Bug 1709553

Summary: BIND will not start in FIPS mode due to crypto-policy, invalid algorithm 'RSAMD5'
Product: Fedora
Reporter: Rob Crittenden <rcritten>
Component: bind
Assignee: Petr Menšík <pemensik>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 29
CC: anon.amish, crypto-team, lef, mruprich, msehnout, nmavrogi, pemensik, pzhukov, ssorce, thozza, vonsch, zdohnal
Fixed In Version: bind-9.11.10-1.fc30 bind-9.11.10-1.fc31 bind-9.11.10-1.fc29
Last Closed: 2019-09-02 02:49:56 UTC
Type: Bug
Clone Of: ---
Clones: 1737407
Bug Blocks: 1737407, 1772111
Attachments:
- Patch disable
- downstream patch for 9.11.9

Description Rob Crittenden 2019-05-13 19:26:12 UTC
Description of problem:

BIND fails to start in FIPS mode.

# journalctl -u named-pkcs11
...
May 13 19:02:40 ipa.example.test bash[32484]: /etc/crypto-policies/back-ends/bind.config:2: invalid algorithm 'RSAMD5'

To work around this I removed the line RSAMD5 under disable-algorithms in /etc/crypto-policies/back-ends/bind.config and the service starts and seems to operate ok.

I ran into this installing freeIPA in FIPS mode. There are other FIPS-related things to work through so I can't provide a simple reproducer at the moment.

Version-Release number of selected component (if applicable):
crypto-policies-20190211-2.gite3eacfc.fc29

Comment 1 Simo Sorce 2019-05-13 20:09:55 UTC
Sounds like a Bind or IPA configuration bug. MD5 is definitely not allowed in FIPS mode, so it can't be allowed in the crypto-policies for FIPS.

Comment 2 Simo Sorce 2019-05-13 20:36:38 UTC
Oh apparently I misunderstood the problem at first read.

The problem is that RSAMD5 is (was?) a valid algorithm for bind which we disabled in the crypto-policies.
Now for some reason when we tell bind to disable this algorithm it balks.

Sounds like a regression where a supported option suddenly disappeared. This is strange because I still see applied patches in f29 dist-git where the RSAMD5 algorithm is checked.

Sounds like something for bind folks to investigate first; valid config files shouldn't suddenly stop working after an upgrade. Even if RSAMD5 was dropped (I see upstream dropped it in 9.13), our bind should probably just have a rule to ignore the string when it occurs in config files, at least for the disable-algorithms option, or push a change into crypto-policies and place an explicit dependency on a "new enough" crypto-policies package.

Comment 3 Petr Menšík 2019-07-17 19:14:37 UTC
Hmm, maybe my checks are too strict in the place where the RSAMD5 algorithm is fetched. It pretends it does not know about its existence, mimicking upstream support for FIPS mode at compile time. That is required to refuse key generation and similar stuff. I admit I did not take into account requests to disable such an algorithm. It fails because it pretends the algorithm is not even known. I will have to modify the FIPS patch to understand the RSAMD5 algorithm but just refuse to use it, while allowing it to be disabled by security policy.

Comment 4 Petr Menšík 2019-07-17 19:18:18 UTC
However, FIPS mode never worked correctly for me on Fedora, so I was not able to test it. I was unable to disable the MD5 function in OpenSSL the way it is possible on RHEL. Is that fixed now? I used the test:

$ echo test | openssl md5

which always fails on RHEL, but never fails on Fedora, regardless of my system being configured in FIPS mode.

Comment 5 Petr Menšík 2019-08-05 10:03:53 UTC
Created attachment 1600612 [details]
Patch disable

Allow an auto-disabled algorithm to be explicitly disabled, but fail any other use of it.
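The behaviour Comment 3 and this attachment describe, shown as an added illustration that is neither BIND's code nor the attached patch: a small Python model of the FIPS algorithm check, run over a constructed copy of the crypto-policies bind.config. With the pre-fix rule, RSAMD5 is reported as unknown at line 2, reproducing the error from the description; with the fixed rule, it is accepted inside disable-algorithms while key use in FIPS mode is still refused. The algorithm list, the file contents and the function names are assumptions for the example.

```python
"""Illustrative model of the BIND 9.11 FIPS algorithm check before and after
the fix discussed in this bug. Not BIND's own code."""
import re
from typing import Dict, List, Tuple

# Constructed sample of /etc/crypto-policies/back-ends/bind.config (FIPS policy).
SAMPLE_BIND_CONFIG = """\
disable-algorithms "." {
RSAMD5;
DSA;
};
disable-ds-digests "." {
GOST;
};
"""

# DNSSEC algorithm mnemonics the model treats as known (subset, assumed).
KNOWN_ALGORITHMS = {"RSAMD5", "DSA", "RSASHA1", "NSEC3RSASHA1", "RSASHA256",
                    "RSASHA512", "ECDSAP256SHA256", "ECDSAP384SHA384", "ED25519"}
# Algorithms the FIPS build refuses to use (auto-disabled).
FIPS_DISABLED = {"RSAMD5"}


def parse_disable_blocks(text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Return {block-name: [(line_no, token), ...]} for each disable-* block."""
    blocks: Dict[str, List[Tuple[int, str]]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        m = re.match(r'^(disable-[a-z-]+)\s+"[^"]*"\s*\{$', line)
        if m:
            current = m.group(1)
            blocks.setdefault(current, [])
            continue
        if line == "};":
            current = None
            continue
        if current is not None and line.endswith(";"):
            blocks[current].append((lineno, line[:-1].strip()))
    return blocks


def check_config(text: str, path: str, fixed: bool) -> List[str]:
    """Return errors in BIND's 'file:line: message' style for disable-algorithms.

    fixed=False models the bug: an auto-disabled algorithm is treated as unknown
    everywhere, so even disabling it fails.  fixed=True models the patch: the
    algorithm is known, may appear in disable-algorithms, and is refused only
    when something tries to use it (see may_use_algorithm).
    """
    errors = []
    blocks = parse_disable_blocks(text)
    for lineno, alg in blocks.get("disable-algorithms", []):
        unknown = alg not in KNOWN_ALGORITHMS
        hidden_by_bug = (not fixed) and alg in FIPS_DISABLED
        if unknown or hidden_by_bug:
            errors.append(f"{path}:{lineno}: invalid algorithm '{alg}'")
    return errors


def may_use_algorithm(alg: str, fips_mode: bool) -> bool:
    """Key generation or signing with alg: FIPS-disabled ones stay refused."""
    if alg not in KNOWN_ALGORITHMS:
        return False
    return not (fips_mode and alg in FIPS_DISABLED)


if __name__ == "__main__":
    path = "/etc/crypto-policies/back-ends/bind.config"
    print("before fix:", check_config(SAMPLE_BIND_CONFIG, path, fixed=False))
    print("after fix: ", check_config(SAMPLE_BIND_CONFIG, path, fixed=True))
    print("RSAMD5 usable in FIPS:", may_use_algorithm("RSAMD5", fips_mode=True))
```

The pre-fix run prints the same `bind.config:2: invalid algorithm 'RSAMD5'` message as the journal in the description, because the only thing the parser sees at line 2 is a name the strict check claims not to know; the post-fix run accepts the file and still answers "not usable" for RSAMD5, which is the split between "known but disabled" and "unknown" that the patch introduces.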

Comment 6 Petr Menšík 2019-08-08 12:24:31 UTC
Created attachment 1601781 [details]
downstream patch for 9.11.9

Upstream modified 9.14 digest functions to always use OpenSSL. It would also handle return codes of those functions. This patch is v9_11 only, because no API change would occur there.

Comment 7 Fedora Update System 2019-08-28 21:34:39 UTC
FEDORA-2019-d04f66e595 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d04f66e595

Comment 8 Fedora Update System 2019-08-28 21:41:59 UTC
FEDORA-2019-11a3771c04 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-11a3771c04

Comment 9 Fedora Update System 2019-08-28 21:43:33 UTC
FEDORA-2019-8984905bca has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-8984905bca

Comment 10 Fedora Update System 2019-08-30 00:04:44 UTC
bind-9.11.10-1.fc30, bind-dyndb-ldap-11.1-19.fc30, dhcp-4.3.6-37.fc30, dnsperf-2.3.2-1.fc30 have been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8984905bca

Comment 11 Fedora Update System 2019-08-30 00:25:47 UTC
bind-9.11.10-1.fc29, bind-dyndb-ldap-11.1-19.fc29, dhcp-4.3.6-34.fc29, dnsperf-2.3.2-1.fc29 have been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d04f66e595

Comment 12 Fedora Update System 2019-08-30 12:17:12 UTC
bind-9.11.10-1.fc31, bind-dyndb-ldap-11.1-20.fc31, dnsperf-2.3.2-1.fc31 have been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-11a3771c04

Comment 13 Fedora Update System 2019-09-02 02:49:56 UTC
bind-9.11.10-1.fc30, bind-dyndb-ldap-11.1-19.fc30, dhcp-4.3.6-37.fc30, dnsperf-2.3.2-1.fc30 have been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2019-09-14 00:06:56 UTC
bind-9.11.10-1.fc31, bind-dyndb-ldap-11.1-20.fc31, dnsperf-2.3.2-1.fc31 have been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2019-09-14 01:54:15 UTC
bind-9.11.10-1.fc29, bind-dyndb-ldap-11.1-19.fc29, dhcp-4.3.6-34.fc29, dnsperf-2.3.2-1.fc29 have been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2019-09-14 16:31:06 UTC
bind-9.11.10-1.fc31, bind-dyndb-ldap-11.1-20.fc31, dnsperf-2.3.2-1.fc31 have been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.