From 2b0dce163a119f5f62eb4428b485f7575f321d6f Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 5 Aug 2019 11:54:03 +0200
Subject: [PATCH] Allow explicit disabling of autodisabled MD5
Default security policy might include explicitly disabled RSAMD5
algorithm. Current FIPS code automatically disables in FIPS mode. But if
RSAMD5 is included in security policy, it fails to start, because that
algorithm is not recognized. Allow it to be listed as disabled, but fail on any
other usage.
---
bin/named/server.c | 4 ++--
lib/bind9/check.c | 4 ++++
lib/dns/rcode.c | 1 +
3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index ee23f10..22a5c01 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -1689,12 +1689,12 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
r.length = strlen(r.base);
result = dns_secalg_fromtext(&alg, &r);
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
uint8_t ui;
result = isc_parse_uint8(&ui, r.base, 10);
alg = ui;
}
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
cfg_obj_log(cfg_listelt_value(element), named_g_lctx,
ISC_LOG_ERROR, "invalid algorithm");
CHECK(result);
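Review bot: On the new ISC_R_DISABLED path `result` is left unequal to ISC_R_SUCCESS and the algorithm number in `alg` is whatever dns_secalg_fromtext stored before returning that code; the hunk does not show that the helper fills `*alg` on the disabled path, and if it does not, the later disable call (outside this hunk) would act on an uninitialized value instead of actually blocking RSAMD5 in the resolver. The companion change in lib/bind9/check.c folds ISC_R_DISABLED into ISC_R_SUCCESS, so the two callers now treat the same return differently. I would mirror that here right after the lookup, `if (result == ISC_R_DISABLED) { result = ISC_R_SUCCESS; }`, keep the two original `!= ISC_R_SUCCESS` tests unchanged, and add a one-line comment that a FIPS-disabled algorithm must still be registered as disabled and that this relies on `*alg` being set on the ISC_R_DISABLED return. The rest of disable_algorithms, including the call that consumes `alg`, lies outside the hunk.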
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index f49a346..dbf9ddb 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -317,6 +317,10 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) {
r.length = strlen(r.base);
tresult = dns_secalg_fromtext(&alg, &r);
+ if (tresult == ISC_R_DISABLED) {
+ // Recognize disabled algorithms, disable it explicitly
+ tresult = ISC_R_SUCCESS;
+ }
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(cfg_listelt_value(element), logctx,
ISC_LOG_ERROR, "invalid algorithm '%s'",
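Review bot: The added comment uses a `//` line comment, while the surrounding BIND sources in this hunk and the rest of lib/bind9 use `/* */` block comments; the content also reads awkwardly ("disable it explicitly"). I would replace it with `/* An algorithm already disabled in FIPS mode may still be listed explicitly. */` so the check stays in house style and says why ISC_R_DISABLED is accepted rather than what the assignment does. Note that this normalization to ISC_R_SUCCESS is the only place the patch does it; the named side in bin/named/server.c keeps ISC_R_DISABLED in `result`, which is worth aligning so both validators agree on what a disabled-but-listed algorithm means. disabled_algorithms continues outside the hunk.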
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
index 327248e..78adf63 100644
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
@@ -152,6 +152,7 @@ static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };
static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };
static struct tbl certs[] = { CERTNAMES };
static struct tbl secalgs[] = { SECALGNAMES };
+static struct tbl md5_secalgs[] = { MD5_SECALGNAMES };
static struct tbl secprotos[] = { SECPROTONAMES };
static struct tbl hashalgs[] = { HASHALGNAMES };
static struct tbl dsdigests[] = { DSDIGESTNAMES };
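Review bot: The new `static struct tbl md5_secalgs[] = { MD5_SECALGNAMES };` is the only change to lib/dns/rcode.c in this patch (the diffstat shows one insertion), so nothing here consults it; a file-scope static array that is never referenced draws a "defined but not used" warning and, more importantly, means the ISC_R_DISABLED result that both other hunks depend on must come from code not in this patch. If a prior patch in the series already made dns_secalg_fromtext return ISC_R_DISABLED for names found in an MD5 table, this line is dead and should be dropped; if not, the lookup in dns_secalg_fromtext needs to consult `md5_secalgs` and return ISC_R_DISABLED after storing the algorithm number, otherwise the server.c and check.c changes never trigger. MD5_SECALGNAMES is not defined in this patch, so its header must be confirmed as well.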
--
2.21.1