From 9cc8f6adf8237e18832c1892cbddf25086df11f8 Mon Sep 17 00:00:00 2001
From: Paul Wouters <pwouters@redhat.com>
Date: Tue, 3 Jul 2012 11:37:57 -0400
Subject: [PATCH] * Tue Jul 03 2012 Paul Wouters <pwouters@redhat.com> -
 1.4.17-3 - unbound FIPS patches for lack of md5, and randomness

---
 unbound-1.4.17-fips.patch | 109 ++++++++++++++++++++++++++++++++++++++
 unbound.spec              |   9 ++--
 2 files changed, 115 insertions(+), 3 deletions(-)
 create mode 100644 unbound-1.4.17-fips.patch

diff --git a/unbound-1.4.17-fips.patch b/unbound-1.4.17-fips.patch
new file mode 100644
index 0000000..c35cfd4
--- /dev/null
+++ b/unbound-1.4.17-fips.patch
@@ -0,0 +1,109 @@
+diff -Naur unbound-1.4.17-orig/config.h.in unbound-1.4.17/config.h.in
+--- unbound-1.4.17-orig/config.h.in	2012-02-13 05:42:22.000000000 -0500
++++ unbound-1.4.17/config.h.in	2012-07-03 11:08:53.440318529 -0400
+@@ -106,6 +106,9 @@
+ /* Define to 1 if you have the `fcntl' function. */
+ #undef HAVE_FCNTL
+ 
++/* Define to 1 if you have the `FIPS_mode' function. */
++#undef HAVE_FIPS_MODE
++
+ /* Define to 1 if you have the `fork' function. */
+ #undef HAVE_FORK
+ 
+diff -Naur unbound-1.4.17-orig/configure unbound-1.4.17/configure
+--- unbound-1.4.17-orig/configure	2012-05-24 04:37:55.000000000 -0400
++++ unbound-1.4.17/configure	2012-07-03 11:08:53.445318575 -0400
+@@ -16376,7 +16376,7 @@
+ 
+ done
+ 
+-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512
++for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode
+ do :
+   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+diff -Naur unbound-1.4.17-orig/configure.ac unbound-1.4.17/configure.ac
+--- unbound-1.4.17-orig/configure.ac	2012-05-15 10:50:21.000000000 -0400
++++ unbound-1.4.17/configure.ac	2012-07-03 11:08:53.447318592 -0400
+@@ -515,7 +515,7 @@
+ ACX_LIB_SSL
+ AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
+ AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
+-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512])
++AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode])
+ AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [
+ AC_INCLUDES_DEFAULT
+ #ifdef HAVE_OPENSSL_ERR_H
+diff -Naur unbound-1.4.17-orig/util/random.c unbound-1.4.17/util/random.c
+--- unbound-1.4.17-orig/util/random.c	2012-05-09 05:13:57.000000000 -0400
++++ unbound-1.4.17/util/random.c	2012-07-03 11:08:53.440318529 -0400
+@@ -140,6 +140,16 @@
+ 			return;
+ 		}
+ 	}
++#ifdef HAVE_FIPS_MODE
++	if(FIPS_mode()) {
++		/* RC4 is not allowed, get some trustworthy randomness */
++		/* double certainty here, this routine should not be
++		 * called in FIPS_mode */
++		memset(rand_buf, 0, sizeof(rand_buf));
++		s->rc4_ready = REKEY_BYTES;
++		return;
++	}
++#endif /* FIPS_MODE */
+ 	RC4_set_key(&s->rc4, SEED_SIZE, (unsigned char*)rand_buf);
+ 
+ 	/*
+@@ -164,6 +174,9 @@
+ 		return NULL;
+ 	}
+ 	ub_systemseed(seed);
++#ifdef HAVE_FIPS_MODE
++	if(!FIPS_mode())
++#endif
+ 	ub_arc4random_stir(s, from);
+ 	return s;
+ }
+@@ -172,6 +185,20 @@
+ ub_random(struct ub_randstate* s)
+ {
+ 	unsigned int r = 0;
++#ifdef HAVE_FIPS_MODE
++	if(FIPS_mode()) {
++		/* RC4 is not allowed, get some trustworthy randomness */
++		/* we use pseudo bytes: it tries to return secure randomness
++		 * but returns 'something' if that fails.  We need something
++		 * else if it fails, because we cannot block here */
++		if(RAND_pseudo_bytes((unsigned char*)&r, (int)sizeof(r))
++			== -1) {
++			log_err("FIPSmode, no arc4random but RAND failed "
++				"(error %ld)", ERR_get_error());
++		}
++		return (long int)((r) % (((unsigned)MAX_VALUE + 1)));
++	}
++#endif /* FIPS_MODE */
+ 	if (s->rc4_ready <= 0) {
+ 		ub_arc4random_stir(s, NULL);
+ 	}
+diff -Naur unbound-1.4.17-orig/validator/val_sigcrypt.c unbound-1.4.17/validator/val_sigcrypt.c
+--- unbound-1.4.17-orig/validator/val_sigcrypt.c	2012-02-16 05:08:07.000000000 -0500
++++ unbound-1.4.17/validator/val_sigcrypt.c	2012-07-03 11:15:31.724850996 -0400
+@@ -417,11 +417,16 @@
+ dnskey_algo_id_is_supported(int id)
+ {
+ 	switch(id) {
++	case LDNS_RSAMD5:
++#ifdef HAVE_FIPS_MODE
++		return !FIPS_mode();
++#else
++		return 1;
++#endif
+ 	case LDNS_DSA:
+ 	case LDNS_DSA_NSEC3:
+ 	case LDNS_RSASHA1:
+ 	case LDNS_RSASHA1_NSEC3:
+-	case LDNS_RSAMD5:
+ #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
+ 	case LDNS_RSASHA256:
+ #endif
diff --git a/unbound.spec b/unbound.spec
index 80d59a8..d34d7b0 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -14,7 +14,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.4.17
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
 Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
@@ -27,7 +27,7 @@ Source6: dlv.isc.org.key
 Source7: unbound-keygen.service
 Source8: tmpfiles-unbound.conf
 Patch1: unbound-1.2-glob.patch
-
+Patch2: unbound-1.4.17-fips.patch
 Group: System Environment/Daemons
 BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0, 
 BuildRequires: libevent-devel expat-devel
@@ -103,7 +103,7 @@ Python modules and extensions for unbound
 %prep
 %setup -q 
 %patch1 -p1
-#%patch2 -p1
+%patch2 -p1
 
 %build
 %configure  --with-ldns= --with-libevent --with-pthreads --with-ssl \
@@ -238,6 +238,9 @@ fi
 /bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
 
 %changelog
+* Tue Jul 03 2012 Paul Wouters <pwouters@redhat.com> - 1.4.17-3
+- unbound FIPS patches for lack of md5, and randomness
+
 * Fri Jun 15 2012 Adam Tkac <atkac redhat com> - 1.4.17-2
 - don't build unbound-munin on RHEL