diff --git a/bind-9.11-fips-disable.patch b/bind-9.11-fips-disable.patch index 525316a..afe9564 100644 --- a/bind-9.11-fips-disable.patch +++ b/bind-9.11-fips-disable.patch @@ -1,4 +1,4 @@ -From df23c869f8973bc9494dcdc86ef46070d8194897 Mon Sep 17 00:00:00 2001 +From 83b889c238282b210f874a3ad81bb56299767495 Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Mon, 5 Aug 2019 11:54:03 +0200 Subject: [PATCH] Allow explicit disabling of autodisabled MD5 @@ -9,15 +9,22 @@ RSAMD5 is included in security policy, it fails to start, because that algorithm is not recognized. Allow it disabled, but fail on any other usage. --- - bin/named/server.c | 2 +- - lib/dns/rcode.c | 31 +++++++++++++------------------ - 2 files changed, 14 insertions(+), 19 deletions(-) + bin/named/server.c | 4 ++-- + lib/bind9/check.c | 4 ++++ + lib/dns/rcode.c | 33 +++++++++++++++------------------ + 3 files changed, 21 insertions(+), 20 deletions(-) diff --git a/bin/named/server.c b/bin/named/server.c -index 3cd49a9..ef82d89 100644 +index 5b57371..51702ab 100644 --- a/bin/named/server.c +++ b/bin/named/server.c -@@ -1551,7 +1551,7 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) { +@@ -1547,12 +1547,12 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) { + r.length = strlen(r.base); + + result = dns_secalg_fromtext(&alg, &r); +- if (result != ISC_R_SUCCESS) { ++ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) { + uint8_t ui; result = isc_parse_uint8(&ui, r.base, 10); alg = ui; } 
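Review bot: The new guard `if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {` in disable_algorithms() skips the isc_parse_uint8() fallback on ISC_R_DISABLED, so `alg` is only valid on that path because dns_secalg_fromtext() now stores the parsed value before returning ISC_R_DISABLED (the rcode.c hunk in this same change); that coupling is invisible at this call site. A one-line comment above the condition would make the dependency explicit, e.g. `/* ISC_R_DISABLED: the name was recognized but its digest is unavailable; alg is already set and disabling it must still be allowed. */`. The later result check that consumes ISC_R_DISABLED, and the rest of the function, lie outside this hunk.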
@@ -26,8 +33,23 @@ index 3cd49a9..ef82d89 100644 cfg_obj_log(cfg_listelt_value(element), ns_g_lctx, ISC_LOG_ERROR, "invalid algorithm"); +diff --git a/lib/bind9/check.c b/lib/bind9/check.c +index e0803d4..8023784 100644 +--- a/lib/bind9/check.c ++++ b/lib/bind9/check.c +@@ -302,6 +302,10 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) { + r.length = strlen(r.base); + + tresult = dns_secalg_fromtext(&alg, &r); ++ if (tresult == ISC_R_DISABLED) { ++ // Recognize disabled algorithms, disable it explicitly ++ tresult = ISC_R_SUCCESS; ++ } + if (tresult != ISC_R_SUCCESS) { + cfg_obj_log(cfg_listelt_value(element), logctx, + ISC_LOG_ERROR, "invalid algorithm '%s'", diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c -index f51d548..8dbb12d 100644 +index f51d548..c49b8d1 100644 --- a/lib/dns/rcode.c +++ b/lib/dns/rcode.c @@ -126,7 +126,6 @@ @@ -46,7 +68,7 @@ index f51d548..8dbb12d 100644 static struct tbl secprotos[] = { SECPROTONAMES }; static struct tbl hashalgs[] = { HASHALGNAMES }; static struct tbl dsdigests[] = { DSDIGESTNAMES }; -@@ -358,33 +358,28 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) { +@@ -358,33 +358,30 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) { return (dns_mnemonic_totext(cert, target, certs)); } @@ -72,14 +94,16 @@ index f51d548..8dbb12d 100644 - RETERR(dns_mnemonic_fromtext(&value, source, - secalgs_tbl_start(), 0xff)); + result = dns_mnemonic_fromtext(&value, source, -+ secalgs, 0xff); ++ secalgs, 0xff); + if (result != ISC_R_SUCCESS) { + result = dns_mnemonic_fromtext(&value, source, -+ md5_secalgs, 0xff); ++ md5_secalgs, 0xff); + if (result != ISC_R_SUCCESS) { + return (result); -+ } else if (!isc_md5_available()) ++ } else if (!isc_md5_available()) { ++ *secalgp = value; + return (ISC_R_DISABLED); ++ } + } *secalgp = value; return (ISC_R_SUCCESS); diff --git a/bind.spec b/bind.spec index e542efb..6473bea 100644 --- a/bind.spec +++ b/bind.spec 
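Review bot: The added block in disabled_algorithms() folds ISC_R_DISABLED into ISC_R_SUCCESS, which is the intended outcome for a disable list, but the comment `// Recognize disabled algorithms, disable it explicitly` does not say why the mapping is safe. Suggest `/* ISC_R_DISABLED: the name is known but its digest is unavailable (e.g. FIPS mode); listing it here to disable it is still a valid configuration. */`. The `//` form also looks out of place if the rest of check.c uses `/* */` comments, which I cannot confirm from the hunk. The enclosing function continues outside the hunk.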
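Review bot: dns_secalg_fromtext() now writes `*secalgp = value;` before returning ISC_R_DISABLED, so ISC_R_DISABLED is no longer an error on which the output parameter is left untouched; this changed contract is exactly what the server.c caller relies on, and it should be stated next to the store and in the function's declaration comment, which is outside this hunk. Suggest `/* Publish the parsed value even though the algorithm is unavailable: callers may still need it to disable the algorithm explicitly. */` above the assignment. The `else` after `return (result);` is redundant and could be dropped for a flatter shape; the function's signature and opening lines are outside the hunk.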
@@ -62,7 +62,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.13 -Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 2%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -1571,6 +1571,9 @@ fi; %changelog +* Tue Nov 26 2019 Petr Menšík - 32:9.11.13-2 +- Complete explicit disabling of RSAMD5 in FIPS mode (#1709553) + * Tue Nov 19 2019 Petr Menšík - 32:9.11.13-1 - Update to 9.11.13