Bug 1709553 - BIND will not start in FIPS mode due to crypto-policy, invalid algorithm 'RSAMD5'
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: bind
Version: 29
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Petr Menšík
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1737407 1772111
 
Reported: 2019-05-13 19:26 UTC by Rob Crittenden
Modified: 2019-11-13 17:32 UTC (History)

Fixed In Version: bind-9.11.10-1.fc30 bind-9.11.10-1.fc31 bind-9.11.10-1.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1737407 (view as bug list)
Environment:
Last Closed: 2019-09-02 02:49:56 UTC
Type: Bug
Embargoed:


Attachments
Patch disable (2.55 MB, patch)
2019-08-05 10:03 UTC, Petr Menšík
downstream patch for 9.11.9 (3.05 KB, patch)
2019-08-08 12:24 UTC, Petr Menšík

Description Rob Crittenden 2019-05-13 19:26:12 UTC
Description of problem:

BIND fails to start in FIPS mode.

# journalctl -u named-pkcs11
...
May 13 19:02:40 ipa.example.test bash[32484]: /etc/crypto-policies/back-ends/bind.config:2: invalid algorithm 'RSAMD5'

To work around this I removed the line RSAMD5 under disable-algorithms in /etc/crypto-policies/back-ends/bind.config and the service starts and seems to operate ok.

I ran into this installing freeIPA in FIPS mode. There are other FIPS-related things to work through so I can't provide a simple reproducer at the moment.

Version-Release number of selected component (if applicable):
crypto-policies-20190211-2.gite3eacfc.fc29

Comment 1 Simo Sorce 2019-05-13 20:09:55 UTC
Sounds like a Bind or IPA configuration bug. MD5 is definitely not allowed in FIPS mode, so it can't be allowed in the crypto-policies for FIPS.

Comment 2 Simo Sorce 2019-05-13 20:36:38 UTC
Oh apparently I misunderstood the problem at first read.

The problem is that RSAMD5 is (was?) a valid algorithm for bind which we disabled in the crypto-policies.
Now for some reason when we tell bind to disable this algorithm it balks.

Sounds like a regression where a supported option suddenly disappeared. This is strange because I still see applied patches in f29 dist-git where the RSAMD5 algorithm is checked.

Sounds like something for bind folks to investigate first. Valid config files shouldn't suddenly stop working after an upgrade, even if RSAMD5 was dropped (I see upstream dropped it in 9.13). Our bind should probably just have a rule to ignore the string when it occurs in config files, at least for the disable-algorithms option, or push a change into crypto-policies and place an explicit dependency on a "new enough" crypto-policy package.

Comment 3 Petr Menšík 2019-07-17 19:14:37 UTC
Hmm, maybe my checks are too strict in the place where the RSAMD5 algorithm is fetched. It pretends that it does not know about its existence, mimicking upstream support for FIPS mode at compile time. It is required to refuse key generation and similar stuff. I admit I did not take into account requests to disable such an algorithm. It fails because it pretends the algorithm is not even known. I will have to modify the FIPS patch to understand the RSAMD5 algorithm but refuse to use it, while still allowing it to be disabled by the security policy.
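A small Python model of the behaviour described in the report and in Comment 3: a `disable-algorithms` block from the crypto-policies bind.config, checked once the way the original FIPS patch did (an MD5-based algorithm treated as unknown, so line 2 fails) and once the way the fix does (known, allowed in `disable-algorithms`, but refused for key generation). This is an added example, not BIND's code or the Fedora patch; the algorithm list, the sample config and the `buggy` toggle are assumptions constructed for illustration.

```python
# Model of the disable-algorithms check that broke BIND in FIPS mode (constructed example).
KNOWN_ALGORITHMS = {"RSAMD5", "DSA", "RSASHA1", "RSASHA256", "RSASHA512",
                    "ECDSAP256SHA256", "ECDSAP384SHA384", "ED25519"}  # assumed subset
FIPS_UNAVAILABLE = {"RSAMD5"}  # MD5-based, must never be used in FIPS mode

# Constructed sample in the crypto-policies bind.config style; RSAMD5 sits on line 2,
# matching the "bind.config:2: invalid algorithm 'RSAMD5'" message from the report.
SAMPLE_CONFIG = 'disable-algorithms "." {\nRSAMD5;\nDSA;\n};\n'


def algorithm_status(name, fips, buggy=False):
    """Return 'known', 'unavailable' or 'unknown' for a DNSSEC algorithm mnemonic.

    buggy=True mimics the original FIPS patch: an algorithm unusable under FIPS
    is reported as if it did not exist at all.  The fix keeps it 'unavailable'."""
    if name not in KNOWN_ALGORITHMS:
        return "unknown"
    if fips and name in FIPS_UNAVAILABLE:
        return "unknown" if buggy else "unavailable"
    return "known"


def load_config(text, fips, buggy=False):
    """Parse disable-algorithms blocks; return (disabled set, list of error strings).

    An empty error list means the config would load.  Only 'unknown' names are
    errors: a FIPS-unavailable algorithm may still be listed as disabled."""
    disabled, errors, in_block = set(), [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("disable-algorithms"):
            in_block = True
        elif in_block and line.startswith("}"):
            in_block = False
        elif in_block and line.endswith(";"):
            alg = line[:-1].strip()
            if algorithm_status(alg, fips, buggy) == "unknown":
                errors.append(f"bind.config:{lineno}: invalid algorithm '{alg}'")
            else:
                disabled.add(alg)
    return disabled, errors


def can_generate_key(alg, disabled, fips):
    """Key generation or signing is refused for disabled and FIPS-unavailable algorithms."""
    return algorithm_status(alg, fips) == "known" and alg not in disabled
```

Dropping the `RSAMD5;` line (the reporter's workaround) makes even the buggy check pass, but only the fixed check keeps the policy's intent: RSAMD5 stays disabled and unusable.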

Comment 4 Petr Menšík 2019-07-17 19:18:18 UTC
However, FIPS mode never worked correctly for me on Fedora, so I was not able to test it. I was unable to disable the MD5 function in OpenSSL the way it is possible on RHEL. Is that fixed now? I used this test:

$ echo test | openssl md5

which always fails on RHEL, but never fails on Fedora, regardless of my system being configured in FIPS mode.

Comment 5 Petr Menšík 2019-08-05 10:03:53 UTC
Created attachment 1600612 [details]
Patch disable

Allow an auto-disabled algorithm to be explicitly disabled, but fail any other use of it.

Comment 6 Petr Menšík 2019-08-08 12:24:31 UTC
Created attachment 1601781 [details]
downstream patch for 9.11.9

Upstream modified the 9.14 digest functions to always use OpenSSL. It would also handle the return codes of those functions. This patch is for v9_11 only, because no API change would occur there.

Comment 7 Fedora Update System 2019-08-28 21:34:39 UTC
FEDORA-2019-d04f66e595 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d04f66e595

Comment 8 Fedora Update System 2019-08-28 21:41:59 UTC
FEDORA-2019-11a3771c04 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-11a3771c04

Comment 9 Fedora Update System 2019-08-28 21:43:33 UTC
FEDORA-2019-8984905bca has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-8984905bca

Comment 10 Fedora Update System 2019-08-30 00:04:44 UTC
bind-9.11.10-1.fc30, bind-dyndb-ldap-11.1-19.fc30, dhcp-4.3.6-37.fc30, dnsperf-2.3.2-1.fc30 have been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8984905bca

Comment 11 Fedora Update System 2019-08-30 00:25:47 UTC
bind-9.11.10-1.fc29, bind-dyndb-ldap-11.1-19.fc29, dhcp-4.3.6-34.fc29, dnsperf-2.3.2-1.fc29 have been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d04f66e595

Comment 12 Fedora Update System 2019-08-30 12:17:12 UTC
bind-9.11.10-1.fc31, bind-dyndb-ldap-11.1-20.fc31, dnsperf-2.3.2-1.fc31 have been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-11a3771c04

Comment 13 Fedora Update System 2019-09-02 02:49:56 UTC
bind-9.11.10-1.fc30, bind-dyndb-ldap-11.1-19.fc30, dhcp-4.3.6-37.fc30, dnsperf-2.3.2-1.fc30 have been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2019-09-14 00:06:56 UTC
bind-9.11.10-1.fc31, bind-dyndb-ldap-11.1-20.fc31, dnsperf-2.3.2-1.fc31 have been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2019-09-14 01:54:15 UTC
bind-9.11.10-1.fc29, bind-dyndb-ldap-11.1-19.fc29, dhcp-4.3.6-34.fc29, dnsperf-2.3.2-1.fc29 have been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2019-09-14 16:31:06 UTC
bind-9.11.10-1.fc31, bind-dyndb-ldap-11.1-20.fc31, dnsperf-2.3.2-1.fc31 have been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

