Permit explicit disabling of RSAMD5 in FIPS mode (#1709553)

When MD5 is disabled in library, it behaved like RSAMD5 were unknown. But security-policy disables it explicitly. It failed to even start in FIPS mode, because such algorithm were unknown. Fix disabled algorithm to return disabled result code. Accept such algorithm only when disabling it. Signed-off-by: Petr Menšík <pemensik@redhat.com>
2019-08-08 13:51:16 +02:00 · 2019-08-08 13:51:16 +02:00 · dab22dd2c2
commit dab22dd2c2
parent fac5ed036c
2 changed files with 103 additions and 1 deletions
--- a/bind-9.11-fips-disable.patch
+++ b/bind-9.11-fips-disable.patch
@ -0,0 +1,97 @@
+From df23c869f8973bc9494dcdc86ef46070d8194897 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Mon, 5 Aug 2019 11:54:03 +0200
+Subject: [PATCH] Allow explicit disabling of autodisabled MD5
+
+Default security policy might include explicitly disabled RSAMD5
+algorithm. Current FIPS code automatically disables in FIPS mode. But if
+RSAMD5 is included in security policy, it fails to start, because that
+algorithm is not recognized. Allow it disabled, but fail on any
+other usage.
+---
+ bin/named/server.c |  2 +-
+ lib/dns/rcode.c    | 31 +++++++++++++------------------
+ 2 files changed, 14 insertions(+), 19 deletions(-)
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 3cd49a9..ef82d89 100644
+--- a/bin/named/server.c
+++ b/bin/named/server.c
+@@ -1551,7 +1551,7 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
+ 			result = isc_parse_uint8(&ui, r.base, 10);
+ 			alg = ui;
+ 		}
+-		if (result != ISC_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
+ 			cfg_obj_log(cfg_listelt_value(element),
+ 				    ns_g_lctx, ISC_LOG_ERROR,
+ 				    "invalid algorithm");
+diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
+index f51d548..8dbb12d 100644
+--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
+@@ -126,7 +126,6 @@
+ #endif
+ 
+ #define SECALGNAMES \
+-	MD5_SECALGNAMES \
+ 	DH_SECALGNAMES \
+ 	DSA_SECALGNAMES \
+ 	{ DNS_KEYALG_ECC, "ECC", 0 }, \
+@@ -178,6 +177,7 @@ static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };
+ static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };
+ static struct tbl certs[] = { CERTNAMES };
+ static struct tbl secalgs[] = { SECALGNAMES };
+static struct tbl md5_secalgs[] = { MD5_SECALGNAMES };
+ static struct tbl secprotos[] = { SECPROTONAMES };
+ static struct tbl hashalgs[] = { HASHALGNAMES };
+ static struct tbl dsdigests[] = { DSDIGESTNAMES };
+@@ -358,33 +358,28 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
+ 	return (dns_mnemonic_totext(cert, target, certs));
+ }
+ 
+-static inline struct tbl *
+-secalgs_tbl_start() {
+-	struct tbl *algs = secalgs;
+-
+-#ifndef PK11_MD5_DISABLE
+-	if (!isc_md5_available()) {
+-		while (algs->name != NULL &&
+-		       algs->value == DNS_KEYALG_RSAMD5)
+-			++algs;
+-	}
+-#endif
+-	return algs;
+-}
+-
+ isc_result_t
+ dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) {
+ 	unsigned int value;
+	isc_result_t result;
+ 
+-	RETERR(dns_mnemonic_fromtext(&value, source,
+-	                             secalgs_tbl_start(), 0xff));
+	result = dns_mnemonic_fromtext(&value, source,
+	                             secalgs, 0xff);
+	if (result != ISC_R_SUCCESS) {
+		result = dns_mnemonic_fromtext(&value, source,
+		                               md5_secalgs, 0xff);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		} else if (!isc_md5_available())
+			return (ISC_R_DISABLED);
+	}
+ 	*secalgp = value;
+ 	return (ISC_R_SUCCESS);
+ }
+ 
+ isc_result_t
+ dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {
+-	return (dns_mnemonic_totext(secalg, target, secalgs_tbl_start()));
+	return (dns_mnemonic_totext(secalg, target, secalgs));
+ }
+ 
+ void
+-- 
+2.20.1
+
--- a/bind.spec
+++ b/bind.spec
@ -57,7 +57,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.11.9
-Release:  1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release:  2%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -145,6 +145,7 @@ Patch172:bind-9.11-tests-pkcs11.patch
 Patch173:bind-9.11-rh1732883.patch
 # Make sure jsonccp-devel does not interfere
 Patch174:bind-9.11-json-c.patch
+Patch175:bind-9.11-fips-disable.patch

 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@ -538,6 +539,7 @@ are used for building ISC DHCP.
 %patch172 -p1 -b .test-pkcs11
 %patch173 -p1 -b .rh1732883
 %patch174 -p1 -b .json-c
+%patch175 -p1 -b .rh1709553

 mkdir lib/dns/tests/testdata/dstrandom
 cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@ -1539,6 +1541,9 @@ fi;


 %changelog
+* Thu Aug 08 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.9-2
+- Permit explicit disabling of RSAMD5 in FIPS mode (#1709553)
+
 * Wed Jul 24 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.9-1
 - Update to 9.11.9
 - Add GeoLite2 support