From 805da5bf8f810f46c8f0de99ebe8f27e258537c4 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 23 Dec 2021 14:09:36 +1100
Subject: [PATCH] make cfg_kaspkey_fromconfig FIPS aware

- RSASHA1 (5) and NSEC3RSASHA1 (7) are not accepted in FIPS mode
- minimum RSA key size is set to 2048 bit

adjust kasp and checkconf system tests to ensure non FIPS compliant configurations are not used in FIPS mode
---
 .../checkconf/kasp-bad-nsec3-iter-fips.conf | 47 +++++++++++++++++++
 bin/tests/system/checkconf/tests.sh | 11 ++++-
 lib/isccfg/kaspconf.c | 19 +++++++-
 3 files changed, 74 insertions(+), 3 deletions(-)
 create mode 100644 bin/tests/system/checkconf/kasp-bad-nsec3-iter-fips.conf

diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-iter-fips.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-iter-fips.conf
new file mode 100644
index 0000000000..e54df3b360
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-bad-nsec3-iter-fips.conf
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "rsasha256" {
+ keys {
+ csk lifetime P10Y algorithm rsasha256 2048;
+ };
+ nsec3param iterations 150;
+};
+
+dnssec-policy "rsasha256-bad" {
+ keys {
+ csk lifetime P10Y algorithm rsasha256 2048;
+ };
+ nsec3param iterations 151;
+};
+
+dnssec-policy "rsasha512" {
+ keys {
+ csk lifetime P10Y algorithm rsasha512 4096;
+ };
+ nsec3param iterations 150;
+};
+
+dnssec-policy "rsasha512-bad" {
+ keys {
+ csk lifetime P10Y algorithm rsasha512 4096;
+ };
+ nsec3param iterations 151;
+};
+
+zone "example.net" {
+ type primary;
+ file "example.db";
+ dnssec-policy "default";
+ inline-signing yes;
+};
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index f65d603314..68ed4088d8 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -518,10 +518,17 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)"
 ret=0
-$CHECKCONF kasp-bad-nsec3-iter.conf > checkconf.out$n 2>&1 && ret=1
+if $FEATURETEST --have-fips-mode; then
+ conf=kasp-bad-nsec3-iter-fips.conf
+ expect=2
+else
+ conf=kasp-bad-nsec3-iter.conf
+ expect=3
+fi
+$CHECKCONF $conf > checkconf.out$n 2>&1 && ret=1
 grep "dnssec-policy: nsec3 iterations value 151 out of range" < checkconf.out$n > /dev/null || ret=1
 lines=$(wc -l < "checkconf.out$n")
-if [ $lines -ne 3 ]; then ret=1; fi
+if [ $lines -ne $expect ]; then ret=1; fi
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
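Review bot: The new fixture carries no comment saying how it differs from kasp-bad-nsec3-iter.conf or why a separate file is needed under FIPS, so the relationship between the two files lives only in tests.sh; add a comment after the licence header, e.g. `/* FIPS-mode variant of kasp-bad-nsec3-iter.conf: only algorithms and key sizes accepted in FIPS mode; the "-bad" policies deliberately exceed the nsec3param iterations limit. */`. The four policies are presumably the non-SHA-1 subset of the other file, but that cannot be confirmed from this hunk. None of them is attached to the zone, which only works because named-checkconf validates unreferenced policies; that expectation is worth stating in the same comment.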
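Review bot: `expect=2` and `expect=3` are bare numbers with nothing saying what they count, so the next person editing either .conf file will not know to update them; comment each assignment, e.g. `expect=2 # one error line per policy exceeding the nsec3 iterations limit in the FIPS config`. The count presumably equals the number of policies with 151 iterations in the selected file, which is inferred from the FIPS fixture in this patch rather than visible in this hunk. Counting the specific message with `grep -c` would be less brittle than `wc -l` on the whole output, though the `wc -l` form predates this change.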
diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index 18af596704..e51d2a1426 100644
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -15,6 +15,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -170,6 +171,18 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
 goto cleanup;
 }
 
+ if (isc_fips_mode() &&
+ (key->algorithm == DNS_KEYALG_RSASHA1 ||
+ key->algorithm == DNS_KEYALG_NSEC3RSASHA1))
+ {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "dnssec-policy: algorithm %s not supported "
+ "in FIPS mode",
+ alg.base);
+ result = DNS_R_BADALG;
+ goto cleanup;
+ }
+
 obj = cfg_tuple_get(config, "length");
 if (cfg_obj_isuint32(obj)) {
 uint32_t min, size;
@@ -180,7 +193,11 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
 case DNS_KEYALG_NSEC3RSASHA1:
 case DNS_KEYALG_RSASHA256:
 case DNS_KEYALG_RSASHA512:
- min = DNS_KEYALG_RSASHA512 ? 1024 : 512;
+ if (isc_fips_mode()) {
+ min = 2048;
+ } else {
+ min = DNS_KEYALG_RSASHA512 ? 1024 : 512;
+ }
 if (size < min || size > 4096) {
 cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 "dnssec-policy: key with "
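Review bot: The new FIPS gate rejects only the two RSA/SHA-1 algorithms and carries no comment saying why, so a reader cannot tell whether other algorithms the policy parser accepts were deliberately left alone; add `/* SHA-1 based signing is not FIPS-approved; reject the RSASHA1 variants before looking at key length. */` above the `if (isc_fips_mode() &&` line. If the FIPS provider in use also refuses other algorithms that reach this point, they would presumably need the same treatment, but that cannot be confirmed from this hunk. Raising the error before the length check is the right order, since no key size can rescue an unsupported algorithm. cfg_kaspkey_fromconfig starts before this hunk and continues after it.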
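Review bot: The non-FIPS branch keeps `min = DNS_KEYALG_RSASHA512 ? 1024 : 512;`, which tests the algorithm constant itself rather than `key->algorithm`; that constant is the non-zero IANA algorithm number, so the condition is always true, `min` is 1024 for every RSA algorithm in this case group, and the 512 arm is dead code. Either a flat 1024-bit floor is intended and the line should read `min = 1024;`, or it was meant to be per-algorithm as `min = (key->algorithm == DNS_KEYALG_RSASHA512) ? 1024 : 512;`; the former is the more conservative floor and matches current behaviour, so the choice should be made explicit rather than carried along. This is pre-existing, but the commit rewrites the line, so it is worth settling here. The enclosing switch and cfg_kaspkey_fromconfig continue beyond the hunk.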