make cfg_kaspkey_fromconfig FIPS aware
authorMark Andrews <marka@isc.org>
Thu, 23 Dec 2021 03:09:36 +0000 (14:09 +1100)
committerMark Andrews <marka@isc.org>
Mon, 3 Apr 2023 02:06:04 +0000 (12:06 +1000)
- RSASHA1 (5) and NSEC3RSASHA1 (7) are not accepted in FIPS mode
- minimum RSA key size is set to 2048 bit

adjust kasp and checkconf system tests to ensure non-FIPS-compliant
configurations are not used in FIPS mode

bin/tests/system/checkconf/kasp-bad-nsec3-iter-fips.conf [new file with mode: 0644]
bin/tests/system/checkconf/tests.sh
lib/isccfg/kaspconf.c

diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-iter-fips.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-iter-fips.conf
new file mode 100644 (file)
index 0000000..e54df3b
--- /dev/null
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "rsasha256" {
+       keys {
+               csk lifetime P10Y algorithm rsasha256 2048;
+       };
+       nsec3param iterations 150;
+};
+
+dnssec-policy "rsasha256-bad" {
+       keys {
+               csk lifetime P10Y algorithm rsasha256 2048;
+       };
+       nsec3param iterations 151;
+};
+
+dnssec-policy "rsasha512" {
+       keys {
+               csk lifetime P10Y algorithm rsasha512 4096;
+       };
+       nsec3param iterations 150;
+};
+
+dnssec-policy "rsasha512-bad" {
+       keys {
+               csk lifetime P10Y algorithm rsasha512 4096;
+       };
+       nsec3param iterations 151;
+};
+
+zone "example.net" {
+       type primary;
+       file "example.db";
+       dnssec-policy "default";
+       inline-signing yes;
+};
index f65d60331401ae29a5c08d9515951c466c0603da..68ed4088d8a8a58686a23d6c62eebb3a63155522 100644 (file)
@@ -518,10 +518,17 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)"
 ret=0
-$CHECKCONF kasp-bad-nsec3-iter.conf > checkconf.out$n 2>&1 && ret=1
+if $FEATURETEST --have-fips-mode; then
+    conf=kasp-bad-nsec3-iter-fips.conf
+    expect=2
+else
+    conf=kasp-bad-nsec3-iter.conf
+    expect=3
+fi
+$CHECKCONF $conf > checkconf.out$n 2>&1 && ret=1
 grep "dnssec-policy: nsec3 iterations value 151 out of range" < checkconf.out$n > /dev/null || ret=1
 lines=$(wc -l < "checkconf.out$n")
-if [ $lines -ne 3 ]; then ret=1; fi
+if [ $lines -ne $expect ]; then ret=1; fi
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
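Review bot: The FIPS branch of this test never exercises the new error path the commit adds in kaspconf.c (`algorithm %s not supported in FIPS mode`); the only message grepped for is the nsec3 iterations one, so a regression in the RSASHA1/NSEC3RSASHA1 rejection would pass this test unnoticed. A companion check that runs a config containing an `rsasha1` policy under `$FEATURETEST --have-fips-mode` and greps for that message would close the gap. The hard-coded `expect=2` versus `expect=3` also deserves a comment, since the reason for the different line counts is presumably that the `-fips` config omits the RSASHA1-based policies of the non-FIPS file; something like `# the -fips config has one fewer policy that errors, so one fewer output line` above the `if` would make the expectation reviewable. Quoting `"$conf"` on the `$CHECKCONF` line would match the quoting already used for `"checkconf.out$n"`.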
index 18af596704aaff81ab73e0fbc67ba66e379c10a0..e51d2a142619a80342697d336fc4c01c044f5ec9 100644 (file)
@@ -15,6 +15,7 @@
 #include <stdbool.h>
 #include <stdlib.h>
 
+#include <isc/fips.h>
 #include <isc/mem.h>
 #include <isc/region.h>
 #include <isc/result.h>
@@ -170,6 +171,18 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
                        goto cleanup;
                }
 
+               if (isc_fips_mode() &&
+                   (key->algorithm == DNS_KEYALG_RSASHA1 ||
+                    key->algorithm == DNS_KEYALG_NSEC3RSASHA1))
+               {
+                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                   "dnssec-policy: algorithm %s not supported "
+                                   "in FIPS mode",
+                                   alg.base);
+                       result = DNS_R_BADALG;
+                       goto cleanup;
+               }
+
                obj = cfg_tuple_get(config, "length");
                if (cfg_obj_isuint32(obj)) {
                        uint32_t min, size;
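Review bot: The new FIPS rejection block is correct but carries no comment explaining why these two algorithms are singled out, and the enclosing cfg_kaspkey_fromconfig body starts before this hunk; a one-line `/* RSASHA1 and NSEC3RSASHA1 are not accepted in FIPS mode; reject before the length check below. */` above the `if` would make the intent clear to the next reader. isc_fips_mode() is now queried twice in the same function (here and in the key-length switch in the next hunk); hoisting it once into `bool fips = isc_fips_mode();` near the top of the function would keep the two checks from ever disagreeing. The following hunk, whose end lies outside this view, also keeps the pre-existing `min = DNS_KEYALG_RSASHA512 ? 1024 : 512;` in its else branch, which tests a non-zero enum constant rather than `key->algorithm == DNS_KEYALG_RSASHA512` and so always yields 1024; since the commit is already touching that line, it would be a good moment to fix the comparison.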
@@ -180,7 +193,11 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
                        case DNS_KEYALG_NSEC3RSASHA1:
                        case DNS_KEYALG_RSASHA256:
                        case DNS_KEYALG_RSASHA512:
-                               min = DNS_KEYALG_RSASHA512 ? 1024 : 512;
+                               if (isc_fips_mode()) {
+                                       min = 2048;
+                               } else {
+                                       min = DNS_KEYALG_RSASHA512 ? 1024 : 512;
+                               }
                                if (size < min || size > 4096) {
                                        cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
                                                    "dnssec-policy: key with "