1066603 – [RFE] dhcpd is not able to use HMAC-SHA1 or better for dyndns updates

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1066603 - [RFE] dhcpd is not able to use HMAC-SHA1 or better for dyndns updates

Summary: [RFE] dhcpd is not able to use HMAC-SHA1 or better for dyndns updates

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	dhcp
Sub Component:
Version:	6.8
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Pavel Zhukov
QA Contact:	Release Test Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-02-18 17:19 UTC by Tuomo Soini
Modified:	2017-09-05 14:35 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-09-05 14:35:13 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1396985	0	medium	CLOSED	dhcpd only supports insecure HMAC-MD5 algorhitm for DDNS	2021-02-22 00:41:40 UTC

Internal Links: 1396985

Description Tuomo Soini 2014-02-18 17:19:52 UTC

Description of problem:

dhcpd in dhcp-4.1.1-38.P1.el6 is not able to use other algoritms other than hmac-md5 for dyndns updates.

I'd propose dhcp update to later version which is capable to use more secure hmac-sha1, hmac-sha256 and hmac-sha512 algoritms.

According source code hmac-sha1 should be supported but it just doesn't work. Configuring algorhitm: hmac-sha1 causes all dyndns updates to fail with error:

bad DNS key

Comment 2 Jiri Popelka 2014-03-31 09:12:25 UTC

(In reply to Tuomo Soini from comment #0)
> I'd propose dhcp update to later version which is capable to use more secure
> hmac-sha1, hmac-sha256 and hmac-sha512 algoritms.

Do you know which version has this implemented ?
I found https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/797356
where comment #5 says that 4.2.4 still lacks the support.

Comment 3 Tuomo Soini 2014-03-31 10:00:56 UTC

I don't really know - according source code 4.3.0 already supports hmac-sha256.

Comment 4 Jaromír Končický 2014-03-31 11:10:17 UTC

Really? Now I looked into 4.3.0 code and I found those:

common/dns.c:116

 * or by the IANA.  Currently only the HMAC-MD5... key type is
 * supported.

omapip/isclib:282

	/* We only support HMAC_MD5 currently */
	if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) != 0) {
		return(DHCP_R_INVALIDARG);
	}

dhcpctl/remote.c:40

   (currently, only "hmac-md5" is supported).

For me it seems that hmac-sha256 and others are not supported.

Comment 5 Tuomo Soini 2014-03-31 11:22:52 UTC

Actually yes - they only support sha256 for other things but not HMAC-SHA1 or HMAC-SHA256 - how stupid.

Comment 6 Jiri Popelka 2014-03-31 11:53:52 UTC

Thanks both for the investigation.

I'm afraid I have to close this ticket as we can't implement such a security sensitive feature alone - this has to be implemented upstream first - closing as UPSTREAM then.

You can suggest it upstream via dhcp-bugs but be aware that it probably won't get much attention if it's not backed up with patches.

Comment 7 Tuomo Soini 2016-11-21 10:23:44 UTC

I'd like to reopen this issue. HMAC-MD5 is by no means secure, neither is HMAC-SHA1 any more. This issue is fixed by upstream now so I'd suggest backporting this fix.

Upstream commit e4a2cb79b2679738f56b3803a44c9899f6982c09.

Comment 9 Tomáš Hozza 2017-09-05 14:35:13 UTC

Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017.  During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:
http://redhat.com/rhel/lifecycle

This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification.  Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com

Note You need to log in before you can comment on or make changes to this bug.