|
 |
5136d3 |
From 7b1cce1d0bdb61c09946978d4bdeb05a3cd4202a Mon Sep 17 00:00:00 2001
|
|
|
5136d3 |
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
|
|
5136d3 |
Date: Fri, 2 Mar 2018 13:17:04 +0100
|
|
|
5136d3 |
Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq
|
|
|
5136d3 |
has no proper FIPS 140-2 compliant implementation.
|
|
|
5136d3 |
|
|
|
5136d3 |
---
|
|
|
5136d3 |
src/dnsmasq.c | 6 +++++-
|
|
|
5136d3 |
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
|
5136d3 |
|
|
|
5136d3 |
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
|
|
|
5136d3 |
index 480c5f9..5fd229e 100644
|
|
|
5136d3 |
--- a/src/dnsmasq.c
|
|
|
5136d3 |
+++ b/src/dnsmasq.c
|
|
|
5136d3 |
@@ -187,6 +187,7 @@ int main (int argc, char **argv)
|
|
|
5136d3 |
|
|
|
5136d3 |
if (daemon->cachesize < CACHESIZ)
|
|
|
5136d3 |
die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF);
|
|
|
5136d3 |
+
|
|
|
5136d3 |
#else
|
|
|
5136d3 |
die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF);
|
|
|
5136d3 |
#endif
|
|
|
5136d3 |
@@ -786,7 +787,10 @@ int main (int argc, char **argv)
|
|
|
5136d3 |
my_syslog(LOG_INFO, _("DNSSEC validation enabled but all unsigned answers are trusted"));
|
|
|
5136d3 |
else
|
|
|
5136d3 |
my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
|
|
|
5136d3 |
-
|
|
|
5136d3 |
+
|
|
|
5136d3 |
+ if (access("/etc/system-fips", F_OK) == 0)
|
|
|
5136d3 |
+ my_syslog(LOG_WARNING, _("DNSSEC support is not FIPS 140-2 compliant"));
|
|
|
5136d3 |
+
|
|
|
5136d3 |
daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
|
|
|
5136d3 |
if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
|
|
|
5136d3 |
my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until receipt of SIGINT"));
|
|
|
5136d3 |
--
|
|
|
5136d3 |
2.14.4
|
|
|
5136d3 |
|