Auto sync2gitlab import of keyutils-1.5.10-9.el8.src.rpm

This commit is contained in:
James Antill 2022-05-26 10:04:27 -04:00
parent 0efc17a852
commit 6b2cae6631
9 changed files with 1028 additions and 1 deletions

1
.gitignore vendored Normal file

@ -0,0 +1 @@
/keyutils-1.5.10.tar.bz2

1
EMPTY

@ -1 +0,0 @@

150
afs-srv.patch Normal file

@ -0,0 +1,150 @@
commit 0d71523ab58493e1b40e1c80d569ff8ebc5ea27d
Author: David Howells <dhowells@redhat.com>
Date: Wed, 9 May 2018 10:37:03 +0100
DNS: Support AFS SRV records and cell db config files
[dhowells: Cut down to only include generic changes as a prereq for the
next patch]
Signed-off-by: David Howells <dhowells@redhat.com>
---
key.dns_resolver.c | 47 +++++++++++++++++++++++++++++++----------------
1 file changed, 31 insertions(+), 16 deletions(-)
diff --git a/key.dns_resolver.c b/key.dns_resolver.c
index 9c9d458..849c8fe 100644
--- a/key.dns_resolver.c
+++ b/key.dns_resolver.c
@@ -74,6 +74,7 @@ static int debug_mode;
#define INET_IP6_ONLY 0x2
#define INET_ALL 0xFF
#define ONE_ADDR_ONLY 0x100
+unsigned mask = INET_ALL;
/*
* segmental payload
@@ -164,14 +165,10 @@ static const int ns_errno_map[] = {
[NO_DATA] = ENODATA,
};
-static __attribute__((noreturn))
-void nsError(int err, const char *domain)
+void _nsError(int err, const char *domain)
{
- unsigned timeout = 1 * 60;
- int ret;
-
if (isatty(2))
- fprintf(stderr, "%s: %s.\n", domain, hstrerror(err));
+ fprintf(stderr, "NS:%s: %s.\n", domain, hstrerror(err));
else
syslog(LOG_INFO, "%s: %s", domain, hstrerror(err));
@@ -181,11 +178,28 @@ void nsError(int err, const char *domain)
err = ns_errno_map[err];
info("Reject the key with error %d", err);
+}
+
+static __attribute__((noreturn))
+void nsError(int err, const char *domain)
+{
+ unsigned timeout;
+ int ret;
+
+ _nsError(err, domain);
- if (err == EAGAIN)
+ switch (err) {
+ case TRY_AGAIN:
timeout = 1;
- else if (err == ECONNREFUSED)
+ break;
+ case 0:
+ case NO_RECOVERY:
timeout = 10;
+ break;
+ default:
+ timeout = 1 * 60;
+ break;
+ }
if (!debug_mode) {
ret = keyctl_reject(key, timeout, err, KEY_REQKEY_DEFL_DEFAULT);
@@ -296,10 +310,10 @@ static void dump_payload(void)
* string to the list of payload segments.
*/
static int
-dns_resolver(const char *server_name, unsigned mask)
+dns_resolver(const char *server_name, const char *port)
{
struct addrinfo hints, *addr, *ai;
- char buf[INET6_ADDRSTRLEN + 1];
+ char buf[INET6_ADDRSTRLEN + 8 + 1];
int ret, len;
void *sa;
@@ -320,8 +334,6 @@ dns_resolver(const char *server_name, unsigned mask)
return -1;
}
- debug("getaddrinfo = %d", ret);
-
for (ai = addr; ai; ai = ai->ai_next) {
debug("RR: %x,%x,%x,%x,%x,%s",
ai->ai_flags, ai->ai_family,
@@ -350,6 +362,8 @@ dns_resolver(const char *server_name, unsigned mask)
if (!inet_ntop(ai->ai_family, sa, buf, len))
error("%s: inet_ntop: %m", __func__);
+ if (port)
+ strcat(buf, port);
append_address_to_payload(buf);
if (mask & ONE_ADDR_ONLY)
break;
@@ -413,7 +427,7 @@ static void afsdb_hosts_to_addrs(ns_msg handle,
goto next_one;
/* Turn the hostname into IP addresses */
- ret = dns_resolver(vllist[vlsnum], mask);
+ ret = dns_resolver(vllist[vlsnum], NULL);
if (ret) {
debug("AFSDB RR can't resolve."
"subtype:%d, server name:%s, netmask:%u",
@@ -523,7 +537,6 @@ int dns_query_afsdb(const char *cell, char *options)
static __attribute__((noreturn))
int dns_query_a_or_aaaa(const char *hostname, char *options)
{
- unsigned mask;
int ret;
debug("Get A/AAAA RR for hostname:'%s', options:'%s'",
@@ -569,7 +582,7 @@ int dns_query_a_or_aaaa(const char *hostname, char *options)
}
/* Turn the hostname into IP addresses */
- ret = dns_resolver(hostname, mask);
+ ret = dns_resolver(hostname, NULL);
if (ret)
nsError(NO_DATA, hostname);
@@ -630,7 +643,7 @@ int main(int argc, char *argv[])
openlog(prog, 0, LOG_DAEMON);
- while ((ret = getopt_long(argc, argv, "vD", long_options, NULL)) != -1) {
+ while ((ret = getopt_long(argc, argv, "vDV", long_options, NULL)) != -1) {
switch (ret) {
case 'D':
debug_mode = 1;
@@ -713,6 +726,8 @@ int main(int argc, char *argv[])
qtlen = name - keyend;
name++;
+ info("Query type: '%*.*s'", qtlen, qtlen, keyend);
+
if ((qtlen == sizeof(a_query_type) - 1 &&
memcmp(keyend, a_query_type, sizeof(a_query_type) - 1) == 0) ||
(qtlen == sizeof(aaaa_query_type) - 1 &&
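Review bot: keyctl_reject() in the new nsError() now appears to receive the raw h_errno code rather than the errno mapping: the `err = ns_errno_map[err];` line now lives inside `_nsError()` (closed by the added `}` just before the new nsError), which takes `err` by value, so the `err` that reaches `keyctl_reject(key, timeout, err, KEY_REQKEY_DEFL_DEFAULT)` is the same unmapped value the switch on TRY_AGAIN/NO_RECOVERY inspects; unless a re-mapping is hidden outside the hunk, the key is rejected with an h_errno number instead of an errno. One fix is to let `_nsError()` return the mapped value and apply it after the timeout is chosen, e.g. `int kerr = _nsError(err, domain);` then `ret = keyctl_reject(key, timeout, kerr, KEY_REQKEY_DEFL_DEFAULT);`. Separately, `unsigned mask = INET_ALL;` and `void _nsError(int err, const char *domain)` are added with external linkage; both belong `static`, and a file-scope identifier starting with an underscore is reserved in C, so a name such as `report_ns_error` would be safer. The unbounded `strcat(buf, port)` this patch introduces is already removed by fix-ci-strcat.patch in the same import.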

58
fix-ci-strcat.patch Normal file

@ -0,0 +1,58 @@
commit d8106bbb5348591968722e14fe4ee4b81e7902aa
Author: David Howells <dhowells@redhat.com>
Date: Wed Jun 16 15:06:36 2021 +0100
Fix issue found by Coverity
This isn't something that can actually be triggered. The port parameter is
always NULL, so just drop the parameter and the call to strcat().
Error: STRING_OVERFLOW (CWE-120):
keyutils-1.5.10/key.dns_resolver.c:388: fixed_size_dest: You might overrun the 55-character fixed-size string "buf" by copying "port" without checking the length.
keyutils-1.5.10/key.dns_resolver.c:388: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
Signed-off-by: David Howells <dhowells@redhat.com>
---
key.dns_resolver.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/key.dns_resolver.c b/key.dns_resolver.c
index f3052e6..2743119 100644
--- a/key.dns_resolver.c
+++ b/key.dns_resolver.c
@@ -332,7 +332,7 @@ static void dump_payload(void)
* string to the list of payload segments.
*/
static int
-dns_resolver(const char *server_name, const char *port)
+dns_resolver(const char *server_name)
{
struct addrinfo hints, *addr, *ai;
char buf[INET6_ADDRSTRLEN + 8 + 1];
@@ -384,8 +384,6 @@ dns_resolver(const char *server_name, const char *port)
if (!inet_ntop(ai->ai_family, sa, buf, len))
error("%s: inet_ntop: %m", __func__);
- if (port)
- strcat(buf, port);
append_address_to_payload(buf);
if (mask & ONE_ADDR_ONLY)
break;
@@ -449,7 +447,7 @@ static void afsdb_hosts_to_addrs(ns_msg handle,
goto next_one;
/* Turn the hostname into IP addresses */
- ret = dns_resolver(vllist[vlsnum], NULL);
+ ret = dns_resolver(vllist[vlsnum]);
if (ret) {
debug("AFSDB RR can't resolve."
"subtype:%d, server name:%s, netmask:%u",
@@ -604,7 +602,7 @@ int dns_query_a_or_aaaa(const char *hostname, char *options)
}
/* Turn the hostname into IP addresses */
- ret = dns_resolver(hostname, NULL);
+ ret = dns_resolver(hostname);
if (ret)
nsError(NO_DATA, hostname);
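Review bot: With the port concatenation gone, the `+ 8` slack in the context line `char buf[INET6_ADDRSTRLEN + 8 + 1];` no longer has a reason to exist and will puzzle the next reader; either restore `char buf[INET6_ADDRSTRLEN + 1];` or leave a one-line comment saying why the extra room is kept. The remaining `inet_ntop(ai->ai_family, sa, buf, len)` call relies on `len` being set to the address-string length elsewhere in dns_resolver(), which is outside this hunk, so that sizing should be re-checked when the buffer is shrunk.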

320
keyutils.spec Normal file

@ -0,0 +1,320 @@
%define vermajor 1
%define verminor 5.10
%define version %{vermajor}.%{verminor}
%define libapivermajor 1
%define libapiversion %{libapivermajor}.6
# % define buildid .local
Summary: Linux Key Management Utilities
Name: keyutils
Version: %{version}
Release: 9%{?buildid}%{?dist}
License: GPLv2+ and LGPLv2+
Group: System Environment/Base
ExclusiveOS: Linux
Url: http://people.redhat.com/~dhowells/keyutils/
Source0: http://people.redhat.com/~dhowells/keyutils/keyutils-%{version}.tar.bz2
Patch1: test-endianness-check.patch
Patch2: test-rhel8.patch
Patch3: afs-srv.patch
Patch4: ttl.patch
Patch5: fix-ci-strcat.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: glibc-kernheaders >= 2.4-9.1.92
Requires: keyutils-libs == %{version}-%{release}
%description
Utilities to control the kernel key management facility and to provide
a mechanism by which the kernel call back to user space to get a key
instantiated.
%package libs
Summary: Key utilities library
Group: System Environment/Base
%description libs
This package provides a wrapper library for the key management facility system
calls.
%package libs-devel
Summary: Development package for building Linux key management utilities
Group: System Environment/Base
Requires: keyutils-libs == %{version}-%{release}
%description libs-devel
This package provides headers and libraries for building key utilities.
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%define datadir %{_datarootdir}/keyutils
%build
make \
NO_ARLIB=1 \
ETCDIR=%{_sysconfdir} \
LIBDIR=%{_libdir} \
USRLIBDIR=%{_libdir} \
BINDIR=%{_bindir} \
SBINDIR=%{_sbindir} \
MANDIR=%{_mandir} \
INCLUDEDIR=%{_includedir} \
SHAREDIR=%{datadir} \
RELEASE=.%{release} \
NO_GLIBC_KEYERR=1 \
CFLAGS="-Wall $RPM_OPT_FLAGS" \
LDFLAGS="%{?__global_ldflags}"
%install
make \
NO_ARLIB=1 \
DESTDIR=$RPM_BUILD_ROOT \
ETCDIR=%{_sysconfdir} \
LIBDIR=%{_libdir} \
USRLIBDIR=%{_libdir} \
BINDIR=%{_bindir} \
SBINDIR=%{_sbindir} \
MANDIR=%{_mandir} \
INCLUDEDIR=%{_includedir} \
SHAREDIR=%{datadir} \
install
%ldconfig_scriptlets libs
%files
%doc README
%license LICENCE.GPL
%{_sbindir}/*
%{_bindir}/*
%{datadir}
%{_mandir}/man1/*
%{_mandir}/man5/*
%{_mandir}/man8/*
%config(noreplace) %{_sysconfdir}/*
%files libs
%license LICENCE.LGPL
%{_mandir}/man7/*
%{_libdir}/libkeyutils.so.%{libapiversion}
%{_libdir}/libkeyutils.so.%{libapivermajor}
%files libs-devel
%{_libdir}/libkeyutils.so
%{_includedir}/*
%{_mandir}/man3/*
%changelog
* Wed Jun 16 2021 David Howells <dhowells@redhat.com> - 1.5.10-9
- Fix potential strcat overflow found by Coverity in CI test (#1661674).
* Thu Jun 3 2021 David Howells <dhowells@redhat.com> - 1.5.10-8
- Fix TTL handling on DNS lookups (#1661674).
* Thu Apr 18 2019 David Howells <dhowells@redhat.com> - 1.5.10-7
- Fix testsuite for rhel-8 (#1681963).
* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.5.10-6
- Escape macros in %%changelog
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.10-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Sat Feb 03 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.5.10-4
- Switch to %%ldconfig_scriptlets
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.10-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Wed Mar 15 2017 David Howells <dhowells@redhat.com> - 1.5.10-1
- Include sys/types.h in keyutils.h.
- The dns resolver needs limits.h.
- Overhaul of all manual pages.
- Some manual pages moved to Linux man-pages project.
- Add Diffie-Helman keyctl function.
* Fri Aug 14 2015 Adam Jackson <ajax@redhat.com> 1.5.9-7
- Pass ldflags into the build so hardening works
* Sat Jul 12 2014 Tom Callaway <spot@fedoraproject.org> - 1.5.9-3
- Fix license handling
* Fri Feb 21 2014 David Howells <dhowells@redhat.com> - 1.5.9-1
- Add manpages for get_persistent.
- Fix memory leaks in keyctl_describe/read/get_security_alloc().
- Use keyctl_describe_alloc in dump_key_tree_aux rather than open coding it.
- Exit rather than returning from act_xxx() functions.
- Fix memory leak in dump_key_tree_aux.
- Only get the groups list if we need it.
- Don't trust sscanf's %%n argument.
- Use the correct path macros in the specfile.
- Avoid use realloc when the memory has no content.
- Fix a bunch of issues in key.dns_resolver.
- Fix command table searching in keyctl utility.
- Fix a typo in the permissions mask constants.
- Improve the keyctl_read manpage.
- Add man7 pages describing various keyrings concepts.
* Fri Oct 4 2013 David Howells <dhowells@redhat.com> - 1.5.8-1
- New lib symbols should go in a new library minor version.
* Wed Oct 2 2013 David Howells <dhowells@redhat.com> - 1.5.7-1
- Provide a utility function to find a key by type and name.
- Allow keyctl commands to take a type+name arg instead of a key-id arg.
- Add per-UID get_persistent keyring function.
* Thu Aug 29 2013 David Howells <dhowells@redhat.com> - 1.5.6-1
- Fix the request-key.conf.5 manpage.
- Fix the max depth of key tree dump (keyctl show).
- The input buffer size for keyctl padd and pinstantiate should be larger.
- Add keyctl_invalidate.3 manpage.
* Wed Nov 30 2011 David Howells <dhowells@redhat.com> - 1.5.5-1
- Fix a Makefile error.
* Wed Nov 30 2011 David Howells <dhowells@redhat.com> - 1.5.4-1
- Fix the keyctl padd command and similar to handle binary input.
- Make keyctl show able to take a keyring to dump.
- Make keyctl show able to take a flag to request hex key IDs.
- Make keyctl show print the real ID of the root keyring.
* Tue Nov 15 2011 David Howells <dhowells@redhat.com>
- Allow /sbin/request-key to have multiple config files.
* Wed Aug 31 2011 David Howells <dhowells@redhat.com>
- Adjust the manual page for 'keyctl unlink' to show keyring is optional.
- Add --version support for the keyutils version and build date.
* Thu Aug 11 2011 David Howells <dhowells@redhat.com> - 1.5.3-1
- Make the keyutils rpm depend on the same keyutils-libs rpm version.
* Tue Jul 26 2011 David Howells <dhowells@redhat.com> - 1.5.2-1
- Use correct format spec for printing pointer subtraction results.
* Tue Jul 19 2011 David Howells <dhowells@redhat.com> - 1.5.1-1
- Fix unread variables.
- Licence file update.
* Thu Mar 10 2011 David Howells <dhowells@redhat.com> - 1.5-1
- Disable RPATH setting in Makefile.
- Add -I. to build to get this keyutils.h.
- Make CFLAGS override on make command line work right.
- Make specfile UTF-8.
- Support KEYCTL_REJECT.
- Support KEYCTL_INSTANTIATE_IOV.
- Add AFSDB DNS lookup program from Wang Lei.
- Generalise DNS lookup program.
- Add recursive scan utility function.
- Add bad key reap command to keyctl.
- Add multi-unlink variant to keyctl unlink command.
- Add multi key purge command to keyctl.
- Handle multi-line commands in keyctl command table.
- Move the package to version to 1.5.
* Tue Mar 1 2011 David Howells <dhowells@redhat.com> - 1.4-4
- Make build guess at default libdirs and word size.
- Make program build depend on library in Makefile.
- Don't include $(DESTDIR) in MAN* macros.
- Remove NO_GLIBC_KEYSYS as it is obsolete.
- Have Makefile extract version info from specfile and version script.
- Provide RPM build rule in Makefile.
- Provide distclean rule in Makefile.
* Fri Dec 17 2010 Diego Elio Pettenò <flameeyes@hosting.flameeyes.eu> - 1.4-3
- Fix local linking and RPATH.
* Thu Jun 10 2010 David Howells <dhowells@redhat.com> - 1.4-2
- Fix prototypes in manual pages (some char* should be void*).
- Rename the keyctl_security.3 manpage to keyctl_get_security.3.
* Fri Mar 19 2010 David Howells <dhowells@redhat.com> - 1.4-1
- Fix the library naming wrt the version.
- Move the package to version to 1.4.
* Fri Mar 19 2010 David Howells <dhowells@redhat.com> - 1.3-3
- Fix spelling mistakes in manpages.
- Add an index manpage for all the keyctl functions.
* Thu Mar 11 2010 David Howells <dhowells@redhat.com> - 1.3-2
- Fix rpmlint warnings.
* Fri Feb 26 2010 David Howells <dhowells@redhat.com> - 1.3-1
- Fix compiler warnings in request-key.
- Expose the kernel function to get a key's security context.
- Expose the kernel function to set a processes keyring onto its parent.
- Move libkeyutils library version to 1.3.
* Tue Aug 22 2006 David Howells <dhowells@redhat.com> - 1.2-1
- Remove syscall manual pages (section 2) to man-pages package [BZ 203582]
- Don't write to serial port in debugging script
* Mon Jun 5 2006 David Howells <dhowells@redhat.com> - 1.1-4
- Call ldconfig during (un)installation.
* Fri May 5 2006 David Howells <dhowells@redhat.com> - 1.1-3
- Don't include the release number in the shared library filename
- Don't build static library
* Fri May 5 2006 David Howells <dhowells@redhat.com> - 1.1-2
- More bug fixes from Fedora reviewer.
* Thu May 4 2006 David Howells <dhowells@redhat.com> - 1.1-1
- Fix rpmlint errors
* Mon Dec 5 2005 David Howells <dhowells@redhat.com> - 1.0-2
- Add build dependency on glibc-kernheaders with key management syscall numbers
* Tue Nov 29 2005 David Howells <dhowells@redhat.com> - 1.0-1
- Add data pipe-in facility for keyctl request2
* Mon Nov 28 2005 David Howells <dhowells@redhat.com> - 1.0-1
- Rename library and header file "keyutil" -> "keyutils" for consistency
- Fix shared library version naming to same way as glibc.
- Add versioning for shared library symbols
- Create new keyutils-libs package and install library and main symlink there
- Install base library symlink in /usr/lib and place in devel package
- Added a keyutils archive library
- Shorten displayed key permissions list to just those we actually have
* Thu Nov 24 2005 David Howells <dhowells@redhat.com> - 0.3-4
- Add data pipe-in facilities for keyctl add, update and instantiate
* Fri Nov 18 2005 David Howells <dhowells@redhat.com> - 0.3-3
- Added stdint.h inclusion in keyutils.h
- Made request-key.c use request_key() rather than keyctl_search()
- Added piping facility to request-key
* Thu Nov 17 2005 David Howells <dhowells@redhat.com> - 0.3-2
- Added timeout keyctl option
- request_key auth keys must now be assumed
- Fix keyctl argument ordering for debug negate line in request-key.conf
* Thu Jul 28 2005 David Howells <dhowells@redhat.com> - 0.3-1
- Must invoke initialisation from perror() override in libkeyutils
- Minor UI changes
* Wed Jul 20 2005 David Howells <dhowells@redhat.com> - 0.2-2
- Bump version to permit building in main repositories.
* Tue Jul 12 2005 David Howells <dhowells@redhat.com> - 0.2-1
- Don't attempt to define the error codes in the header file.
- Pass the release ID through to the makefile to affect the shared library name.
* Tue Jul 12 2005 David Howells <dhowells@redhat.com> - 0.1-3
- Build in the perror() override to get the key error strings displayed.
* Tue Jul 12 2005 David Howells <dhowells@redhat.com> - 0.1-2
- Need a defattr directive after each files directive.
* Tue Jul 12 2005 David Howells <dhowells@redhat.com> - 0.1-1
- Package creation.
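Review bot: The spec declares only `BuildRequires: glibc-kernheaders >= 2.4-9.1.92` although %build and %install run `make` with a C compiler; on a minimal RHEL 8 / Fedora buildroot neither gcc nor make is guaranteed to be present unless listed, so `BuildRequires: gcc` and `BuildRequires: make` should be added next to the existing line (hedged: if the build system used here still installs them implicitly, this is a latent rather than active failure). The `BuildRoot:` and `Group:` tags are ignored by the rpm version shipped with RHEL 8 and can be dropped as a point of style. Patch5 (fix-ci-strcat.patch) corrects a problem introduced by Patch3; a short comment above the `Patch3:` line noting that dependency would help whoever later rebases or drops patches.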

1
sources Normal file

@ -0,0 +1 @@
SHA512 (keyutils-1.5.10.tar.bz2) = 7f6f956c7e76cdc2aeb52e74fe670b20a5f9a5d9b543fd2ce971d80c48745f37d05235a42f0a8f152b1128a109c7d8bf07e751282a20d2d3f433a99a5308ae8d


@ -0,0 +1,23 @@
commit d0fedbf9257a0fed18030527fd094588df5873aa
Author: David Howells <dhowells@redhat.com>
Date: Tue Aug 21 23:24:03 2018 +0100
TEST: Add a missing backslash
Add a missing backslash into a regular expression in the toolbox.
Signed-off-by: David Howells <dhowells@redhat.com>
diff --git a/tests/toolbox.inc.sh b/tests/toolbox.inc.sh
index 140be66..0ce6db0 100644
--- a/tests/toolbox.inc.sh
+++ b/tests/toolbox.inc.sh
@@ -13,7 +13,7 @@
echo === $OUTPUTFILE ===
endian=`file -L /proc/$$/exe`
-if expr "$endian" : '.* MSB \+\(executable\|shared object).*' >&/dev/null
+if expr "$endian" : '.* MSB \+\(executable\|shared object\).*' >&/dev/null
then
endian=BE
elif expr "$endian" : '.* LSB \+\(executable\|shared object\).*' >&/dev/null

27
test-rhel8.patch Normal file

@ -0,0 +1,27 @@
commit 0b1654506039e614954e141aad3ceddb7018a2cb
Author: David Howells <dhowells@redhat.com>
Date: Wed Apr 17 15:42:30 2019 +0100
TEST: Apply test exclusions for RHEL-8
RHEL-8 doesn't enable the DH/KDF code, so disable the tests on all RHEL
distributions for now.
Signed-off-by: David Howells <dhowells@redhat.com>
diff --git a/tests/prepare.inc.sh b/tests/prepare.inc.sh
index ab9ae4d..9c4adda 100644
--- a/tests/prepare.inc.sh
+++ b/tests/prepare.inc.sh
@@ -96,7 +96,10 @@ fi
# Work out whether Diffie-Hellman is supported by the kernel
#
have_dh_compute=0
-if keyutils_at_or_later_than 1.5.10 && kernel_at_or_later_than 4.7-rc1
+if [ $OSDIST = RHEL ]
+then
+ :
+elif keyutils_at_or_later_than 1.5.10 && kernel_at_or_later_than 4.7-rc1
then
have_dh_compute=1
fi
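Review bot: `if [ $OSDIST = RHEL ]` leaves `$OSDIST` unquoted, so when the variable is unset or empty the test degenerates to `[ = RHEL ]` and the script aborts with a syntax error instead of falling through to the version check; it also word-splits on any value containing whitespace. The line should read `if [ "$OSDIST" = RHEL ]`. Where `OSDIST` is assigned is outside this hunk, so whether it can be empty on non-RHEL systems cannot be confirmed from here.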

448
ttl.patch Normal file

@ -0,0 +1,448 @@
commit 75e7568dc516db698093b33ea273e1b4a30b70be
Author: David Howells <dhowells@redhat.com>
Date: Tue, 14 Apr 2020 16:07:26 +0100
dns: Apply a default TTL to records obtained from getaddrinfo()
Address records obtained from getaddrinfo() don't come with any TTL
information, even if they're obtained from the DNS, with the result that
key.dns_resolver upcall program doesn't set an expiry time on dns_resolver
records unless they include a component obtained directly from the DNS,
such as an SRV or AFSDB record.
Fix this to apply a default TTL of 10mins in the event that we haven't got
one. This can be configured in /etc/keyutils/key.dns_resolver.conf by
adding the line:
default_ttl = <number-of-seconds>
to the file.
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Ben Boeckel <me@benboeckel.net>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
[dhowells: Cut down to remove kafs-specific bits]
Signed-off-by: David Howells <dhowells@redhat.com>
---
Makefile | 1
key.dns_resolver.c | 209 +++++++++++++++++++++++++++++++++++++++++---
man/key.dns_resolver.8 | 25 ++++-
man/key.dns_resolver.conf.5 | 48 ++++++++++
4 files changed, 267 insertions(+), 16 deletions(-)
diff --git a/Makefile b/Makefile
index 824bbbf..c2b2460 100644
--- a/Makefile
+++ b/Makefile
@@ -175,6 +175,7 @@ endif
$(INSTALL) -D key.dns_resolver $(DESTDIR)$(SBINDIR)/key.dns_resolver
$(INSTALL) -D -m 0644 request-key.conf $(DESTDIR)$(ETCDIR)/request-key.conf
mkdir -p $(DESTDIR)$(ETCDIR)/request-key.d
+ mkdir -p $(DESTDIR)$(ETCDIR)/keyutils
mkdir -p $(DESTDIR)$(MAN1)
$(INSTALL) -m 0644 $(wildcard man/*.1) $(DESTDIR)$(MAN1)
mkdir -p $(DESTDIR)$(MAN3)
diff --git a/key.dns_resolver.c b/key.dns_resolver.c
index 849c8fe..f3052e6 100644
--- a/key.dns_resolver.c
+++ b/key.dns_resolver.c
@@ -53,10 +53,12 @@
#include <string.h>
#include <stdio.h>
#include <stdarg.h>
+#include <stdbool.h>
#include <keyutils.h>
#include <stdlib.h>
#include <unistd.h>
#include <time.h>
+#include <ctype.h>
static const char *DNS_PARSE_VERSION = "1.0";
static const char prog[] = "key.dns_resolver";
@@ -64,11 +66,13 @@ static const char key_type[] = "dns_resolver";
static const char a_query_type[] = "a";
static const char aaaa_query_type[] = "aaaa";
static const char afsdb_query_type[] = "afsdb";
+static const char *config_file = "/etc/keyutils/key.dns_resolver.conf";
static key_serial_t key;
+static unsigned int key_expiry = 5;
+static bool config_specified = false;
static int verbose;
static int debug_mode;
-
#define MAX_VLS 15 /* Max Volume Location Servers Per-Cell */
#define INET_IP4_ONLY 0x1
#define INET_IP6_ONLY 0x2
@@ -132,6 +136,23 @@ void _error(const char *fmt, ...)
va_end(va);
}
+/*
+ * Print a warning to stderr or the syslog
+ */
+void warning(const char *fmt, ...)
+{
+ va_list va;
+
+ va_start(va, fmt);
+ if (isatty(2)) {
+ vfprintf(stderr, fmt, va);
+ fputc('\n', stderr);
+ } else {
+ vsyslog(LOG_WARNING, fmt, va);
+ }
+ va_end(va);
+}
+
/*
* Print status information
*/
@@ -302,6 +323,7 @@ static void dump_payload(void)
}
info("The key instantiation data is '%s'", buf);
+ info("The expiry time is %us", key_expiry);
free(buf);
}
@@ -597,6 +619,9 @@ int dns_query_a_or_aaaa(const char *hostname, char *options)
/* load the key with data key */
if (!debug_mode) {
+ ret = keyctl_set_timeout(key, key_expiry);
+ if (ret == -1)
+ error("%s: keyctl_set_timeout: %m", __func__);
ret = keyctl_instantiate_iov(key, payload, payload_index, 0);
if (ret == -1)
error("%s: keyctl_instantiate: %m", __func__);
@@ -605,6 +630,157 @@ int dns_query_a_or_aaaa(const char *hostname, char *options)
exit(0);
}
+/*
+ * Read the config file.
+ */
+static void read_config(void)
+{
+ FILE *f;
+ char buf[4096], *b, *p, *k, *v;
+ unsigned int line = 0, u;
+ int n;
+
+ info("READ CONFIG %s", config_file);
+
+ f = fopen(config_file, "r");
+ if (!f) {
+ if (errno == ENOENT && !config_specified) {
+ debug("%s: %m", config_file);
+ return;
+ }
+ error("%s: %m", config_file);
+ }
+
+ while (fgets(buf, sizeof(buf) - 1, f)) {
+ line++;
+
+ /* Trim off leading and trailing spaces and discard whole-line
+ * comments.
+ */
+ b = buf;
+ while (isspace(*b))
+ b++;
+ if (!*b || *b == '#')
+ continue;
+ p = strchr(b, '\n');
+ if (!p)
+ error("%s:%u: line missing newline or too long", config_file, line);
+ while (p > buf && isspace(p[-1]))
+ p--;
+ *p = 0;
+
+ /* Split into key[=value] pairs and trim spaces. */
+ k = b;
+ v = NULL;
+ b = strchr(b, '=');
+ if (b) {
+ char quote = 0;
+ bool esc = false;
+
+ if (b == k)
+ error("%s:%u: Unspecified key",
+ config_file, line);
+
+ /* NUL-terminate the key. */
+ for (p = b - 1; isspace(*p); p--)
+ ;
+ p[1] = 0;
+
+ /* Strip leading spaces */
+ b++;
+ while (isspace(*b))
+ b++;
+ if (!*b)
+ goto missing_value;
+
+ if (*b == '"' || *b == '\'') {
+ quote = *b;
+ b++;
+ }
+ v = p = b;
+ while (*b) {
+ if (esc) {
+ switch (*b) {
+ case ' ':
+ case '\t':
+ case '"':
+ case '\'':
+ case '\\':
+ break;
+ default:
+ goto invalid_escape_char;
+ }
+ esc = false;
+ *p++ = *b++;
+ continue;
+ }
+ if (*b == '\\') {
+ esc = true;
+ b++;
+ continue;
+ }
+ if (*b == quote) {
+ b++;
+ if (*b)
+ goto post_quote_data;
+ quote = 0;
+ break;
+ }
+ if (!quote && *b == '#')
+ break; /* Terminal comment */
+ *p++ = *b++;
+ }
+
+ if (esc)
+ error("%s:%u: Incomplete escape", config_file, line);
+ if (quote)
+ error("%s:%u: Unclosed quotes", config_file, line);
+ *p = 0;
+ }
+
+ if (strcmp(k, "default_ttl") == 0) {
+ if (!v)
+ goto missing_value;
+ if (sscanf(v, "%u%n", &u, &n) != 1)
+ goto bad_value;
+ if (v[n])
+ goto extra_data;
+ if (u < 1 || u > INT_MAX)
+ goto out_of_range;
+ key_expiry = u;
+ } else {
+ warning("%s:%u: Unknown option '%s'", config_file, line, k);
+ }
+ }
+
+ if (ferror(f) || fclose(f) == EOF)
+ error("%s: %m", config_file);
+ return;
+
+missing_value:
+ error("%s:%u: %s: Missing value", config_file, line, k);
+invalid_escape_char:
+ error("%s:%u: %s: Invalid char in escape", config_file, line, k);
+post_quote_data:
+ error("%s:%u: %s: Data after closing quote", config_file, line, k);
+bad_value:
+ error("%s:%u: %s: Bad value", config_file, line, k);
+extra_data:
+ error("%s:%u: %s: Extra data supplied", config_file, line, k);
+out_of_range:
+ error("%s:%u: %s: Value out of range", config_file, line, k);
+}
+
+/*
+ * Dump the configuration after parsing the config file.
+ */
+static __attribute__((noreturn))
+void config_dumper(void)
+{
+ printf("default_ttl = %u\n", key_expiry);
+ exit(0);
+}
+
/*
* Print usage details,
*/
@@ -613,22 +789,24 @@ void usage(void)
{
if (isatty(2)) {
fprintf(stderr,
- "Usage: %s [-vv] key_serial\n",
+ "Usage: %s [-vv] [-c config] key_serial\n",
prog);
fprintf(stderr,
- "Usage: %s -D [-vv] <desc> <calloutinfo>\n",
+ "Usage: %s -D [-vv] [-c config] <desc> <calloutinfo>\n",
prog);
} else {
- info("Usage: %s [-vv] key_serial", prog);
+ info("Usage: %s [-vv] [-c config] key_serial", prog);
}
exit(2);
}
-const struct option long_options[] = {
- { "debug", 0, NULL, 'D' },
- { "verbose", 0, NULL, 'v' },
- { "version", 0, NULL, 'V' },
- { NULL, 0, NULL, 0 }
+static const struct option long_options[] = {
+ { "config", 0, NULL, 'c' },
+ { "debug", 0, NULL, 'D' },
+ { "dump-config", 0, NULL, 2 },
+ { "verbose", 0, NULL, 'v' },
+ { "version", 0, NULL, 'V' },
+ { NULL, 0, NULL, 0 }
};
/*
@@ -640,11 +818,19 @@ int main(int argc, char *argv[])
char *keyend, *p;
char *callout_info = NULL;
char *buf = NULL, *name;
+ bool dump_config = false;
openlog(prog, 0, LOG_DAEMON);
- while ((ret = getopt_long(argc, argv, "vDV", long_options, NULL)) != -1) {
+ while ((ret = getopt_long(argc, argv, "c:vDV", long_options, NULL)) != -1) {
switch (ret) {
+ case 'c':
+ config_file = optarg;
+ config_specified = true;
+ continue;
+ case 2:
+ dump_config = true;
+ continue;
case 'D':
debug_mode = 1;
continue;
@@ -666,6 +852,9 @@ int main(int argc, char *argv[])
argc -= optind;
argv += optind;
+ read_config();
+ if (dump_config)
+ config_dumper();
if (!debug_mode) {
if (argc != 1)
diff --git a/man/key.dns_resolver.8 b/man/key.dns_resolver.8
index e1882e0..0b17edd 100644
--- a/man/key.dns_resolver.8
+++ b/man/key.dns_resolver.8
@@ -7,28 +7,41 @@
.\" as published by the Free Software Foundation; either version
.\" 2 of the License, or (at your option) any later version.
.\"
-.TH KEY.DNS_RESOLVER 8 "04 Mar 2011" Linux "Linux Key Management Utilities"
+.TH KEY.DNS_RESOLVER 8 "18 May 2020" Linux "Linux Key Management Utilities"
.SH NAME
key.dns_resolver \- upcall for request\-key to handle dns_resolver keys
.SH SYNOPSIS
\fB/sbin/key.dns_resolver \fR<key>
.br
-\fB/sbin/key.dns_resolver \fR\-D [\-v] [\-v] <keydesc> <calloutinfo>
+\fB/sbin/key.dns_resolver \fR--dump-config [\-c <configfile>]
+.br
+\fB/sbin/key.dns_resolver \fR\-D [\-v] [\-v] [\-c <configfile>] <desc>
+.br
+<calloutinfo>
.SH DESCRIPTION
This program is invoked by request\-key on behalf of the kernel when kernel
services (such as NFS, CIFS and AFS) want to perform a hostname lookup and the
kernel does not have the key cached. It is not ordinarily intended to be
called directly.
.P
-It can be called in debugging mode to test its functionality by passing a
-\fB\-D\fR flag on the command line. For this to work, the key description and
-the callout information must be supplied. Verbosity can be increased by
-supplying one or more \fB\-v\fR flags.
+There program has internal parameters that can be changed with a configuration
+file (see key.dns_resolver.conf(5) for more information). The default
+configuration file is in /etc, but this can be overridden with the \fB-c\fR
+flag.
+.P
+The program can be called in debugging mode to test its functionality by
+passing a \fB\-D\fR or \fB\--debug\fR flag on the command line. For this to
+work, the key description and the callout information must be supplied.
+Verbosity can be increased by supplying one or more \fB\-v\fR flags.
+.P
+The program may also be called with \fB--dump-config\fR to show the values that
+configurable parameters will have after parsing the config file.
.SH ERRORS
All errors will be logged to the syslog.
.SH SEE ALSO
.ad l
.nh
+.BR key.dns_resolver.conf (5),
.BR request\-key.conf (5),
.BR keyrings (7),
.BR request\-key (8)
diff --git a/man/key.dns_resolver.conf.5 b/man/key.dns_resolver.conf.5
new file mode 100644
index 0000000..c944ad5
--- /dev/null
+++ b/man/key.dns_resolver.conf.5
@@ -0,0 +1,48 @@
+.\" -*- nroff -*-
+.\" Copyright (C) 2020 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEY.DNS_RESOLVER.CONF 5 "18 May 2020" Linux "Linux Key Management Utilities"
+.SH NAME
+key.dns_resolver.conf \- Kernel DNS resolver config
+.SH DESCRIPTION
+This file is used by the key.dns_resolver(5) program to set parameters.
+Unless otherwise overridden with the \fB\-c\fR flag, the program reads:
+.IP
+/etc/key.dns_resolver.conf
+.P
+Configuration options are given in \fBkey[=value]\fR form, where \fBvalue\fR is
+optional. If present, the value may be surrounded by a pair of single ('') or
+double quotes ("") which will be stripped off. The special characters in the
+value may be escaped with a backslash to turn them into ordinary characters.
+.P
+Lines beginning with a '#' are considered comments and ignored. A '#' symbol
+anywhere after the '=' makes the rest of the line into a comment unless the '#'
+is inside a quoted section or is escaped.
+.P
+Leading and trailing spaces and spaces around the '=' symbol will be stripped
+off.
+.P
+Available options include:
+.TP
+.B default_ttl=<number>
+The number of seconds to set as the expiration on a cached record. This will
+be overridden if the program manages to retrieve TTL information along with
+the addresses (if, for example, it accesses the DNS directly). The default is
+5 seconds. The value must be in the range 1 to INT_MAX.
+.P
+The file can also include comments beginning with a '#' character unless
+otherwise suppressed by being inside a quoted value or being escaped with a
+backslash.
+
+.SH FILES
+.ul
+/etc/key.dns_resolver.conf
+.ul 0
+.SH SEE ALSO
+\fBkey.dns_resolver\fR(8)
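Review bot: `{ "config", 0, NULL, 'c' }` in the new long_options table declares `--config` as taking no argument while the short option string is `"c:vDV"`; a bare `--config` therefore returns 'c' with `optarg == NULL`, `config_file = optarg;` stores NULL, and the later `fopen(config_file, "r")` in read_config() (and the `info("READ CONFIG %s", config_file)` before it) dereference it, while `--config=FILE` is rejected by getopt_long. The entry should be `{ "config", 1, NULL, 'c' },` (required_argument). The new key.dns_resolver.conf.5 documents `/etc/key.dns_resolver.conf` in both the DESCRIPTION and FILES sections, but the code default is `/etc/keyutils/key.dns_resolver.conf` and the Makefile hunk creates `$(ETCDIR)/keyutils`, so the man page should name the real path; it also cites key.dns_resolver(5) where (8) is meant, and the sentence "There program has internal parameters" in key.dns_resolver.8 should read "The program has internal parameters". In read_config() the `isspace(*b)`, `isspace(p[-1])` and `isspace(*p)` calls pass a plain `char`, and bytes at or above 0x80 in the config file give negative values, which is undefined for the <ctype.h> functions, so each should be `isspace((unsigned char)*b)` and likewise for the other two.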