From 38ae0949251e7bd228858120d8eaa2a697f84f1a Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Mon, 5 Aug 2019 11:54:03 +0200 Subject: [PATCH] Allow explicit disabling of autodisabled MD5 Default security policy might include explicitly disabled RSAMD5 algorithm. Current FIPS code automatically disables in FIPS mode. But if RSAMD5 is included in security policy, it fails to start, because that algorithm is not recognized. Allow it disabled, but fail on any other usage. --- bin/named/server.c | 4 ++-- lib/bind9/check.c | 4 ++++ lib/dns/rcode.c | 33 +++++++++++++++------------------ 3 files changed, 21 insertions(+), 20 deletions(-) diff --git a/bin/named/server.c b/bin/named/server.c index 1afb461226..8116cab0cb 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -1530,12 +1530,12 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) { r.length = strlen(r.base); result = dns_secalg_fromtext(&alg, &r); - if (result != ISC_R_SUCCESS) { + if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) { isc_uint8_t ui; result = isc_parse_uint8(&ui, r.base, 10); alg = ui; } - if (result != ISC_R_SUCCESS) { + if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) { cfg_obj_log(cfg_listelt_value(element), ns_g_lctx, ISC_LOG_ERROR, "invalid algorithm"); diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 1a3d534799..545e3c6a5e 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -298,6 +298,10 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) { r.length = strlen(r.base); tresult = dns_secalg_fromtext(&alg, &r); + if (tresult == ISC_R_DISABLED) { + // Recognize disabled algorithms, disable it explicitly + tresult = ISC_R_SUCCESS; + } if (tresult != ISC_R_SUCCESS) { cfg_obj_log(cfg_listelt_value(element), logctx, ISC_LOG_ERROR, "invalid algorithm '%s'", diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c index d1fa8d5870..d57a798e29 100644 --- a/lib/dns/rcode.c +++ b/lib/dns/rcode.c @@ -124,7 +124,6 @@ #endif #define SECALGNAMES \ - MD5_SECALGNAMES \ DH_SECALGNAMES \ DSA_SECALGNAMES \ { DNS_KEYALG_ECC, "ECC", 0 }, \ @@ -176,6 +175,7 @@ static struct tbl rcodes[] = { RCODENAMES ERCODENAMES }; static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES }; static struct tbl certs[] = { CERTNAMES }; static struct tbl secalgs[] = { SECALGNAMES }; +static struct tbl md5_secalgs[] = { MD5_SECALGNAMES }; static struct tbl secprotos[] = { SECPROTONAMES }; static struct tbl hashalgs[] = { HASHALGNAMES }; static struct tbl dsdigests[] = { DSDIGESTNAMES }; @@ -348,33 +348,30 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) { return (dns_mnemonic_totext(cert, target, certs)); } -static inline struct tbl * -secalgs_tbl_start() { - struct tbl *algs = secalgs; - -#ifndef PK11_MD5_DISABLE - if (isc_md5_available() == ISC_FALSE) { - while (algs->name != NULL && - algs->value == DNS_KEYALG_RSAMD5) - ++algs; - } -#endif - return algs; -} - isc_result_t dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) { unsigned int value; + isc_result_t result; - RETERR(dns_mnemonic_fromtext(&value, source, - secalgs_tbl_start(), 0xff)); + result = dns_mnemonic_fromtext(&value, source, + secalgs, 0xff); + if (result != ISC_R_SUCCESS) { + result = dns_mnemonic_fromtext(&value, source, + md5_secalgs, 0xff); + if (result != ISC_R_SUCCESS) { + return (result); + } else if (!isc_md5_available()) { + *secalgp = value; + return (ISC_R_DISABLED); + } + } *secalgp = value; return (ISC_R_SUCCESS); } isc_result_t dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) { - return (dns_mnemonic_totext(secalg, target, secalgs_tbl_start())); + return (dns_mnemonic_totext(secalg, target, secalgs)); } void -- 2.20.1