3
.gitignore
vendored
@ -1 +1,2 @@
|
||||
SOURCES/keyutils-1.6.3.tar.gz
|
||||
SOURCES/keyutils-1.5.10.tar.bz2
|
||||
/keyutils-1.5.10.tar.bz2
|
||||
|
@ -1 +0,0 @@
|
||||
7e5112d68eef5677e474d062282a0e1d1f19904c SOURCES/keyutils-1.6.3.tar.gz
|
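--- /dev/null
+++ b/afs-srv.patch
@@ -0,0 +1,150 @@
+commit 0d71523ab58493e1b40e1c80d569ff8ebc5ea27d
+Author: David Howells <dhowells@redhat.com>
+Date: Wed, 9 May 2018 10:37:03 +0100
+
+DNS: Support AFS SRV records and cell db config files
+
+[dhowells: Cut down to only include generic changes as a prereq for the
+next patch]
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+key.dns_resolver.c | 47 +++++++++++++++++++++++++++++++----------------
+1 file changed, 31 insertions(+), 16 deletions(-)
+
+
+diff --git a/key.dns_resolver.c b/key.dns_resolver.c
+index 9c9d458..849c8fe 100644
+--- a/key.dns_resolver.c
++++ b/key.dns_resolver.c
+@@ -74,6 +74,7 @@ static int debug_mode;
+#define INET_IP6_ONLY 0x2
+#define INET_ALL 0xFF
+#define ONE_ADDR_ONLY 0x100
++unsigned mask = INET_ALL;
+
+/*
+* segmental payload
+@@ -164,14 +165,10 @@ static const int ns_errno_map[] = {
+[NO_DATA] = ENODATA,
+};
+
+-static __attribute__((noreturn))
+-void nsError(int err, const char *domain)
++void _nsError(int err, const char *domain)
+{
+- unsigned timeout = 1 * 60;
+- int ret;
+-
+if (isatty(2))
+- fprintf(stderr, "%s: %s.\n", domain, hstrerror(err));
++ fprintf(stderr, "NS:%s: %s.\n", domain, hstrerror(err));
+else
+syslog(LOG_INFO, "%s: %s", domain, hstrerror(err));
+
+@@ -181,11 +178,28 @@ void nsError(int err, const char *domain)
+err = ns_errno_map[err];
+
+info("Reject the key with error %d", err);
++}
++
++static __attribute__((noreturn))
++void nsError(int err, const char *domain)
++{
++ unsigned timeout;
++ int ret;
++
++ _nsError(err, domain);
+
+- if (err == EAGAIN)
++ switch (err) {
++ case TRY_AGAIN:
+timeout = 1;
+- else if (err == ECONNREFUSED)
++ break;
++ case 0:
++ case NO_RECOVERY:
+timeout = 10;
++ break;
++ default:
++ timeout = 1 * 60;
++ break;
++ }
+
+if (!debug_mode) {
+ret = keyctl_reject(key, timeout, err, KEY_REQKEY_DEFL_DEFAULT);
+@@ -296,10 +310,10 @@ static void dump_payload(void)
+* string to the list of payload segments.
+*/
+static int
+-dns_resolver(const char *server_name, unsigned mask)
++dns_resolver(const char *server_name, const char *port)
+{
+struct addrinfo hints, *addr, *ai;
+- char buf[INET6_ADDRSTRLEN + 1];
++ char buf[INET6_ADDRSTRLEN + 8 + 1];
+int ret, len;
+void *sa;
+
+@@ -320,8 +334,6 @@ dns_resolver(const char *server_name, unsigned mask)
+return -1;
+}
+
+- debug("getaddrinfo = %d", ret);
+-
+for (ai = addr; ai; ai = ai->ai_next) {
+debug("RR: %x,%x,%x,%x,%x,%s",
+ai->ai_flags, ai->ai_family,
+@@ -350,6 +362,8 @@ dns_resolver(const char *server_name, unsigned mask)
+if (!inet_ntop(ai->ai_family, sa, buf, len))
+error("%s: inet_ntop: %m", __func__);
+
++ if (port)
++ strcat(buf, port);
+append_address_to_payload(buf);
+if (mask & ONE_ADDR_ONLY)
+break;
+@@ -413,7 +427,7 @@ static void afsdb_hosts_to_addrs(ns_msg handle,
+goto next_one;
+
+/* Turn the hostname into IP addresses */
+- ret = dns_resolver(vllist[vlsnum], mask);
++ ret = dns_resolver(vllist[vlsnum], NULL);
+if (ret) {
+debug("AFSDB RR can't resolve."
+"subtype:%d, server name:%s, netmask:%u",
+@@ -523,7 +537,6 @@ int dns_query_afsdb(const char *cell, char *options)
+static __attribute__((noreturn))
+int dns_query_a_or_aaaa(const char *hostname, char *options)
+{
+- unsigned mask;
+int ret;
+
+debug("Get A/AAAA RR for hostname:'%s', options:'%s'",
+@@ -569,7 +582,7 @@ int dns_query_a_or_aaaa(const char *hostname, char *options)
+}
+
+/* Turn the hostname into IP addresses */
+- ret = dns_resolver(hostname, mask);
++ ret = dns_resolver(hostname, NULL);
+if (ret)
+nsError(NO_DATA, hostname);
+
+@@ -630,7 +643,7 @@ int main(int argc, char *argv[])
+
+openlog(prog, 0, LOG_DAEMON);
+
+- while ((ret = getopt_long(argc, argv, "vD", long_options, NULL)) != -1) {
++ while ((ret = getopt_long(argc, argv, "vDV", long_options, NULL)) != -1) {
+switch (ret) {
+case 'D':
+debug_mode = 1;
+@@ -713,6 +726,8 @@ int main(int argc, char *argv[])
+qtlen = name - keyend;
+name++;
+
++ info("Query type: '%*.*s'", qtlen, qtlen, keyend);
++
+if ((qtlen == sizeof(a_query_type) - 1 &&
+memcmp(keyend, a_query_type, sizeof(a_query_type) - 1) == 0) ||
+(qtlen == sizeof(aaaa_query_type) - 1 &&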
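Review bot: After the nsError split, the unchanged context line `ret = keyctl_reject(key, timeout, err, KEY_REQKEY_DEFL_DEFAULT);` now receives the resolver's h_errno code rather than the errno produced by `err = ns_errno_map[err];`, because that mapping happens on `_nsError`'s by-value copy and is only logged by `info("Reject the key with error %d", err);` before `+}` closes the helper; unless keyctl_reject is meant to take h_errno values, the kernel gets a different rejection error than before this patch. Returning the mapped value restores the original behaviour while keeping the new switch on the raw code: `static int _nsError(int err, const char *domain)` ending in `return err;`, then in nsError `int rejerr = _nsError(err, domain);` and `ret = keyctl_reject(key, timeout, rejerr, KEY_REQKEY_DEFL_DEFAULT);`. Separately, `_nsError` is a non-static file-scope identifier beginning with an underscore, which C reserves for the implementation, and the new `unsigned mask = INET_ALL;` is likewise given external linkage; a `static` helper with a name such as `nserror_report` and `static unsigned mask` would avoid both. The bodies of nsError and dns_resolver continue outside their hunks.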
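--- /dev/null
+++ b/fix-ci-strcat.patch
@@ -0,0 +1,58 @@
+commit d8106bbb5348591968722e14fe4ee4b81e7902aa
+Author: David Howells <dhowells@redhat.com>
+Date: Wed Jun 16 15:06:36 2021 +0100
+
+Fix issue found by Coverity
+
+This isn't something that can actually be triggered. The port parameter is
+always NULL, so just drop the parameter and the call to strcat().
+
+Error: STRING_OVERFLOW (CWE-120):
+keyutils-1.5.10/key.dns_resolver.c:388: fixed_size_dest: You might overrun the 55-character fixed-size string "buf" by copying "port" without checking the length.
+keyutils-1.5.10/key.dns_resolver.c:388: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+
+---
+key.dns_resolver.c | 8 +++-----
+1 file changed, 3 insertions(+), 5 deletions(-)
+diff --git a/key.dns_resolver.c b/key.dns_resolver.c
+index f3052e6..2743119 100644
+--- a/key.dns_resolver.c
++++ b/key.dns_resolver.c
+@@ -332,7 +332,7 @@ static void dump_payload(void)
+* string to the list of payload segments.
+*/
+static int
+-dns_resolver(const char *server_name, const char *port)
++dns_resolver(const char *server_name)
+{
+struct addrinfo hints, *addr, *ai;
+char buf[INET6_ADDRSTRLEN + 8 + 1];
+@@ -384,8 +384,6 @@ dns_resolver(const char *server_name, const char *port)
+if (!inet_ntop(ai->ai_family, sa, buf, len))
+error("%s: inet_ntop: %m", __func__);
+
+- if (port)
+- strcat(buf, port);
+append_address_to_payload(buf);
+if (mask & ONE_ADDR_ONLY)
+break;
+@@ -449,7 +447,7 @@ static void afsdb_hosts_to_addrs(ns_msg handle,
+goto next_one;
+
+/* Turn the hostname into IP addresses */
+- ret = dns_resolver(vllist[vlsnum], NULL);
++ ret = dns_resolver(vllist[vlsnum]);
+if (ret) {
+debug("AFSDB RR can't resolve."
+"subtype:%d, server name:%s, netmask:%u",
+@@ -604,7 +602,7 @@ int dns_query_a_or_aaaa(const char *hostname, char *options)
+}
+
+/* Turn the hostname into IP addresses */
+- ret = dns_resolver(hostname, NULL);
++ ret = dns_resolver(hostname);
+if (ret)
+nsError(NO_DATA, hostname);
+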
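Review bot: The context line `char buf[INET6_ADDRSTRLEN + 8 + 1];` keeps the extra 8 bytes that afs-srv.patch added to make room for the port suffix; with the `port` parameter and the `strcat()` gone, the only writer of buf is `inet_ntop()` bounded by `len`, so the size can return to `char buf[INET6_ADDRSTRLEN + 1];` (or a comment can say why the slack is kept) so the next reader does not look for a caller that still appends to it. The body of dns_resolver continues outside the hunk.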
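--- /dev/null
+++ b/gating.yaml
@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+- rhel-8
+decision_context: osci_compose_gate
+rules:
+- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}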
@ -1,22 +1,30 @@
|
||||
%define vermajor 1
|
||||
%define verminor 5.10
|
||||
%define version %{vermajor}.%{verminor}
|
||||
%define libapivermajor 1
|
||||
%define libapiversion %{libapivermajor}.10
|
||||
%define libapiversion %{libapivermajor}.6
|
||||
|
||||
# % define buildid .local
|
||||
|
||||
Name: keyutils
|
||||
Version: 1.6.3
|
||||
Release: 1%{?buildid}%{?dist}
|
||||
Summary: Linux Key Management Utilities
|
||||
Name: keyutils
|
||||
Version: %{version}
|
||||
Release: 9%{?buildid}%{?dist}
|
||||
License: GPLv2+ and LGPLv2+
|
||||
Url: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git
|
||||
Group: System Environment/Base
|
||||
ExclusiveOS: Linux
|
||||
Url: http://people.redhat.com/~dhowells/keyutils/
|
||||
|
||||
Source0: %{url}/snapshot/keyutils-%{version}.tar.gz
|
||||
Source0: http://people.redhat.com/~dhowells/keyutils/keyutils-%{version}.tar.bz2
|
||||
Patch1: test-endianness-check.patch
|
||||
Patch2: test-rhel8.patch
|
||||
Patch3: afs-srv.patch
|
||||
Patch4: ttl.patch
|
||||
Patch5: fix-ci-strcat.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
BuildRequires: glibc-kernheaders >= 2.4-9.1.92
|
||||
BuildRequires: make
|
||||
BuildRequires: g++
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Requires: keyutils-libs == %{version}-%{release}
|
||||
|
||||
%description
|
||||
Utilities to control the kernel key management facility and to provide
|
||||
@ -25,6 +33,7 @@ instantiated.
|
||||
|
||||
%package libs
|
||||
Summary: Key utilities library
|
||||
Group: System Environment/Base
|
||||
|
||||
%description libs
|
||||
This package provides a wrapper library for the key management facility system
|
||||
@ -32,13 +41,21 @@ calls.
|
||||
|
||||
%package libs-devel
|
||||
Summary: Development package for building Linux key management utilities
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Group: System Environment/Base
|
||||
Requires: keyutils-libs == %{version}-%{release}
|
||||
|
||||
%description libs-devel
|
||||
This package provides headers and libraries for building key utilities.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
|
||||
%define datadir %{_datarootdir}/keyutils
|
||||
|
||||
%build
|
||||
make \
|
||||
@ -50,7 +67,7 @@ make \
|
||||
SBINDIR=%{_sbindir} \
|
||||
MANDIR=%{_mandir} \
|
||||
INCLUDEDIR=%{_includedir} \
|
||||
SHAREDIR=%{_datadir}/%{name} \
|
||||
SHAREDIR=%{datadir} \
|
||||
RELEASE=.%{release} \
|
||||
NO_GLIBC_KEYERR=1 \
|
||||
CFLAGS="-Wall $RPM_OPT_FLAGS" \
|
||||
@ -67,7 +84,7 @@ make \
|
||||
SBINDIR=%{_sbindir} \
|
||||
MANDIR=%{_mandir} \
|
||||
INCLUDEDIR=%{_includedir} \
|
||||
SHAREDIR=%{_datadir}/%{name} \
|
||||
SHAREDIR=%{datadir} \
|
||||
install
|
||||
|
||||
%ldconfig_scriptlets libs
|
||||
@ -75,83 +92,50 @@ make \
|
||||
%files
|
||||
%doc README
|
||||
%license LICENCE.GPL
|
||||
%config(noreplace) %{_sysconfdir}/*
|
||||
%{_bindir}/keyctl
|
||||
%{_sbindir}/key.dns_resolver
|
||||
%{_sbindir}/request-key
|
||||
%{_datadir}/%{name}
|
||||
%{_sbindir}/*
|
||||
%{_bindir}/*
|
||||
%{datadir}
|
||||
%{_mandir}/man1/*
|
||||
%{_mandir}/man5/*
|
||||
%{_mandir}/man8/*
|
||||
%config(noreplace) %{_sysconfdir}/*
|
||||
|
||||
%files libs
|
||||
%license LICENCE.LGPL
|
||||
%{_mandir}/man7/*
|
||||
%{_libdir}/libkeyutils.so.%{libapiversion}
|
||||
%{_libdir}/libkeyutils.so.%{libapivermajor}
|
||||
%{_mandir}/man7/*
|
||||
|
||||
%files libs-devel
|
||||
%{_libdir}/libkeyutils.so
|
||||
%{_includedir}/keyutils.h
|
||||
%{_libdir}/pkgconfig/libkeyutils.pc
|
||||
%{_includedir}/*
|
||||
%{_mandir}/man3/*
|
||||
|
||||
%changelog
|
||||
* Fri Oct 14 2022 Pavel Reichl <preichl@redhat.com> - 1.6.3-1
|
||||
- Update to upstream version 1.6.3
|
||||
Related: rhbz#2119105
|
||||
* Wed Jun 16 2021 David Howells <dhowells@redhat.com> - 1.5.10-9
|
||||
- Fix potential strcat overflow found by Coverity in CI test (#1661674).
|
||||
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.1-4
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
* Thu Jun 3 2021 David Howells <dhowells@redhat.com> - 1.5.10-8
|
||||
- Fix TTL handling on DNS lookups (#1661674).
|
||||
|
||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.1-3
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Tue Jan 5 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 1.6.1-1
|
||||
- Update to 1.6.1
|
||||
- Spec cleanups
|
||||
|
||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.6-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.6-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Tue Nov 13 2018 David Howells <dhowells@redhat.com> - 1.6-1
|
||||
- Apply various specfile cleanups from Fedora.
|
||||
- request-key: Provide a command line option to suppress helper execution.
|
||||
- request-key: Find least-wildcard match rather than first match.
|
||||
- Remove the dependency on MIT Kerberos.
|
||||
- Fix some error messages
|
||||
- keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
|
||||
- Fix doc and comment typos.
|
||||
- Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
|
||||
- Add pkg-config support for finding libkeyutils.
|
||||
|
||||
* Tue Aug 28 2018 David Howells <dhowells@redhat.com> 1.5.11-1
|
||||
- Add keyring restriction support.
|
||||
- Add KDF support to the Diffie-Helman function.
|
||||
- DNS: Add support for AFS config files and SRV records
|
||||
|
||||
* Sat Jul 21 2018 Peter Robinson <pbrobinson@fedoraproject.org> 1.5.10-8
|
||||
- Spec cleanups, add gcc build requires
|
||||
* Thu Apr 18 2019 David Howells <dhowells@redhat.com> - 1.5.10-7
|
||||
- Fix testsuite for rhel-8 (#1681963).
|
||||
|
||||
* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.5.10-6
|
||||
- Escape macros in %%changelog
|
||||
|
||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.10-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
||||
* Sat Feb 03 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.5.10-4
|
||||
- Switch to %%ldconfig_scriptlets
|
||||
|
||||
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.10-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||
|
||||
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.10-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||
|
||||
* Wed Mar 15 2017 David Howells <dhowells@redhat.com> - 1.5.10-1
|
||||
- Include sys/types.h in keyutils.h.
|
||||
- The dns resolver needs limits.h.
|
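--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (keyutils-1.5.10.tar.bz2) = 7f6f956c7e76cdc2aeb52e74fe670b20a5f9a5d9b543fd2ce971d80c48745f37d05235a42f0a8f152b1128a109c7d8bf07e751282a20d2d3f433a99a5308ae8d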
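--- /dev/null
+++ b/test-endianness-check.patch
@@ -0,0 +1,23 @@
+commit d0fedbf9257a0fed18030527fd094588df5873aa
+Author: David Howells <dhowells@redhat.com>
+Date: Tue Aug 21 23:24:03 2018 +0100
+
+TEST: Add a missing backslash
+
+Add a missing backslash into a regular expression in the toolbox.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+
+diff --git a/tests/toolbox.inc.sh b/tests/toolbox.inc.sh
+index 140be66..0ce6db0 100644
+--- a/tests/toolbox.inc.sh
++++ b/tests/toolbox.inc.sh
+@@ -13,7 +13,7 @@
+echo === $OUTPUTFILE ===
+
+endian=`file -L /proc/$$/exe`
+-if expr "$endian" : '.* MSB \+\(executable\|shared object).*' >&/dev/null
++if expr "$endian" : '.* MSB \+\(executable\|shared object\).*' >&/dev/null
+then
+endian=BE
+elif expr "$endian" : '.* LSB \+\(executable\|shared object\).*' >&/dev/null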
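--- /dev/null
+++ b/test-rhel8.patch
@@ -0,0 +1,27 @@
+commit 0b1654506039e614954e141aad3ceddb7018a2cb
+Author: David Howells <dhowells@redhat.com>
+Date: Wed Apr 17 15:42:30 2019 +0100
+
+TEST: Apply test exclusions for RHEL-8
+
+RHEL-8 doesn't enable the DH/KDF code, so disable the tests on all RHEL
+distributions for now.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+
+diff --git a/tests/prepare.inc.sh b/tests/prepare.inc.sh
+index ab9ae4d..9c4adda 100644
+--- a/tests/prepare.inc.sh
++++ b/tests/prepare.inc.sh
+@@ -96,7 +96,10 @@ fi
+# Work out whether Diffie-Hellman is supported by the kernel
+#
+have_dh_compute=0
+-if keyutils_at_or_later_than 1.5.10 && kernel_at_or_later_than 4.7-rc1
++if [ $OSDIST = RHEL ]
++then
++ :
++elif keyutils_at_or_later_than 1.5.10 && kernel_at_or_later_than 4.7-rc1
+then
+have_dh_compute=1
+fi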
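Review bot: `if [ $OSDIST = RHEL ]` expands the variable unquoted, so on any host where OSDIST is unset or empty (it is defined somewhere outside this hunk, presumably earlier in prepare.inc.sh) the test becomes `[ = RHEL ]`, which is a syntax error in `[` and falls through to the `elif` with an error printed; `if [ "$OSDIST" = RHEL ]` makes the comparison well-formed in every case. A short comment above the branch, such as `# RHEL kernels do not ship the DH/KDF code, so skip those tests there`, would also carry the commit message's reasoning into the script itself.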
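--- /dev/null
+++ b/ttl.patch
@@ -0,0 +1,448 @@
+commit 75e7568dc516db698093b33ea273e1b4a30b70be
+Author: David Howells <dhowells@redhat.com>
+Date: Tue, 14 Apr 2020 16:07:26 +0100
+
+dns: Apply a default TTL to records obtained from getaddrinfo()
+
+Address records obtained from getaddrinfo() don't come with any TTL
+information, even if they're obtained from the DNS, with the result that
+key.dns_resolver upcall program doesn't set an expiry time on dns_resolver
+records unless they include a component obtained directly from the DNS,
+such as an SRV or AFSDB record.
+
+Fix this to apply a default TTL of 10mins in the event that we haven't got
+one. This can be configured in /etc/keyutils/key.dns_resolver.conf by
+adding the line:
+
+default_ttl = <number-of-seconds>
+
+to the file.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Ben Boeckel <me@benboeckel.net>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+
+[dhowells: Cut down to remove kafs-specific bits]
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+Makefile | 1
+key.dns_resolver.c | 209 +++++++++++++++++++++++++++++++++++++++++---
+man/key.dns_resolver.8 | 25 ++++-
+man/key.dns_resolver.conf.5 | 48 ++++++++++
+4 files changed, 267 insertions(+), 16 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 824bbbf..c2b2460 100644
+--- a/Makefile
++++ b/Makefile
+@@ -175,6 +175,7 @@ endif
+$(INSTALL) -D key.dns_resolver $(DESTDIR)$(SBINDIR)/key.dns_resolver
+$(INSTALL) -D -m 0644 request-key.conf $(DESTDIR)$(ETCDIR)/request-key.conf
+mkdir -p $(DESTDIR)$(ETCDIR)/request-key.d
++ mkdir -p $(DESTDIR)$(ETCDIR)/keyutils
+mkdir -p $(DESTDIR)$(MAN1)
+$(INSTALL) -m 0644 $(wildcard man/*.1) $(DESTDIR)$(MAN1)
+mkdir -p $(DESTDIR)$(MAN3)
+diff --git a/key.dns_resolver.c b/key.dns_resolver.c
+index 849c8fe..f3052e6 100644
+--- a/key.dns_resolver.c
++++ b/key.dns_resolver.c
+@@ -53,10 +53,12 @@
+#include <string.h>
+#include <stdio.h>
+#include <stdarg.h>
++#include <stdbool.h>
+#include <keyutils.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <time.h>
++#include <ctype.h>
+
+static const char *DNS_PARSE_VERSION = "1.0";
+static const char prog[] = "key.dns_resolver";
+@@ -64,11 +66,13 @@ static const char key_type[] = "dns_resolver";
+static const char a_query_type[] = "a";
+static const char aaaa_query_type[] = "aaaa";
+static const char afsdb_query_type[] = "afsdb";
++static const char *config_file = "/etc/keyutils/key.dns_resolver.conf";
+static key_serial_t key;
++static unsigned int key_expiry = 5;
++static bool config_specified = false;
+static int verbose;
+static int debug_mode;
+
+-
+#define MAX_VLS 15 /* Max Volume Location Servers Per-Cell */
+#define INET_IP4_ONLY 0x1
+#define INET_IP6_ONLY 0x2
+@@ -132,6 +136,23 @@ void _error(const char *fmt, ...)
+va_end(va);
+}
+
++/*
++ * Print a warning to stderr or the syslog
++ */
++void warning(const char *fmt, ...)
++{
++ va_list va;
++
++ va_start(va, fmt);
++ if (isatty(2)) {
++ vfprintf(stderr, fmt, va);
++ fputc('\n', stderr);
++ } else {
++ vsyslog(LOG_WARNING, fmt, va);
++ }
++ va_end(va);
++}
++
+/*
+* Print status information
+*/
+@@ -302,6 +323,7 @@ static void dump_payload(void)
+}
+
+info("The key instantiation data is '%s'", buf);
++ info("The expiry time is %us", key_expiry);
+free(buf);
+}
+
+@@ -597,6 +619,9 @@ int dns_query_a_or_aaaa(const char *hostname, char *options)
+
+/* load the key with data key */
+if (!debug_mode) {
++ ret = keyctl_set_timeout(key, key_expiry);
++ if (ret == -1)
++ error("%s: keyctl_set_timeout: %m", __func__);
+ret = keyctl_instantiate_iov(key, payload, payload_index, 0);
+if (ret == -1)
+error("%s: keyctl_instantiate: %m", __func__);
+@@ -605,6 +630,157 @@ int dns_query_a_or_aaaa(const char *hostname, char *options)
+exit(0);
+}
+
++/*
++ * Read the config file.
++ */
++static void read_config(void)
++{
++ FILE *f;
++ char buf[4096], *b, *p, *k, *v;
++ unsigned int line = 0, u;
++ int n;
++
++ info("READ CONFIG %s", config_file);
++
++ f = fopen(config_file, "r");
++ if (!f) {
++ if (errno == ENOENT && !config_specified) {
++ debug("%s: %m", config_file);
++ return;
++ }
++ error("%s: %m", config_file);
++ }
++
++ while (fgets(buf, sizeof(buf) - 1, f)) {
++ line++;
++
++ /* Trim off leading and trailing spaces and discard whole-line
++ * comments.
++ */
++ b = buf;
++ while (isspace(*b))
++ b++;
++ if (!*b || *b == '#')
++ continue;
++ p = strchr(b, '\n');
++ if (!p)
++ error("%s:%u: line missing newline or too long", config_file, line);
++ while (p > buf && isspace(p[-1]))
++ p--;
++ *p = 0;
++
++ /* Split into key[=value] pairs and trim spaces. */
++ k = b;
++ v = NULL;
++ b = strchr(b, '=');
++ if (b) {
++ char quote = 0;
++ bool esc = false;
++
++ if (b == k)
++ error("%s:%u: Unspecified key",
++ config_file, line);
++
++ /* NUL-terminate the key. */
++ for (p = b - 1; isspace(*p); p--)
++ ;
++ p[1] = 0;
++
++ /* Strip leading spaces */
++ b++;
++ while (isspace(*b))
++ b++;
++ if (!*b)
++ goto missing_value;
++
++ if (*b == '"' || *b == '\'') {
++ quote = *b;
++ b++;
++ }
++ v = p = b;
++ while (*b) {
++ if (esc) {
++ switch (*b) {
++ case ' ':
++ case '\t':
++ case '"':
++ case '\'':
++ case '\\':
++ break;
++ default:
++ goto invalid_escape_char;
++ }
++ esc = false;
++ *p++ = *b++;
++ continue;
++ }
++ if (*b == '\\') {
++ esc = true;
++ b++;
++ continue;
++ }
++ if (*b == quote) {
++ b++;
++ if (*b)
++ goto post_quote_data;
++ quote = 0;
++ break;
++ }
++ if (!quote && *b == '#')
++ break; /* Terminal comment */
++ *p++ = *b++;
++ }
++
++ if (esc)
++ error("%s:%u: Incomplete escape", config_file, line);
++ if (quote)
++ error("%s:%u: Unclosed quotes", config_file, line);
++ *p = 0;
++ }
++
++ if (strcmp(k, "default_ttl") == 0) {
++ if (!v)
++ goto missing_value;
++ if (sscanf(v, "%u%n", &u, &n) != 1)
++ goto bad_value;
++ if (v[n])
++ goto extra_data;
++ if (u < 1 || u > INT_MAX)
++ goto out_of_range;
++ key_expiry = u;
++ } else {
++ warning("%s:%u: Unknown option '%s'", config_file, line, k);
++ }
++ }
++
++ if (ferror(f) || fclose(f) == EOF)
++ error("%s: %m", config_file);
++ return;
++
++missing_value:
++ error("%s:%u: %s: Missing value", config_file, line, k);
++invalid_escape_char:
++ error("%s:%u: %s: Invalid char in escape", config_file, line, k);
++post_quote_data:
++ error("%s:%u: %s: Data after closing quote", config_file, line, k);
++bad_value:
++ error("%s:%u: %s: Bad value", config_file, line, k);
++extra_data:
++ error("%s:%u: %s: Extra data supplied", config_file, line, k);
++out_of_range:
++ error("%s:%u: %s: Value out of range", config_file, line, k);
++}
++
++/*
++ * Dump the configuration after parsing the config file.
++ */
++static __attribute__((noreturn))
++void config_dumper(void)
++{
++ printf("default_ttl = %u\n", key_expiry);
++ exit(0);
++}
++
+/*
+* Print usage details,
+*/
+@@ -613,22 +789,24 @@ void usage(void)
+{
+if (isatty(2)) {
+fprintf(stderr,
+- "Usage: %s [-vv] key_serial\n",
++ "Usage: %s [-vv] [-c config] key_serial\n",
+prog);
+fprintf(stderr,
+- "Usage: %s -D [-vv] <desc> <calloutinfo>\n",
++ "Usage: %s -D [-vv] [-c config] <desc> <calloutinfo>\n",
+prog);
+} else {
+- info("Usage: %s [-vv] key_serial", prog);
++ info("Usage: %s [-vv] [-c config] key_serial", prog);
+}
+exit(2);
+}
+
+-const struct option long_options[] = {
+- { "debug", 0, NULL, 'D' },
+- { "verbose", 0, NULL, 'v' },
+- { "version", 0, NULL, 'V' },
+- { NULL, 0, NULL, 0 }
++static const struct option long_options[] = {
++ { "config", 0, NULL, 'c' },
++ { "debug", 0, NULL, 'D' },
++ { "dump-config", 0, NULL, 2 },
++ { "verbose", 0, NULL, 'v' },
++ { "version", 0, NULL, 'V' },
++ { NULL, 0, NULL, 0 }
+};
+
+/*
+@@ -640,11 +818,19 @@ int main(int argc, char *argv[])
+char *keyend, *p;
+char *callout_info = NULL;
+char *buf = NULL, *name;
++ bool dump_config = false;
+
+openlog(prog, 0, LOG_DAEMON);
+
+- while ((ret = getopt_long(argc, argv, "vDV", long_options, NULL)) != -1) {
++ while ((ret = getopt_long(argc, argv, "c:vDV", long_options, NULL)) != -1) {
+switch (ret) {
++ case 'c':
++ config_file = optarg;
++ config_specified = true;
++ continue;
++ case 2:
++ dump_config = true;
++ continue;
+case 'D':
+debug_mode = 1;
+continue;
+@@ -666,6 +852,9 @@ int main(int argc, char *argv[])
+
+argc -= optind;
+argv += optind;
++ read_config();
++ if (dump_config)
++ config_dumper();
+
+if (!debug_mode) {
+if (argc != 1)
+diff --git a/man/key.dns_resolver.8 b/man/key.dns_resolver.8
+index e1882e0..0b17edd 100644
+--- a/man/key.dns_resolver.8
++++ b/man/key.dns_resolver.8
+@@ -7,28 +7,41 @@
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+-.TH KEY.DNS_RESOLVER 8 "04 Mar 2011" Linux "Linux Key Management Utilities"
++.TH KEY.DNS_RESOLVER 8 "18 May 2020" Linux "Linux Key Management Utilities"
+.SH NAME
+key.dns_resolver \- upcall for request\-key to handle dns_resolver keys
+.SH SYNOPSIS
+\fB/sbin/key.dns_resolver \fR<key>
+.br
+-\fB/sbin/key.dns_resolver \fR\-D [\-v] [\-v] <keydesc> <calloutinfo>
++\fB/sbin/key.dns_resolver \fR--dump-config [\-c <configfile>]
++.br
++\fB/sbin/key.dns_resolver \fR\-D [\-v] [\-v] [\-c <configfile>] <desc>
++.br
++<calloutinfo>
+.SH DESCRIPTION
+This program is invoked by request\-key on behalf of the kernel when kernel
+services (such as NFS, CIFS and AFS) want to perform a hostname lookup and the
+kernel does not have the key cached. It is not ordinarily intended to be
+called directly.
+.P
+-It can be called in debugging mode to test its functionality by passing a
+-\fB\-D\fR flag on the command line. For this to work, the key description and
+-the callout information must be supplied. Verbosity can be increased by
+-supplying one or more \fB\-v\fR flags.
++There program has internal parameters that can be changed with a configuration
++file (see key.dns_resolver.conf(5) for more information). The default
++configuration file is in /etc, but this can be overridden with the \fB-c\fR
++flag.
++.P
++The program can be called in debugging mode to test its functionality by
++passing a \fB\-D\fR or \fB\--debug\fR flag on the command line. For this to
++work, the key description and the callout information must be supplied.
++Verbosity can be increased by supplying one or more \fB\-v\fR flags.
++.P
++The program may also be called with \fB--dump-config\fR to show the values that
++configurable parameters will have after parsing the config file.
+.SH ERRORS
+All errors will be logged to the syslog.
+.SH SEE ALSO
+.ad l
+.nh
++.BR key.dns_resolver.conf (5),
+.BR request\-key.conf (5),
+.BR keyrings (7),
+.BR request\-key (8)
+diff --git a/man/key.dns_resolver.conf.5 b/man/key.dns_resolver.conf.5
+new file mode 100644
+index 0000000..c944ad5
+--- /dev/null
++++ b/man/key.dns_resolver.conf.5
+@@ -0,0 +1,48 @@
++.\" -*- nroff -*-
++.\" Copyright (C) 2020 Red Hat, Inc. All Rights Reserved.
++.\" Written by David Howells (dhowells@redhat.com)
++.\"
++.\" This program is free software; you can redistribute it and/or
++.\" modify it under the terms of the GNU General Public License
++.\" as published by the Free Software Foundation; either version
++.\" 2 of the License, or (at your option) any later version.
++.\"
++.TH KEY.DNS_RESOLVER.CONF 5 "18 May 2020" Linux "Linux Key Management Utilities"
++.SH NAME
++key.dns_resolver.conf \- Kernel DNS resolver config
++.SH DESCRIPTION
++This file is used by the key.dns_resolver(5) program to set parameters.
++Unless otherwise overridden with the \fB\-c\fR flag, the program reads:
++.IP
++/etc/key.dns_resolver.conf
++.P
++Configuration options are given in \fBkey[=value]\fR form, where \fBvalue\fR is
++optional. If present, the value may be surrounded by a pair of single ('') or
++double quotes ("") which will be stripped off. The special characters in the
++value may be escaped with a backslash to turn them into ordinary characters.
++.P
++Lines beginning with a '#' are considered comments and ignored. A '#' symbol
++anywhere after the '=' makes the rest of the line into a comment unless the '#'
++is inside a quoted section or is escaped.
++.P
++Leading and trailing spaces and spaces around the '=' symbol will be stripped
++off.
++.P
++Available options include:
++.TP
++.B default_ttl=<number>
++The number of seconds to set as the expiration on a cached record. This will
++be overridden if the program manages to retrieve TTL information along with
++the addresses (if, for example, it accesses the DNS directly). The default is
++5 seconds. The value must be in the range 1 to INT_MAX.
++.P
++The file can also include comments beginning with a '#' character unless
++otherwise suppressed by being inside a quoted value or being escaped with a
++backslash.
++
++.SH FILES
++.ul
++/etc/key.dns_resolver.conf
++.ul 0
++.SH SEE ALSO
++\fBkey.dns_resolver\fR(8)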
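Review bot: `{ "config", 0, NULL, 'c' },` in long_options declares `--config` as taking no argument while the short-option string is `"c:"`, so `--config FILE` returns 'c' with `optarg` NULL, `config_file = optarg;` stores a null pointer, and read_config then calls `fopen(config_file, "r")` on it; the entry should be `{ "config", 1, NULL, 'c' },` (required_argument) to match `-c`. The new key.dns_resolver.conf.5 also disagrees with the code: it names `/etc/key.dns_resolver.conf` twice and cites `key.dns_resolver(5)`, whereas `config_file` is initialised to `/etc/keyutils/key.dns_resolver.conf` (the path the Makefile hunk creates) and the program's own page is section 8. In read_config, `isspace(*b)` and `isspace(p[-1])` pass a plain `char`; where char is signed a non-ASCII byte in the file is a negative value, which the <ctype.h> functions do not accept, so `isspace((unsigned char)*b)` is the portable spelling. The commit message says the default TTL is 10 minutes, but `key_expiry = 5` and the man page say 5 seconds, which is worth reconciling before the patch is carried downstream; the remainder of main and dns_query_a_or_aaaa lies outside their hunks.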