diff --git a/bind-9.11-rh1663318.patch b/bind-9.11-rh1663318.patch
index 79487b0..1af7efb 100644
--- a/bind-9.11-rh1663318.patch
+++ b/bind-9.11-rh1663318.patch
@@ -1,21 +1,37 @@
-From 48d86dd3d834bcedd0c977d193c36b12e8398b4e Mon Sep 17 00:00:00 2001
-From: Francis Dupont
-Date: Sun, 17 Sep 2017 12:02:09 +0200
+From b16a1ff25644bb075f454afe68ee63f6f385ca9c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Wed, 23 Jan 2019 21:11:07 +0100
 Subject: [PATCH] Made RAND_status check optional (broke --disable-crypto-rand)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Unlike upstream, skip it also for DHCP.
+
+Disable RAND_status also in non-threaded builds. DHCP is built without
+threads and should not check RAND_status on dns library initialization.
+Lack of entropy is possible state for dhclient, but it must not fail
+even in this case. Because DHCP itself does not require custom random
+generator, leave default RAND_OpenSSL configured. It should help TLS
+connection to LDAP in single DHCP binary, while keeping secure random
+data if needed.
+
+(modified upstream commit 8a98277811ea50035ff37b744fa3dc5b75bee099)
+
+Signed-off-by: Petr Menšík
 ---
  lib/dns/openssl_link.c | 2 ++
  1 file changed, 2 insertions(+)
 diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
-index 91e87d0..3cddaa9 100644
+index 7a233dd..941eb17 100644
 --- a/lib/dns/openssl_link.c
 +++ b/lib/dns/openssl_link.c
 @@ -289,6 +289,7 @@ dst__openssl_init(const char *engine) {
 #endif
 #endif /* !defined(OPENSSL_NO_ENGINE) */
-+#ifdef ISC_PLATFORM_CRYPTORANDOM
++#if defined(ISC_PLATFORM_CRYPTORANDOM) && defined(ISC_PLATFORM_USETHREADS)
 /* Protect ourselves against unseeded PRNG */
 if (RAND_status() != 1) {
 FATAL_ERROR(__FILE__, __LINE__,
diff --git a/bind.spec b/bind.spec
index 421da0d..5b2f349 100644
--- a/bind.spec
+++ b/bind.spec
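Review bot: The new `#if defined(ISC_PLATFORM_CRYPTORANDOM) && defined(ISC_PLATFORM_USETHREADS)` makes thread support a proxy for "this is the DHCP build", so every non-threaded build of libdns — not only DHCP's, but a `--disable-threads` named as well, if that configuration is still built from this source — silently loses the `RAND_status()` abort and continues into its crypto paths with whatever seeding state OpenSSL's RNG happens to be in. The commit message justifies skipping the check for dhclient only; a dedicated build-time macro set by the DHCP export-libs configure would express that intent directly instead of overloading the threads flag. At minimum the condition needs a comment explaining the coupling, e.g. `/* rhbz#1663318: DHCP builds libdns without threads and must not abort on an unseeded PRNG */`, and downgrading the non-threaded case to a logged warning rather than dropping the check entirely would keep the diagnostic, assuming a logging facility is reachable from dst__openssl_init(). The enclosing function dst__openssl_init() starts and ends outside the hunk.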
@@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind
 License: MPLv2.0
 Version: 9.11.5
-Release: 5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 6%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch: 32
 Url: http://www.isc.org/products/BIND/
 #
@@ -736,7 +736,6 @@ export LIBDIR_SUFFIX
 --without-libjson \
 --without-zlib \
 --without-dlopen \
- --disable-crypto-rand \
 --enable-full-report
 ## We don't want to build other libs than -export twice
@@ -1510,6 +1509,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %changelog
+* Wed Jan 23 2019 Petr Menšík - 32:9.11.5-6
+- Reenable crypto rand for DHCP, disable just entropy check (#1663318)
+
 * Thu Jan 17 2019 Petr Menšík - 32:9.11.5-5
 - Move dnssec related tools from bind-utils to bind-dnssec-utils (#1649398)
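Review bot: Removing `--disable-crypto-rand` from this configure block (apparently the -export libs build, judging by the `## We don't want to build other libs than -export twice` context) leaves no trace in the spec that these libraries now use OpenSSL's RNG while the library's own unseeded-PRNG abort is skipped for them by bind-9.11-rh1663318.patch, so a later reader will assume the RAND_status() check applies. A one-line comment above `--without-libjson \` would keep the two halves of the change together, e.g. `# crypto-rand stays on for the -export libs; bind-9.11-rh1663318.patch skips the RAND_status() abort in this non-threaded build (#1663318)`. The configure invocation this hunk edits starts outside the hunk.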