Merge branch 'feature/main/fips-tests-v9_18' into 'v9_18'

[9.18] FIPS tests changes for RHEL

See merge request isc-projects/bind9!7540

CHANGES

@@ -1,3 +1,6 @@
+6098.	[test]		Don't test HMAC-MD5 when not supported by libcrypto.
+			[GL #3871]
+
 6096.	[bug]		Fix RPZ reference counting error on shutdown in
 			dns__rpz_timer_cb(). [GL #3866]
 

bin/tests/system/acl/tests.sh

@@ -98,7 +98,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
 # and other values? right out
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
-	@10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
+	@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" > dig.out.${t}
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
 
 # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two

bin/tests/system/feature-test.c

@@ -17,6 +17,7 @@
 #include <string.h>
 #include <unistd.h>
 
+#include <isc/md.h>
 #include <isc/net.h>
 #include <isc/print.h>
 #include <isc/util.h>
@@ -37,6 +38,7 @@ usage(void) {
 	fprintf(stderr, "\t--have-json-c\n");
 	fprintf(stderr, "\t--have-libxml2\n");
 	fprintf(stderr, "\t--ipv6only=no\n");
+	fprintf(stderr, "\t--md5\n");
 	fprintf(stderr, "\t--tsan\n");
 	fprintf(stderr, "\t--with-dlz-filesystem\n");
 	fprintf(stderr, "\t--with-libidn2\n");
@@ -143,6 +145,20 @@ main(int argc, char **argv) {
 #endif
 	}
 
+	if (strcmp(argv[1], "--md5") == 0) {
+		unsigned char digest[ISC_MAX_MD_SIZE];
+		const unsigned char test[] = "test";
+		unsigned int size = sizeof(digest);
+
+		if (isc_md(ISC_MD_MD5, test, sizeof(test), digest, &size) ==
+		    ISC_R_SUCCESS)
+		{
+			return (0);
+		} else {
+			return (1);
+		}
+	}
+
 	if (strcmp(argv[1], "--ipv6only=no") == 0) {
 #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
 		int s;

bin/tests/system/nsupdate/setup.sh

@@ -72,7 +72,11 @@ EOF
 
 $TSIGKEYGEN ddns-key.example.nil > ns1/ddns.key
 
-$TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key
+if $FEATURETEST --md5; then
+	$TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key
+else
+	echo -n > ns1/md5.key
+fi
 $TSIGKEYGEN -a hmac-sha1 sha1-key > ns1/sha1.key
 $TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key
 $TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key

bin/tests/system/nsupdate/tests.sh

@@ -841,7 +841,14 @@ fi
 n=$((n + 1))
 ret=0
 echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+if $FEATURETEST --md5
+then
+	ALGS="md5 sha1 sha224 sha256 sha384 sha512"
+else
+	ALGS="sha1 sha224 sha256 sha384 sha512"
+	echo_i "skipping disabled md5 algorithm"
+fi
+for alg in $ALGS; do
     $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
 server 10.53.0.1 ${PORT}
 update add ${alg}.keytests.nil. 600 A 10.10.10.3
@@ -849,7 +856,7 @@ send
 END
 done
 sleep 2
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+for alg in $ALGS; do
     $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
 done
 if [ $ret -ne 0 ]; then

bin/tests/system/rndc/setup.sh

@@ -47,7 +47,7 @@ make_key () {
             sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
 }
 
-make_key 1 ${EXTRAPORT1} hmac-md5
+$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
 make_key 2 ${EXTRAPORT2} hmac-sha1
 make_key 3 ${EXTRAPORT3} hmac-sha224
 make_key 4 ${EXTRAPORT4} hmac-sha256

bin/tests/system/rndc/tests.sh

@@ -350,15 +350,19 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
 n=$((n+1))
-echo_i "testing rndc with hmac-md5 ($n)"
-ret=0
-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
-for i in 2 3 4 5 6
-do
-        $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
-done
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if $FEATURETEST --md5; then
+	echo_i "testing rndc with hmac-md5 ($n)"
+	ret=0
+	$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
+	for i in 2 3 4 5 6
+	do
+	        $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+	done
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=$((status+ret))
+else
+	echo_i "skipping rndc with hmac-md5 ($n)"
+fi
 
 n=$((n+1))
 echo_i "testing rndc with hmac-sha1 ($n)"

bin/tests/system/tsig/ns1/named.conf.in

@@ -23,10 +23,7 @@ options {
 	notify no;
 };
 
-key "md5" {
-	secret "97rnFx24Tfna4mHPfgnerA==";
-	algorithm hmac-md5;
-};
+# md5 key appended by setup.sh at the end
 
 key "sha1" {
 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
@@ -53,10 +50,7 @@ key "sha512" {
 	algorithm hmac-sha512;
 };
 
-key "md5-trunc" {
-	secret "97rnFx24Tfna4mHPfgnerA==";
-	algorithm hmac-md5-80;
-};
+# md5-trunc key appended by setup.sh at the end
 
 key "sha1-trunc" {
 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";

bin/tests/system/tsig/setup.sh

@@ -16,3 +16,19 @@
 $SHELL clean.sh
 
 copy_setports ns1/named.conf.in ns1/named.conf
+
+if $FEATURETEST --md5
+then
+	cat >> ns1/named.conf << EOF
+# Conditionally included when support for MD5 is available
+key "md5" {
+        secret "97rnFx24Tfna4mHPfgnerA==";
+        algorithm hmac-md5;
+};
+
+key "md5-trunc" {
+        secret "97rnFx24Tfna4mHPfgnerA==";
+        algorithm hmac-md5-80;
+};
+EOF
+fi

bin/tests/system/tsig/tests.sh

@@ -27,20 +27,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
 
 status=0
 
-echo_i "fetching using hmac-md5 (old form)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
-	echo_i "failed"; status=1
-fi
+if $FEATURETEST --md5
+then
+	echo_i "fetching using hmac-md5 (old form)"
+	ret=0
+	$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
+	grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
+	if [ $ret -eq 1 ] ; then
+		echo_i "failed"; status=1
+	fi
 
-echo_i "fetching using hmac-md5 (new form)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
-	echo_i "failed"; status=1
+	echo_i "fetching using hmac-md5 (new form)"
+	ret=0
+	$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
+	grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
+	if [ $ret -eq 1 ] ; then
+		echo_i "failed"; status=1
+	fi
+else
+	echo_i "skipping using hmac-md5"
 fi
 
 echo_i "fetching using hmac-sha1"
@@ -88,12 +93,17 @@ fi
 #	Truncated TSIG
 #
 #
-echo_i "fetching using hmac-md5 (trunc)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
-	echo_i "failed"; status=1
+if $FEATURETEST --md5
+then
+	echo_i "fetching using hmac-md5 (trunc)"
+	ret=0
+	$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
+	grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
+	if [ $ret -eq 1 ] ; then
+		echo_i "failed"; status=1
+	fi
+else
+	echo_i "skipping using hmac-md5 (trunc)"
 fi
 
 echo_i "fetching using hmac-sha1 (trunc)"
@@ -142,12 +152,17 @@ fi
 #	Check for bad truncation.
 #
 #
-echo_i "fetching using hmac-md5-80 (BADTRUNC)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
-	echo_i "failed"; status=1
+if $FEATURETEST --md5
+then
+	echo_i "fetching using hmac-md5-80 (BADTRUNC)" 
+	ret=0
+	$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
+	grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
+	if [ $ret -eq 1 ] ; then
+		echo_i "failed"; status=1
+	fi
+else
+	echo_i "skipping using hmac-md5-80 (BADTRUNC)" 
 fi
 
 echo_i "fetching using hmac-sha1-80 (BADTRUNC)"