57726f
From 83b889c238282b210f874a3ad81bb56299767495 Mon Sep 17 00:00:00 2001
57726f
From: Petr Mensik <pemensik@redhat.com>
57726f
Date: Mon, 5 Aug 2019 11:54:03 +0200
57726f
Subject: [PATCH] Allow explicit disabling of autodisabled MD5
57726f
57726f
Default security policy might include explicitly disabled RSAMD5
57726f
algorithm. The current FIPS code automatically disables it in FIPS mode. But if
57726f
RSAMD5 is included in security policy, it fails to start, because that
57726f
algorithm is not recognized. Allow it disabled, but fail on any
57726f
other usage.
57726f
---
57726f
 bin/named/server.c |  4 ++--
57726f
 lib/bind9/check.c  |  4 ++++
57726f
 lib/dns/rcode.c    | 33 +++++++++++++++------------------
57726f
 3 files changed, 21 insertions(+), 20 deletions(-)
57726f
57726f
diff --git a/bin/named/server.c b/bin/named/server.c
57726f
index 5b57371..51702ab 100644
57726f
--- a/bin/named/server.c
57726f
+++ b/bin/named/server.c
57726f
@@ -1547,12 +1547,12 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
57726f
 		r.length = strlen(r.base);
57726f
 
57726f
 		result = dns_secalg_fromtext(&alg, &r);
57726f
-		if (result != ISC_R_SUCCESS) {
57726f
+		if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
57726f
 			uint8_t ui;
57726f
 			result = isc_parse_uint8(&ui, r.base, 10);
57726f
 			alg = ui;
57726f
 		}
57726f
-		if (result != ISC_R_SUCCESS) {
57726f
+		if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
57726f
 			cfg_obj_log(cfg_listelt_value(element),
57726f
 				    ns_g_lctx, ISC_LOG_ERROR,
57726f
 				    "invalid algorithm");
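Review bot: After the two relaxed guards, `result` is left holding ISC_R_DISABLED for a listed RSAMD5, whereas the matching change in lib/bind9/check.c folds that value back into ISC_R_SUCCESS; if the remainder of disable_algorithms (the function continues outside this hunk) compares `result` against ISC_R_SUCCESS or propagates it to the caller, the explicitly-disabled algorithm would still be reported as a failure. Adding `if (result == ISC_R_DISABLED) { result = ISC_R_SUCCESS; }` after the second check would keep the two call sites consistent. Note also that the numeric fallback via isc_parse_uint8 is only reached when the mnemonic lookup fails outright, so `alg` is taken from the ISC_R_DISABLED path unchanged, which appears to be the intent.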
57726f
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
57726f
index e0803d4..8023784 100644
57726f
--- a/lib/bind9/check.c
57726f
+++ b/lib/bind9/check.c
57726f
@@ -302,6 +302,10 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) {
57726f
 		r.length = strlen(r.base);
57726f
 
57726f
 		tresult = dns_secalg_fromtext(&alg, &r);
57726f
+		if (tresult == ISC_R_DISABLED) {
57726f
+			// Recognize disabled algorithms, disable it explicitly
57726f
+			tresult = ISC_R_SUCCESS;
57726f
+		}
57726f
 		if (tresult != ISC_R_SUCCESS) {
57726f
 			cfg_obj_log(cfg_listelt_value(element), logctx,
57726f
 				    ISC_LOG_ERROR, "invalid algorithm '%s'",
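Review bot: The new comment uses a `//` line comment in a file whose surrounding code follows the block-comment convention, and its wording is slightly off; consider `/* Algorithm known but unavailable (e.g. FIPS mode): listing it as disabled is allowed. */`. The enclosing disabled_algorithms function continues outside this hunk.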
57726f
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
57726f
index f51d548..c49b8d1 100644
57726f
--- a/lib/dns/rcode.c
57726f
+++ b/lib/dns/rcode.c
57726f
@@ -126,7 +126,6 @@
57726f
 #endif
57726f
 
57726f
 #define SECALGNAMES \
57726f
-	MD5_SECALGNAMES \
57726f
 	DH_SECALGNAMES \
57726f
 	DSA_SECALGNAMES \
57726f
 	{ DNS_KEYALG_ECC, "ECC", 0 }, \
57726f
@@ -178,6 +177,7 @@ static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };
57726f
 static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };
57726f
 static struct tbl certs[] = { CERTNAMES };
57726f
 static struct tbl secalgs[] = { SECALGNAMES };
57726f
+static struct tbl md5_secalgs[] = { MD5_SECALGNAMES };
57726f
 static struct tbl secprotos[] = { SECPROTONAMES };
57726f
 static struct tbl hashalgs[] = { HASHALGNAMES };
57726f
 static struct tbl dsdigests[] = { DSDIGESTNAMES };
57726f
@@ -358,33 +358,30 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
57726f
 	return (dns_mnemonic_totext(cert, target, certs));
57726f
 }
57726f
 
57726f
-static inline struct tbl *
57726f
-secalgs_tbl_start() {
57726f
-	struct tbl *algs = secalgs;
57726f
-
57726f
-#ifndef PK11_MD5_DISABLE
57726f
-	if (!isc_md5_available()) {
57726f
-		while (algs->name != NULL &&
57726f
-		       algs->value == DNS_KEYALG_RSAMD5)
57726f
-			++algs;
57726f
-	}
57726f
-#endif
57726f
-	return algs;
57726f
-}
57726f
-
57726f
 isc_result_t
57726f
 dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) {
57726f
 	unsigned int value;
57726f
+	isc_result_t result;
57726f
 
57726f
-	RETERR(dns_mnemonic_fromtext(&value, source,
57726f
-	                             secalgs_tbl_start(), 0xff));
57726f
+	result = dns_mnemonic_fromtext(&value, source,
57726f
+	                               secalgs, 0xff);
57726f
+	if (result != ISC_R_SUCCESS) {
57726f
+		result = dns_mnemonic_fromtext(&value, source,
57726f
+	                                       md5_secalgs, 0xff);
57726f
+		if (result != ISC_R_SUCCESS) {
57726f
+			return (result);
57726f
+		} else if (!isc_md5_available()) {
57726f
+			*secalgp = value;
57726f
+			return (ISC_R_DISABLED);
57726f
+		}
57726f
+	}
57726f
 	*secalgp = value;
57726f
 	return (ISC_R_SUCCESS);
57726f
 }
57726f
 
57726f
 isc_result_t
57726f
 dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {
57726f
-	return (dns_mnemonic_totext(secalg, target, secalgs_tbl_start()));
57726f
+	return (dns_mnemonic_totext(secalg, target, secalgs));
57726f
 }
57726f
 
57726f
 void
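Review bot: dns_secalg_totext now always consults `secalgs`, from which MD5_SECALGNAMES has been removed, so DNS_KEYALG_RSAMD5 can no longer be rendered by its mnemonic even when isc_md5_available() is true; before this change the MD5 entries were included whenever MD5 was available. Consulting `md5_secalgs` for the MD5 value when MD5 is available restores the previous output. Separately, the removed `#ifndef PK11_MD5_DISABLE` guard means isc_md5_available() is now called unconditionally in dns_secalg_fromtext; if that symbol is absent in PK11_MD5_DISABLE builds this will not link, which should be confirmed. Finally, if dns_mnemonic_fromtext accepts a numeric form (the 0xff maximum suggests it does), the string `1` would still match in the first `secalgs` lookup and return ISC_R_SUCCESS without ever reaching the ISC_R_DISABLED path, so the numeric spelling of RSAMD5 bypasses the FIPS check.
```c
isc_result_t
dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {
	/* MD5 names live in a separate table; use it only when MD5 is usable. */
	if (secalg == DNS_KEYALG_RSAMD5 && isc_md5_available()) {
		return (dns_mnemonic_totext(secalg, target, md5_secalgs));
	}
	return (dns_mnemonic_totext(secalg, target, secalgs));
}
```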
57726f
-- 
57726f
2.20.1
57726f