From 144c414c6792bdddbdb92529a4186ebb27afb28f Mon Sep 17 00:00:00 2001
From: Petr Menšík <pemensik(a)redhat.com>
Date: Mar 02 2018 12:18:01 +0000
Subject: Emit warning with dnssec enabled on FIPS system (#1549507)
Signed-off-by: Petr Menšík <pemensik(a)redhat.com>
---
diff --git a/dnsmasq-2.78-fips.patch b/dnsmasq-2.78-fips.patch
new file mode 100644
index 0000000..a341796
--- /dev/null
+++ b/dnsmasq-2.78-fips.patch
@@ -0,0 +1,47 @@
+From c7d5a6a968fa2bd7412c913adf274aaa7174303a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
+Date: Fri, 2 Mar 2018 13:17:04 +0100
+Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq
+ has no proper FIPS 140-2 compliant implementation.
+
+---
+ src/dnsmasq.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/dnsmasq.c b/src/dnsmasq.c
+index 771bec1..1cb69b7 100644
+--- a/src/dnsmasq.c
++++ b/src/dnsmasq.c
+@@ -182,6 +182,7 @@ int main (int argc, char **argv)
+
+ if (daemon->cachesize < CACHESIZ)
+ die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL,
EC_BADCONF);
++
+ #else
+ die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL,
EC_BADCONF);
+ #endif
+@@ -741,6 +742,7 @@ int main (int argc, char **argv)
+ if (option_bool(OPT_DNSSEC_VALID))
+ {
+ int rc;
++ int fips;
+
+ /* Delay creating the timestamp file until here, after we've changed user, so
that
+ it has the correct owner to allow updating the mtime later.
+@@ -752,6 +754,13 @@ int main (int argc, char **argv)
+ }
+
+ my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
++
++ fips = open("/etc/system-fips", O_RDONLY);
++ if (fips != -1)
++ {
++ close(fips);
++ my_syslog(LOG_WARNING, _("DNSSEC support is not FIPS 140-2
compliant"));
++ }
+
+ daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
+ if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
+--
+2.14.3
+
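Review bot: The detection at `fips = open("/etc/system-fips", O_RDONLY)` treats every open() failure as "not a FIPS system", so if the marker file exists but is not readable by the unprivileged account dnsmasq appears to have switched to by this point (the comment above the hunk mentions the user change), the warning is silently lost; an existence test such as `if (access("/etc/system-fips", F_OK) == 0)` needs neither read permission nor a file descriptor and drops the close() call. The marker file is a distribution convention rather than kernel state; where the target platforms provide it, the kernel's own `/proc/sys/crypto/fips_enabled` is the more reliable indicator and could be consulted in addition. The first hunk of the embedded patch (`@@ -182,6 +182,7 @@`) only inserts a blank line and could be dropped to keep the patch minimal. main() starts and ends outside the hunk, so whether `<fcntl.h>` is already in scope for O_RDONLY cannot be confirmed from here.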
diff --git a/dnsmasq.spec b/dnsmasq.spec
index cb4fca5..b135676 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -13,7 +13,7 @@
Name: dnsmasq
Version: 2.78
-Release: 6%{?extraversion:.%{extraversion}}%{?dist}
+Release: 7%{?extraversion:.%{extraversion}}%{?dist}
Summary: A lightweight DHCP/caching DNS server
License: GPLv2 or GPLv3
@@ -25,6 +25,7 @@ Source2: dnsmasq-systemd-sysusers.conf
#
https://bugzilla.redhat.com/show_bug.cgi?id=1495409
Patch1: dnsmasq-2.77-underflow.patch
Patch2: dnsmasq-2.78-CVE-2017-15107.patch
+Patch3: dnsmasq-2.78-fips.patch
BuildRequires: dbus-devel
@@ -58,6 +59,7 @@ server's leases.
%setup -q -n %{name}-%{version}%{?extraversion}
%patch1 -p1 -b .underflow
%patch2 -p1 -b .CVE-2017-15107
+%patch3 -p1 -b .fips
# use /var/lib/dnsmasq instead of /var/lib/misc
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -157,6 +159,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf
%{_mandir}/man1/dhcp_*
%changelog
+* Fri Mar 02 2018 Petr Menšík <pemensik(a)redhat.com> - 2.78-7
+- Emit warning with dnssec enabled on FIPS system (#1549507)
+
* Sun Feb 25 2018 Zbigniew Jędrzejewski-Szmek <zbyszek(a)in.waw.pl> - 2.78-6
- Create user before installing files (#1548050)
https://src.fedoraproject.org/rpms/dnsmasq/c/144c414c6792bdddbdb92529a418...