Emit warning on FIPS without opening the file

2018-07-02 13:03:40 +02:00 · 2018-07-02 13:03:40 +02:00 · 981bbce593
commit 981bbce593
parent db0bc30a48
1 changed files with 12 additions and 22 deletions
--- a/dnsmasq-2.78-fips.patch
+++ b/dnsmasq-2.78-fips.patch
@ -1,18 +1,18 @@
-From c7d5a6a968fa2bd7412c913adf274aaa7174303a Mon Sep 17 00:00:00 2001
+From 89f57e39b69f92beacb6bad9c68d61f9c4fb0e77 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Fri, 2 Mar 2018 13:17:04 +0100
 Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq
 has no proper FIPS 140-2 compliant implementation.

 ---
- src/dnsmasq.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
+ src/dnsmasq.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)

 diff --git a/src/dnsmasq.c b/src/dnsmasq.c
-index 771bec1..1cb69b7 100644
+index ce44809..9f6c020 100644
 --- a/src/dnsmasq.c
 +++ b/src/dnsmasq.c
-@@ -182,6 +182,7 @@ int main (int argc, char **argv)
+@@ -187,6 +187,7 @@ int main (int argc, char **argv)
       
       if (daemon->cachesize < CACHESIZ)
 	die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF);
@ -20,28 +20,18 @@ index 771bec1..1cb69b7 100644
 #else 
       die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF);
 #endif
-@@ -741,6 +742,7 @@ int main (int argc, char **argv)
-   if (option_bool(OPT_DNSSEC_VALID))
-     {
-       int rc;
-+      int fips;
- 
-       /* Delay creating the timestamp file until here, after we've changed user, so that
- 	 it has the correct owner to allow updating the mtime later. 
-@@ -752,6 +754,13 @@ int main (int argc, char **argv)
+@@ -769,7 +770,10 @@ int main (int argc, char **argv)
 	}
       
       my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
+-      
+
+      if (access("/etc/system-fips", F_OK) == 0)
+        my_syslog(LOG_WARNING, _("DNSSEC support is not FIPS 140-2 compliant"));
 +
-+      fips = open("/etc/system-fips", O_RDONLY);
-+      if (fips != -1)
-+        {
-+          close(fips);
-+    	  my_syslog(LOG_WARNING, _("DNSSEC support is not FIPS 140-2 compliant")); 
-+        }
-       
       daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
       if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
+ 	my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until receipt of SIGINT"));
 -- 
-2.14.3
+2.14.4