Bug 1539894

Summary: [RFE] implement DH keys support using FIPS compatible implementation
Product: [Fedora] Fedora Reporter: Petr Menšík <pemensik>
Component: bindAssignee: Petr Menšík <pemensik>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: mruprich, msehnout, pemensik, vonsch, zdohnal
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: bind-9.18.5-1.fc37 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-09-27 16:28:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2109170    
Bug Blocks:    

Description Petr Menšík 2018-01-29 19:48:13 UTC 
Description of problem:
Support for FIPS mode would be benefical to BIND, especially IdM. However FIPS certified cannot be any low-level implementations of Diffie-Hellman key exchange.

Look at possibility to replace built-in functions with higher level implementation EVP_* [1], which might be possibly ceritifed in FIPS. Current code will not conform to FIPS in any way. Try to reuse already implemented things from OpenSSL.

Version-Release number of selected component (if applicable):
bind-9.11.2-5.P1.fc28.i686


Additional info:

[1] https://wiki.openssl.org/index.php/Manual:EVP_PKEY_derive(3)
Comment 1 Petr Menšík 2022-09-27 16:28:10 UTC 
I think upstream has implemented enough high level DH API from OpenSSL 3.0, which implements a FIPS compatible way. That is part of all 9.18.x versions.

Especially in upstream commit e18777c758 [1]. Incldued in MR 5385 [2].

1. https://gitlab.isc.org/isc-projects/bind9/commit/e18777c7582d54d227714882e9e79746ce48e002
2. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5385