From: "Petr Menšík" <pemensik@redhat.com>
To: bind9-public@isc.org, fdupont@isc.org
Subject: Re: [ISC-Bugs #46764] check MD5 and SHA1 support at startup
Date: Thu, 25 Jan 2018 22:30:07 +0100

Hello Francis,

Stay tuned for the patch. Unfinished and untested preview at
https://github.com/pemensik/bind9/tree/feature/runtime-md5-disable

On 01/20/2018 05:45 PM, Francis Dupont via RT wrote:
> I summarize here recommendations for building bind9:
>
> configure flags:
>
> - --enable-openssl-hash should be on because
> it makes OpenSSL crypto to be used. BTW as we fixed
> at least a problem in the configure detection code I recommend
> to check in config.status and/or report it is really enabled.

Sure, this is definitely going to be enabled. We are fixing a problem in
the pkcs11 variant at this time, but this will be changed as soon as it is
safe to run in FIPS mode. That is in Fedora, not sure when it will be
done in RHEL.

>
> - --enable-crypto-rand should be on for similar
> reasons. As the code allows to bypass this I recommend to
> remove any such possibility (the idea was to keep a way
> to get reproducible system tests, something more than useless
> in production).

Thank you for this suggestion, I think we want this as well.

>
> - --with-gssapi: I have a mixed opinion about this so if
> you have no customers insisting to get it (mainly for
> compatibility with Windows directory) IMHO it is better
> to avoid it.

We cannot avoid this choice, this is absolutely required. The pkcs11
variant in RHEL/Fedora is there only for freeipa usage. Freeipa provides
an integrated solution to identity and authorization management. Kerberos
integration is the primary feature. No way to turn this off.

>
> - --with-ecdsa: it should be autodetected so just check
> it is on in the report and/or config.status

No support for this in 9.11.2, I think we want it.

>
> - --with-gost: it is the opposite: as it uses an engine and
> of course is *not* FIPS-approved it should be off.

This is forbidden in whole Fedora, already is off.

>
> - --with-eddsa: support is only in OpenSSL 1.1 so it is
> unlikely you get it.

This is actually true, Fedora 26 already supports OpenSSL 1.1. This
would be enabled if available. It is supported only in 9.12 however,
Fedora still has 9.11.2 version where this option is available. This is
not relevant to RHEL 7, but I think we want it in Fedora. I will check
backport possibility.

>
> lib/isc/include/pk11/site.h
>
> - I'll come back about PK11_MD5_DISABLE
>
> - PK11_DSA_DISABLE should be on because DSA as it
> is specified in old RFCs and implemented is not secure today.
> Note ECDSA is the fine replacement so I can't see a reason
> to keep it at the exception to be compliant with a clearly
> obsolete RFC...
>
> - PK11_DH_DISABLE could be the same story (in worse
> because there are some predefined groups). It is used
> only for TKEY and required MD5. So at the end it will
> be disabled statically or dynamically in FIPS mode...

I am aware this is directly linked to md5. I think is there any reason
it does not support any other digest algorithm? Is it only lack of
demand for it?

>
> - PK11_PAD_HMAC_KEYS must be off as it fools the
> check on short keys for HMAC.

Last time I checked this in softhsm with openssl 1.1, padding with zeros
did not change results of tests. Is there anything I am missing there?

>
> - PK11_*_REPLACE and PK11_*_SKIP are really for PKCS#11
> so not relevant for builds with OpenSSL.

Not relevant for us now. Might be useful to reconfigure openssl with
different engines instead of replacing like this.

>
> code using crypto:
>
> - OpenSSL code should use EVP. There are alternatives for
> old versions of OpenSSL. If you like you can get rid of them,
> put a #error at the first use of !USE_EVP, etc.

Sure. I think most digest should be in a single file, for example
openssl_digest. AFAIK most openssl digest code is the same, different
only in EVP_xy function passed to EVP_DigestInit.
I think a single static function should be used for all OpenSSL functions
isc_*_init, isc_*_update, isc_*_final. Just pass EVP_xy() to it for the
specific function. Code would be much more simple. Similar with PKCS11
native code. I think lib/isc/md5.c, sha1.c and sha2.c should contain only
built-in functions and not be linked at all when --enable-openssl-hash
is used.

>
> - OpenSSL code should not use engines (this is a requirement
> proper to the Security Policy for Red Hat OpenSSL, i.e. the
> OpenSSL FIPS module allows engines to offload crypto
> to a HSM). There is a USE_ENGINE ifdef which disables
> engine code, you should try it so ENGINE_set_default() is
> never called.

Interesting. I was planning to use the pkcs11 engine in future instead of
native pkcs11 code. I think I will have to talk more with our crypto
people to have clear requirements.

>
> - not OpenSSL crypto code: there are a few places where
> not-predictable values are needed outside a crypto
> mechanisms so some pseudo-random generator code.
> We recently cleaned up and updated this code but as
> it is not involved in crypto operations it should not be
> a problem. I don't know to which version of bind last
> improvements were back ported...
>
> PK11_MD5_DISABLE:
>
> I think we agree what you need is the same as PK11_MD5_DISABLE
> but at runtime, i.e. roughly to replace #ifdef PK11_MD5_DISABLE by
> an "if" in the code.

Sure, so far I am adding if (isc_md5_available()) into the ifdef. That
way, you can still completely disable it at compile time. If you do not,
it can be disabled at runtime.

>
> Even as far as I know there is no way to do it without
> manually editing the code the PK11_MD5_DISABLE ifdefs should
> cover all the places you have to add an "if" including a hidden
> dependency (I believe there is no other dependency but the code
> without MD5 was not heavily used/tested so it is possible
> there is still a bug somewhere...).
>
> Note that at the opposite it is very easy to check there is no
> hidden calls to MD5 so on the security side you can provide
> a high insurance.
>

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik@redhat.com  PGP: 65C6C973