Made RAND_status check optional (broke --disable-crypto-rand)

dhclient can terminate if not enough entropy, but it never requires random data. On a new virtual machine, lack of entropy can be common. Ensure it does not prevent DHCP client assigning an IP address.
2019-01-14 18:51:53 +01:00 · 2019-01-14 18:51:53 +01:00 · 67a5cd83ff
commit 67a5cd83ff
parent a1558710fb
2 changed files with 40 additions and 1 deletions
--- a/bind-9.11-rh1663318.patch
+++ b/bind-9.11-rh1663318.patch
@ -0,0 +1,32 @@
+From 48d86dd3d834bcedd0c977d193c36b12e8398b4e Mon Sep 17 00:00:00 2001
+From: Francis Dupont <fdupont@isc.org>
+Date: Sun, 17 Sep 2017 12:02:09 +0200
+Subject: [PATCH] Made RAND_status check optional (broke --disable-crypto-rand)
+
+---
+ lib/dns/openssl_link.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
+index 91e87d0..3cddaa9 100644
+--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
+@@ -289,6 +289,7 @@ dst__openssl_init(const char *engine) {
+ #endif
+ #endif /* !defined(OPENSSL_NO_ENGINE) */
+ 
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ 	/* Protect ourselves against unseeded PRNG */
+ 	if (RAND_status() != 1) {
+ 		FATAL_ERROR(__FILE__, __LINE__,
+@@ -296,6 +297,7 @@ dst__openssl_init(const char *engine) {
+ 			    "cannot be initialized (see the `PRNG not "
+ 			    "seeded' message in the OpenSSL FAQ)");
+ 	}
+#endif
+ 
+ 	return (ISC_R_SUCCESS);
+ 
+-- 
+2.20.1
+
--- a/bind.spec
+++ b/bind.spec
@ -54,7 +54,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.11.5
-Release:  2%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release:  3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch:    32
 Url:      http://www.isc.org/products/BIND/
 #
@ -129,6 +129,8 @@ Patch160:bind-9.11-rh1624100.patch
 Patch161:bind-9.11-host-idn-disable.patch
 # https://gitlab.isc.org/isc-projects/bind9/issues/624
 Patch162:bind-9.11-unit-dnstap-pkcs11.patch
+# https://gitlab.isc.org/isc-projects/bind9/commit/8a98277811e
+Patch163:bind-9.11-rh1663318.patch

 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@ -486,6 +488,7 @@ are used for building ISC DHCP.
 %patch160 -p1 -b .rh1624100
 %patch161 -p1 -b .host-idn-disable
 %patch162 -p1 -b .dnstap-pkcs11
+%patch163 -p1 -b .rh1663318

 mkdir lib/dns/tests/testdata/dstrandom
 cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@ -712,6 +715,7 @@ export LIBDIR_SUFFIX
        --without-libjson \
        --without-zlib \
        --without-dlopen \
+        --disable-crypto-rand \
        --enable-full-report

 ## We don't want to build other libs than -export twice
@ -1483,6 +1487,9 @@ rm -rf ${RPM_BUILD_ROOT}


 %changelog
+* Mon Jan 14 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-3
+- Disable crypto rand for DHCP (#1663318)
+
 * Thu Oct 25 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-2
 - Add optional support for JSON statistics
 - Add optional DNSTAP support (#1564776), new dnstap-read tool