Start using DEFAULT_HMAC configured variable

Do not replace hmac-md5 with fixed algorithm. But use default variable
used by more recent versions.

bind-9.11-fips-tests.patch

@@ -1,4 +1,4 @@
-From 2ad42c7c23858f12d977526d6ebc3465907d7b1b Mon Sep 17 00:00:00 2001
+From f7d0320466815001b0fdf85f85a436f39463287e Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Thu, 2 Aug 2018 23:46:45 +0200
 Subject: [PATCH] FIPS tests changes
@@ -57,6 +57,8 @@ Date:   Wed Mar 7 10:44:23 2018 +0100
     Change tests to not use hmac-md5 algorithms if not required
 
     Use hmac-sha256 instead of default hmac-md5 for allow-query
+
+Use DEFAULT_HMAC configured variable
 ---
  bin/tests/system/acl/ns2/named1.conf.in       |  4 +-
  bin/tests/system/acl/ns2/named2.conf.in       |  4 +-
@@ -73,26 +75,35 @@ Date:   Wed Mar 7 10:44:23 2018 +0100
  .../system/allow-query/ns2/named40.conf.in    |  4 +-
  bin/tests/system/allow-query/tests.sh         | 18 ++---
  bin/tests/system/catz/ns1/named.conf.in       |  2 +-
+ bin/tests/system/catz/ns2/named1.conf.in      |  2 +-
+ bin/tests/system/catz/ns2/named2.conf.in      |  2 +-
  bin/tests/system/checkconf/bad-tsig.conf      |  2 +-
  bin/tests/system/checkconf/good.conf          |  2 +-
+ bin/tests/system/cookie/ns1/named.conf.in     |  2 +-
+ bin/tests/system/dnssec/ns4/named5.conf.in    |  2 +-
  bin/tests/system/feature-test.c               | 14 ++++
  bin/tests/system/notify/ns5/named.conf.in     |  6 +-
  bin/tests/system/notify/tests.sh              |  6 +-
  bin/tests/system/nsupdate/ns1/named.conf.in   |  2 +-
  bin/tests/system/nsupdate/ns2/named.conf.in   |  2 +-
+ bin/tests/system/nsupdate/ns9/named.conf.in   |  2 +-
  bin/tests/system/nsupdate/setup.sh            |  6 +-
  bin/tests/system/nsupdate/tests.sh            |  9 ++-
+ bin/tests/system/rndc/ns2/named.conf.in       |  2 +-
+ bin/tests/system/rndc/ns3/named.conf.in       |  2 +-
  bin/tests/system/rndc/setup.sh                |  2 +-
  bin/tests/system/rndc/tests.sh                | 22 +++---
  bin/tests/system/tsig/ns1/named.conf.in       | 10 +--
+ bin/tests/system/tsig/ns1/rndc5.conf.in       | 10 +++
  bin/tests/system/tsig/setup.sh                |  5 ++
  bin/tests/system/tsig/tests.sh                | 67 ++++++++++++-------
  bin/tests/system/upforwd/ns1/named.conf.in    |  2 +-
  bin/tests/system/upforwd/tests.sh             |  2 +-
- 31 files changed, 147 insertions(+), 106 deletions(-)
+ 39 files changed, 164 insertions(+), 113 deletions(-)
+ create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
 
 diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
-index 8787c6a..b781d0b 100644
+index 8787c6a..682ba97 100644
 --- a/bin/tests/system/acl/ns2/named1.conf.in
 +++ b/bin/tests/system/acl/ns2/named1.conf.in
 @@ -35,12 +35,12 @@ options {
@@ -100,18 +111,18 @@ index 8787c6a..b781d0b 100644
  
  key one {
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  	secret "1234abcd8765";
  };
  
  key two {
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  	secret "1234abcd8765";
  };
  
 diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
-index a95b4c1..3f3f471 100644
+index a95b4c1..7b1cea6 100644
 --- a/bin/tests/system/acl/ns2/named2.conf.in
 +++ b/bin/tests/system/acl/ns2/named2.conf.in
 @@ -35,12 +35,12 @@ options {
@@ -119,18 +130,18 @@ index a95b4c1..3f3f471 100644
  
  key one {
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  	secret "1234abcd8765";
  };
  
  key two {
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  	secret "1234abcd8765";
  };
  
 diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
-index 14cc3fe..9507706 100644
+index 14cc3fe..6b35ba5 100644
 --- a/bin/tests/system/acl/ns2/named3.conf.in
 +++ b/bin/tests/system/acl/ns2/named3.conf.in
 @@ -35,17 +35,17 @@ options {
@@ -138,24 +149,24 @@ index 14cc3fe..9507706 100644
  
  key one {
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  	secret "1234abcd8765";
  };
  
  key two {
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  	secret "1234abcd8765";
  };
  
  key three {
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  	secret "1234abcd8765";
  };
  
 diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
-index 77cf110..029c91b 100644
+index 77cf110..b23a1ca 100644
 --- a/bin/tests/system/acl/ns2/named4.conf.in
 +++ b/bin/tests/system/acl/ns2/named4.conf.in
 @@ -35,12 +35,12 @@ options {
@@ -163,18 +174,18 @@ index 77cf110..029c91b 100644
  
  key one {
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  	secret "1234abcd8765";
  };
  
  key two {
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  	secret "1234abcd8765";
  };
  
 diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
-index 5ccabf9..6154797 100644
+index 5ccabf9..52791aa 100644
 --- a/bin/tests/system/acl/ns2/named5.conf.in
 +++ b/bin/tests/system/acl/ns2/named5.conf.in
 @@ -37,12 +37,12 @@ options {
@@ -182,13 +193,13 @@ index 5ccabf9..6154797 100644
  
  key one {
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  	secret "1234abcd8765";
  };
  
  key two {
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  	secret "1234abcd8765";
  };
  
@@ -319,7 +330,7 @@ index ad98fa1..7a7ff4a 100644
  
  echo_i "testing allow-query-on ACL processing"
 diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
-index b91d19a..7d777c2 100644
+index b91d19a..ae485e8 100644
 --- a/bin/tests/system/allow-query/ns2/named10.conf.in
 +++ b/bin/tests/system/allow-query/ns2/named10.conf.in
 @@ -12,7 +12,7 @@
@@ -327,12 +338,12 @@ index b91d19a..7d777c2 100644
  
  key one {
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  	secret "1234abcd8765";
  };
  
 diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
-index 308c4ca..00f6f40 100644
+index 308c4ca..8a5e806 100644
 --- a/bin/tests/system/allow-query/ns2/named11.conf.in
 +++ b/bin/tests/system/allow-query/ns2/named11.conf.in
 @@ -12,12 +12,12 @@
@@ -340,18 +351,18 @@ index 308c4ca..00f6f40 100644
  
  key one {
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  	secret "1234abcd8765";
  };
  
  key two {
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  	secret "1234efgh8765";
  };
  
 diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
-index 6b0fe55..491e514 100644
+index 6b0fe55..a10c6d0 100644
 --- a/bin/tests/system/allow-query/ns2/named12.conf.in
 +++ b/bin/tests/system/allow-query/ns2/named12.conf.in
 @@ -12,7 +12,7 @@
@@ -359,12 +370,12 @@ index 6b0fe55..491e514 100644
  
  key one {
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  	secret "1234abcd8765";
  };
  
 diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
-index aefc474..7c06596 100644
+index aefc474..52981a7 100644
 --- a/bin/tests/system/allow-query/ns2/named30.conf.in
 +++ b/bin/tests/system/allow-query/ns2/named30.conf.in
 @@ -12,7 +12,7 @@
@@ -372,12 +383,12 @@ index aefc474..7c06596 100644
  
  key one {
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  	secret "1234abcd8765";
  };
  
 diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
-index 27eccc2..eecb990 100644
+index 27eccc2..f627870 100644
 --- a/bin/tests/system/allow-query/ns2/named31.conf.in
 +++ b/bin/tests/system/allow-query/ns2/named31.conf.in
 @@ -12,12 +12,12 @@
@@ -385,18 +396,18 @@ index 27eccc2..eecb990 100644
  
  key one {
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  	secret "1234abcd8765";
  };
  
  key two {
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  	secret "1234efgh8765";
  };
  
 diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
-index adbb203..744d122 100644
+index adbb203..6fd516b 100644
 --- a/bin/tests/system/allow-query/ns2/named32.conf.in
 +++ b/bin/tests/system/allow-query/ns2/named32.conf.in
 @@ -12,7 +12,7 @@
@@ -404,12 +415,12 @@ index adbb203..744d122 100644
  
  key one {
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  	secret "1234abcd8765";
  };
  
 diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
-index 364f94b..9518f82 100644
+index 364f94b..de37915 100644
 --- a/bin/tests/system/allow-query/ns2/named40.conf.in
 +++ b/bin/tests/system/allow-query/ns2/named40.conf.in
 @@ -16,12 +16,12 @@ acl accept { 10.53.0.2; };
@@ -417,13 +428,13 @@ index 364f94b..9518f82 100644
  
  key one {
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  	secret "1234abcd8765";
  };
  
  key two {
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  	secret "1234efgh8765";
  };
  
@@ -513,7 +524,7 @@ index 01a13cf..3711c63 100644
  grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
  grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
 diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
-index 3a8e401..82e720d 100644
+index 3a8e401..052ae3f 100644
 --- a/bin/tests/system/catz/ns1/named.conf.in
 +++ b/bin/tests/system/catz/ns1/named.conf.in
 @@ -122,7 +122,7 @@ view "ch" ch {
@@ -521,10 +532,34 @@ index 3a8e401..82e720d 100644
  key tsig_key. {
  	secret "LSAnCU+Z";
 -	algorithm hmac-md5;
-+	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
  };
  
  key next_key. {
+diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in
+index 23383ed..5a7babd 100644
+--- a/bin/tests/system/catz/ns2/named1.conf.in
++++ b/bin/tests/system/catz/ns2/named1.conf.in
+@@ -165,7 +165,7 @@ view "ch" ch {
+ 
+ key tsig_key. {
+ 	secret "LSAnCU+Z";
+-	algorithm hmac-md5;
++	algorithm @DEFAULT_HMAC@;
+ };
+ 
+ key next_key. {
+diff --git a/bin/tests/system/catz/ns2/named2.conf.in b/bin/tests/system/catz/ns2/named2.conf.in
+index 62b76a6..cd5f2b9 100644
+--- a/bin/tests/system/catz/ns2/named2.conf.in
++++ b/bin/tests/system/catz/ns2/named2.conf.in
+@@ -122,5 +122,5 @@ view "ch" ch {
+ 
+ key tsig_key. {
+ 	secret "LSAnCU+Z";
+-	algorithm hmac-md5;
++	algorithm @DEFAULT_HMAC@;
+ };
 diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
 index 4af25b0..9f202d5 100644
 --- a/bin/tests/system/checkconf/bad-tsig.conf
@@ -550,6 +585,30 @@ index 154bf75..e7a05cd 100644
 +	algorithm "hmac-sha256";
  	secret "qwertyuiopasdfgh";
  };
+diff --git a/bin/tests/system/cookie/ns1/named.conf.in b/bin/tests/system/cookie/ns1/named.conf.in
+index 1304303..e9c28c6 100644
+--- a/bin/tests/system/cookie/ns1/named.conf.in
++++ b/bin/tests/system/cookie/ns1/named.conf.in
+@@ -18,7 +18,7 @@ key rndc_key {
+ 
+ key foo {
+ 	secret "aaaaaaaaaaaa";
+-	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
+ };
+ 
+ server 10.53.0.10 {
+diff --git a/bin/tests/system/dnssec/ns4/named5.conf.in b/bin/tests/system/dnssec/ns4/named5.conf.in
+index f1b817a..e457062 100644
+--- a/bin/tests/system/dnssec/ns4/named5.conf.in
++++ b/bin/tests/system/dnssec/ns4/named5.conf.in
+@@ -35,5 +35,5 @@ controls {
+ 
+ key auth {
+ 	secret "1234abcd8765";
+-	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
+ };
 diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
 index 3435c91..aaaa264 100644
 --- a/bin/tests/system/feature-test.c
@@ -583,7 +642,7 @@ index 3435c91..aaaa264 100644
  #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
  		int s;
 diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
-index 5cab276..d4a7bf3 100644
+index 5cab276..c0492e1 100644
 --- a/bin/tests/system/notify/ns5/named.conf.in
 +++ b/bin/tests/system/notify/ns5/named.conf.in
 @@ -12,17 +12,17 @@
@@ -591,19 +650,19 @@ index 5cab276..d4a7bf3 100644
  
  key "a" {
 -	algorithm "hmac-md5";
-+	algorithm "hmac-sha256";
++	algorithm "@DEFAULT_HMAC@";
  	secret "aaaaaaaaaaaaaaaaaaaa";
  };
  
  key "b" {
 -	algorithm "hmac-md5";
-+	algorithm "hmac-sha256";
++	algorithm "@DEFAULT_HMAC@";
  	secret "bbbbbbbbbbbbbbbbbbbb";
  };
  
  key "c" {
 -	algorithm "hmac-md5";
-+	algorithm "hmac-sha256";
++	algorithm "@DEFAULT_HMAC@";
  	secret "cccccccccccccccccccc";
  };
  
@@ -658,6 +717,19 @@ index c85eef5..428b6b1 100644
  	secret "1234abcd8765";
  };
  
+diff --git a/bin/tests/system/nsupdate/ns9/named.conf.in b/bin/tests/system/nsupdate/ns9/named.conf.in
+index 6a7ff88..0b70745 100644
+--- a/bin/tests/system/nsupdate/ns9/named.conf.in
++++ b/bin/tests/system/nsupdate/ns9/named.conf.in
+@@ -32,7 +32,7 @@ key rndc_key {
+ 
+ key subkey {
+ 	secret "1234abcd8765";
+-	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
+ };
+ 
+ controls {
 diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
 index 50056dc..a4a1a3f 100644
 --- a/bin/tests/system/nsupdate/setup.sh
@@ -702,6 +774,32 @@ index 0bb9d00..ecbc0df 100755
      $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
  done
  if [ $ret -ne 0 ]; then
+diff --git a/bin/tests/system/rndc/ns2/named.conf.in b/bin/tests/system/rndc/ns2/named.conf.in
+index 117a5f4..be1af25 100644
+--- a/bin/tests/system/rndc/ns2/named.conf.in
++++ b/bin/tests/system/rndc/ns2/named.conf.in
+@@ -27,7 +27,7 @@ key rndc_key {
+ 
+ key secondkey {
+ 	secret "abcd1234abcd8765";
+-	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
+ };
+ 
+ controls {
+diff --git a/bin/tests/system/rndc/ns3/named.conf.in b/bin/tests/system/rndc/ns3/named.conf.in
+index 3078e90..fd97ca2 100644
+--- a/bin/tests/system/rndc/ns3/named.conf.in
++++ b/bin/tests/system/rndc/ns3/named.conf.in
+@@ -25,7 +25,7 @@ key rndc_key {
+ 
+ key secondkey {
+ 	secret "abcd1234abcd8765";
+-	algorithm hmac-sha256;
++	algorithm @DEFAULT_HMAC@;
+ };
+ 
+ controls {
 diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
 index 4dd6fa7..1b79263 100644
 --- a/bin/tests/system/rndc/setup.sh
@@ -776,6 +874,22 @@ index 76cf970..22637af 100644
  
  key "sha1-trunc" {
  	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
+new file mode 100644
+index 0000000..0682194
+--- /dev/null
++++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
+@@ -0,0 +1,10 @@
++# Conditionally included when support for MD5 is available
++key "md5" {
++	secret "97rnFx24Tfna4mHPfgnerA==";
++	algorithm hmac-md5;
++};
++
++key "md5-trunc" {
++	secret "97rnFx24Tfna4mHPfgnerA==";
++	algorithm hmac-md5-80;
++};
 diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
 index 34cc73b..d51ff21 100644
 --- a/bin/tests/system/tsig/setup.sh
@@ -882,7 +996,7 @@ index 1067227..ee05e83 100644
  
  echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
 diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
-index c2b57dd..cb13aa1 100644
+index c2b57dd..ea744f8 100644
 --- a/bin/tests/system/upforwd/ns1/named.conf.in
 +++ b/bin/tests/system/upforwd/ns1/named.conf.in
 @@ -12,7 +12,7 @@
@@ -890,7 +1004,7 @@ index c2b57dd..cb13aa1 100644
  
  key "update.example." {
 -	algorithm "hmac-md5";
-+	algorithm "hmac-sha256";
++	algorithm "@DEFAULT_HMAC@";
  	secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
  };