From 144c414c6792bdddbdb92529a4186ebb27afb28f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Fri, 2 Mar 2018 13:15:26 +0100
Subject: [PATCH] Emit warning with dnssec enabled on FIPS system (#1549507)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Petr Menšík
---
 dnsmasq-2.78-fips.patch | 47 +++++++++++++++++++++++++++++++++++++++++
 dnsmasq.spec | 7 +++++-
 2 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 dnsmasq-2.78-fips.patch

diff --git a/dnsmasq-2.78-fips.patch b/dnsmasq-2.78-fips.patch
new file mode 100644
index 0000000..a341796
--- /dev/null
+++ b/dnsmasq-2.78-fips.patch
@@ -0,0 +1,47 @@
+From c7d5a6a968fa2bd7412c913adf274aaa7174303a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Fri, 2 Mar 2018 13:17:04 +0100
+Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq
+ has no proper FIPS 140-2 compliant implementation.
+
+---
+ src/dnsmasq.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/dnsmasq.c b/src/dnsmasq.c
+index 771bec1..1cb69b7 100644
+--- a/src/dnsmasq.c
++++ b/src/dnsmasq.c
+@@ -182,6 +182,7 @@ int main (int argc, char **argv)
+ 
+ if (daemon->cachesize < CACHESIZ)
+ die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF);
++
+ #else
+ die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF);
+ #endif
+@@ -741,6 +742,7 @@ int main (int argc, char **argv)
+ if (option_bool(OPT_DNSSEC_VALID))
+ {
+ int rc;
++ int fips;
+ 
+ /* Delay creating the timestamp file until here, after we've changed user, so that
+ it has the correct owner to allow updating the mtime later.
+@@ -752,6 +754,13 @@ int main (int argc, char **argv)
+ }
+ 
+ my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
++
++ fips = open("/etc/system-fips", O_RDONLY);
++ if (fips != -1)
++ {
++ close(fips);
++ my_syslog(LOG_WARNING, _("DNSSEC support is not FIPS 140-2 compliant"));
++ }
+ 
+ daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
+ if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
+-- 
+2.14.3
+
diff --git a/dnsmasq.spec b/dnsmasq.spec
index cb4fca5..b135676 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -13,7 +13,7 @@ Name: dnsmasq
 Version: 2.78
-Release: 6%{?extraversion:.%{extraversion}}%{?dist}
+Release: 7%{?extraversion:.%{extraversion}}%{?dist}
 Summary: A lightweight DHCP/caching DNS server
 License: GPLv2 or GPLv3
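Review bot: The new FIPS check, `fips = open("/etc/system-fips", O_RDONLY)`, only proves that a marker file exists, which is not the same as the kernel actually enforcing FIPS mode; the authoritative runtime signal is `/proc/sys/crypto/fips_enabled` reading `1`, and as far as I can tell the marker file can be present on a machine whose kernel was not booted with FIPS enforced (and may be absent on systems that no longer ship it), so the warning can both misfire and go silent. I would read the sysctl and warn only when it reports `1`, keeping the same open/close shape (see the fence below). Separately, this is only a LOG_WARNING, so on a FIPS system dnsmasq still goes on to validate DNSSEC with a non-validated crypto implementation; whether that should instead be a hard error with an explicit opt-out is a policy decision the patch description should state either way. The first inner hunk, `@@ -182,6 +182,7 @@`, adds nothing but a blank line and should be dropped from the patch. All three inner hunks sit inside `main()`, whose start and end lie outside this diff.
```c
      my_syslog(LOG_INFO, _("DNSSEC validation enabled"));

      /* /etc/system-fips is only a distribution marker file; the kernel sysctl is
         the authoritative signal that FIPS mode is actually being enforced. */
      fips = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
      if (fips != -1)
        {
          char enabled = '0';
          if (read(fips, &enabled, 1) == 1 && enabled == '1')
            my_syslog(LOG_WARNING, _("DNSSEC support is not FIPS 140-2 compliant"));
          close(fips);
        }
      /* … unchanged: dnssec_no_time_check handling … */
```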
@@ -25,6 +25,7 @@ Source2: dnsmasq-systemd-sysusers.conf
 # https://bugzilla.redhat.com/show_bug.cgi?id=1495409
 Patch1: dnsmasq-2.77-underflow.patch
 Patch2: dnsmasq-2.78-CVE-2017-15107.patch
+Patch3: dnsmasq-2.78-fips.patch
 
 BuildRequires: dbus-devel
 
@@ -58,6 +59,7 @@ server's leases.
 %setup -q -n %{name}-%{version}%{?extraversion}
 %patch1 -p1 -b .underflow
 %patch2 -p1 -b .CVE-2017-15107
+%patch3 -p1 -b .fips
 
 # use /var/lib/dnsmasq instead of /var/lib/misc
 for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -157,6 +159,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf
 %{_mandir}/man1/dhcp_*
 
 %changelog
+* Fri Mar 02 2018 Petr Menšík - 2.78-7
+- Emit warning with dnssec enabled on FIPS system (#1549507)
+
 * Sun Feb 25 2018 Zbigniew Jędrzejewski-Szmek - 2.78-6
 - Create user before installing files (#1548050)