66 lines
2.4 KiB
Diff
66 lines
2.4 KiB
Diff
From 2b0dce163a119f5f62eb4428b485f7575f321d6f Mon Sep 17 00:00:00 2001
|
|
From: Petr Mensik <pemensik@redhat.com>
|
|
Date: Mon, 5 Aug 2019 11:54:03 +0200
|
|
Subject: [PATCH] Allow explicit disabling of autodisabled MD5
|
|
|
|
Default security policy might include explicitly disabled RSAMD5
|
|
algorithm. Current FIPS code automatically disables in FIPS mode. But if
|
|
RSAMD5 is included in security policy, it fails to start, because that
|
|
algorithm is not recognized. Allow it disabled, but fail on any
|
|
other usage.
|
|
---
|
|
bin/named/server.c | 4 ++--
|
|
lib/bind9/check.c | 4 ++++
|
|
lib/dns/rcode.c | 1 +
|
|
3 files changed, 7 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/bin/named/server.c b/bin/named/server.c
|
|
index ee23f10..22a5c01 100644
|
|
--- a/bin/named/server.c
|
|
+++ b/bin/named/server.c
|
|
@@ -1689,12 +1689,12 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
|
|
r.length = strlen(r.base);
|
|
|
|
result = dns_secalg_fromtext(&alg, &r);
|
|
- if (result != ISC_R_SUCCESS) {
|
|
+ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
|
|
uint8_t ui;
|
|
result = isc_parse_uint8(&ui, r.base, 10);
|
|
alg = ui;
|
|
}
|
|
- if (result != ISC_R_SUCCESS) {
|
|
+ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
|
|
cfg_obj_log(cfg_listelt_value(element), named_g_lctx,
|
|
ISC_LOG_ERROR, "invalid algorithm");
|
|
CHECK(result);
|
|
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
|
|
index f49a346..dbf9ddb 100644
|
|
--- a/lib/bind9/check.c
|
|
+++ b/lib/bind9/check.c
|
|
@@ -317,6 +317,10 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) {
|
|
r.length = strlen(r.base);
|
|
|
|
tresult = dns_secalg_fromtext(&alg, &r);
|
|
+ if (tresult == ISC_R_DISABLED) {
|
|
+ // Recognize disabled algorithms, disable it explicitly
|
|
+ tresult = ISC_R_SUCCESS;
|
|
+ }
|
|
if (tresult != ISC_R_SUCCESS) {
|
|
cfg_obj_log(cfg_listelt_value(element), logctx,
|
|
ISC_LOG_ERROR, "invalid algorithm '%s'",
|
|
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
|
|
index 327248e..78adf63 100644
|
|
--- a/lib/dns/rcode.c
|
|
+++ b/lib/dns/rcode.c
|
|
@@ -152,6 +152,7 @@ static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };
|
|
static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };
|
|
static struct tbl certs[] = { CERTNAMES };
|
|
static struct tbl secalgs[] = { SECALGNAMES };
|
|
+static struct tbl md5_secalgs[] = { MD5_SECALGNAMES };
|
|
static struct tbl secprotos[] = { SECPROTONAMES };
|
|
static struct tbl hashalgs[] = { HASHALGNAMES };
|
|
static struct tbl dsdigests[] = { DSDIGESTNAMES };
|
|
--
|
|
2.21.1
|
|
|