From df23c869f8973bc9494dcdc86ef46070d8194897 Mon Sep 17 00:00:00 2001

From: Petr Mensik <pemensik@redhat.com>

Date: Mon, 5 Aug 2019 11:54:03 +0200

Subject: [PATCH] Allow explicit disabling of autodisabled MD5

Default security policy might include explicitly disabled RSAMD5

algorithm. Current FIPS code automatically disables in FIPS mode. But if

RSAMD5 is included in security policy, it fails to start, because that

algorithm is not recognized. Allow it disabled, but fail on any

other usage.

---

 bin/named/server.c |  2 +-

 lib/dns/rcode.c    | 31 +++++++++++++------------------

 2 files changed, 14 insertions(+), 19 deletions(-)

diff --git a/bin/named/server.c b/bin/named/server.c

index 3cd49a9..ef82d89 100644

--- a/bin/named/server.c

+++ b/bin/named/server.c

@@ -1551,7 +1551,7 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {

 			result = isc_parse_uint8(&ui, r.base, 10);

 			alg = ui;

 		}

-		if (result != ISC_R_SUCCESS) {

+		if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {

 			cfg_obj_log(cfg_listelt_value(element),

 				    ns_g_lctx, ISC_LOG_ERROR,

 				    "invalid algorithm");

diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c

index f51d548..8dbb12d 100644

--- a/lib/dns/rcode.c

+++ b/lib/dns/rcode.c

@@ -126,7 +126,6 @@

 #endif

 #define SECALGNAMES \

-	MD5_SECALGNAMES \

 	DH_SECALGNAMES \

 	DSA_SECALGNAMES \

 	{ DNS_KEYALG_ECC, "ECC", 0 }, \

@@ -178,6 +177,7 @@ static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };

 static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };

 static struct tbl certs[] = { CERTNAMES };

 static struct tbl secalgs[] = { SECALGNAMES };

+static struct tbl md5_secalgs[] = { MD5_SECALGNAMES };

 static struct tbl secprotos[] = { SECPROTONAMES };

 static struct tbl hashalgs[] = { HASHALGNAMES };

 static struct tbl dsdigests[] = { DSDIGESTNAMES };

@@ -358,33 +358,28 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {

 	return (dns_mnemonic_totext(cert, target, certs));

 }

-static inline struct tbl *

-secalgs_tbl_start() {

-	struct tbl *algs = secalgs;

-

-#ifndef PK11_MD5_DISABLE

-	if (!isc_md5_available()) {

-		while (algs->name != NULL &&

-		       algs->value == DNS_KEYALG_RSAMD5)

-			++algs;

-	}

-#endif

-	return algs;

-}

-

 isc_result_t

 dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) {

 	unsigned int value;

+	isc_result_t result;

-	RETERR(dns_mnemonic_fromtext(&value, source,

-	                             secalgs_tbl_start(), 0xff));

+	result = dns_mnemonic_fromtext(&value, source,

+	                             secalgs, 0xff);

+	if (result != ISC_R_SUCCESS) {

+		result = dns_mnemonic_fromtext(&value, source,

+		                               md5_secalgs, 0xff);

+		if (result != ISC_R_SUCCESS) {

+			return (result);

+		} else if (!isc_md5_available())

+			return (ISC_R_DISABLED);

+	}

 	*secalgp = value;

 	return (ISC_R_SUCCESS);

 }

 isc_result_t

 dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {

-	return (dns_mnemonic_totext(secalg, target, secalgs_tbl_start()));

+	return (dns_mnemonic_totext(secalg, target, secalgs));

 }

 void

-- 

2.20.1