Fix FIPS tests to contain upstream proposal
parent
b94624a2fa
commit
16501a5fd1
|
@ -1,62 +1,16 @@
|
|||
From 305c3aec507f7f1fb64f92c28d086cd3acf45a5a Mon Sep 17 00:00:00 2001
|
||||
From 75c029a38b59deb4f1b1861faf9113220e438253 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Thu, 2 Aug 2018 23:46:45 +0200
|
||||
Subject: [PATCH] FIPS tests changes
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Subject: [PATCH] FIPS tests changes for RHEL
|
||||
|
||||
Squashed commit of the following:
|
||||
Include MD5 feature detection in featuretest tool and use it in some
|
||||
places. When RHEL distribution or Fedora ELN is in FIPS mode, then MD5
|
||||
algorithm is unavailable completely and even hmac-md5 algorithm usage
|
||||
will always fail. Work that around by checking MD5 works and if not,
|
||||
skipping its usage.
|
||||
|
||||
commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa
|
||||
Author: Petr Menšík <pemensik@redhat.com>
|
||||
Date: Wed Mar 7 20:35:13 2018 +0100
|
||||
|
||||
Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available.
|
||||
|
||||
commit ab303db70082db76ecf36493d0b82ef3e8750cad
|
||||
Author: Petr Menšík <pemensik@redhat.com>
|
||||
Date: Wed Mar 7 18:11:10 2018 +0100
|
||||
|
||||
Changed root key to be RSASHA256
|
||||
|
||||
Change bad trusted key to be the same algorithm.
|
||||
|
||||
commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8
|
||||
Author: Petr Menšík <pemensik@redhat.com>
|
||||
Date: Wed Mar 7 16:56:17 2018 +0100
|
||||
|
||||
Change used key to not use hmac-md5
|
||||
|
||||
Fix upforwd test, do not use hmac-md5
|
||||
|
||||
commit aec891571626f053acfb4d0a247240cbc21a84e9
|
||||
Author: Petr Menšík <pemensik@redhat.com>
|
||||
Date: Wed Mar 7 15:54:11 2018 +0100
|
||||
|
||||
Increase bitsize of DSA key to pass FIPS 140-2 mode.
|
||||
|
||||
commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696
|
||||
Author: Petr Menšík <pemensik@redhat.com>
|
||||
Date: Wed Mar 7 15:41:08 2018 +0100
|
||||
|
||||
Fix tsig and rndc tests for disabled md5
|
||||
|
||||
Use hmac-sha256 instead of hmac-md5.
|
||||
|
||||
commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67
|
||||
Author: Petr Menšík <pemensik@redhat.com>
|
||||
Date: Wed Mar 7 13:21:00 2018 +0100
|
||||
|
||||
Add md5 availability detection to featuretest
|
||||
|
||||
commit f389a918803e2853e4b55fed62765dc4a492e34f
|
||||
Author: Petr Menšík <pemensik@redhat.com>
|
||||
Date: Wed Mar 7 10:44:23 2018 +0100
|
||||
|
||||
Change tests to not use hmac-md5 algorithms if not required
|
||||
|
||||
Use hmac-sha256 instead of default hmac-md5 for allow-query
|
||||
Those changes were dragged as downstream patch bind-9.11-fips-tests.patch
|
||||
in Fedora and RHEL.
|
||||
---
|
||||
bin/tests/system/acl/tests.sh | 2 +-
|
||||
bin/tests/system/feature-test.c | 14 ++++++
|
||||
|
@ -65,12 +19,12 @@ Date: Wed Mar 7 10:44:23 2018 +0100
|
|||
bin/tests/system/rndc/setup.sh | 2 +-
|
||||
bin/tests/system/rndc/tests.sh | 22 ++++----
|
||||
bin/tests/system/tsig/ns1/named.conf.in | 10 +---
|
||||
bin/tests/system/tsig/setup.sh | 5 ++
|
||||
bin/tests/system/tsig/setup.sh | 16 ++++++
|
||||
bin/tests/system/tsig/tests.sh | 67 +++++++++++++++----------
|
||||
9 files changed, 91 insertions(+), 48 deletions(-)
|
||||
9 files changed, 102 insertions(+), 48 deletions(-)
|
||||
|
||||
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
|
||||
index df23d6a..0984d85 100644
|
||||
index df23d6a2f1..0984d85ed9 100644
|
||||
--- a/bin/tests/system/acl/tests.sh
|
||||
+++ b/bin/tests/system/acl/tests.sh
|
||||
@@ -98,7 +98,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
|
||||
|
@ -83,7 +37,7 @@ index df23d6a..0984d85 100644
|
|||
|
||||
# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
|
||||
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
|
||||
index b1adaed..3942df6 100644
|
||||
index b1adaedade..4dd76fb187 100644
|
||||
--- a/bin/tests/system/feature-test.c
|
||||
+++ b/bin/tests/system/feature-test.c
|
||||
@@ -17,6 +17,7 @@
|
||||
|
@ -103,8 +57,8 @@ index b1adaed..3942df6 100644
|
|||
+ const unsigned char test[] = "test";
|
||||
+ unsigned int size = sizeof(digest);
|
||||
+
|
||||
+ if (isc_md(ISC_MD_MD5, test, sizeof(test),
|
||||
+ digest, &size) == ISC_R_SUCCESS) {
|
||||
+ if (isc_md(ISC_MD_MD5, test, sizeof(test), digest, &size) ==
|
||||
+ ISC_R_SUCCESS) {
|
||||
+ return (0);
|
||||
+ } else {
|
||||
+ return (1);
|
||||
|
@ -115,7 +69,7 @@ index b1adaed..3942df6 100644
|
|||
#if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
|
||||
int s;
|
||||
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
|
||||
index b7d7b38..25c4cb4 100644
|
||||
index b7d7b38107..25c4cb4d8b 100644
|
||||
--- a/bin/tests/system/nsupdate/setup.sh
|
||||
+++ b/bin/tests/system/nsupdate/setup.sh
|
||||
@@ -73,7 +73,11 @@ EOF
|
||||
|
@ -132,7 +86,7 @@ index b7d7b38..25c4cb4 100644
|
|||
$TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key
|
||||
$TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key
|
||||
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
|
||||
index 5adc99c..54e1d53 100755
|
||||
index 5adc99ce5c..54e1d531a6 100755
|
||||
--- a/bin/tests/system/nsupdate/tests.sh
|
||||
+++ b/bin/tests/system/nsupdate/tests.sh
|
||||
@@ -959,7 +959,14 @@ fi
|
||||
|
@ -161,7 +115,7 @@ index 5adc99c..54e1d53 100755
|
|||
done
|
||||
if [ $ret -ne 0 ]; then
|
||||
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
|
||||
index a8793f3..e6714c0 100644
|
||||
index a8793f36d9..e6714c0991 100644
|
||||
--- a/bin/tests/system/rndc/setup.sh
|
||||
+++ b/bin/tests/system/rndc/setup.sh
|
||||
@@ -48,7 +48,7 @@ make_key () {
|
||||
|
@ -174,7 +128,7 @@ index a8793f3..e6714c0 100644
|
|||
make_key 3 ${EXTRAPORT3} hmac-sha224
|
||||
make_key 4 ${EXTRAPORT4} hmac-sha256
|
||||
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
|
||||
index 424ac2b..27219a3 100644
|
||||
index 424ac2befe..27219a3df8 100644
|
||||
--- a/bin/tests/system/rndc/tests.sh
|
||||
+++ b/bin/tests/system/rndc/tests.sh
|
||||
@@ -350,15 +350,19 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
|
@ -207,7 +161,7 @@ index 424ac2b..27219a3 100644
|
|||
n=$((n+1))
|
||||
echo_i "testing rndc with hmac-sha1 ($n)"
|
||||
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
|
||||
index 76cf970..22637af 100644
|
||||
index 76cf970397..22637af901 100644
|
||||
--- a/bin/tests/system/tsig/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/tsig/ns1/named.conf.in
|
||||
@@ -23,10 +23,7 @@ options {
|
||||
|
@ -235,20 +189,31 @@ index 76cf970..22637af 100644
|
|||
key "sha1-trunc" {
|
||||
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
|
||||
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
|
||||
index 34cc73b..d51ff21 100644
|
||||
index 34cc73bf53..6a739f7eb1 100644
|
||||
--- a/bin/tests/system/tsig/setup.sh
|
||||
+++ b/bin/tests/system/tsig/setup.sh
|
||||
@@ -16,3 +16,8 @@
|
||||
@@ -16,3 +16,19 @@
|
||||
$SHELL clean.sh
|
||||
|
||||
copy_setports ns1/named.conf.in ns1/named.conf
|
||||
+
|
||||
+if $FEATURETEST --md5
|
||||
+then
|
||||
+ cat ns1/rndc5.conf.in >> ns1/named.conf
|
||||
+ cat >> ns1/named.conf << EOF
|
||||
+# Conditionally included when support for MD5 is available
|
||||
+key "md5" {
|
||||
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
+ algorithm hmac-md5;
|
||||
+};
|
||||
+
|
||||
+key "md5-trunc" {
|
||||
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
+ algorithm hmac-md5-80;
|
||||
+};
|
||||
+EOF
|
||||
+fi
|
||||
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
|
||||
index 1067227..ee05e83 100644
|
||||
index 106722741c..ee05e838c1 100644
|
||||
--- a/bin/tests/system/tsig/tests.sh
|
||||
+++ b/bin/tests/system/tsig/tests.sh
|
||||
@@ -27,20 +27,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
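Review bot: The heredoc in the new tsig/setup.sh block (`cat >> ns1/named.conf << EOF`) uses an unquoted delimiter, so the shell applies parameter and command substitution to the appended key definitions before they reach named.conf; the present secrets are plain base64 and come through unchanged, but a quoted delimiter, `cat >> ns1/named.conf << 'EOF'`, makes the appended config literal and documents that intent. The `if $FEATURETEST --md5 ... fi` block is complete within the hunk, and its success branch matches the feature-test.c hunk earlier in this section, which returns 0 when `isc_md(ISC_MD_MD5, ...)` succeeds (that function's opening line and the declaration of `digest` lie outside its hunk). A one-line comment above the conditional, e.g. `# hmac-md5 keys are only emitted when the crypto backend still permits MD5; FIPS mode removes it`, would tie the generated block to the rationale given in the commit message.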
|
||||
|
|