diff --git a/nsd-3.2.14-nomd5-fips.patch b/nsd-3.2.14-nomd5-fips.patch
new file mode 100644
index 0000000..e3df021
--- /dev/null
+++ b/nsd-3.2.14-nomd5-fips.patch
@@ -0,0 +1,42 @@
+diff -Naur nsd-3.2.14-orig/tsig-openssl.c nsd-3.2.14/tsig-openssl.c
+--- nsd-3.2.14-orig/tsig-openssl.c 2012-05-31 09:48:19.000000000 -0400
++++ nsd-3.2.14/tsig-openssl.c 2013-01-03 00:19:26.337086846 -0500
+@@ -31,7 +31,9 @@
+
+ hmac_algorithm = EVP_get_digestbyname(digest);
+ if (!hmac_algorithm) {
+- log_msg(LOG_ERR, "%s digest not available", digest);
++ /* skip, but do not error
++ * log_msg(LOG_ERR, "%s digest not available", digest);
++ */
+ return 0;
+ }
+
+@@ -58,21 +60,19 @@
+ int
+ tsig_openssl_init(region_type *region)
+ {
++ int count = 0;
+ OpenSSL_add_all_digests();
+
+- /* TODO: walk lookup supported algorithms table */
+- if (!tsig_openssl_init_algorithm(region, "md5", "hmac-md5","hmac-md5.sig-alg.reg.int."))
+- return 0;
++ count += !tsig_openssl_init_algorithm(region, "md5", "hmac-md5","hmac-md5.sig-alg.reg.int.");
++
+ #ifdef HAVE_EVP_SHA1
+- if (!tsig_openssl_init_algorithm(region, "sha1", "hmac-sha1", "hmac-sha1."))
+- return 0;
++ count += !tsig_openssl_init_algorithm(region, "sha1", "hmac-sha1", "hmac-sha1.");
+ #endif /* HAVE_EVP_SHA1 */
+
+ #ifdef HAVE_EVP_SHA256
+- if (!tsig_openssl_init_algorithm(region, "sha256", "hmac-sha256", "hmac-sha256."))
+- return 0;
++ count +=!tsig_openssl_init_algorithm(region, "sha256", "hmac-sha256", "hmac-sha256.");
+ #endif /* HAVE_EVP_SHA256 */
+- return 1;
++ return count;
+ }
+
+ static void
diff --git a/nsd.spec b/nsd.spec
index 7ce03b9..b0bde79 100644
--- a/nsd.spec
+++ b/nsd.spec
@@ -1,7 +1,7 @@
 Summary: Fast and lean authoritative DNS Name Server
 Name: nsd
-Version: 3.2.14
-Release: 2%{?dist}
+Version: 3.2.15
+Release: 1%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/%{name}/
 Source: http://www.nlnetlabs.nl/downloads/%{name}/%{name}-%{version}.tar.gz
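Review bot: In the embedded tsig-openssl.c hunk for `tsig_openssl_init`, each `count += !tsig_openssl_init_algorithm(...)` negates the helper's result, and the first embedded hunk shows that helper returning 0 when the digest is missing, so `count` ends up as the number of algorithms that failed to register rather than the number that are usable. With every digest present the function would then return 0, the value the replaced code used for failure, and with no HMAC digest registered at all it would return non-zero; the caller and the helper's success return are outside the hunk, so how the result is consumed should be confirmed. Dropping the negation, `count += tsig_openssl_init_algorithm(region, "md5", "hmac-md5","hmac-md5.sig-alg.reg.int.");` and likewise for sha1 and sha256, keeps "0 means no TSIG algorithm is available" as the failure case. Commenting out the `log_msg` call also hides a missing sha1 or sha256 digest from operators; a lower-priority message such as `log_msg(LOG_INFO, "%s digest not available, skipping", digest);` would keep that visible.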
@@ -10,7 +10,6 @@ Source2: nsd.cron Source3: nsd.sysconfig Source4: tmpfiles-nsd.conf Patch0: nsd-install.patch -Patch1: nsd-fixlogfile.patch Group: System Environment/Daemons BuildRequires: flex, openssl-devel BuildRequires: systemd-units @@ -28,15 +27,15 @@ consult the REQUIREMENTS document which is a part of this distribution %prep %setup -q -%patch0 -p1 -%patch1 -p1 +%patch0 -p1 -b .install %build %configure --enable-bind8-stats --enable-checking --enable-nsec3 \ --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid --with-ssl \ --with-user=nsd --with-difffile=%{_localstatedir}/lib/%{name}/ixfr.db \ --with-xfrdfile=%{_localstatedir}/lib/%{name}/ixfr.state \ - --with-dbfile=%{_localstatedir}/lib/%{name}/nsd.db + --with-dbfile=%{_localstatedir}/lib/%{name}/nsd.db \ + --enable-ratelimit %{__make} %{?_smp_mflags} #convert to utf8 @@ -119,9 +118,13 @@ fi %changelog +* Fri Feb 01 2013 Paul Wouters - 3.2.15-1 +- Updated to 3.2.15 which includes the rate limit code +- Patch to not fail when MD5 is not available (FIPS mode) + (also be quiet in cron jobs) * Fri Nov 23 2012 Paul Wouters - 3.2.14-2 -- Updated to 32.14 with minor bugfixes and TCP writev support +- Updated to 3.2.14 with minor bugfixes and TCP writev support - Only run nsdc rebuild hourly cronjob when nsd service is running * Fri Jul 27 2012 Paul Wouters - 3.2.13-1
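Review bot: The new nsd-3.2.14-nomd5-fips.patch is not applied by the `%prep` section in the `@@ -28,15 +27,15 @@` hunk, which runs only `%patch0 -p1 -b .install`, and the preceding hunk removes `Patch1:` without declaring a replacement. Unless the patch is declared outside the visible hunks, the package is built without the FIPS change that the changelog entry describes, and TSIG initialisation would presumably still take the original md5 failure path where MD5 is unavailable. Add `Patch1: nsd-3.2.14-nomd5-fips.patch` after `Patch0:` and `%patch1 -p1 -b .nomd5` after the `%patch0` line (the backup suffix is only a suggestion).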