rpms/bind
5
0
Fork 1
Code Issues Pull Requests Releases Activity

Made RAND_status check optional (broke --disable-crypto-rand)

Browse Source 
dhclient can terminate if not enough entropy, but it never requires
random data. On a new virtual machine, lack of entropy can be common.
Ensure it does not prevent DHCP client assigning an IP address.
This commit is contained in:
Petr Menšík 2019-01-14 18:51:53 +01:00
parent a1558710fb
commit 67a5cd83ff
2 changed files with 40 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
bind-9.11-rh1663318.patch Normal file
View File

@ -0,0 +1,32 @@
From 48d86dd3d834bcedd0c977d193c36b12e8398b4e Mon Sep 17 00:00:00 2001
From: Francis Dupont <fdupont@isc.org>
Date: Sun, 17 Sep 2017 12:02:09 +0200
Subject: [PATCH] Made RAND_status check optional (broke --disable-crypto-rand)
---
lib/dns/openssl_link.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 91e87d0..3cddaa9 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -289,6 +289,7 @@ dst__openssl_init(const char *engine) {
#endif
#endif /* !defined(OPENSSL_NO_ENGINE) */
+#ifdef ISC_PLATFORM_CRYPTORANDOM
/* Protect ourselves against unseeded PRNG */
if (RAND_status() != 1) {
FATAL_ERROR(__FILE__, __LINE__,
@@ -296,6 +297,7 @@ dst__openssl_init(const char *engine) {
"cannot be initialized (see the `PRNG not "
"seeded' message in the OpenSSL FAQ)");
}
+#endif
return (ISC_R_SUCCESS);
--
2.20.1

9
bind.spec
View File

@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind Name: bind
License: MPLv2.0 License: MPLv2.0
Version: 9.11.5 Version: 9.11.5
Release: 2%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32 Epoch: 32
Url: http://www.isc.org/products/BIND/ Url: http://www.isc.org/products/BIND/
# #
@ -129,6 +129,8 @@ Patch160:bind-9.11-rh1624100.patch
Patch161:bind-9.11-host-idn-disable.patch Patch161:bind-9.11-host-idn-disable.patch
# https://gitlab.isc.org/isc-projects/bind9/issues/624 # https://gitlab.isc.org/isc-projects/bind9/issues/624
Patch162:bind-9.11-unit-dnstap-pkcs11.patch Patch162:bind-9.11-unit-dnstap-pkcs11.patch
# https://gitlab.isc.org/isc-projects/bind9/commit/8a98277811e
Patch163:bind-9.11-rh1663318.patch
# SDB patches # SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch Patch11: bind-9.3.2b2-sdbsrc.patch
@ -486,6 +488,7 @@ are used for building ISC DHCP.
%patch160 -p1 -b .rh1624100 %patch160 -p1 -b .rh1624100
%patch161 -p1 -b .host-idn-disable %patch161 -p1 -b .host-idn-disable
%patch162 -p1 -b .dnstap-pkcs11 %patch162 -p1 -b .dnstap-pkcs11
%patch163 -p1 -b .rh1663318
mkdir lib/dns/tests/testdata/dstrandom mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@ -712,6 +715,7 @@ export LIBDIR_SUFFIX
--without-libjson \ --without-libjson \
--without-zlib \ --without-zlib \
--without-dlopen \ --without-dlopen \
--disable-crypto-rand \
--enable-full-report --enable-full-report
## We don't want to build other libs than -export twice ## We don't want to build other libs than -export twice
@ -1483,6 +1487,9 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog %changelog
* Mon Jan 14 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-3
- Disable crypto rand for DHCP (#1663318)
* Thu Oct 25 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-2 * Thu Oct 25 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-2
- Add optional support for JSON statistics - Add optional support for JSON statistics
- Add optional DNSTAP support (#1564776), new dnstap-read tool - Add optional DNSTAP support (#1564776), new dnstap-read tool