Emit warning with dnssec enabled on FIPS system (#1549507)
Signed-off-by: Petr Menšík <pemensik@redhat.com>
parent
d61ff2b613
commit
144c414c67
47
dnsmasq-2.78-fips.patch
Normal file
47
dnsmasq-2.78-fips.patch
Normal file
@ -0,0 +1,47 @@
|
|||||||
|
From c7d5a6a968fa2bd7412c913adf274aaa7174303a Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||||
|
Date: Fri, 2 Mar 2018 13:17:04 +0100
|
||||||
|
Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq
|
||||||
|
has no proper FIPS 140-2 compliant implementation.
|
||||||
|
|
||||||
|
---
|
||||||
|
src/dnsmasq.c | 9 +++++++++
|
||||||
|
1 file changed, 9 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
|
||||||
|
index 771bec1..1cb69b7 100644
|
||||||
|
--- a/src/dnsmasq.c
|
||||||
|
+++ b/src/dnsmasq.c
|
||||||
|
@@ -182,6 +182,7 @@ int main (int argc, char **argv)
|
||||||
|
|
||||||
|
if (daemon->cachesize < CACHESIZ)
|
||||||
|
die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF);
|
||||||
|
+
|
||||||
|
#else
|
||||||
|
die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF);
|
||||||
|
#endif
|
||||||
|
@@ -741,6 +742,7 @@ int main (int argc, char **argv)
|
||||||
|
if (option_bool(OPT_DNSSEC_VALID))
|
||||||
|
{
|
||||||
|
int rc;
|
||||||
|
+ int fips;
|
||||||
|
|
||||||
|
/* Delay creating the timestamp file until here, after we've changed user, so that
|
||||||
|
it has the correct owner to allow updating the mtime later.
|
||||||
|
@@ -752,6 +754,13 @@ int main (int argc, char **argv)
|
||||||
|
}
|
||||||
|
|
||||||
|
my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
|
||||||
|
+
|
||||||
|
+ fips = open("/etc/system-fips", O_RDONLY);
|
||||||
|
+ if (fips != -1)
|
||||||
|
+ {
|
||||||
|
+ close(fips);
|
||||||
|
+ my_syslog(LOG_WARNING, _("DNSSEC support is not FIPS 140-2 compliant"));
|
||||||
|
+ }
|
||||||
|
|
||||||
|
daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
|
||||||
|
if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
|
||||||
|
--
|
||||||
|
2.14.3
|
||||||
|
|
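Review bot: The FIPS test in the `@@ -752,6 +754,13 @@` hunk only checks that `/etc/system-fips` can be opened, so the warning depends on a marker file rather than on the mode the machine is actually running in; as far as I know the kernel reports the runtime state in `/proc/sys/crypto/fips_enabled`, and reading that (or checking both) is worth confirming against the distribution's FIPS guidance. Any open() failure, not just a missing file, also skips the warning without a trace, and the code runs after the user change mentioned in the context comment, so the file must be readable by the unprivileged user. Because the descriptor is never read, `if (access("/etc/system-fips", F_OK) == 0)` would express the existence test without the `int fips;` local added in the `@@ -741,6 +742,7 @@` hunk. A short comment above the check, such as `/* Warn only: validation still runs with crypto that is not FIPS 140-2 validated */`, would make clear that this is advisory and does not disable DNSSEC. The `@@ -182,6 +182,7 @@` hunk adds only a blank line and could be dropped; main() begins and ends outside all three hunks.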
@ -13,7 +13,7 @@
|
|||||||
|
|
||||||
Name: dnsmasq
|
Name: dnsmasq
|
||||||
Version: 2.78
|
Version: 2.78
|
||||||
Release: 6%{?extraversion:.%{extraversion}}%{?dist}
|
Release: 7%{?extraversion:.%{extraversion}}%{?dist}
|
||||||
Summary: A lightweight DHCP/caching DNS server
|
Summary: A lightweight DHCP/caching DNS server
|
||||||
|
|
||||||
License: GPLv2 or GPLv3
|
License: GPLv2 or GPLv3
|
||||||
@ -25,6 +25,7 @@ Source2: dnsmasq-systemd-sysusers.conf
|
|||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1495409
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1495409
|
||||||
Patch1: dnsmasq-2.77-underflow.patch
|
Patch1: dnsmasq-2.77-underflow.patch
|
||||||
Patch2: dnsmasq-2.78-CVE-2017-15107.patch
|
Patch2: dnsmasq-2.78-CVE-2017-15107.patch
|
||||||
|
Patch3: dnsmasq-2.78-fips.patch
|
||||||
|
|
||||||
|
|
||||||
BuildRequires: dbus-devel
|
BuildRequires: dbus-devel
|
||||||
@ -58,6 +59,7 @@ server's leases.
|
|||||||
%setup -q -n %{name}-%{version}%{?extraversion}
|
%setup -q -n %{name}-%{version}%{?extraversion}
|
||||||
%patch1 -p1 -b .underflow
|
%patch1 -p1 -b .underflow
|
||||||
%patch2 -p1 -b .CVE-2017-15107
|
%patch2 -p1 -b .CVE-2017-15107
|
||||||
|
%patch3 -p1 -b .fips
|
||||||
|
|
||||||
# use /var/lib/dnsmasq instead of /var/lib/misc
|
# use /var/lib/dnsmasq instead of /var/lib/misc
|
||||||
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
|
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
|
||||||
@ -157,6 +159,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf
|
|||||||
%{_mandir}/man1/dhcp_*
|
%{_mandir}/man1/dhcp_*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Mar 02 2018 Petr Menšík <pemensik@redhat.com> - 2.78-7
|
||||||
|
- Emit warning with dnssec enabled on FIPS system (#1549507)
|
||||||
|
|
||||||
* Sun Feb 25 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.78-6
|
* Sun Feb 25 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.78-6
|
||||||
- Create user before installing files (#1548050)
|
- Create user before installing files (#1548050)
|
||||||
|
|
||||||
|