dnsmasq/dnsmasq-2.78-fips.patch

From 7b1cce1d0bdb61c09946978d4bdeb05a3cd4202a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Fri, 2 Mar 2018 13:17:04 +0100
Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq
 has no proper FIPS 140-2 compliant implementation.

---
 src/dnsmasq.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 480c5f9..5fd229e 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -187,6 +187,7 @@ int main (int argc, char **argv)
       
       if (daemon->cachesize < CACHESIZ)
 	die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF);
+           
 #else 
       die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF);
 #endif
@@ -786,7 +787,10 @@ int main (int argc, char **argv)
 	my_syslog(LOG_INFO, _("DNSSEC validation enabled but all unsigned answers are trusted"));
       else
 	my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
-      
+
+      if (access("/etc/system-fips", F_OK) == 0)
+        my_syslog(LOG_WARNING, _("DNSSEC support is not FIPS 140-2 compliant"));
+
       daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
       if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
 	my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until receipt of SIGINT"));
-- 
2.14.4
Update to dnsmasq 2.80 Fix underflow patch 2018-10-24 17:26:46 +00:00			`From 7b1cce1d0bdb61c09946978d4bdeb05a3cd4202a Mon Sep 17 00:00:00 2001`
Emit warning with dnssec enabled on FIPS system (#1549507) Signed-off-by: Petr Menšík <pemensik@redhat.com> 2018-03-02 12:15:26 +00:00			`From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>`
			`Date: Fri, 2 Mar 2018 13:17:04 +0100`
			`Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq`
			`has no proper FIPS 140-2 compliant implementation.`

			`---`
Emit warning on FIPS without opening the file 2018-07-02 11:03:40 +00:00			`src/dnsmasq.c \| 6 +++++-`
			`1 file changed, 5 insertions(+), 1 deletion(-)`
Emit warning with dnssec enabled on FIPS system (#1549507) Signed-off-by: Petr Menšík <pemensik@redhat.com> 2018-03-02 12:15:26 +00:00
			`diff --git a/src/dnsmasq.c b/src/dnsmasq.c`
Update to dnsmasq 2.80 Fix underflow patch 2018-10-24 17:26:46 +00:00			`index 480c5f9..5fd229e 100644`
Emit warning with dnssec enabled on FIPS system (#1549507) Signed-off-by: Petr Menšík <pemensik@redhat.com> 2018-03-02 12:15:26 +00:00			`--- a/src/dnsmasq.c`
			`+++ b/src/dnsmasq.c`
Emit warning on FIPS without opening the file 2018-07-02 11:03:40 +00:00			`@@ -187,6 +187,7 @@ int main (int argc, char **argv)`
Emit warning with dnssec enabled on FIPS system (#1549507) Signed-off-by: Petr Menšík <pemensik@redhat.com> 2018-03-02 12:15:26 +00:00
			`if (daemon->cachesize < CACHESIZ)`
			`die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF);`
			`+`
			`#else`
			`die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF);`
			`#endif`
Update to dnsmasq 2.80 Fix underflow patch 2018-10-24 17:26:46 +00:00			`@@ -786,7 +787,10 @@ int main (int argc, char **argv)`
			`my_syslog(LOG_INFO, _("DNSSEC validation enabled but all unsigned answers are trusted"));`
			`else`
			`my_syslog(LOG_INFO, _("DNSSEC validation enabled"));`
Emit warning on FIPS without opening the file 2018-07-02 11:03:40 +00:00			`-`
			`+`
			`+ if (access("/etc/system-fips", F_OK) == 0)`
			`+ my_syslog(LOG_WARNING, _("DNSSEC support is not FIPS 140-2 compliant"));`
Emit warning with dnssec enabled on FIPS system (#1549507) Signed-off-by: Petr Menšík <pemensik@redhat.com> 2018-03-02 12:15:26 +00:00			`+`
			`daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);`
			`if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)`
Emit warning on FIPS without opening the file 2018-07-02 11:03:40 +00:00			`my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until receipt of SIGINT"));`
Emit warning with dnssec enabled on FIPS system (#1549507) Signed-off-by: Petr Menšík <pemensik@redhat.com> 2018-03-02 12:15:26 +00:00			`--`
Emit warning on FIPS without opening the file 2018-07-02 11:03:40 +00:00			`2.14.4`
Emit warning with dnssec enabled on FIPS system (#1549507) Signed-off-by: Petr Menšík <pemensik@redhat.com> 2018-03-02 12:15:26 +00:00