/catz/ns2/named1.conf.in | 2 +-
bin/tests/system/catz/ns2/named2.conf.in | 2 +-
bin/tests/system/checkconf/bad-tsig.conf | 2 +-
bin/tests/system/checkconf/good.conf | 2 +-
bin/tests/system/cookie/ns1/named.conf.in | 2 +-
bin/tests/system/dnssec/ns4/named5.conf.in | 2 +-
bin/tests/system/feature-test.c | 14 ++++
bin/tests/system/notify/ns5/named.conf.in | 6 +-
bin/tests/system/notify/tests.sh | 6 +-
bin/tests/system/nsupdate/ns1/named.conf.in | 2 +-
bin/tests/system/nsupdate/ns2/named.conf.in | 2 +-
bin/tests/system/nsupdate/ns9/named.conf.in | 2 +-
bin/tests/system/nsupdate/setup.sh | 6 +-
bin/tests/system/nsupdate/tests.sh | 9 ++-
bin/tests/system/rndc/ns2/named.conf.in | 2 +-
bin/tests/system/rndc/ns3/named.conf.in | 2 +-
bin/tests/system/rndc/setup.sh | 2 +-
bin/tests/system/rndc/tests.sh | 22 +++---
bin/tests/system/tsig/ns1/named.conf.in | 10 +--
bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++
bin/tests/system/tsig/setup.sh | 5 ++
bin/tests/system/tsig/tests.sh | 67 ++++++++++++-------
bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
bin/tests/system/upforwd/tests.sh | 2 +-
31 files changed, 147 insertions(+), 106 deletions(-)
39 files changed, 164 insertions(+), 113 deletions(-)
create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
index 8787c6a..b781d0b 100644
index 8787c6a..682ba97 100644
--- a/bin/tests/system/acl/ns2/named1.conf.in
+++ b/bin/tests/system/acl/ns2/named1.conf.in
@@ -35,12 +35,12 @@ options {
@ -100,18 +111,18 @@ index 8787c6a..b781d0b 100644
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
index a95b4c1..3f3f471 100644
index a95b4c1..7b1cea6 100644
--- a/bin/tests/system/acl/ns2/named2.conf.in
+++ b/bin/tests/system/acl/ns2/named2.conf.in
@@ -35,12 +35,12 @@ options {
@ -119,18 +130,18 @@ index a95b4c1..3f3f471 100644
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
index 14cc3fe..9507706 100644
index 14cc3fe..6b35ba5 100644
--- a/bin/tests/system/acl/ns2/named3.conf.in
+++ b/bin/tests/system/acl/ns2/named3.conf.in
@@ -35,17 +35,17 @@ options {
@ -138,24 +149,24 @@ index 14cc3fe..9507706 100644
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
key three {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
index 77cf110..029c91b 100644
index 77cf110..b23a1ca 100644
--- a/bin/tests/system/acl/ns2/named4.conf.in
+++ b/bin/tests/system/acl/ns2/named4.conf.in
@@ -35,12 +35,12 @@ options {
@ -163,18 +174,18 @@ index 77cf110..029c91b 100644
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
index 5ccabf9..6154797 100644
index 5ccabf9..52791aa 100644
--- a/bin/tests/system/acl/ns2/named5.conf.in
+++ b/bin/tests/system/acl/ns2/named5.conf.in
@@ -37,12 +37,12 @@ options {
@ -182,13 +193,13 @@ index 5ccabf9..6154797 100644
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
@ -319,7 +330,7 @@ index ad98fa1..7a7ff4a 100644
echo_i "testing allow-query-on ACL processing"
diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
index b91d19a..7d777c2 100644
index b91d19a..ae485e8 100644
--- a/bin/tests/system/allow-query/ns2/named10.conf.in
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in
@@ -12,7 +12,7 @@
@ -327,12 +338,12 @@ index b91d19a..7d777c2 100644
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
index 308c4ca..00f6f40 100644
index 308c4ca..8a5e806 100644
--- a/bin/tests/system/allow-query/ns2/named11.conf.in
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in
@@ -12,12 +12,12 @@
@ -340,18 +351,18 @@ index 308c4ca..00f6f40 100644
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
secret "1234efgh8765";
};
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
index 6b0fe55..491e514 100644
index 6b0fe55..a10c6d0 100644
--- a/bin/tests/system/allow-query/ns2/named12.conf.in
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in
@@ -12,7 +12,7 @@
@ -359,12 +370,12 @@ index 6b0fe55..491e514 100644
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
index aefc474..7c06596 100644
index aefc474..52981a7 100644
--- a/bin/tests/system/allow-query/ns2/named30.conf.in
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in
@@ -12,7 +12,7 @@
@ -372,12 +383,12 @@ index aefc474..7c06596 100644
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
index 27eccc2..eecb990 100644
index 27eccc2..f627870 100644
--- a/bin/tests/system/allow-query/ns2/named31.conf.in
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in
@@ -12,12 +12,12 @@
@ -385,18 +396,18 @@ index 27eccc2..eecb990 100644
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
secret "1234efgh8765";
};
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
index adbb203..744d122 100644
index adbb203..6fd516b 100644
--- a/bin/tests/system/allow-query/ns2/named32.conf.in
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in
@@ -12,7 +12,7 @@
@ -404,12 +415,12 @@ index adbb203..744d122 100644
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
index 364f94b..9518f82 100644
index 364f94b..de37915 100644
--- a/bin/tests/system/allow-query/ns2/named40.conf.in
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in
@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; };
@ -417,13 +428,13 @@ index 364f94b..9518f82 100644
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
secret "1234efgh8765";
};
@ -513,7 +524,7 @@ index 01a13cf..3711c63 100644
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
index 3a8e401..82e720d 100644
index 3a8e401..052ae3f 100644
--- a/bin/tests/system/catz/ns1/named.conf.in
+++ b/bin/tests/system/catz/ns1/named.conf.in
@@ -122,7 +122,7 @@ view "ch" ch {
@ -521,10 +532,34 @@ index 3a8e401..82e720d 100644
key tsig_key. {
secret "LSAnCU+Z";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
};
key next_key. {
diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in
index 23383ed..5a7babd 100644
--- a/bin/tests/system/catz/ns2/named1.conf.in
+++ b/bin/tests/system/catz/ns2/named1.conf.in
@@ -165,7 +165,7 @@ view "ch" ch {
key tsig_key. {
secret "LSAnCU+Z";
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
};
key next_key. {
diff --git a/bin/tests/system/catz/ns2/named2.conf.in b/bin/tests/system/catz/ns2/named2.conf.in
index 62b76a6..cd5f2b9 100644
--- a/bin/tests/system/catz/ns2/named2.conf.in
+++ b/bin/tests/system/catz/ns2/named2.conf.in
@@ -122,5 +122,5 @@ view "ch" ch {
key tsig_key. {
secret "LSAnCU+Z";
- algorithm hmac-md5;
+ algorithm @DEFAULT_HMAC@;
};
diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
index 4af25b0..9f202d5 100644
--- a/bin/tests/system/checkconf/bad-tsig.conf
@ -550,6 +585,30 @@ index 154bf75..e7a05cd 100644
+ algorithm "hmac-sha256";
secret "qwertyuiopasdfgh";
};
diff --git a/bin/tests/system/cookie/ns1/named.conf.in b/bin/tests/system/cookie/ns1/named.conf.in
index 1304303..e9c28c6 100644
--- a/bin/tests/system/cookie/ns1/named.conf.in
+++ b/bin/tests/system/cookie/ns1/named.conf.in
@@ -18,7 +18,7 @@ key rndc_key {
key foo {
secret "aaaaaaaaaaaa";
- algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
};
server 10.53.0.10 {
diff --git a/bin/tests/system/dnssec/ns4/named5.conf.in b/bin/tests/system/dnssec/ns4/named5.conf.in
index f1b817a..e457062 100644
--- a/bin/tests/system/dnssec/ns4/named5.conf.in
+++ b/bin/tests/system/dnssec/ns4/named5.conf.in
@@ -35,5 +35,5 @@ controls {
key auth {
secret "1234abcd8765";
- algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
};
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
index 3435c91..aaaa264 100644
--- a/bin/tests/system/feature-test.c
@ -583,7 +642,7 @@ index 3435c91..aaaa264 100644
#if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
int s;
diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
index 5cab276..d4a7bf3 100644
index 5cab276..c0492e1 100644
--- a/bin/tests/system/notify/ns5/named.conf.in
+++ b/bin/tests/system/notify/ns5/named.conf.in
@@ -12,17 +12,17 @@
@ -591,19 +650,19 @@ index 5cab276..d4a7bf3 100644
key "a" {
- algorithm "hmac-md5";
+ algorithm "hmac-sha256";
+ algorithm "@DEFAULT_HMAC@";
secret "aaaaaaaaaaaaaaaaaaaa";
};
key "b" {
- algorithm "hmac-md5";
+ algorithm "hmac-sha256";
+ algorithm "@DEFAULT_HMAC@";
secret "bbbbbbbbbbbbbbbbbbbb";
};
key "c" {
- algorithm "hmac-md5";
+ algorithm "hmac-sha256";
+ algorithm "@DEFAULT_HMAC@";
secret "cccccccccccccccccccc";
};
@ -658,6 +717,19 @@ index c85eef5..428b6b1 100644
secret "1234abcd8765";
};
diff --git a/bin/tests/system/nsupdate/ns9/named.conf.in b/bin/tests/system/nsupdate/ns9/named.conf.in
index 6a7ff88..0b70745 100644
--- a/bin/tests/system/nsupdate/ns9/named.conf.in
+++ b/bin/tests/system/nsupdate/ns9/named.conf.in
@@ -32,7 +32,7 @@ key rndc_key {
key subkey {
secret "1234abcd8765";
- algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
};
controls {
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index 50056dc..a4a1a3f 100644
--- a/bin/tests/system/nsupdate/setup.sh
@ -702,6 +774,32 @@ index 0bb9d00..ecbc0df 100755
$DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
done
if [ $ret -ne 0 ]; then
diff --git a/bin/tests/system/rndc/ns2/named.conf.in b/bin/tests/system/rndc/ns2/named.conf.in
index 117a5f4..be1af25 100644
--- a/bin/tests/system/rndc/ns2/named.conf.in
+++ b/bin/tests/system/rndc/ns2/named.conf.in
@@ -27,7 +27,7 @@ key rndc_key {
key secondkey {
secret "abcd1234abcd8765";
- algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
};
controls {
diff --git a/bin/tests/system/rndc/ns3/named.conf.in b/bin/tests/system/rndc/ns3/named.conf.in
index 3078e90..fd97ca2 100644
--- a/bin/tests/system/rndc/ns3/named.conf.in
+++ b/bin/tests/system/rndc/ns3/named.conf.in
@@ -25,7 +25,7 @@ key rndc_key {
key secondkey {
secret "abcd1234abcd8765";
- algorithm hmac-sha256;
+ algorithm @DEFAULT_HMAC@;
};
controls {
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
index 4dd6fa7..1b79263 100644
--- a/bin/tests/system/rndc/setup.sh
@ -776,6 +874,22 @@ index 76cf970..22637af 100644
key "sha1-trunc" {
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
new file mode 100644
index 0000000..0682194
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
@@ -0,0 +1,10 @@
+# Conditionally included when support for MD5 is available
+key "md5" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5;
+};
+
+key "md5-trunc" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5-80;
+};
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
index 34cc73b..d51ff21 100644
--- a/bin/tests/system/tsig/setup.sh
@ -882,7 +996,7 @@ index 1067227..ee05e83 100644
echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
index c2b57dd..cb13aa1 100644
index c2b57dd..ea744f8 100644
--- a/bin/tests/system/upforwd/ns1/named.conf.in
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
@@ -12,7 +12,7 @@
@ -890,7 +1004,7 @@ index c2b57dd..cb13aa1 100644
key "update.example." {
- algorithm "hmac-md5";
+ algorithm "hmac-sha256";
+ algorithm "@DEFAULT_HMAC@";
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
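Review bot: The `algorithm @DEFAULT_HMAC@;` lines (acl, allow-query, catz, notify, upforwd, and the newly added cookie/ns1, dnssec/ns4, nsupdate/ns9 and rndc/ns2 and ns3 hunks) no longer pin `hmac-sha256`, so the FIPS goal in the patch subject now rests on two things this page does not show: that every one of these `.in` templates is rendered by a step that substitutes `@DEFAULT_HMAC@`, and that the variable resolves to a FIPS-approved HMAC on the packaged version. A template copied without substitution would leave the literal token in named.conf, and a default of hmac-md5 would quietly undo the earlier replacement. I would record the assumption in the patch description, for example `DEFAULT_HMAC must be defined by the test harness and must not be an MD5-based algorithm`, and confirm the substitution exists in the target release before merging. This reading assumes the second line of each printed pair is the new side, because the page has lost the outer +/- markers.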