Fix FIPS tests to contain upstream proposal

2023-01-21 23:08:56 +01:00 · 2023-01-21 23:08:56 +01:00 · 16501a5fd1
parent b94624a2fa
commit 16501a5fd1
1 changed files with 35 additions and 70 deletions
--- a/bind-9.11-fips-tests.patch
+++ b/bind-9.11-fips-tests.patch
@ -1,62 +1,16 @@
-From 305c3aec507f7f1fb64f92c28d086cd3acf45a5a Mon Sep 17 00:00:00 2001
+From 75c029a38b59deb4f1b1861faf9113220e438253 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Thu, 2 Aug 2018 23:46:45 +0200
-Subject: [PATCH] FIPS tests changes
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
+Subject: [PATCH] FIPS tests changes for RHEL

-Squashed commit of the following:
+Include MD5 feature detection in featuretest tool and use it in some
+places. When RHEL distribution or Fedora ELN is in FIPS mode, then MD5
+algorithm is unavailable completely and even hmac-md5 algorithm usage
+will always fail. Work that around by checking MD5 works and if not,
+skipping its usage.

-commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa
-Author: Petr Menšík <pemensik@redhat.com>
-Date:   Wed Mar 7 20:35:13 2018 +0100
-
-    Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available.
-
-commit ab303db70082db76ecf36493d0b82ef3e8750cad
-Author: Petr Menšík <pemensik@redhat.com>
-Date:   Wed Mar 7 18:11:10 2018 +0100
-
-    Changed root key to be RSASHA256
-
-    Change bad trusted key to be the same algorithm.
-
-commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8
-Author: Petr Menšík <pemensik@redhat.com>
-Date:   Wed Mar 7 16:56:17 2018 +0100
-
-    Change used key to not use hmac-md5
-
-    Fix upforwd test, do not use hmac-md5
-
-commit aec891571626f053acfb4d0a247240cbc21a84e9
-Author: Petr Menšík <pemensik@redhat.com>
-Date:   Wed Mar 7 15:54:11 2018 +0100
-
-    Increase bitsize of DSA key to pass FIPS 140-2 mode.
-
-commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696
-Author: Petr Menšík <pemensik@redhat.com>
-Date:   Wed Mar 7 15:41:08 2018 +0100
-
-    Fix tsig and rndc tests for disabled md5
-
-    Use hmac-sha256 instead of hmac-md5.
-
-commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67
-Author: Petr Menšík <pemensik@redhat.com>
-Date:   Wed Mar 7 13:21:00 2018 +0100
-
-    Add md5 availability detection to featuretest
-
-commit f389a918803e2853e4b55fed62765dc4a492e34f
-Author: Petr Menšík <pemensik@redhat.com>
-Date:   Wed Mar 7 10:44:23 2018 +0100
-
-    Change tests to not use hmac-md5 algorithms if not required
-
-    Use hmac-sha256 instead of default hmac-md5 for allow-query
+Those changes were dragged as downstream patch bind-9.11-fips-tests.patch
+in Fedora and RHEL.
 ---
 bin/tests/system/acl/tests.sh           |  2 +-
 bin/tests/system/feature-test.c         | 14 ++++++
@ -65,12 +19,12 @@ Date:   Wed Mar 7 10:44:23 2018 +0100
 bin/tests/system/rndc/setup.sh          |  2 +-
 bin/tests/system/rndc/tests.sh          | 22 ++++----
 bin/tests/system/tsig/ns1/named.conf.in | 10 +---
- bin/tests/system/tsig/setup.sh          |  5 ++
+ bin/tests/system/tsig/setup.sh          | 16 ++++++
 bin/tests/system/tsig/tests.sh          | 67 +++++++++++++++----------
- 9 files changed, 91 insertions(+), 48 deletions(-)
+ 9 files changed, 102 insertions(+), 48 deletions(-)

 diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
-index df23d6a..0984d85 100644
+index df23d6a2f1..0984d85ed9 100644
 --- a/bin/tests/system/acl/tests.sh
 +++ b/bin/tests/system/acl/tests.sh
@@ -98,7 +98,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
@ -83,7 +37,7 @@ index df23d6a..0984d85 100644
 
 # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
 diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
-index b1adaed..3942df6 100644
+index b1adaedade..4dd76fb187 100644
 --- a/bin/tests/system/feature-test.c
 +++ b/bin/tests/system/feature-test.c
@@ -17,6 +17,7 @@
@ -103,8 +57,8 @@ index b1adaed..3942df6 100644
 +		const unsigned char test[] = "test";
 +		unsigned int size = sizeof(digest);
 +
-+		if (isc_md(ISC_MD_MD5, test, sizeof(test),
-+		           digest, &size) == ISC_R_SUCCESS) {
+		if (isc_md(ISC_MD_MD5, test, sizeof(test), digest, &size) ==
+		    ISC_R_SUCCESS) {
 +			return (0);
 +		} else {
 +			return (1);
@ -115,7 +69,7 @@ index b1adaed..3942df6 100644
 #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
 		int s;
 diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
-index b7d7b38..25c4cb4 100644
+index b7d7b38107..25c4cb4d8b 100644
 --- a/bin/tests/system/nsupdate/setup.sh
 +++ b/bin/tests/system/nsupdate/setup.sh
@@ -73,7 +73,11 @@ EOF
@ -132,7 +86,7 @@ index b7d7b38..25c4cb4 100644
 $TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key
 $TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key
 diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
-index 5adc99c..54e1d53 100755
+index 5adc99ce5c..54e1d531a6 100755
 --- a/bin/tests/system/nsupdate/tests.sh
 +++ b/bin/tests/system/nsupdate/tests.sh
@@ -959,7 +959,14 @@ fi
@ -161,7 +115,7 @@ index 5adc99c..54e1d53 100755
 done
 if [ $ret -ne 0 ]; then
 diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
-index a8793f3..e6714c0 100644
+index a8793f36d9..e6714c0991 100644
 --- a/bin/tests/system/rndc/setup.sh
 +++ b/bin/tests/system/rndc/setup.sh
@@ -48,7 +48,7 @@ make_key () {
@ -174,7 +128,7 @@ index a8793f3..e6714c0 100644
 make_key 3 ${EXTRAPORT3} hmac-sha224
 make_key 4 ${EXTRAPORT4} hmac-sha256
 diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
-index 424ac2b..27219a3 100644
+index 424ac2befe..27219a3df8 100644
 --- a/bin/tests/system/rndc/tests.sh
 +++ b/bin/tests/system/rndc/tests.sh
@@ -350,15 +350,19 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
@ -207,7 +161,7 @@ index 424ac2b..27219a3 100644
 n=$((n+1))
 echo_i "testing rndc with hmac-sha1 ($n)"
 diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
-index 76cf970..22637af 100644
+index 76cf970397..22637af901 100644
 --- a/bin/tests/system/tsig/ns1/named.conf.in
 +++ b/bin/tests/system/tsig/ns1/named.conf.in
@@ -23,10 +23,7 @@ options {
@ -235,20 +189,31 @@ index 76cf970..22637af 100644
 key "sha1-trunc" {
 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
 diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
-index 34cc73b..d51ff21 100644
+index 34cc73bf53..6a739f7eb1 100644
 --- a/bin/tests/system/tsig/setup.sh
 +++ b/bin/tests/system/tsig/setup.sh
-@@ -16,3 +16,8 @@
+@@ -16,3 +16,19 @@
 $SHELL clean.sh
 
 copy_setports ns1/named.conf.in ns1/named.conf
 +
 +if $FEATURETEST --md5
 +then
-+	cat ns1/rndc5.conf.in >> ns1/named.conf
+	cat >> ns1/named.conf << EOF
+# Conditionally included when support for MD5 is available
+key "md5" {
+        secret "97rnFx24Tfna4mHPfgnerA==";
+        algorithm hmac-md5;
+};
+
+key "md5-trunc" {
+        secret "97rnFx24Tfna4mHPfgnerA==";
+        algorithm hmac-md5-80;
+};
+EOF
 +fi
 diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
-index 1067227..ee05e83 100644
+index 106722741c..ee05e838c1 100644
 --- a/bin/tests/system/tsig/tests.sh
 +++ b/bin/tests/system/tsig/tests.sh
@@ -27,20 +27,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f