Made RAND_status check optional (broke --disable-crypto-rand)
Unlike upstream, skip it also for DHCP.

Disable RAND_status also in non-threaded builds. DHCP is built without threads and should not check RAND_status on dns library initialization. Lack of entropy is a possible state for dhclient, but it must not fail even in this case. Because DHCP itself does not require a custom random generator, leave the default RAND_OpenSSL configured. It should help the TLS connection to LDAP in a single DHCP binary, while keeping secure random data if needed.

Resolves: #1663318

(modified upstream commit 8a98277811ea50035ff37b744fa3dc5b75bee099)
parent 219b0e889f
commit 32d91f12ca
@ -1,21 +1,37 @@
|
|||||||
From 48d86dd3d834bcedd0c977d193c36b12e8398b4e Mon Sep 17 00:00:00 2001
|
From b16a1ff25644bb075f454afe68ee63f6f385ca9c Mon Sep 17 00:00:00 2001
|
||||||
From: Francis Dupont <fdupont@isc.org>
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||||
Date: Sun, 17 Sep 2017 12:02:09 +0200
|
Date: Wed, 23 Jan 2019 21:11:07 +0100
|
||||||
Subject: [PATCH] Made RAND_status check optional (broke --disable-crypto-rand)
|
Subject: [PATCH] Made RAND_status check optional (broke --disable-crypto-rand)
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Unlike upstream, skip it also for DHCP.
|
||||||
|
|
||||||
|
Disable RAND_status also in non-threaded builds. DHCP is built without
|
||||||
|
threads and should not check RAND_status on dns library initialization.
|
||||||
|
Lack of entropy is possible state for dhclient, but it must not fail
|
||||||
|
even in this case. Because DHCP itself does not require custom random
|
||||||
|
generator, leave default RAND_OpenSSL configured. It should help TLS
|
||||||
|
connection to LDAP in single DHCP binary, while keeping secure random
|
||||||
|
data if needed.
|
||||||
|
|
||||||
|
(modified upstream commit 8a98277811ea50035ff37b744fa3dc5b75bee099)
|
||||||
|
|
||||||
|
Signed-off-by: Petr Menšík <pemensik@redhat.com>
|
||||||
---
|
---
|
||||||
lib/dns/openssl_link.c | 2 ++
|
lib/dns/openssl_link.c | 2 ++
|
||||||
1 file changed, 2 insertions(+)
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
|
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
|
||||||
index 91e87d0..3cddaa9 100644
|
index 7a233dd..941eb17 100644
|
||||||
--- a/lib/dns/openssl_link.c
|
--- a/lib/dns/openssl_link.c
|
||||||
+++ b/lib/dns/openssl_link.c
|
+++ b/lib/dns/openssl_link.c
|
||||||
@@ -289,6 +289,7 @@ dst__openssl_init(const char *engine) {
|
@@ -289,6 +289,7 @@ dst__openssl_init(const char *engine) {
|
||||||
#endif
|
#endif
|
||||||
#endif /* !defined(OPENSSL_NO_ENGINE) */
|
#endif /* !defined(OPENSSL_NO_ENGINE) */
|
||||||
|
|
||||||
+#ifdef ISC_PLATFORM_CRYPTORANDOM
|
+#if defined(ISC_PLATFORM_CRYPTORANDOM) && defined(ISC_PLATFORM_USETHREADS)
|
||||||
/* Protect ourselves against unseeded PRNG */
|
/* Protect ourselves against unseeded PRNG */
|
||||||
if (RAND_status() != 1) {
|
if (RAND_status() != 1) {
|
||||||
FATAL_ERROR(__FILE__, __LINE__,
|
FATAL_ERROR(__FILE__, __LINE__,
|
||||||
|
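Review bot: the new guard `+#if defined(ISC_PLATFORM_CRYPTORANDOM) && defined(ISC_PLATFORM_USETHREADS)` uses the threads macro as a proxy for "this is the DHCP build", so every non-threaded build of the dns library loses the `if (RAND_status() != 1)` FATAL_ERROR in dst__openssl_init, not only the copy embedded in DHCP. A dedicated build define (for example a configure switch set only for the DHCP/-export build) would express the intent directly instead of piggybacking on ISC_PLATFORM_USETHREADS, and the "Protect ourselves against unseeded PRNG" comment should be extended to state why the check is compiled out, since the guard line alone does not explain it. If the fatal check has to go for these builds, a non-fatal log message when RAND_status() reports an unseeded PRNG would keep that state visible to operators rather than silent.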
@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
|
|||||||
Name: bind
|
Name: bind
|
||||||
License: MPLv2.0
|
License: MPLv2.0
|
||||||
Version: 9.11.5
|
Version: 9.11.5
|
||||||
Release: 5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
|
Release: 6%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
|
||||||
Epoch: 32
|
Epoch: 32
|
||||||
Url: http://www.isc.org/products/BIND/
|
Url: http://www.isc.org/products/BIND/
|
||||||
#
|
#
|
||||||
@ -736,7 +736,6 @@ export LIBDIR_SUFFIX
|
|||||||
--without-libjson \
|
--without-libjson \
|
||||||
--without-zlib \
|
--without-zlib \
|
||||||
--without-dlopen \
|
--without-dlopen \
|
||||||
--disable-crypto-rand \
|
|
||||||
--enable-full-report
|
--enable-full-report
|
||||||
|
|
||||||
## We don't want to build other libs than -export twice
|
## We don't want to build other libs than -export twice
|
||||||
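Review bot: removing `--disable-crypto-rand \` from this configure invocation re-enables the crypto RNG for the build under the "We don't want to build other libs than -export twice" comment, but nothing in the spec records why, and the old flag is an easy thing to re-add during a future rebase. Add a one-line comment above the configure block pointing at #1663318 and at the companion patch that now guards the RAND_status check. The backslash continuation chain (`--without-dlopen \` followed by `--enable-full-report`) remains intact after the removal.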
@ -1510,6 +1509,9 @@ rm -rf ${RPM_BUILD_ROOT}
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jan 23 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-6
|
||||||
|
- Reenable crypto rand for DHCP, disable just entropy check (#1663318)
|
||||||
|
|
||||||
* Thu Jan 17 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-5
|
* Thu Jan 17 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-5
|
||||||
- Move dnssec related tools from bind-utils to bind-dnssec-utils (#1649398)
|
- Move dnssec related tools from bind-utils to bind-dnssec-utils (#1649398)
|
||||||
|
|
||||||
|
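Review bot: the changelog entry "Reenable crypto rand for DHCP, disable just entropy check (#1663318)" describes a narrower effect than the patch implements: the RAND_status check is compiled out for any build without ISC_PLATFORM_USETHREADS, not only DHCP. Reword along the lines of "disable RAND_status entropy check in non-threaded builds (used by DHCP)" so the changelog matches the patch condition.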