Emit warning on FIPS without opening the file
parent
db0bc30a48
commit
981bbce593
@ -1,18 +1,18 @@
|
|||||||
From c7d5a6a968fa2bd7412c913adf274aaa7174303a Mon Sep 17 00:00:00 2001
|
From 89f57e39b69f92beacb6bad9c68d61f9c4fb0e77 Mon Sep 17 00:00:00 2001
|
||||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||||
Date: Fri, 2 Mar 2018 13:17:04 +0100
|
Date: Fri, 2 Mar 2018 13:17:04 +0100
|
||||||
Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq
|
Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq
|
||||||
has no proper FIPS 140-2 compliant implementation.
|
has no proper FIPS 140-2 compliant implementation.
|
||||||
|
|
||||||
---
|
---
|
||||||
src/dnsmasq.c | 9 +++++++++
|
src/dnsmasq.c | 6 +++++-
|
||||||
1 file changed, 9 insertions(+)
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
|
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
|
||||||
index 771bec1..1cb69b7 100644
|
index ce44809..9f6c020 100644
|
||||||
--- a/src/dnsmasq.c
|
--- a/src/dnsmasq.c
|
||||||
+++ b/src/dnsmasq.c
|
+++ b/src/dnsmasq.c
|
||||||
@@ -182,6 +182,7 @@ int main (int argc, char **argv)
|
@@ -187,6 +187,7 @@ int main (int argc, char **argv)
|
||||||
|
|
||||||
if (daemon->cachesize < CACHESIZ)
|
if (daemon->cachesize < CACHESIZ)
|
||||||
die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF);
|
die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF);
|
||||||
@ -20,28 +20,18 @@ index 771bec1..1cb69b7 100644
|
|||||||
#else
|
#else
|
||||||
die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF);
|
die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF);
|
||||||
#endif
|
#endif
|
||||||
@@ -741,6 +742,7 @@ int main (int argc, char **argv)
|
@@ -769,7 +770,10 @@ int main (int argc, char **argv)
|
||||||
if (option_bool(OPT_DNSSEC_VALID))
|
|
||||||
{
|
|
||||||
int rc;
|
|
||||||
+ int fips;
|
|
||||||
|
|
||||||
/* Delay creating the timestamp file until here, after we've changed user, so that
|
|
||||||
it has the correct owner to allow updating the mtime later.
|
|
||||||
@@ -752,6 +754,13 @@ int main (int argc, char **argv)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
|
my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
|
||||||
|
-
|
||||||
|
+
|
||||||
|
+ if (access("/etc/system-fips", F_OK) == 0)
|
||||||
|
+ my_syslog(LOG_WARNING, _("DNSSEC support is not FIPS 140-2 compliant"));
|
||||||
+
|
+
|
||||||
+ fips = open("/etc/system-fips", O_RDONLY);
|
|
||||||
+ if (fips != -1)
|
|
||||||
+ {
|
|
||||||
+ close(fips);
|
|
||||||
+ my_syslog(LOG_WARNING, _("DNSSEC support is not FIPS 140-2 compliant"));
|
|
||||||
+ }
|
|
||||||
|
|
||||||
daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
|
daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
|
||||||
if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
|
if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
|
||||||
|
my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until receipt of SIGINT"));
|
||||||
--
|
--
|
||||||
2.14.3
|
2.14.4
|
||||||
|
|
||||||
|