Compare commits


No commits in common. "c9-beta" and "c8s" have entirely different histories.
c9-beta ... c8s

10 changed files with 766 additions and 69 deletions

.gitignore vendored

@ -1 +1,2 @@
SOURCES/keyutils-1.6.3.tar.gz
SOURCES/keyutils-1.5.10.tar.bz2
/keyutils-1.5.10.tar.bz2


@ -1 +0,0 @@
7e5112d68eef5677e474d062282a0e1d1f19904c SOURCES/keyutils-1.6.3.tar.gz

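--- a/afs-srv.patch
+++ b/afs-srv.patch
@@ -0,0 +1,150 @@
+commit 0d71523ab58493e1b40e1c80d569ff8ebc5ea27d
+Author: David Howells <dhowells@redhat.com>
+Date: Wed, 9 May 2018 10:37:03 +0100
+DNS: Support AFS SRV records and cell db config files
+[dhowells: Cut down to only include generic changes as a prereq for the
+next patch]
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+key.dns_resolver.c | 47 +++++++++++++++++++++++++++++++----------------
+1 file changed, 31 insertions(+), 16 deletions(-)
+diff --git a/key.dns_resolver.c b/key.dns_resolver.c
+index 9c9d458..849c8fe 100644
+--- a/key.dns_resolver.c
++++ b/key.dns_resolver.c
+@@ -74,6 +74,7 @@ static int debug_mode;
+#define INET_IP6_ONLY 0x2
+#define INET_ALL 0xFF
+#define ONE_ADDR_ONLY 0x100
++unsigned mask = INET_ALL;
+/*
+* segmental payload
+@@ -164,14 +165,10 @@ static const int ns_errno_map[] = {
+[NO_DATA] = ENODATA,
+};
+-static __attribute__((noreturn))
+-void nsError(int err, const char *domain)
++void _nsError(int err, const char *domain)
+{
+- unsigned timeout = 1 * 60;
+- int ret;
+-
+if (isatty(2))
+- fprintf(stderr, "%s: %s.\n", domain, hstrerror(err));
++ fprintf(stderr, "NS:%s: %s.\n", domain, hstrerror(err));
+else
+syslog(LOG_INFO, "%s: %s", domain, hstrerror(err));
+@@ -181,11 +178,28 @@ void nsError(int err, const char *domain)
+err = ns_errno_map[err];
+info("Reject the key with error %d", err);
++}
++
++static __attribute__((noreturn))
++void nsError(int err, const char *domain)
++{
++ unsigned timeout;
++ int ret;
++
++ _nsError(err, domain);
+- if (err == EAGAIN)
++ switch (err) {
++ case TRY_AGAIN:
+timeout = 1;
+- else if (err == ECONNREFUSED)
++ break;
++ case 0:
++ case NO_RECOVERY:
+timeout = 10;
++ break;
++ default:
++ timeout = 1 * 60;
++ break;
++ }
+if (!debug_mode) {
+ret = keyctl_reject(key, timeout, err, KEY_REQKEY_DEFL_DEFAULT);
+@@ -296,10 +310,10 @@ static void dump_payload(void)
+* string to the list of payload segments.
+*/
+static int
+-dns_resolver(const char *server_name, unsigned mask)
++dns_resolver(const char *server_name, const char *port)
+{
+struct addrinfo hints, *addr, *ai;
+- char buf[INET6_ADDRSTRLEN + 1];
++ char buf[INET6_ADDRSTRLEN + 8 + 1];
+int ret, len;
+void *sa;
+@@ -320,8 +334,6 @@ dns_resolver(const char *server_name, unsigned mask)
+return -1;
+}
+- debug("getaddrinfo = %d", ret);
+-
+for (ai = addr; ai; ai = ai->ai_next) {
+debug("RR: %x,%x,%x,%x,%x,%s",
+ai->ai_flags, ai->ai_family,
+@@ -350,6 +362,8 @@ dns_resolver(const char *server_name, unsigned mask)
+if (!inet_ntop(ai->ai_family, sa, buf, len))
+error("%s: inet_ntop: %m", __func__);
++ if (port)
++ strcat(buf, port);
+append_address_to_payload(buf);
+if (mask & ONE_ADDR_ONLY)
+break;
+@@ -413,7 +427,7 @@ static void afsdb_hosts_to_addrs(ns_msg handle,
+goto next_one;
+/* Turn the hostname into IP addresses */
+- ret = dns_resolver(vllist[vlsnum], mask);
++ ret = dns_resolver(vllist[vlsnum], NULL);
+if (ret) {
+debug("AFSDB RR can't resolve."
+"subtype:%d, server name:%s, netmask:%u",
+@@ -523,7 +537,6 @@ int dns_query_afsdb(const char *cell, char *options)
+static __attribute__((noreturn))
+int dns_query_a_or_aaaa(const char *hostname, char *options)
+{
+- unsigned mask;
+int ret;
+debug("Get A/AAAA RR for hostname:'%s', options:'%s'",
+@@ -569,7 +582,7 @@ int dns_query_a_or_aaaa(const char *hostname, char *options)
+}
+/* Turn the hostname into IP addresses */
+- ret = dns_resolver(hostname, mask);
++ ret = dns_resolver(hostname, NULL);
+if (ret)
+nsError(NO_DATA, hostname);
+@@ -630,7 +643,7 @@ int main(int argc, char *argv[])
+openlog(prog, 0, LOG_DAEMON);
+- while ((ret = getopt_long(argc, argv, "vD", long_options, NULL)) != -1) {
++ while ((ret = getopt_long(argc, argv, "vDV", long_options, NULL)) != -1) {
+switch (ret) {
+case 'D':
+debug_mode = 1;
+@@ -713,6 +726,8 @@ int main(int argc, char *argv[])
+qtlen = name - keyend;
+name++;
++ info("Query type: '%*.*s'", qtlen, qtlen, keyend);
++
+if ((qtlen == sizeof(a_query_type) - 1 &&
+memcmp(keyend, a_query_type, sizeof(a_query_type) - 1) == 0) ||
+(qtlen == sizeof(aaaa_query_type) - 1 &&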
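Review bot: After this split keyctl_reject() no longer receives the mapped errno: `_nsError()` rewrites `err` through ns_errno_map only in its own copy, while nsError() still passes its unmapped parameter on in the context line `ret = keyctl_reject(key, timeout, err, KEY_REQKEY_DEFL_DEFAULT);`, so the kernel now gets the small netdb.h h_errno code rather than, say, ENODATA for NO_DATA as the old single function sent. Return the mapped code from _nsError() and use that for the reject while keeping the timeout switch on the original h_errno value; the rewritten lines are sketched below. The nsError() body continues past the hunk, so the handling of the keyctl_reject() result is not visible here. A smaller point: `unsigned mask = INET_ALL;` is given external linkage right under `static int debug_mode;` in the hunk context; `static unsigned mask = INET_ALL;` keeps it out of the global namespace.
```c
int _nsError(int err, const char *domain)
{
	/* … unchanged: print the lookup failure to stderr or syslog … */
	err = ns_errno_map[err];
	info("Reject the key with error %d", err);
	return err;
}

static __attribute__((noreturn))
void nsError(int err, const char *domain)
{
	unsigned timeout;
	int ret, reject_err;

	reject_err = _nsError(err, domain);
	/* … unchanged: choose timeout from the h_errno value in err … */
	if (!debug_mode) {
		ret = keyctl_reject(key, timeout, reject_err, KEY_REQKEY_DEFL_DEFAULT);
```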

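--- a/fix-ci-strcat.patch
+++ b/fix-ci-strcat.patch
@@ -0,0 +1,58 @@
+commit d8106bbb5348591968722e14fe4ee4b81e7902aa
+Author: David Howells <dhowells@redhat.com>
+Date: Wed Jun 16 15:06:36 2021 +0100
+Fix issue found by Coverity
+This isn't something that can actually be triggered. The port parameter is
+always NULL, so just drop the parameter and the call to strcat().
+Error: STRING_OVERFLOW (CWE-120):
+keyutils-1.5.10/key.dns_resolver.c:388: fixed_size_dest: You might overrun the 55-character fixed-size string "buf" by copying "port" without checking the length.
+keyutils-1.5.10/key.dns_resolver.c:388: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+key.dns_resolver.c | 8 +++-----
+1 file changed, 3 insertions(+), 5 deletions(-)
+diff --git a/key.dns_resolver.c b/key.dns_resolver.c
+index f3052e6..2743119 100644
+--- a/key.dns_resolver.c
++++ b/key.dns_resolver.c
+@@ -332,7 +332,7 @@ static void dump_payload(void)
+* string to the list of payload segments.
+*/
+static int
+-dns_resolver(const char *server_name, const char *port)
++dns_resolver(const char *server_name)
+{
+struct addrinfo hints, *addr, *ai;
+char buf[INET6_ADDRSTRLEN + 8 + 1];
+@@ -384,8 +384,6 @@ dns_resolver(const char *server_name, const char *port)
+if (!inet_ntop(ai->ai_family, sa, buf, len))
+error("%s: inet_ntop: %m", __func__);
+- if (port)
+- strcat(buf, port);
+append_address_to_payload(buf);
+if (mask & ONE_ADDR_ONLY)
+break;
+@@ -449,7 +447,7 @@ static void afsdb_hosts_to_addrs(ns_msg handle,
+goto next_one;
+/* Turn the hostname into IP addresses */
+- ret = dns_resolver(vllist[vlsnum], NULL);
++ ret = dns_resolver(vllist[vlsnum]);
+if (ret) {
+debug("AFSDB RR can't resolve."
+"subtype:%d, server name:%s, netmask:%u",
+@@ -604,7 +602,7 @@ int dns_query_a_or_aaaa(const char *hostname, char *options)
+}
+/* Turn the hostname into IP addresses */
+- ret = dns_resolver(hostname, NULL);
++ ret = dns_resolver(hostname);
+if (ret)
+nsError(NO_DATA, hostname);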
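Review bot: With the `strcat()` removed, the `+ 8` in the context line `char buf[INET6_ADDRSTRLEN + 8 + 1];` at the top of the first hunk no longer has a consumer; the earlier afs-srv.patch on this page grew the buffer in the same change that introduced the port suffix, and nothing else writes past the inet_ntop() output. Either shrink it back to `char buf[INET6_ADDRSTRLEN + 1];` or add `/* slack once reserved for a ":port" suffix; no longer appended */` so the next reader does not go looking for the writer. The rest of dns_resolver(), including how `len` is computed for inet_ntop(), lies outside the hunk.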

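--- a/gating.yaml
+++ b/gating.yaml
@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+- rhel-8
+decision_context: osci_compose_gate
+rules:
+- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}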


@ -1,22 +1,30 @@
%define vermajor 1
%define verminor 5.10
%define version %{vermajor}.%{verminor}
%define libapivermajor 1
%define libapiversion %{libapivermajor}.10
%define libapiversion %{libapivermajor}.6
# % define buildid .local
Name: keyutils
Version: 1.6.3
Release: 1%{?buildid}%{?dist}
Summary: Linux Key Management Utilities
Name: keyutils
Version: %{version}
Release: 9%{?buildid}%{?dist}
License: GPLv2+ and LGPLv2+
Url: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git
Group: System Environment/Base
ExclusiveOS: Linux
Url: http://people.redhat.com/~dhowells/keyutils/
Source0: %{url}/snapshot/keyutils-%{version}.tar.gz
Source0: http://people.redhat.com/~dhowells/keyutils/keyutils-%{version}.tar.bz2
Patch1: test-endianness-check.patch
Patch2: test-rhel8.patch
Patch3: afs-srv.patch
Patch4: ttl.patch
Patch5: fix-ci-strcat.patch
BuildRequires: gcc
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: glibc-kernheaders >= 2.4-9.1.92
BuildRequires: make
BuildRequires: g++
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: keyutils-libs == %{version}-%{release}
%description
Utilities to control the kernel key management facility and to provide
@ -25,6 +33,7 @@ instantiated.
%package libs
Summary: Key utilities library
Group: System Environment/Base
%description libs
This package provides a wrapper library for the key management facility system
@ -32,13 +41,21 @@ calls.
%package libs-devel
Summary: Development package for building Linux key management utilities
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Group: System Environment/Base
Requires: keyutils-libs == %{version}-%{release}
%description libs-devel
This package provides headers and libraries for building key utilities.
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%define datadir %{_datarootdir}/keyutils
%build
make \
@ -50,7 +67,7 @@ make \
SBINDIR=%{_sbindir} \
MANDIR=%{_mandir} \
INCLUDEDIR=%{_includedir} \
SHAREDIR=%{_datadir}/%{name} \
SHAREDIR=%{datadir} \
RELEASE=.%{release} \
NO_GLIBC_KEYERR=1 \
CFLAGS="-Wall $RPM_OPT_FLAGS" \
@ -67,7 +84,7 @@ make \
SBINDIR=%{_sbindir} \
MANDIR=%{_mandir} \
INCLUDEDIR=%{_includedir} \
SHAREDIR=%{_datadir}/%{name} \
SHAREDIR=%{datadir} \
install
%ldconfig_scriptlets libs
@ -75,83 +92,50 @@ make \
%files
%doc README
%license LICENCE.GPL
%config(noreplace) %{_sysconfdir}/*
%{_bindir}/keyctl
%{_sbindir}/key.dns_resolver
%{_sbindir}/request-key
%{_datadir}/%{name}
%{_sbindir}/*
%{_bindir}/*
%{datadir}
%{_mandir}/man1/*
%{_mandir}/man5/*
%{_mandir}/man8/*
%config(noreplace) %{_sysconfdir}/*
%files libs
%license LICENCE.LGPL
%{_mandir}/man7/*
%{_libdir}/libkeyutils.so.%{libapiversion}
%{_libdir}/libkeyutils.so.%{libapivermajor}
%{_mandir}/man7/*
%files libs-devel
%{_libdir}/libkeyutils.so
%{_includedir}/keyutils.h
%{_libdir}/pkgconfig/libkeyutils.pc
%{_includedir}/*
%{_mandir}/man3/*
%changelog
* Fri Oct 14 2022 Pavel Reichl <preichl@redhat.com> - 1.6.3-1
- Update to upstream version 1.6.3
Related: rhbz#2119105
* Wed Jun 16 2021 David Howells <dhowells@redhat.com> - 1.5.10-9
- Fix potential strcat overflow found by Coverity in CI test (#1661674).
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.1-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu Jun 3 2021 David Howells <dhowells@redhat.com> - 1.5.10-8
- Fix TTL handling on DNS lookups (#1661674).
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.1-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jan 5 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 1.6.1-1
- Update to 1.6.1
- Spec cleanups
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Tue Nov 13 2018 David Howells <dhowells@redhat.com> - 1.6-1
- Apply various specfile cleanups from Fedora.
- request-key: Provide a command line option to suppress helper execution.
- request-key: Find least-wildcard match rather than first match.
- Remove the dependency on MIT Kerberos.
- Fix some error messages
- keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
- Fix doc and comment typos.
- Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
- Add pkg-config support for finding libkeyutils.
* Tue Aug 28 2018 David Howells <dhowells@redhat.com> 1.5.11-1
- Add keyring restriction support.
- Add KDF support to the Diffie-Helman function.
- DNS: Add support for AFS config files and SRV records
* Sat Jul 21 2018 Peter Robinson <pbrobinson@fedoraproject.org> 1.5.10-8
- Spec cleanups, add gcc build requires
* Thu Apr 18 2019 David Howells <dhowells@redhat.com> - 1.5.10-7
- Fix testsuite for rhel-8 (#1681963).
* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.5.10-6
- Escape macros in %%changelog
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.10-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Sat Feb 03 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.5.10-4
- Switch to %%ldconfig_scriptlets
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.10-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Wed Mar 15 2017 David Howells <dhowells@redhat.com> - 1.5.10-1
- Include sys/types.h in keyutils.h.
- The dns resolver needs limits.h.
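Review bot: `Source0: http://people.redhat.com/~dhowells/keyutils/keyutils-%{version}.tar.bz2` fetches the tarball over plain HTTP; the SHA512 recorded in `sources` pins the content so an on-path substitution would fail the checksum, but an https URL (the other side's `Url:` already uses https for git.kernel.org) would close the transport gap as well. On the same side, `Requires: keyutils-libs == %{version}-%{release}` drops the `%{?_isa}` qualifier the other side carries, which on multilib hosts lets keyutils of one architecture be satisfied by keyutils-libs of another; `Requires: %{name}-libs%{?_isa} = %{version}-%{release}` is the safer form. The `%files` globs (`%{_sbindir}/*`, `%{_bindir}/*`, `%{_includedir}/*`, `%config(noreplace) %{_sysconfdir}/*`) likewise hide any unintended payload that an explicit list would surface at build time. Which lines belong to the c8s side is inferred here from the Release and changelog entries, not from surviving diff markers.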

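--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (keyutils-1.5.10.tar.bz2) = 7f6f956c7e76cdc2aeb52e74fe670b20a5f9a5d9b543fd2ce971d80c48745f37d05235a42f0a8f152b1128a109c7d8bf07e751282a20d2d3f433a99a5308ae8d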


@ -0,0 +1,23 @@
commit d0fedbf9257a0fed18030527fd094588df5873aa
Author: David Howells <dhowells@redhat.com>
Date: Tue Aug 21 23:24:03 2018 +0100
TEST: Add a missing backslash
Add a missing backslash into a regular expression in the toolbox.
Signed-off-by: David Howells <dhowells@redhat.com>
diff --git a/tests/toolbox.inc.sh b/tests/toolbox.inc.sh
index 140be66..0ce6db0 100644
--- a/tests/toolbox.inc.sh
+++ b/tests/toolbox.inc.sh
@@ -13,7 +13,7 @@
echo === $OUTPUTFILE ===
endian=`file -L /proc/$$/exe`
-if expr "$endian" : '.* MSB \+\(executable\|shared object).*' >&/dev/null
+if expr "$endian" : '.* MSB \+\(executable\|shared object\).*' >&/dev/null
then
endian=BE
elif expr "$endian" : '.* LSB \+\(executable\|shared object\).*' >&/dev/null

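--- a/test-rhel8.patch
+++ b/test-rhel8.patch
@@ -0,0 +1,27 @@
+commit 0b1654506039e614954e141aad3ceddb7018a2cb
+Author: David Howells <dhowells@redhat.com>
+Date: Wed Apr 17 15:42:30 2019 +0100
+TEST: Apply test exclusions for RHEL-8
+RHEL-8 doesn't enable the DH/KDF code, so disable the tests on all RHEL
+distributions for now.
+Signed-off-by: David Howells <dhowells@redhat.com>
+diff --git a/tests/prepare.inc.sh b/tests/prepare.inc.sh
+index ab9ae4d..9c4adda 100644
+--- a/tests/prepare.inc.sh
++++ b/tests/prepare.inc.sh
+@@ -96,7 +96,10 @@ fi
+# Work out whether Diffie-Hellman is supported by the kernel
+#
+have_dh_compute=0
+-if keyutils_at_or_later_than 1.5.10 && kernel_at_or_later_than 4.7-rc1
++if [ $OSDIST = RHEL ]
++then
++ :
++elif keyutils_at_or_later_than 1.5.10 && kernel_at_or_later_than 4.7-rc1
+then
+have_dh_compute=1
+fi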
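Review bot: `if [ $OSDIST = RHEL ]` leaves `$OSDIST` unquoted, so if the variable is unset or empty the test degenerates to `[ = RHEL ]` and the script fails with a syntax error instead of falling through to the version check; write `if [ "$OSDIST" = RHEL ]`. Where OSDIST is assigned is outside this hunk, so whether it can be empty on non-RHEL hosts cannot be confirmed from here. The empty `then :` branch could also be folded into the existing condition as `if [ "$OSDIST" != RHEL ] && keyutils_at_or_later_than 1.5.10 && kernel_at_or_later_than 4.7-rc1`, which reads as the single rule it is.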

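--- a/ttl.patch
+++ b/ttl.patch
@@ -0,0 +1,448 @@
+commit 75e7568dc516db698093b33ea273e1b4a30b70be
+Author: David Howells <dhowells@redhat.com>
+Date: Tue, 14 Apr 2020 16:07:26 +0100
+dns: Apply a default TTL to records obtained from getaddrinfo()
+Address records obtained from getaddrinfo() don't come with any TTL
+information, even if they're obtained from the DNS, with the result that
+key.dns_resolver upcall program doesn't set an expiry time on dns_resolver
+records unless they include a component obtained directly from the DNS,
+such as an SRV or AFSDB record.
+Fix this to apply a default TTL of 10mins in the event that we haven't got
+one. This can be configured in /etc/keyutils/key.dns_resolver.conf by
+adding the line:
+default_ttl = <number-of-seconds>
+to the file.
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Ben Boeckel <me@benboeckel.net>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+[dhowells: Cut down to remove kafs-specific bits]
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+Makefile | 1
+key.dns_resolver.c | 209 +++++++++++++++++++++++++++++++++++++++++---
+man/key.dns_resolver.8 | 25 ++++-
+man/key.dns_resolver.conf.5 | 48 ++++++++++
+4 files changed, 267 insertions(+), 16 deletions(-)
+diff --git a/Makefile b/Makefile
+index 824bbbf..c2b2460 100644
+--- a/Makefile
++++ b/Makefile
+@@ -175,6 +175,7 @@ endif
+$(INSTALL) -D key.dns_resolver $(DESTDIR)$(SBINDIR)/key.dns_resolver
+$(INSTALL) -D -m 0644 request-key.conf $(DESTDIR)$(ETCDIR)/request-key.conf
+mkdir -p $(DESTDIR)$(ETCDIR)/request-key.d
++ mkdir -p $(DESTDIR)$(ETCDIR)/keyutils
+mkdir -p $(DESTDIR)$(MAN1)
+$(INSTALL) -m 0644 $(wildcard man/*.1) $(DESTDIR)$(MAN1)
+mkdir -p $(DESTDIR)$(MAN3)
+diff --git a/key.dns_resolver.c b/key.dns_resolver.c
+index 849c8fe..f3052e6 100644
+--- a/key.dns_resolver.c
++++ b/key.dns_resolver.c
+@@ -53,10 +53,12 @@
+#include <string.h>
+#include <stdio.h>
+#include <stdarg.h>
++#include <stdbool.h>
+#include <keyutils.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <time.h>
++#include <ctype.h>
+static const char *DNS_PARSE_VERSION = "1.0";
+static const char prog[] = "key.dns_resolver";
+@@ -64,11 +66,13 @@ static const char key_type[] = "dns_resolver";
+static const char a_query_type[] = "a";
+static const char aaaa_query_type[] = "aaaa";
+static const char afsdb_query_type[] = "afsdb";
++static const char *config_file = "/etc/keyutils/key.dns_resolver.conf";
+static key_serial_t key;
++static unsigned int key_expiry = 5;
++static bool config_specified = false;
+static int verbose;
+static int debug_mode;
+-
+#define MAX_VLS 15 /* Max Volume Location Servers Per-Cell */
+#define INET_IP4_ONLY 0x1
+#define INET_IP6_ONLY 0x2
+@@ -132,6 +136,23 @@ void _error(const char *fmt, ...)
+va_end(va);
+}
++/*
++ * Print a warning to stderr or the syslog
++ */
++void warning(const char *fmt, ...)
++{
++ va_list va;
++
++ va_start(va, fmt);
++ if (isatty(2)) {
++ vfprintf(stderr, fmt, va);
++ fputc('\n', stderr);
++ } else {
++ vsyslog(LOG_WARNING, fmt, va);
++ }
++ va_end(va);
++}
++
+/*
+* Print status information
+*/
+@@ -302,6 +323,7 @@ static void dump_payload(void)
+}
+info("The key instantiation data is '%s'", buf);
++ info("The expiry time is %us", key_expiry);
+free(buf);
+}
+@@ -597,6 +619,9 @@ int dns_query_a_or_aaaa(const char *hostname, char *options)
+/* load the key with data key */
+if (!debug_mode) {
++ ret = keyctl_set_timeout(key, key_expiry);
++ if (ret == -1)
++ error("%s: keyctl_set_timeout: %m", __func__);
+ret = keyctl_instantiate_iov(key, payload, payload_index, 0);
+if (ret == -1)
+error("%s: keyctl_instantiate: %m", __func__);
+@@ -605,6 +630,157 @@ int dns_query_a_or_aaaa(const char *hostname, char *options)
+exit(0);
+}
++/*
++ * Read the config file.
++ */
++static void read_config(void)
++{
++ FILE *f;
++ char buf[4096], *b, *p, *k, *v;
++ unsigned int line = 0, u;
++ int n;
++
++ info("READ CONFIG %s", config_file);
++
++ f = fopen(config_file, "r");
++ if (!f) {
++ if (errno == ENOENT && !config_specified) {
++ debug("%s: %m", config_file);
++ return;
++ }
++ error("%s: %m", config_file);
++ }
++
++ while (fgets(buf, sizeof(buf) - 1, f)) {
++ line++;
++
++ /* Trim off leading and trailing spaces and discard whole-line
++ * comments.
++ */
++ b = buf;
++ while (isspace(*b))
++ b++;
++ if (!*b || *b == '#')
++ continue;
++ p = strchr(b, '\n');
++ if (!p)
++ error("%s:%u: line missing newline or too long", config_file, line);
++ while (p > buf && isspace(p[-1]))
++ p--;
++ *p = 0;
++
++ /* Split into key[=value] pairs and trim spaces. */
++ k = b;
++ v = NULL;
++ b = strchr(b, '=');
++ if (b) {
++ char quote = 0;
++ bool esc = false;
++
++ if (b == k)
++ error("%s:%u: Unspecified key",
++ config_file, line);
++
++ /* NUL-terminate the key. */
++ for (p = b - 1; isspace(*p); p--)
++ ;
++ p[1] = 0;
++
++ /* Strip leading spaces */
++ b++;
++ while (isspace(*b))
++ b++;
++ if (!*b)
++ goto missing_value;
++
++ if (*b == '"' || *b == '\'') {
++ quote = *b;
++ b++;
++ }
++ v = p = b;
++ while (*b) {
++ if (esc) {
++ switch (*b) {
++ case ' ':
++ case '\t':
++ case '"':
++ case '\'':
++ case '\\':
++ break;
++ default:
++ goto invalid_escape_char;
++ }
++ esc = false;
++ *p++ = *b++;
++ continue;
++ }
++ if (*b == '\\') {
++ esc = true;
++ b++;
++ continue;
++ }
++ if (*b == quote) {
++ b++;
++ if (*b)
++ goto post_quote_data;
++ quote = 0;
++ break;
++ }
++ if (!quote && *b == '#')
++ break; /* Terminal comment */
++ *p++ = *b++;
++ }
++
++ if (esc)
++ error("%s:%u: Incomplete escape", config_file, line);
++ if (quote)
++ error("%s:%u: Unclosed quotes", config_file, line);
++ *p = 0;
++ }
++
++ if (strcmp(k, "default_ttl") == 0) {
++ if (!v)
++ goto missing_value;
++ if (sscanf(v, "%u%n", &u, &n) != 1)
++ goto bad_value;
++ if (v[n])
++ goto extra_data;
++ if (u < 1 || u > INT_MAX)
++ goto out_of_range;
++ key_expiry = u;
++ } else {
++ warning("%s:%u: Unknown option '%s'", config_file, line, k);
++ }
++ }
++
++ if (ferror(f) || fclose(f) == EOF)
++ error("%s: %m", config_file);
++ return;
++
++missing_value:
++ error("%s:%u: %s: Missing value", config_file, line, k);
++invalid_escape_char:
++ error("%s:%u: %s: Invalid char in escape", config_file, line, k);
++post_quote_data:
++ error("%s:%u: %s: Data after closing quote", config_file, line, k);
++bad_value:
++ error("%s:%u: %s: Bad value", config_file, line, k);
++extra_data:
++ error("%s:%u: %s: Extra data supplied", config_file, line, k);
++out_of_range:
++ error("%s:%u: %s: Value out of range", config_file, line, k);
++}
++
++/*
++ * Dump the configuration after parsing the config file.
++ */
++static __attribute__((noreturn))
++void config_dumper(void)
++{
++ printf("default_ttl = %u\n", key_expiry);
++ exit(0);
++}
++
+/*
+* Print usage details,
+*/
+@@ -613,22 +789,24 @@ void usage(void)
+{
+if (isatty(2)) {
+fprintf(stderr,
+- "Usage: %s [-vv] key_serial\n",
++ "Usage: %s [-vv] [-c config] key_serial\n",
+prog);
+fprintf(stderr,
+- "Usage: %s -D [-vv] <desc> <calloutinfo>\n",
++ "Usage: %s -D [-vv] [-c config] <desc> <calloutinfo>\n",
+prog);
+} else {
+- info("Usage: %s [-vv] key_serial", prog);
++ info("Usage: %s [-vv] [-c config] key_serial", prog);
+}
+exit(2);
+}
+-const struct option long_options[] = {
+- { "debug", 0, NULL, 'D' },
+- { "verbose", 0, NULL, 'v' },
+- { "version", 0, NULL, 'V' },
+- { NULL, 0, NULL, 0 }
++static const struct option long_options[] = {
++ { "config", 0, NULL, 'c' },
++ { "debug", 0, NULL, 'D' },
++ { "dump-config", 0, NULL, 2 },
++ { "verbose", 0, NULL, 'v' },
++ { "version", 0, NULL, 'V' },
++ { NULL, 0, NULL, 0 }
+};
+/*
+@@ -640,11 +818,19 @@ int main(int argc, char *argv[])
+char *keyend, *p;
+char *callout_info = NULL;
+char *buf = NULL, *name;
++ bool dump_config = false;
+openlog(prog, 0, LOG_DAEMON);
+- while ((ret = getopt_long(argc, argv, "vDV", long_options, NULL)) != -1) {
++ while ((ret = getopt_long(argc, argv, "c:vDV", long_options, NULL)) != -1) {
+switch (ret) {
++ case 'c':
++ config_file = optarg;
++ config_specified = true;
++ continue;
++ case 2:
++ dump_config = true;
++ continue;
+case 'D':
+debug_mode = 1;
+continue;
+@@ -666,6 +852,9 @@ int main(int argc, char *argv[])
+argc -= optind;
+argv += optind;
++ read_config();
++ if (dump_config)
++ config_dumper();
+if (!debug_mode) {
+if (argc != 1)
+diff --git a/man/key.dns_resolver.8 b/man/key.dns_resolver.8
+index e1882e0..0b17edd 100644
+--- a/man/key.dns_resolver.8
++++ b/man/key.dns_resolver.8
+@@ -7,28 +7,41 @@
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+-.TH KEY.DNS_RESOLVER 8 "04 Mar 2011" Linux "Linux Key Management Utilities"
++.TH KEY.DNS_RESOLVER 8 "18 May 2020" Linux "Linux Key Management Utilities"
+.SH NAME
+key.dns_resolver \- upcall for request\-key to handle dns_resolver keys
+.SH SYNOPSIS
+\fB/sbin/key.dns_resolver \fR<key>
+.br
+-\fB/sbin/key.dns_resolver \fR\-D [\-v] [\-v] <keydesc> <calloutinfo>
++\fB/sbin/key.dns_resolver \fR--dump-config [\-c <configfile>]
++.br
++\fB/sbin/key.dns_resolver \fR\-D [\-v] [\-v] [\-c <configfile>] <desc>
++.br
++<calloutinfo>
+.SH DESCRIPTION
+This program is invoked by request\-key on behalf of the kernel when kernel
+services (such as NFS, CIFS and AFS) want to perform a hostname lookup and the
+kernel does not have the key cached. It is not ordinarily intended to be
+called directly.
+.P
+-It can be called in debugging mode to test its functionality by passing a
+-\fB\-D\fR flag on the command line. For this to work, the key description and
+-the callout information must be supplied. Verbosity can be increased by
+-supplying one or more \fB\-v\fR flags.
++There program has internal parameters that can be changed with a configuration
++file (see key.dns_resolver.conf(5) for more information). The default
++configuration file is in /etc, but this can be overridden with the \fB-c\fR
++flag.
++.P
++The program can be called in debugging mode to test its functionality by
++passing a \fB\-D\fR or \fB\--debug\fR flag on the command line. For this to
++work, the key description and the callout information must be supplied.
++Verbosity can be increased by supplying one or more \fB\-v\fR flags.
++.P
++The program may also be called with \fB--dump-config\fR to show the values that
++configurable parameters will have after parsing the config file.
+.SH ERRORS
+All errors will be logged to the syslog.
+.SH SEE ALSO
+.ad l
+.nh
++.BR key.dns_resolver.conf (5),
+.BR request\-key.conf (5),
+.BR keyrings (7),
+.BR request\-key (8)
+diff --git a/man/key.dns_resolver.conf.5 b/man/key.dns_resolver.conf.5
+new file mode 100644
+index 0000000..c944ad5
+--- /dev/null
++++ b/man/key.dns_resolver.conf.5
+@@ -0,0 +1,48 @@
++.\" -*- nroff -*-
++.\" Copyright (C) 2020 Red Hat, Inc. All Rights Reserved.
++.\" Written by David Howells (dhowells@redhat.com)
++.\"
++.\" This program is free software; you can redistribute it and/or
++.\" modify it under the terms of the GNU General Public License
++.\" as published by the Free Software Foundation; either version
++.\" 2 of the License, or (at your option) any later version.
++.\"
++.TH KEY.DNS_RESOLVER.CONF 5 "18 May 2020" Linux "Linux Key Management Utilities"
++.SH NAME
++key.dns_resolver.conf \- Kernel DNS resolver config
++.SH DESCRIPTION
++This file is used by the key.dns_resolver(5) program to set parameters.
++Unless otherwise overridden with the \fB\-c\fR flag, the program reads:
++.IP
++/etc/key.dns_resolver.conf
++.P
++Configuration options are given in \fBkey[=value]\fR form, where \fBvalue\fR is
++optional. If present, the value may be surrounded by a pair of single ('') or
++double quotes ("") which will be stripped off. The special characters in the
++value may be escaped with a backslash to turn them into ordinary characters.
++.P
++Lines beginning with a '#' are considered comments and ignored. A '#' symbol
++anywhere after the '=' makes the rest of the line into a comment unless the '#'
++is inside a quoted section or is escaped.
++.P
++Leading and trailing spaces and spaces around the '=' symbol will be stripped
++off.
++.P
++Available options include:
++.TP
++.B default_ttl=<number>
++The number of seconds to set as the expiration on a cached record. This will
++be overridden if the program manages to retrieve TTL information along with
++the addresses (if, for example, it accesses the DNS directly). The default is
++5 seconds. The value must be in the range 1 to INT_MAX.
++.P
++The file can also include comments beginning with a '#' character unless
++otherwise suppressed by being inside a quoted value or being escaped with a
++backslash.
++
++.SH FILES
++.ul
++/etc/key.dns_resolver.conf
++.ul 0
++.SH SEE ALSO
++\fBkey.dns_resolver\fR(8)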
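Review bot: In the new long_options table `{ "config", 0, NULL, 'c' }` declares --config as taking no argument while the short form is registered as `c:`, so `--config /path` leaves `optarg` NULL and the new `case 'c':` branch stores NULL into `config_file`, which read_config() then passes to info() and fopen(); the entry should be `{ "config", 1, NULL, 'c' }` (required_argument). The new key.dns_resolver.conf(5) page is also out of step with the code: it documents `/etc/key.dns_resolver.conf` in DESCRIPTION and FILES, while `config_file` defaults to `/etc/keyutils/key.dns_resolver.conf` and the Makefile hunk creates that directory, and because a missing default file is silently accepted in read_config() (the ENOENT branch), a file placed at the documented path has no effect at all. The same page cross-references `key.dns_resolver(5)` where the program's page is section 8, and the commit message's "default TTL of 10mins" does not match `key_expiry = 5` or the page's "5 seconds"; these should be reconciled before the page ships. Separately, read_config() passes plain `char` to isspace(); a byte at or above 0x80 in a value or comment becomes a negative argument, so cast as `while (isspace((unsigned char)*b))` and likewise for the `p[-1]` and `*p` calls.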