From 981bbce593bab0dc045cfbde0e82613d401ff431 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Mon, 2 Jul 2018 13:03:40 +0200
Subject: [PATCH] Emit warning on FIPS without opening the file

---
 dnsmasq-2.78-fips.patch | 34 ++++++++++++----------------------
 1 file changed, 12 insertions(+), 22 deletions(-)

diff --git a/dnsmasq-2.78-fips.patch b/dnsmasq-2.78-fips.patch
index a341796..011433c 100644
--- a/dnsmasq-2.78-fips.patch
+++ b/dnsmasq-2.78-fips.patch
@@ -1,18 +1,18 @@
-From c7d5a6a968fa2bd7412c913adf274aaa7174303a Mon Sep 17 00:00:00 2001
+From 89f57e39b69f92beacb6bad9c68d61f9c4fb0e77 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
 Date: Fri, 2 Mar 2018 13:17:04 +0100
 Subject: [PATCH] Print warning on FIPS machine with dnssec enabled.
 
 Dnsmasq has no proper FIPS 140-2 compliant implementation.
 ---
- src/dnsmasq.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
+ src/dnsmasq.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
 
 diff --git a/src/dnsmasq.c b/src/dnsmasq.c
-index 771bec1..1cb69b7 100644
+index ce44809..9f6c020 100644
 --- a/src/dnsmasq.c
 +++ b/src/dnsmasq.c
-@@ -182,6 +182,7 @@ int main (int argc, char **argv)
+@@ -187,6 +187,7 @@ int main (int argc, char **argv)
        if (daemon->cachesize < CACHESIZ)
          die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF);
@@ -20,28 +20,18 @@ index 771bec1..1cb69b7 100644 #else die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF); #endif -@@ -741,6 +742,7 @@ int main (int argc, char **argv) - if (option_bool(OPT_DNSSEC_VALID)) - { - int rc; -+ int fips; - - /* Delay creating the timestamp file until here, after we've changed user, so that - it has the correct owner to allow updating the mtime later. -@@ -752,6 +754,13 @@ int main (int argc, char **argv) +@@ -769,7 +770,10 @@ int main (int argc, char **argv) } my_syslog(LOG_INFO, _("DNSSEC validation enabled")); +- ++ ++ if (access("/etc/system-fips", F_OK) == 0) ++ my_syslog(LOG_WARNING, _("DNSSEC support is not FIPS 140-2 compliant")); + -+ fips = open("/etc/system-fips", O_RDONLY); -+ if (fips != -1) -+ { -+ close(fips); -+ my_syslog(LOG_WARNING, _("DNSSEC support is not FIPS 140-2 compliant")); -+ } - daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME); if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future) + my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until receipt of SIGINT")); -- -2.14.3 +2.14.4
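Review bot: The new `if (access("/etc/system-fips", F_OK) == 0)` line tests only for the presence of a distribution marker file, which is a heuristic rather than a check that FIPS mode is actually enforced, and nothing in the hunk says so; a comment such as `/* /etc/system-fips is the distro marker for a FIPS-enabled host; the DNSSEC crypto used here is not FIPS 140-2 validated, so warn. */` above the check would keep the next maintainer from reading it as an authoritative test. Using access() for an advisory log line is fine here, since its result gates nothing but the my_syslog() call, so the usual check-then-use concern with access() does not apply. Whether a LOG_WARNING rather than refusing to start is the intended policy on such hosts is not stated in the description and would be worth recording in the comment or commit message. The hunk also appears to turn the blank context line after the "DNSSEC validation enabled" log into a `-`/`+` pair, which ties the patch to that exact whitespace line for no functional gain; keeping it as context would make the patch more robust to rebases. The enclosing main() starts and ends outside the hunk.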