Emit warning with dnssec enabled on FIPS system (#1549507)

Signed-off-by: Petr Menšík <pemensik@redhat.com>
This commit is contained in:
Petr Menšík 2018-03-02 13:15:26 +01:00
parent d61ff2b613
commit 144c414c67
2 changed files with 53 additions and 1 deletions

47
dnsmasq-2.78-fips.patch Normal file
View File

@ -0,0 +1,47 @@
From c7d5a6a968fa2bd7412c913adf274aaa7174303a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Fri, 2 Mar 2018 13:17:04 +0100
Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq
has no proper FIPS 140-2 compliant implementation.
---
src/dnsmasq.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 771bec1..1cb69b7 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -182,6 +182,7 @@ int main (int argc, char **argv)
if (daemon->cachesize < CACHESIZ)
die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF);
+
#else
die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF);
#endif
@@ -741,6 +742,7 @@ int main (int argc, char **argv)
if (option_bool(OPT_DNSSEC_VALID))
{
int rc;
+ int fips;
/* Delay creating the timestamp file until here, after we've changed user, so that
it has the correct owner to allow updating the mtime later.
@@ -752,6 +754,13 @@ int main (int argc, char **argv)
}
my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
+
+ fips = open("/etc/system-fips", O_RDONLY);
+ if (fips != -1)
+ {
+ close(fips);
+ my_syslog(LOG_WARNING, _("DNSSEC support is not FIPS 140-2 compliant"));
+ }
daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
--
2.14.3

View File

@ -13,7 +13,7 @@
Name: dnsmasq Name: dnsmasq
Version: 2.78 Version: 2.78
Release: 6%{?extraversion:.%{extraversion}}%{?dist} Release: 7%{?extraversion:.%{extraversion}}%{?dist}
Summary: A lightweight DHCP/caching DNS server Summary: A lightweight DHCP/caching DNS server
License: GPLv2 or GPLv3 License: GPLv2 or GPLv3
@ -25,6 +25,7 @@ Source2: dnsmasq-systemd-sysusers.conf
# https://bugzilla.redhat.com/show_bug.cgi?id=1495409 # https://bugzilla.redhat.com/show_bug.cgi?id=1495409
Patch1: dnsmasq-2.77-underflow.patch Patch1: dnsmasq-2.77-underflow.patch
Patch2: dnsmasq-2.78-CVE-2017-15107.patch Patch2: dnsmasq-2.78-CVE-2017-15107.patch
Patch3: dnsmasq-2.78-fips.patch
BuildRequires: dbus-devel BuildRequires: dbus-devel
@ -58,6 +59,7 @@ server's leases.
%setup -q -n %{name}-%{version}%{?extraversion} %setup -q -n %{name}-%{version}%{?extraversion}
%patch1 -p1 -b .underflow %patch1 -p1 -b .underflow
%patch2 -p1 -b .CVE-2017-15107 %patch2 -p1 -b .CVE-2017-15107
%patch3 -p1 -b .fips
# use /var/lib/dnsmasq instead of /var/lib/misc # use /var/lib/dnsmasq instead of /var/lib/misc
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@ -157,6 +159,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf
%{_mandir}/man1/dhcp_* %{_mandir}/man1/dhcp_*
%changelog %changelog
* Fri Mar 02 2018 Petr Menšík <pemensik@redhat.com> - 2.78-7
- Emit warning with dnssec enabled on FIPS system (#1549507)
* Sun Feb 25 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.78-6 * Sun Feb 25 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.78-6
- Create user before installing files (#1548050) - Create user before installing files (#1548050)