rpms/unbound
7
0
Fork 0
Code Issues Pull Requests Releases Activity

* Tue Jul 03 2012 Paul Wouters <pwouters@redhat.com> - 1.4.17-3

Browse Source 
- unbound FIPS patches for lack of md5, and randomness
This commit is contained in:
Paul Wouters 2012-07-03 11:37:57 -04:00
parent 0a7dcbe0ca
commit 9cc8f6adf8
2 changed files with 115 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

109
unbound-1.4.17-fips.patch Normal file
View File

@ -0,0 +1,109 @@
diff -Naur unbound-1.4.17-orig/config.h.in unbound-1.4.17/config.h.in
--- unbound-1.4.17-orig/config.h.in 2012-02-13 05:42:22.000000000 -0500
+++ unbound-1.4.17/config.h.in 2012-07-03 11:08:53.440318529 -0400
@@ -106,6 +106,9 @@
/* Define to 1 if you have the `fcntl' function. */
#undef HAVE_FCNTL
+/* Define to 1 if you have the `FIPS_mode' function. */
+#undef HAVE_FIPS_MODE
+
/* Define to 1 if you have the `fork' function. */
#undef HAVE_FORK
diff -Naur unbound-1.4.17-orig/configure unbound-1.4.17/configure
--- unbound-1.4.17-orig/configure 2012-05-24 04:37:55.000000000 -0400
+++ unbound-1.4.17/configure 2012-07-03 11:08:53.445318575 -0400
@@ -16376,7 +16376,7 @@
done
-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512
+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
diff -Naur unbound-1.4.17-orig/configure.ac unbound-1.4.17/configure.ac
--- unbound-1.4.17-orig/configure.ac 2012-05-15 10:50:21.000000000 -0400
+++ unbound-1.4.17/configure.ac 2012-07-03 11:08:53.447318592 -0400
@@ -515,7 +515,7 @@
ACX_LIB_SSL
AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode])
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [
AC_INCLUDES_DEFAULT
#ifdef HAVE_OPENSSL_ERR_H
diff -Naur unbound-1.4.17-orig/util/random.c unbound-1.4.17/util/random.c
--- unbound-1.4.17-orig/util/random.c 2012-05-09 05:13:57.000000000 -0400
+++ unbound-1.4.17/util/random.c 2012-07-03 11:08:53.440318529 -0400
@@ -140,6 +140,16 @@
return;
}
}
+#ifdef HAVE_FIPS_MODE
+ if(FIPS_mode()) {
+ /* RC4 is not allowed, get some trustworthy randomness */
+ /* double certainty here, this routine should not be
+ * called in FIPS_mode */
+ memset(rand_buf, 0, sizeof(rand_buf));
+ s->rc4_ready = REKEY_BYTES;
+ return;
+ }
+#endif /* FIPS_MODE */
RC4_set_key(&s->rc4, SEED_SIZE, (unsigned char*)rand_buf);
/*
@@ -164,6 +174,9 @@
return NULL;
}
ub_systemseed(seed);
+#ifdef HAVE_FIPS_MODE
+ if(!FIPS_mode())
+#endif
ub_arc4random_stir(s, from);
return s;
}
@@ -172,6 +185,20 @@
ub_random(struct ub_randstate* s)
{
unsigned int r = 0;
+#ifdef HAVE_FIPS_MODE
+ if(FIPS_mode()) {
+ /* RC4 is not allowed, get some trustworthy randomness */
+ /* we use pseudo bytes: it tries to return secure randomness
+ * but returns 'something' if that fails. We need something
+ * else if it fails, because we cannot block here */
+ if(RAND_pseudo_bytes((unsigned char*)&r, (int)sizeof(r))
+ == -1) {
+ log_err("FIPSmode, no arc4random but RAND failed "
+ "(error %ld)", ERR_get_error());
+ }
+ return (long int)((r) % (((unsigned)MAX_VALUE + 1)));
+ }
+#endif /* FIPS_MODE */
if (s->rc4_ready <= 0) {
ub_arc4random_stir(s, NULL);
}
diff -Naur unbound-1.4.17-orig/validator/val_sigcrypt.c unbound-1.4.17/validator/val_sigcrypt.c
--- unbound-1.4.17-orig/validator/val_sigcrypt.c 2012-02-16 05:08:07.000000000 -0500
+++ unbound-1.4.17/validator/val_sigcrypt.c 2012-07-03 11:15:31.724850996 -0400
@@ -417,11 +417,16 @@
dnskey_algo_id_is_supported(int id)
{
switch(id) {
+ case LDNS_RSAMD5:
+#ifdef HAVE_FIPS_MODE
+ return !FIPS_mode();
+#else
+ return 1;
+#endif
case LDNS_DSA:
case LDNS_DSA_NSEC3:
case LDNS_RSASHA1:
case LDNS_RSASHA1_NSEC3:
- case LDNS_RSAMD5:
#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
case LDNS_RSASHA256:
#endif

9
unbound.spec
View File

@ -14,7 +14,7 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound Name: unbound
Version: 1.4.17 Version: 1.4.17
Release: 2%{?dist} Release: 3%{?dist}
License: BSD License: BSD
Url: http://www.nlnetlabs.nl/unbound/ Url: http://www.nlnetlabs.nl/unbound/
Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
@ -27,7 +27,7 @@ Source6: dlv.isc.org.key
Source7: unbound-keygen.service Source7: unbound-keygen.service
Source8: tmpfiles-unbound.conf Source8: tmpfiles-unbound.conf
Patch1: unbound-1.2-glob.patch Patch1: unbound-1.2-glob.patch
Patch2: unbound-1.4.17-fips.patch
Group: System Environment/Daemons Group: System Environment/Daemons
BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0, BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0,
BuildRequires: libevent-devel expat-devel BuildRequires: libevent-devel expat-devel
@ -103,7 +103,7 @@ Python modules and extensions for unbound
%prep %prep
%setup -q %setup -q
%patch1 -p1 %patch1 -p1
#%patch2 -p1 %patch2 -p1
%build %build
%configure --with-ldns= --with-libevent --with-pthreads --with-ssl \ %configure --with-ldns= --with-libevent --with-pthreads --with-ssl \
@ -238,6 +238,9 @@ fi
/bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || : /bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
%changelog %changelog
* Tue Jul 03 2012 Paul Wouters <pwouters@redhat.com> - 1.4.17-3
- unbound FIPS patches for lack of md5, and randomness
* Fri Jun 15 2012 Adam Tkac <atkac redhat com> - 1.4.17-2 * Fri Jun 15 2012 Adam Tkac <atkac redhat com> - 1.4.17-2
- don't build unbound-munin on RHEL - don't build unbound-munin on RHEL