diff --git a/bind-9.11-fips-disable.patch b/bind-9.11-fips-disable.patch new file mode 100644 index 0000000..525316a --- /dev/null +++ b/bind-9.11-fips-disable.patch @@ -0,0 +1,97 @@ +From df23c869f8973bc9494dcdc86ef46070d8194897 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Mon, 5 Aug 2019 11:54:03 +0200 +Subject: [PATCH] Allow explicit disabling of autodisabled MD5 + +Default security policy might include explicitly disabled RSAMD5 +algorithm. Current FIPS code automatically disables in FIPS mode. But if +RSAMD5 is included in security policy, it fails to start, because that +algorithm is not recognized. Allow it disabled, but fail on any +other usage. +--- + bin/named/server.c | 2 +- + lib/dns/rcode.c | 31 +++++++++++++------------------ + 2 files changed, 14 insertions(+), 19 deletions(-) + +diff --git a/bin/named/server.c b/bin/named/server.c +index 3cd49a9..ef82d89 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -1551,7 +1551,7 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) { + result = isc_parse_uint8(&ui, r.base, 10); + alg = ui; + } +- if (result != ISC_R_SUCCESS) { ++ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) { + cfg_obj_log(cfg_listelt_value(element), + ns_g_lctx, ISC_LOG_ERROR, + "invalid algorithm"); +diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c +index f51d548..8dbb12d 100644 +--- a/lib/dns/rcode.c ++++ b/lib/dns/rcode.c +@@ -126,7 +126,6 @@ + #endif + + #define SECALGNAMES \ +- MD5_SECALGNAMES \ + DH_SECALGNAMES \ + DSA_SECALGNAMES \ + { DNS_KEYALG_ECC, "ECC", 0 }, \ +@@ -178,6 +177,7 @@ static struct tbl rcodes[] = { RCODENAMES ERCODENAMES }; + static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES }; + static struct tbl certs[] = { CERTNAMES }; + static struct tbl secalgs[] = { SECALGNAMES }; ++static struct tbl md5_secalgs[] = { MD5_SECALGNAMES }; + static struct tbl secprotos[] = { SECPROTONAMES }; + static struct tbl hashalgs[] = { HASHALGNAMES }; + static struct tbl dsdigests[] = { DSDIGESTNAMES }; +@@ -358,33 +358,28 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) { + return (dns_mnemonic_totext(cert, target, certs)); + } + +-static inline struct tbl * +-secalgs_tbl_start() { +- struct tbl *algs = secalgs; +- +-#ifndef PK11_MD5_DISABLE +- if (!isc_md5_available()) { +- while (algs->name != NULL && +- algs->value == DNS_KEYALG_RSAMD5) +- ++algs; +- } +-#endif +- return algs; +-} +- + isc_result_t + dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) { + unsigned int value; ++ isc_result_t result; + +- RETERR(dns_mnemonic_fromtext(&value, source, +- secalgs_tbl_start(), 0xff)); ++ result = dns_mnemonic_fromtext(&value, source, ++ secalgs, 0xff); ++ if (result != ISC_R_SUCCESS) { ++ result = dns_mnemonic_fromtext(&value, source, ++ md5_secalgs, 0xff); ++ if (result != ISC_R_SUCCESS) { ++ return (result); ++ } else if (!isc_md5_available()) ++ return (ISC_R_DISABLED); ++ } + *secalgp = value; + return (ISC_R_SUCCESS); + } + + isc_result_t + dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) { +- return (dns_mnemonic_totext(secalg, target, secalgs_tbl_start())); ++ return (dns_mnemonic_totext(secalg, target, secalgs)); + } + + void +-- +2.20.1 + diff --git a/bind.spec b/bind.spec index 6db85bf..4e24616 100644 --- a/bind.spec +++ b/bind.spec @@ -57,7 +57,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.9 -Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 2%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -145,6 +145,7 @@ Patch172:bind-9.11-tests-pkcs11.patch Patch173:bind-9.11-rh1732883.patch # Make sure jsonccp-devel does not interfere Patch174:bind-9.11-json-c.patch +Patch175:bind-9.11-fips-disable.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -538,6 +539,7 @@ are used for building ISC DHCP. %patch172 -p1 -b .test-pkcs11 %patch173 -p1 -b .rh1732883 %patch174 -p1 -b .json-c +%patch175 -p1 -b .rh1709553 mkdir lib/dns/tests/testdata/dstrandom cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data @@ -1539,6 +1541,9 @@ fi; %changelog +* Thu Aug 08 2019 Petr Menšík - 32:9.11.9-2 +- Permit explicit disabling of RSAMD5 in FIPS mode (#1709553) + * Wed Jul 24 2019 Petr Menšík - 32:9.11.9-1 - Update to 9.11.9 - Add GeoLite2 support