Disable ED25519 and ED448 in FIPS mode

Those algorithms are not accepted by current FIPS mode. Disable them in that mode, because they are not allowed. Might change once they are added. Resolves: rhbz#2079548
2022-07-08 19:53:16 +02:00 · 2022-07-08 19:53:16 +02:00 · 53ceffb423
commit 53ceffb423
parent d10d20851e
2 changed files with 108 additions and 6 deletions
--- a/unbound-1.16-fips-ed25519.patch
+++ b/unbound-1.16-fips-ed25519.patch
@ -0,0 +1,96 @@
+From cff6307f44c79df8975b3f205e98cd1a0464824b Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Wed, 27 Apr 2022 19:58:39 +0200
+Subject: [PATCH] Disable ED25519 and ED448 in FIPS mode on openssl3
+
+Both crypto functions are not allowed by FIPS 140-3. Use openssl 3.0
+function to check FIPS mode presence and use it to make those algorithms
+unsupported.
+---
+ unbound-1.16.0/config.h.in             |  4 ++++
+ unbound-1.16.0/configure.ac            |  2 +-
+ unbound-1.16.0/validator/val_secalgo.c | 17 ++++++++++++++++-
+ 3 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/unbound-1.16.0/config.h.in b/unbound-1.16.0/config.h.in
+index a080dde..cc1fbe8 100644
+--- a/unbound-1.16.0/config.h.in
+++ b/unbound-1.16.0/config.h.in
+@@ -222,6 +222,10 @@
+ /* Define to 1 if you have the `EVP_cleanup' function. */
+ #undef HAVE_EVP_CLEANUP
+ 
+/* Define to 1 if you have the `EVP_default_properties_is_fips_enabled'
+   function. */
+#undef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
+
+ /* Define to 1 if you have the `EVP_DigestVerify' function. */
+ #undef HAVE_EVP_DIGESTVERIFY
+ 
+diff --git a/unbound-1.16.0/configure.ac b/unbound-1.16.0/configure.ac
+index 1453b3a..69cb13b 100644
+--- a/unbound-1.16.0/configure.ac
+++ b/unbound-1.16.0/configure.ac
+@@ -906,7 +906,7 @@ else
+ 	AC_MSG_RESULT([no])
+ fi
+ AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h],,, [AC_INCLUDES_DEFAULT])
+-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
+ 
+ # these check_funcs need -lssl
+ BAKLIBS="$LIBS"
+diff --git a/unbound-1.16.0/validator/val_secalgo.c b/unbound-1.16.0/validator/val_secalgo.c
+index 7abf66f..6276675 100644
+--- a/unbound-1.16.0/validator/val_secalgo.c
+++ b/unbound-1.16.0/validator/val_secalgo.c
+@@ -215,6 +215,10 @@ ds_digest_size_supported(int algo)
+ 	switch(algo) {
+ 		case LDNS_SHA1:
+ #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
+#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
+			if (EVP_default_properties_is_fips_enabled(NULL))
+				return 0;
+#endif
+ 			return SHA_DIGEST_LENGTH;
+ #else
+ 			if(fake_sha1) return 20;
+@@ -325,7 +329,11 @@ dnskey_algo_id_is_supported(int id)
+ 	case LDNS_RSASHA1:
+ 	case LDNS_RSASHA1_NSEC3:
+ #ifdef USE_SHA1
+#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
+		return !EVP_default_properties_is_fips_enabled(NULL);
+#else
+ 		return 1;
+#endif
+ #else
+ 		if(fake_sha1) return 1;
+ 		return 0;
+@@ -341,15 +349,22 @@ dnskey_algo_id_is_supported(int id)
+ 	case LDNS_ECDSAP256SHA256:
+ 	case LDNS_ECDSAP384SHA384:
+ #endif
+#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA)
+		return 1;
+#endif
+ #ifdef USE_ED25519
+ 	case LDNS_ED25519:
+ #endif
+ #ifdef USE_ED448
+ 	case LDNS_ED448:
+ #endif
+-#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA) || defined(USE_ED25519) || defined(USE_ED448)
+#if defined(USE_ED25519) || defined(USE_ED448)
+#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
+		return !EVP_default_properties_is_fips_enabled(NULL);
+#else
+ 		return 1;
+ #endif
+#endif
+ 
+ #ifdef USE_GOST
+ 	case LDNS_ECC_GOST:
+-- 
+2.36.1
+
--- a/unbound.spec
+++ b/unbound.spec
@ -30,7 +30,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.16.0
-Release: 2%{?extra_version:.%{extra_version}}%{?dist}
+Release: 3%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@ -53,6 +53,9 @@ Source17: unbound-anchor.service
 Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
 Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key

+# https://github.com/NLnetLabs/unbound/pull/671
+Patch1:   unbound-1.16-fips-ed25519.patch
+
 BuildRequires: gcc, make
 BuildRequires: flex, openssl-devel
 BuildRequires: libevent-devel expat-devel
@ -80,9 +83,9 @@ BuildRequires: systemd-rpm-macros
 %else
 BuildRequires: systemd
 %endif
-# Required for SVN versions
-# BuildRequires: bison
-# BuildRequires: automake autoconf libtool
+# Required for SVN versions or modified configure.ac
+BuildRequires: bison
+BuildRequires: automake autoconf libtool

 # Needed because /usr/sbin/unbound links unbound libs staticly
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -173,10 +176,10 @@ Python 3 modules and extensions for unbound

 pushd %{pkgname}
 # patches go here
-%autopatch -p1
+%autopatch -p2

 # only for snapshots
-# autoreconf -iv
+autoreconf -iv

 # copy common doc files - after here, since it may be patched
 cp -pr doc pythonmod libunbound ../
@ -444,6 +447,9 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key

 %changelog
+* Fri Jul 08 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-3
+- Disable ED25519 and ED448 in FIPS mode (#2079548)
+
 * Tue Jun 07 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-2
 - Restart keygen service before every unbound start (#2094336)