Bug 1066603

Summary: [RFE] dhcpd is not able to use HMAC-SHA1 or better for dyndns updates
Product: Red Hat Enterprise Linux 6
Reporter: Tuomo Soini <tis>
Component: dhcp
Assignee: Pavel Zhukov <pzhukov>
Status: CLOSED WONTFIX
QA Contact: Release Test Team <release-test-team-automation>
Severity: low
Docs Contact:
Priority: low
Version: 6.8
CC: jkoncick, jpopelka, thozza, tis
Target Milestone: rc
Keywords: FutureFeature, Reopened
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-09-05 14:35:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Tuomo Soini 2014-02-18 17:19:52 UTC
Description of problem:

dhcpd in dhcp-4.1.1-38.P1.el6 is not able to use any algorithm other than hmac-md5 for dyndns updates.

I'd propose a dhcp update to a later version which is capable of using the more secure hmac-sha1, hmac-sha256 and hmac-sha512 algorithms.

According to the source code hmac-sha1 should be supported but it just doesn't work. Configuring algorithm: hmac-sha1 causes all dyndns updates to fail with error:

bad DNS key

Comment 2 Jiri Popelka 2014-03-31 09:12:25 UTC
(In reply to Tuomo Soini from comment #0)
> I'd propose a dhcp update to a later version which is capable of using the more secure
> hmac-sha1, hmac-sha256 and hmac-sha512 algorithms.

Do you know which version has this implemented?
I found https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/797356
where comment #5 says that 4.2.4 still lacks the support.

Comment 3 Tuomo Soini 2014-03-31 10:00:56 UTC
I don't really know - according to the source code 4.3.0 already supports hmac-sha256.

Comment 4 Jaromír Končický 2014-03-31 11:10:17 UTC
Really? I've now looked into the 4.3.0 code and found these:

common/dns.c:116

 * or by the IANA.  Currently only the HMAC-MD5... key type is
 * supported.

omapip/isclib:282

	/* We only support HMAC_MD5 currently */
	if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) != 0) {
		return(DHCP_R_INVALIDARG);
	}

dhcpctl/remote.c:40

   (currently, only "hmac-md5" is supported).

To me it seems that hmac-sha256 and the others are not supported.

Comment 5 Tuomo Soini 2014-03-31 11:22:52 UTC
Actually yes - they only support sha256 for other things but not HMAC-SHA1 or HMAC-SHA256 - how stupid.

Comment 6 Jiri Popelka 2014-03-31 11:53:52 UTC
Thanks both for the investigation.

I'm afraid I have to close this ticket, as we can't implement such a security-sensitive feature alone; this has to be implemented upstream first. Closing as UPSTREAM then.

You can suggest it upstream via dhcp-bugs, but be aware that it probably won't get much attention if it isn't backed up with patches.

Comment 7 Tuomo Soini 2016-11-21 10:23:44 UTC
I'd like to reopen this issue. HMAC-MD5 is by no means secure, and neither is HMAC-SHA1 any more. This issue has been fixed upstream now, so I'd suggest backporting that fix.

Upstream commit e4a2cb79b2679738f56b3803a44c9899f6982c09.
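
To audit an existing configuration for the MD5-only situation described in comment 4 and the "HMAC-MD5/HMAC-SHA1 no longer acceptable" point from comment 7, here is an added example (not code from ISC dhcp or from this bug report) that extracts every `key` stanza from a dhcpd.conf fragment and rates its TSIG algorithm. The configuration fragment and its secrets are constructed placeholders, and the weak/ok ratings are this example's own policy.

```python
import re
from dataclasses import dataclass

# Constructed dhcpd.conf fragment (not from the bug report); the secrets are
# placeholders, not real key material.
SAMPLE_CONF = """
ddns-update-style interim;
key DHCP_UPDATER {
    algorithm hmac-md5;
    secret "PLACEHOLDER_BASE64_SECRET==";
};
key dyndns-sha256 {
    algorithm HMAC-SHA256;
    secret "PLACEHOLDER_BASE64_SECRET==";
};
zone example.com. {
    primary 127.0.0.1;
    key dyndns-sha256;
}
"""

# Policy used by this example: the reporter (comment 7) treats HMAC-MD5 and
# HMAC-SHA1 as no longer secure; the SHA-2 family is what was requested.
RATING = {
    "hmac-md5": "weak", "hmac-sha1": "weak",
    "hmac-sha224": "ok", "hmac-sha256": "ok",
    "hmac-sha384": "ok", "hmac-sha512": "ok",
}

# Matches `key NAME { ... };` definitions only; a `key NAME;` reference inside
# a zone block has no brace after the name and is skipped.
KEY_BLOCK = re.compile(r'\bkey\s+(\S+)\s*\{(.*?)\}\s*;', re.S)

@dataclass
class TsigKey:
    name: str
    algorithm: str  # lower-cased: dhcpd compares the name with strcasecmp
    rating: str     # "weak", "ok" or "unknown"

def parse_keys(conf: str) -> list[TsigKey]:
    """Return one TsigKey per key stanza found in the configuration text."""
    keys = []
    for name, body in KEY_BLOCK.findall(conf):
        m = re.search(r'\balgorithm\s+([\w-]+)\s*;', body, re.I)
        alg = m.group(1).lower() if m else "unspecified"
        keys.append(TsigKey(name, alg, RATING.get(alg, "unknown")))
    return keys

def flagged_keys(conf: str) -> list[str]:
    """Names of keys that are weak, unspecified or use an unrecognised name."""
    return [k.name for k in parse_keys(conf) if k.rating != "ok"]
```

On a dhcp-4.1.1 server any key rated "ok" here would still be rejected with "bad DNS key", so the audit shows what must change once the backport lands, not what the old daemon will accept.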

Comment 9 Tomáš Hozza 2017-09-05 14:35:13 UTC
Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017.  During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:
http://redhat.com/rhel/lifecycle

This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification.  Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com