make cfg_kaspkey_fromconfig FIPS aware

- RSASHA1 (5) and NSEC3RSASHA1 (7) are not accepted in FIPS mode - minimum RSA key size is set to 2048 bit adjust kasp and checkconf system tests to ensure non FIPS compliant configurations are not used in FIPS mode
2025-08-31 14:35:26 +00:00 · 2021-12-23 14:09:36 +11:00
parent 07a3b5b02f
commit 805da5bf8f
3 changed files with 74 additions and 3 deletions
--- a/bin/tests/system/checkconf/kasp-bad-nsec3-iter-fips.conf
+++ b/bin/tests/system/checkconf/kasp-bad-nsec3-iter-fips.conf
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "rsasha256" {
+	keys {
+		csk lifetime P10Y algorithm rsasha256 2048;
+	};
+	nsec3param iterations 150;
+};
+
+dnssec-policy "rsasha256-bad" {
+	keys {
+		csk lifetime P10Y algorithm rsasha256 2048;
+	};
+	nsec3param iterations 151;
+};
+
+dnssec-policy "rsasha512" {
+	keys {
+		csk lifetime P10Y algorithm rsasha512 4096;
+	};
+	nsec3param iterations 150;
+};
+
+dnssec-policy "rsasha512-bad" {
+	keys {
+		csk lifetime P10Y algorithm rsasha512 4096;
+	};
+	nsec3param iterations 151;
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "default";
+	inline-signing yes;
+};
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -518,10 +518,17 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)"
 ret=0
-$CHECKCONF kasp-bad-nsec3-iter.conf > checkconf.out$n 2>&1 && ret=1
+if $FEATURETEST --have-fips-mode; then
+    conf=kasp-bad-nsec3-iter-fips.conf
+    expect=2
+else
+    conf=kasp-bad-nsec3-iter.conf
+    expect=3
+fi
+$CHECKCONF $conf > checkconf.out$n 2>&1 && ret=1
 grep "dnssec-policy: nsec3 iterations value 151 out of range" < checkconf.out$n > /dev/null || ret=1
 lines=$(wc -l < "checkconf.out$n")
-if [ $lines -ne 3 ]; then ret=1; fi
+if [ $lines -ne $expect ]; then ret=1; fi
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -15,6 +15,7 @@
 #include <stdbool.h>
 #include <stdlib.h>

+#include <isc/fips.h>
 #include <isc/mem.h>
 #include <isc/region.h>
 #include <isc/result.h>
@@ -170,6 +171,18 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
 			goto cleanup;
 		}

+		if (isc_fips_mode() &&
+		    (key->algorithm == DNS_KEYALG_RSASHA1 ||
+		     key->algorithm == DNS_KEYALG_NSEC3RSASHA1))
+		{
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "dnssec-policy: algorithm %s not supported "
+				    "in FIPS mode",
+				    alg.base);
+			result = DNS_R_BADALG;
+			goto cleanup;
+		}
+
 		obj = cfg_tuple_get(config, "length");
 		if (cfg_obj_isuint32(obj)) {
 			uint32_t min, size;
@@ -180,7 +193,11 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
 			case DNS_KEYALG_NSEC3RSASHA1:
 			case DNS_KEYALG_RSASHA256:
 			case DNS_KEYALG_RSASHA512:
-				min = DNS_KEYALG_RSASHA512 ? 1024 : 512;
+				if (isc_fips_mode()) {
+					min = 2048;
+				} else {
+					min = DNS_KEYALG_RSASHA512 ? 1024 : 512;
+				}
 				if (size < min || size > 4096) {
 					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 						    "dnssec-policy: key with "