From e3e20ed76e4b13d5cb66718cb8f75538e3290a50 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Tue, 27 Jun 2023 14:24:40 +1000
Subject: [PATCH] Emit deprecated warning for K* file pairs

We try reading the same file using different methods so only emit a warning if we successfully read the file.
---
 bin/tests/system/nsupdate/clean.sh | 1 +
 bin/tests/system/nsupdate/tests.sh | 3 ++-
 bin/tests/system/tsig/tests.sh | 18 ++++++++++++------
 lib/dns/hmac_link.c | 13 ++++++++++++-
 4 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh
index 9c67956938..1928de89ac 100644
--- a/bin/tests/system/nsupdate/clean.sh
+++ b/bin/tests/system/nsupdate/clean.sh
@@ -70,6 +70,7 @@ rm -f ns9/denyname.example.db
 rm -f ns9/example.com.db
 rm -f ns9/in-addr.db
 rm -f perl.update_test.out
+rm -f nsupdate.alg-*
 rm -f nsupdate.out*
 rm -f typelist.out.*
 rm -f update.out.*
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index eae4cdf338..c8de7911b2 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -1022,7 +1022,7 @@ else
 echo_i "skipping disabled md5 (157) algorithm"
 fi
 for alg in $ALGS; do
- $NSUPDATE -k ns1/legacy/Klegacy-${alg}.+${alg}+*.key < /dev/null || ret=1
+ $NSUPDATE -k ns1/legacy/Klegacy-${alg}.+${alg}+*.key < nsupdate.alg-$alg.out 2>&1 || ret=1
 server 10.53.0.1 ${PORT}
 update add ${alg}.keytests.nil. 600 A 10.10.10.3
 send
@@ -1031,6 +1031,7 @@ done
 sleep 2
 for alg in $ALGS; do
 $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
+ grep "Use of K\* file pairs for HMAC is deprecated" nsupdate.alg-$alg.out > /dev/null || ret=1
 done
 if [ $ret -ne 0 ]; then
 echo_i "failed"
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
index 42ee16cf54..9791283778 100644
--- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh
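Review bot: The expected warning text in the new grep of the second nsupdate hunk (`@@ -1031,6 +1031,7 @@`) is the same literal that the six legacy cases in tsig/tests.sh repeat verbatim, and it is also the exact string hmac_link.c emits, so any rewording of the message has to be tracked across eight greps in three files. Defining it once per script, e.g. `DEPRECATED_MSG='Use of K\* file pairs for HMAC is deprecated'` near the top and `grep "$DEPRECATED_MSG" nsupdate.alg-$alg.out > /dev/null || ret=1`, keeps that contract in one place. When the new grep fails it also sets the same `ret=1` as the `$DIG` lookup on the line above it, so the test log does not say which algorithm or which of the two checks tripped; an `echo_i "no deprecation warning for $alg"` before `ret=1` would help when reading the output. Both nsupdate hunks are top-level script code inside the `for alg in $ALGS` loops, not inside a function.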
@@ -261,8 +261,9 @@ if $FEATURETEST --md5
 then
 echo_i "fetching using hmac-md5 (legacy)"
 ret=0
- $DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-md5-legacy.+*.key @10.53.0.1 soa > dig.out.md5.legacy || ret=1
+ $DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-md5-legacy.+*.key @10.53.0.1 soa > dig.out.md5.legacy 2>&1 || ret=1
 grep -i "md5.*TSIG.*NOERROR" dig.out.md5.legacy > /dev/null || ret=1
+ grep "Use of K\* file pairs for HMAC is deprecated" dig.out.md5.legacy > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
 echo_i "failed"; status=1
 fi
@@ -272,39 +273,44 @@ fi
 echo_i "fetching using hmac-sha1 (legacy)"
 ret=0
-$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha1-legacy.+*.key @10.53.0.1 soa > dig.out.sha1.legacy || ret=1
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha1-legacy.+*.key @10.53.0.1 soa > dig.out.sha1.legacy 2>&1 || ret=1
 grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.legacy > /dev/null || ret=1
+grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha1.legacy > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
 echo_i "failed"; status=1
 fi
 echo_i "fetching using hmac-sha224 (legacy)"
 ret=0
-$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha224-legacy.+*.key @10.53.0.1 soa > dig.out.sha224 || ret=1
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha224-legacy.+*.key @10.53.0.1 soa > dig.out.sha224 2>&1 || ret=1
 grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 > /dev/null || ret=1
+grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha224 > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
 echo_i "failed"; status=1
 fi
 echo_i "fetching using hmac-sha256 (legacy)"
 ret=0
-$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha256-legacy.*.key @10.53.0.1 soa > dig.out.sha256 || ret=1
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha256-legacy.*.key @10.53.0.1 soa > dig.out.sha256 2>&1 || ret=1
 grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 > /dev/null || ret=1
+grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha256 > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
 echo_i "failed"; status=1
 fi
 echo_i "fetching using hmac-sha384 (legacy)"
 ret=0
-$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha384-legacy.*.key @10.53.0.1 soa > dig.out.sha384 || ret=1
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha384-legacy.*.key @10.53.0.1 soa > dig.out.sha384 2>&1 || ret=1
 grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 > /dev/null || ret=1
+grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha384 > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
 echo_i "failed"; status=1
 fi
 echo_i "fetching using hmac-sha512 (legacy)"
 ret=0
-$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha512-legacy.*.key @10.53.0.1 soa > dig.out.sha512 || ret=1
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha512-legacy.*.key @10.53.0.1 soa > dig.out.sha512 2>&1 || ret=1
+grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha512 > /dev/null || ret=1
 grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
 echo_i "failed"; status=1
diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
index 2c900080b8..c8c806df97 100644
--- a/lib/dns/hmac_link.c
+++ b/lib/dns/hmac_link.c
@@ -32,6 +32,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -99,7 +100,17 @@
 } \
 static isc_result_t hmac##alg##_parse( \
 dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { \
- return (hmac_parse(ISC_MD_##alg, key, lexer, pub)); \
+ const char *file = isc_lex_getsourcename(lexer); \
+ isc_result_t result; \
+ result = hmac_parse(ISC_MD_##alg, key, lexer, pub); \
+ if (result == ISC_R_SUCCESS && file != NULL) { \
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, \
+ DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING, \
+ "%s: Use of K* file pairs for HMAC is " \
+ "deprecated\n", \
+ file); \
+ } \
+ return (result); \
 } \
 static dst_func_t hmac##alg##_functions = { \
 hmac##alg##_createctx, \
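Review bot: In the hmac-sha512 case at the end of this hunk the new deprecation grep is placed before the existing `grep -i "sha512.*TSIG.*NOERROR"` line, whereas in the sha1, sha224, sha256 and sha384 cases (and the md5 hunk above) it follows the NOERROR check; moving the added line below `grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 > /dev/null || ret=1` keeps the five cases uniform and lets one case be diffed against another cleanly. The `2>&1` added on each `$DIG` line is what makes the warning checkable, since it mixes dig's stderr into the file the NOERROR grep reads; the warning line itself contains neither `TSIG` nor `NOERROR`, so it cannot satisfy that first grep by accident. These are top-level script lines, not inside a function.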
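Review bot: The `file != NULL` test in the new `hmac##alg##_parse` body is the only thing that decides whether the deprecation warning fires, so it distinguishes a K* file pair from other lexer sources only if `isc_lex_getsourcename` returns NULL for non-file sources; if buffer-backed sources also carry a name, every successful HMAC parse from such a source would log a misleading warning — confirm that, or have the caller that actually reads K* pairs make the decision. `file` is captured before `hmac_parse` consumes the lexer, which is safe only while the source stays open until the `isc_log_write` call; presumably the caller owns and later destroys the lexer, but that is worth confirming. The `\n` at the end of the format string looks out of place for a logging call: if the log channel appends its own line terminator, each warning is followed by a blank line, and `"deprecated",` without the newline should suffice. The `#include` hunk above lost its header names in rendering, so the new include cannot be checked here. The enclosing macro begins before this hunk; the parse function itself is fully inside it.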