dhcp server does not support HMAC-SHA256

Bug #797356 reported by Mike Power
This bug affects 3 people

Affects: isc-dhcp (Ubuntu)
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned

Bug Description

It seems the isc-dhcp server either does not support HMAC-SHA256 or it is broken.

Steps to reproduce
Set up DDNS using isc-dhcp and bind9. Use an HMAC-MD5 key between dhcp and bind.
Confirm that the setup is working. Then repeat these steps:

mpower@dodtsair:~/temp$ dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST dhcp
Kdhcp.+163+35012
mpower@dodtsair:~/temp$ cat Kdhcp.+163+35012.*
dhcp. IN KEY 512 3 163 N1fUVe1skmNjDOhlkbBbGOFiHHIah9kIUuw9Oj5e/34=
Private-key-format: v1.3
Algorithm: 163 (HMAC_SHA256)
Key: N1fUVe1skmNjDOhlkbBbGOFiHHIah9kIUuw9Oj5e/34=
Bits: AAA=
Created: 20110614185327
Publish: 20110614185327
Activate: 20110614185327
mpower@dodtsair:~/temp$ sudo vim /etc/dhcp/dhcpd.conf
mpower@dodtsair:~/temp$ sudo cat /etc/dhcp/dhcpd.conf
...
#key dhcp {
# algorithm HMAC-MD5;
# secret "######################################";
#};

key dhcp {
        algorithm HMAC-SHA256;
        secret "N1fUVe1skmNjDOhlkbBbGOFiHHIah9kIUuw9Oj5e/34=";
};
...
mpower@dodtsair:~/temp$ sudo vim /etc/bind/named.conf.d/localnet.conf
mpower@dodtsair:~/temp$ sudo cat /etc/bind/named.conf.d/localnet.conf
...
#key dhcp {
# algorithm HMAC-MD5;
# secret "#####################################";
#};

key dhcp {
 algorithm HMAC-SHA256;
 secret "N1fUVe1skmNjDOhlkbBbGOFiHHIah9kIUuw9Oj5e/34=";
};
...
mpower@dodtsair:~/temp$ sudo /etc/init.d/bind9 restart
 * Stopping domain name service... bind9 [ OK ]
 * Starting domain name service... bind9 [ OK ]
mpower@dodtsair:~/temp$ sudo /etc/init.d/isc-dhcp-server restart
 * Stopping ISC DHCP server dhcpd [ OK ]
 * Starting ISC DHCP server dhcpd [ OK ]

tail -f /var/log/syslog
...
Jun 14 11:58:51 dodtsair dhcpd: if ubuntu1104.localnet. IN TXT "00e1de827daf7686f48ceb1c68e524f0bb" rrset exists and ubuntu1104.localnet. IN A 192.168.122.2 rrset exists delete ubuntu1104.localnet. IN A 192.168.122.2: bad DNS key.
Jun 14 11:58:51 dodtsair dhcpd: DHCPREQUEST for 192.168.122.2 from 52:54:00:0e:b5:00 via virbr0
Jun 14 11:58:51 dodtsair dhcpd: DHCPACK on 192.168.122.2 to 52:54:00:0e:b5:00 (ubuntu1104) via virbr0
...
HMAC-MD5 works; HMAC-SHA256 does not. MD5 is fairly broken, SHA1 is on the way out. SHA256 is next on my list of secure hashes to use.

Note also the dhcp server's cryptic error message "bad DNS key". DHCP should verify that it supports the key algorithm on start-up, not on first use. It should also state something more like "bad DNS key algorithm: HMAC-SHA256, not supported by dhcpd".

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: isc-dhcp-server 4.1.1-P1-15ubuntu9
ProcVersionSignature: Ubuntu 2.6.38-8.42-generic 2.6.38.2
Uname: Linux 2.6.38-8-generic x86_64
Architecture: amd64
Date: Tue Jun 14 12:00:03 2011
ProcEnviron:
 LANGUAGE=en_US:en
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: isc-dhcp
UpgradeStatus: Upgraded to natty on 2011-05-17 (28 days ago)
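As an added example (not code from the bug report, Ubuntu or ISC), a small Python preflight that does by script what the reporter did by hand: parse the dnssec-keygen .private file, render the key stanza that dhcpd.conf and named.conf share, and warn when the algorithm is one this dhcpd build will not sign with, so the mismatch surfaces before the first DDNS update rather than as "bad DNS key" in syslog. The set of algorithms dhcpd accepts (HMAC-MD5 only) is an assumption taken from this thread; the sample key file and dhcpd.conf fragment are constructed from the report.

```python
"""Added example, not code from the bug report, Ubuntu or ISC.

Turns a dnssec-keygen TSIG key file into the `key` stanza shared by
dhcpd.conf and named.conf, and preflights the algorithm against what this
dhcpd build is known to sign with, so the mismatch shows up before the
first DDNS update instead of as "bad DNS key" in syslog."""
import base64
import re

# IANA DNS security algorithm numbers that dnssec-keygen writes for HMAC
# keys ("Algorithm: <number> (<NAME>)" in the .private file).
HMAC_ALGORITHMS = {
    157: "HMAC-MD5",
    161: "HMAC-SHA1",
    162: "HMAC-SHA224",
    163: "HMAC-SHA256",
    164: "HMAC-SHA384",
    165: "HMAC-SHA512",
}

# Assumption taken from this thread: the isc-dhcp-server builds discussed
# (4.1.1-P1 and 4.2.4) only sign updates with HMAC-MD5.
DHCPD_SUPPORTED = {"HMAC-MD5"}

# Constructed sample modelled on Kdhcp.+163+35012.private from the report.
SAMPLE_PRIVATE = """\
Private-key-format: v1.3
Algorithm: 163 (HMAC_SHA256)
Key: N1fUVe1skmNjDOhlkbBbGOFiHHIah9kIUuw9Oj5e/34=
Bits: AAA=
Created: 20110614185327
Publish: 20110614185327
Activate: 20110614185327
"""

# Constructed dhcpd.conf fragment: the commented-out MD5 stanza must be
# ignored, the live SHA256 stanza must be checked.
SAMPLE_DHCPD_CONF = """\
#key dhcp {
# algorithm HMAC-MD5;
# secret "######################################";
#};

key dhcp {
        algorithm HMAC-SHA256;
        secret "N1fUVe1skmNjDOhlkbBbGOFiHHIah9kIUuw9Oj5e/34=";
};
"""


def parse_private_key(text):
    """Return (algorithm name, base64 secret) from a .private file body."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    match = re.match(r"(\d+)", fields.get("Algorithm", ""))
    if not match:
        raise ValueError("no Algorithm line in key file")
    number = int(match.group(1))
    if number not in HMAC_ALGORITHMS:
        raise ValueError("algorithm %d is not an HMAC (TSIG) algorithm" % number)
    secret = fields.get("Key", "")
    base64.b64decode(secret, validate=True)  # raises on a mangled secret
    return HMAC_ALGORITHMS[number], secret


def key_stanza(name, algorithm, secret, indent="        "):
    """Render the stanza; the syntax is the same for dhcpd.conf and named.conf."""
    return 'key %s {\n%salgorithm %s;\n%ssecret "%s";\n};\n' % (
        name, indent, algorithm, indent, secret)


def preflight(algorithm, supported=DHCPD_SUPPORTED):
    """Return a list of problems; empty means dhcpd will sign with this key."""
    if algorithm.upper() not in supported:
        return ["dhcpd here signs only with %s; a %s key fails at the first "
                "update (logged as 'bad DNS key' or 'Unable to create tsec "
                "structure'), not at start-up"
                % (", ".join(sorted(supported)), algorithm)]
    return []


def check_dhcpd_conf(conf_text, supported=DHCPD_SUPPORTED):
    """Find every live key stanza in a dhcpd.conf and preflight its algorithm.

    Returns a list of (key name, algorithm, problems)."""
    # Drop '#' comments so a commented-out stanza is not reported.
    stripped = "\n".join(line.split("#", 1)[0] for line in conf_text.splitlines())
    results = []
    for match in re.finditer(r"\bkey\s+(\S+)\s*\{([^}]*)\}", stripped):
        name, body = match.group(1), match.group(2)
        algo = re.search(r"algorithm\s+([\w-]+)\s*;", body)
        algorithm = algo.group(1) if algo else "(missing)"
        results.append((name, algorithm, preflight(algorithm, supported)))
    return results


if __name__ == "__main__":
    algorithm, secret = parse_private_key(SAMPLE_PRIVATE)
    print(key_stanza("dhcp", algorithm, secret))
    for name, algo, problems in check_dhcpd_conf(SAMPLE_DHCPD_CONF):
        print(name, algo, problems or "ok")
```

Run it against the real files by reading `/etc/dhcp/dhcpd.conf` and the `K*.private` file into the two functions; when a dhcpd build gains other HMAC algorithms, extend `DHCPD_SUPPORTED` rather than the parser.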

Revision history for this message
Mike Power (mpower) wrote :
security vulnerability: yes → no
visibility: private → public
Stéphane Graber (stgraber) wrote :

Ubuntu is certainly not going to do any implementation work on this, though 4.2 will soon land in 12.10 and it'll be interesting to know whether hmac-sha256 is included in that release.

Quickly scanning through the code I couldn't easily find which algorithms are supported, though there clearly isn't any reference to sha256 in there.

I'd strongly recommend sending an e-mail to upstream (isc) about that feature request as they're the most likely to implement it.

summary: - dchp server does not support HMAC-SHA256
+ dhcp server does not support HMAC-SHA256
Changed in isc-dhcp (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist
Stéphane Graber (stgraber) wrote :

Moving to incomplete until we know whether it still affects 4.2.

Changed in isc-dhcp (Ubuntu):
status: Triaged → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for isc-dhcp (Ubuntu) because there has been no activity for 60 days.]

Changed in isc-dhcp (Ubuntu):
status: Incomplete → Expired
Falcon Darkstar Momot (falcon-p) wrote :

I find that this bug continues to exist in isc-dhcpd-4.2.4.

Also, it affects not only HMAC-SHA256, but HMAC-SHA{1,224,256,384,512}. The only working algorithm is HMAC-MD5, which we don't want to use for obvious reasons.

If another algorithm is specified, the server prints to the syslog that it is "Unable to create tsec structure for %s", and all future DNS updates are sent only unauthenticated, and are not retried after being refused. It no longer reports "bad DNS key", but it does warn that the tsec is missing each time it attempts an update.

tags: added: saucy
removed: natty
Changed in isc-dhcp (Ubuntu):
status: Expired → Confirmed
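As an added example (not from the thread, Ubuntu or ISC), the detection side of the failure mode just described: a Python scanner over dhcpd syslog lines that flags both signatures, 4.1's "bad DNS key" on the failed update and 4.2.4's "Unable to create tsec structure for <key>", so a loss of signed updates is noticed rather than quietly degrading to unsigned, refused updates. The first sample line is the syslog line from the report; the "Unable to create tsec structure" line is constructed from the message text quoted in the comment, and its exact surrounding layout is an assumption.

```python
"""Added example, not code from the thread, Ubuntu or ISC.

Scans dhcpd syslog lines for the two signatures reported here when the
configured TSIG key cannot be used: 4.1's "bad DNS key" on the failed
update, and 4.2.4's "Unable to create tsec structure for <key>", after
which updates go out unsigned and are refused by named."""
import re

# "... delete <fqdn> IN A <ip>: bad DNS key." as logged by dhcpd 4.1
BAD_KEY_RE = re.compile(
    r"dhcpd(?:\[\d+\])?: .*delete (\S+) IN A (\S+): bad DNS key\.?\s*$")
# "Unable to create tsec structure for <key>" as described for 4.2.4;
# the exact line layout around the message is an assumption.
NO_TSEC_RE = re.compile(
    r"dhcpd(?:\[\d+\])?: Unable to create tsec structure for (\S+)")

# Constructed sample: line 1 is the syslog line quoted in the report, the
# DHCPREQUEST/DHCPACK lines are noise the scanner must ignore, and the
# last line is a constructed 4.2.4-style message.
SAMPLE_LOG = """\
Jun 14 11:58:51 dodtsair dhcpd: if ubuntu1104.localnet. IN TXT "00e1de827daf7686f48ceb1c68e524f0bb" rrset exists and ubuntu1104.localnet. IN A 192.168.122.2 rrset exists delete ubuntu1104.localnet. IN A 192.168.122.2: bad DNS key.
Jun 14 11:58:51 dodtsair dhcpd: DHCPREQUEST for 192.168.122.2 from 52:54:00:0e:b5:00 via virbr0
Jun 14 11:58:51 dodtsair dhcpd: DHCPACK on 192.168.122.2 to 52:54:00:0e:b5:00 (ubuntu1104) via virbr0
Jun 14 12:03:07 dodtsair dhcpd: Unable to create tsec structure for dhcp
"""


def classify(line):
    """Return ("bad_dns_key", host, ip), ("no_tsec", keyname) or None."""
    match = BAD_KEY_RE.search(line)
    if match:
        return ("bad_dns_key", match.group(1), match.group(2))
    match = NO_TSEC_RE.search(line)
    if match:
        return ("no_tsec", match.group(1))
    return None


def scan(text):
    """Summarise TSIG failures in a block of syslog text.

    'alert' is set when any signed-update failure was seen: from then on
    DNS is either stale (4.1) or being updated unsigned and refused (4.2.4)."""
    summary = {"bad_dns_key": 0, "no_tsec": 0,
               "hosts": set(), "keys": set(), "alert": False}
    for line in text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        if hit[0] == "bad_dns_key":
            summary["bad_dns_key"] += 1
            summary["hosts"].add(hit[1])
        else:
            summary["no_tsec"] += 1
            summary["keys"].add(hit[1])
    summary["alert"] = (summary["bad_dns_key"] + summary["no_tsec"]) > 0
    return summary


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Feed it `tail -f /var/log/syslog` output, or run it over a rotated log, and page on `alert`; the `hosts` and `keys` sets tell you which leases never made it into DNS and which key stanza to fix.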
Falcon Darkstar Momot (falcon-p) wrote :

Apparently support has in fact been provided by upstream, which makes it all the more mysterious that it is lacking. Evidence:

http://isc-dhcp.sourcearchive.com/documentation/4.2.2/hmacsha_8c_source.html
