rpms/opendnssec
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:stream-idm-client-rhel-8.9.0
Branches Tags
rpms:c8-stream-DL1
rpms:c9
rpms:c9-beta
rpms:c9s
rpms:stream-idm-DL1-rhel-8.10.0
rpms:c10s
rpms:stream-idm-client-rhel-8.9.0
rpms:stream-idm-DL1-rhel-8.9.0
rpms:c8-beta-stream-client
rpms:c8-beta-stream-DL1
rpms:c8s-stream-client
rpms:c8s-stream-DL1
rpms:c8-stream-client
rpms:imports/c9/opendnssec-2.1.10-4.el9
rpms:imports/c9-beta/opendnssec-2.1.10-4.el9
rpms:imports/c8-stream-DL1/opendnssec-2.1.7-2.el8_10
rpms:imports/c10s/opendnssec-2.1.14-1.el10
rpms:imports/c10s/opendnssec-2.1.14-0.3rc1.el10
rpms:imports/c10s/opendnssec-2.1.14-0.2rc1.el10
rpms:imports/c9/opendnssec-2.1.10-1.el9
rpms:imports/c9-beta/opendnssec-2.1.10-1.el9
rpms:imports/c9/opendnssec-2.1.8-4.el9
rpms:imports/c9-beta/opendnssec-2.1.8-4.el9
rpms:imports/c8-beta-stream-client/opendnssec-2.1.7-1.module+el8.4.0+9008+94c5103b
rpms:imports/c8-beta-stream-DL1/opendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8
rpms:imports/c8-beta-stream-DL1/opendnssec-2.1.6-2.module+el8.3.0+6580+328a3362
rpms:imports/c8-beta-stream-DL1/opendnssec-1.4.14-1.module+el8.1.0+4098+f286395e
rpms:imports/c8-beta-stream-DL1/opendnssec-1.4.14-1.module+el8.1.0+3389+a3c612fa
rpms:imports/c8s-stream-client/opendnssec-2.1.7-1.module+el8.4.0+9008+94c5103b
rpms:imports/c8s-stream-client/opendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8
rpms:imports/c8s-stream-client/opendnssec-2.1.6-2.module+el8.3.0+6912+d1822d97
rpms:imports/c8s-stream-client/opendnssec-2.1.6-1.module+el8.3.0+6435+48492812
rpms:imports/c8s-stream-DL1/opendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8
rpms:imports/c8s-stream-DL1/opendnssec-2.1.6-2.module+el8.3.0+6580+328a3362
rpms:imports/c8-stream-client/opendnssec-2.1.7-1.module+el8.4.0+9008+94c5103b
rpms:imports/c8-stream-DL1/opendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8
rpms:imports/c8-stream-DL1/opendnssec-2.1.6-2.module+el8.3.0+6580+328a3362
rpms:imports/c8-stream-DL1/opendnssec-1.4.14-1.module+el8+2555+b334d87b
rpms:imports/c8-stream-DL1/opendnssec-1.4.14-1.module+el8.1.0+4098+f286395e
...
pull from: rpms:c8-stream-DL1
Branches Tags
rpms:c9
rpms:c9-beta
rpms:c9s
rpms:c8-stream-DL1
rpms:stream-idm-DL1-rhel-8.10.0
rpms:c10s
rpms:stream-idm-client-rhel-8.9.0
rpms:stream-idm-DL1-rhel-8.9.0
rpms:c8-beta-stream-client
rpms:c8-beta-stream-DL1
rpms:c8s-stream-client
rpms:c8s-stream-DL1
rpms:c8-stream-client
rpms:imports/c9/opendnssec-2.1.10-4.el9
rpms:imports/c9-beta/opendnssec-2.1.10-4.el9
rpms:imports/c8-stream-DL1/opendnssec-2.1.7-2.el8_10
rpms:imports/c10s/opendnssec-2.1.14-1.el10
rpms:imports/c10s/opendnssec-2.1.14-0.3rc1.el10
rpms:imports/c10s/opendnssec-2.1.14-0.2rc1.el10
rpms:imports/c9/opendnssec-2.1.10-1.el9
rpms:imports/c9-beta/opendnssec-2.1.10-1.el9
rpms:imports/c9/opendnssec-2.1.8-4.el9
rpms:imports/c9-beta/opendnssec-2.1.8-4.el9
rpms:imports/c8-beta-stream-client/opendnssec-2.1.7-1.module+el8.4.0+9008+94c5103b
rpms:imports/c8-beta-stream-DL1/opendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8
rpms:imports/c8-beta-stream-DL1/opendnssec-2.1.6-2.module+el8.3.0+6580+328a3362
rpms:imports/c8-beta-stream-DL1/opendnssec-1.4.14-1.module+el8.1.0+4098+f286395e
rpms:imports/c8-beta-stream-DL1/opendnssec-1.4.14-1.module+el8.1.0+3389+a3c612fa
rpms:imports/c8s-stream-client/opendnssec-2.1.7-1.module+el8.4.0+9008+94c5103b
rpms:imports/c8s-stream-client/opendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8
rpms:imports/c8s-stream-client/opendnssec-2.1.6-2.module+el8.3.0+6912+d1822d97
rpms:imports/c8s-stream-client/opendnssec-2.1.6-1.module+el8.3.0+6435+48492812
rpms:imports/c8s-stream-DL1/opendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8
rpms:imports/c8s-stream-DL1/opendnssec-2.1.6-2.module+el8.3.0+6580+328a3362
rpms:imports/c8-stream-client/opendnssec-2.1.7-1.module+el8.4.0+9008+94c5103b
rpms:imports/c8-stream-DL1/opendnssec-2.1.7-1.module+el8.4.0+9007+5084bdd8
rpms:imports/c8-stream-DL1/opendnssec-2.1.6-2.module+el8.3.0+6580+328a3362
rpms:imports/c8-stream-DL1/opendnssec-1.4.14-1.module+el8+2555+b334d87b
rpms:imports/c8-stream-DL1/opendnssec-1.4.14-1.module+el8.1.0+4098+f286395e

No commits in common. "stream-idm-client-rhel-8.9.0" and "c8-stream-DL1" have entirely different histories.
stream-idm ... c8-stream-

20 changed files with 6 additions and 687 deletions
Show Stats Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,2 +1 @@
SOURCES/opendnssec-2.1.7.tar.gz
/opendnssec-2.1.7.tar.gz

1
.opendnssec.metadata Normal file
View File

@ -0,0 +1 @@
0277e4f54098bea74809e3d8e6cad1a435570349 SOURCES/opendnssec-2.1.7.tar.gz

0
conf.xml → SOURCES/conf.xml
View File

0
ods-enforcerd.service → SOURCES/ods-enforcerd.service
View File

0
ods-signerd.service → SOURCES/ods-signerd.service
View File

0
ods.sysconfig → SOURCES/ods.sysconfig
View File

0
opendnssec-2.1.sqlite_convert.sql → SOURCES/opendnssec-2.1.sqlite_convert.sql
View File

0
opendnssec-2.1.sqlite_rpmversion.sql → SOURCES/opendnssec-2.1.sqlite_rpmversion.sql
View File

0
opendnssec.cron → SOURCES/opendnssec.cron
View File

0
tmpfiles-opendnssec.conf → SOURCES/tmpfiles-opendnssec.conf
View File

8
opendnssec.spec → SPECS/opendnssec.spec
View File

@ -4,7 +4,7 @@
Summary: DNSSEC key and zone management software
Name: opendnssec
Version: 2.1.7
Release: 1%{?prever}%{?dist}
Release: 2%{?prever}%{?dist}
License: BSD
Url: http://www.opendnssec.org/
Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
@ -77,7 +77,6 @@ install -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/ods
install -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/opendnssec/
mkdir -p %{buildroot}%{_tmpfilesdir}/
install -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/opendnssec.conf
mkdir -p %{buildroot}%{_localstatedir}/run/opendnssec
mkdir -p %{buildroot}%{_datadir}/opendnssec/
cp -a enforcer/utils %{buildroot}%{_datadir}/opendnssec/migration
cp -a enforcer/src/db/schema.* %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/
@ -103,7 +102,6 @@ sed -i "s:sqlite_convert.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert
%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/enforcer
%attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ods
%attr(0770,root,ods) %dir %{_localstatedir}/run/opendnssec
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/cron.d/opendnssec
%doc NEWS README.md
%license LICENSE
@ -177,6 +175,10 @@ ods-enforcer update all >/dev/null 2>/dev/null ||:
%systemd_postun_with_restart ods-signerd.service
%changelog
* Mon Mar 10 2025 Rafael Jeffman <rjeffman@redhat.com> - 2.1.7-2
- Don't creat /var/run/opendnssec directory
- Resolves: RHEL-12163
* Fri Dec 04 2020 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.7-1
- Upstream release 2.1.7
- Resolves: rhbz#1904484

7
gating.yaml
View File

@ -1,7 +0,0 @@
# recipients: abokovoy, frenaud, kaleem, ftrivino
--- !Policy
product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}

106
ods-enforcerd.init
View File

@ -1,106 +0,0 @@
#!/bin/bash
#
# ods-enforcerd: Starts the OpenDNSSEC Enforcer Daemon
#
# chkconfig: - 13 87
# description: ods-enforcerd is the OpenDNSSEC DNSSEC policy enforcer daemon
# processname: /usr/sbin/ods-enforcerd
# config: /etc/opendnssec/conf.xml
#
### BEGIN INIT INFO
# Provides: ods-enforcerd
# Required-Start: $local_fs $network $syslog
# Required-Stop: $local_fs $network $syslog
# Default-Stop: 0 11 89
# Short-Description: start|stop|status|restart|try-restart| OpenDNSSEC Enforcer Daemon
# Description: control OpenDNSSEC enforcer daemon
### END INIT INFO
# Init script default settings
ODS_ENFORCERD_CONF="/etc/opendnssec/conf.xml"
ODS_ENFORCERD_OPT=""
ODS_ENFORCERD_PROG="/usr/sbin/ods-enforcerd"
ODS_ENFORCERD_PIDFILE="/var/run/opendnssec/enforcerd.pid"
PIDDIR="/var/run/opendnssec"
# Source function library.
. /etc/rc.d/init.d/functions
[ -r /etc/sysconfig/ods ] && . /etc/sysconfig/ods
# Check that networking is configured.
[ "${NETWORKING}" = "no" ] && exit 0
start() {
# Source networking configuration.
[ -r /etc/sysconfig/network ] && . /etc/sysconfig/network
# Check that networking is up
[ "${NETWORKING}" = "no" ] && exit 1
# Sanity checks.
[ -f $ODS_ENFORCERD_CONF ] || exit 5
[ -x $ODS_ENFORCERD_PROG ] || exit 5
# /var/run could (and should) be tmpfs
[ -d $PIDDIR ] || mkdir -p $PIDDIR
echo -n $"Starting ods-enforcerd:"
$ODS_ENFORCERD_PROG -c $ODS_ENFORCERD_CONF $ODS_ENFORCERD_OPT
RETVAL=$?
if [ $RETVAL -eq 0 ]; then
touch /var/lock/subsys/ods-enforcerd;
success
echo
else
failure
echo
exit 7;
fi
return 0;
}
stop() {
echo -n $"Stopping ods-enforcerd: "
killproc -p $ODS_ENFORCERD_PIDFILE $ODS_ENFORCERD_PROG
retval=$?
if [ $retval -eq 0 ] ; then
rm -f $ODS_ENFORCERD_PIDFILE
rm -f /var/lock/subsys/ods-enforcerd
success
else
failure
fi
echo
return $retval
}
restart() {
stop
start
}
RETVAL=0
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
condrestart)
[ -f /var/lock/subsys/ods-enforcerd ] && restart || :
;;
status)
status -p $ODS_ENFORCERD_PIDFILE $ODS_ENFORCERD_PROG
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart}"
exit 1
esac
exit $?

112
ods-signerd.init
View File

@ -1,112 +0,0 @@
#!/bin/bash
#
# ods-signerd: Starts the OpenDNSSEC Signer Daemon
#
# chkconfig: - 13 87
# description: ods-signerd is the OpenDNSSEC DNSSEC zone signer daemon
# processname: /usr/sbin/ods-signerd
# config: /etc/opendnssec/conf.xml
#
### BEGIN INIT INFO
# Provides: ods-signerd
# Required-Start: $local_fs $network $syslog
# Required-Stop: $local_fs $network $syslog
# Default-Stop: 0 11 89
# Short-Description: start|stop|status|restart|try-restart|reload|force-reload OpenDNSSEC Signer Daemon
# Description: control OpenDNSSEC signer daemon
### END INIT INFO
# Init script default settings
ODS_SIGNERD_CONF="/etc/opendnssec/conf.xml"
ODS_SIGNERD_OPT=""
ODS_SIGNERD_PROG="/usr/sbin/ods-signerd"
ODS_SIGNER_PROG="/usr/sbin/ods-signer"
ODS_SIGNERD_PIDFILE="/var/run/opendnssec/signerd.pid"
PIDDIR="/var/run/opendnssec"
# Source function library.
. /etc/rc.d/init.d/functions
[ -r /etc/sysconfig/ods ] && . /etc/sysconfig/ods
# Check that networking is configured.
[ "${NETWORKING}" = "no" ] && exit 0
start() {
# Source networking configuration.
[ -r /etc/sysconfig/network ] && . /etc/sysconfig/network
# Check that networking is up
[ "${NETWORKING}" = "no" ] && exit 1
# Sanity checks.
[ -f $ODS_SIGNERD_CONF ] || exit 5
[ -x $ODS_SIGNERD_PROG ] || exit 5
# /var/run could (and should) be tmpfs
[ -d $PIDDIR ] || mkdir -p $PIDDIR
echo -n $"Starting ods-signerd:"
# ods-signerd is lying about supporting -c conf.file option :(
# $ODS_SIGNERD_PROG -c $ODS_SIGNERD_CONF $ODS_SIGNERD_OPT
$ODS_SIGNERD_PROG $ODS_SIGNERD_OPT
RETVAL=$?
if [ $RETVAL -eq 0 ]; then
touch /var/lock/subsys/ods-signerd;
success
echo
else
failure
echo
exit 7;
fi
return 0;
}
stop() {
echo -n $"Stopping ods-signerd: "
#$ODS_SIGNER_PROG -c $ODS_SIGNERD_CONF stop
# seems that this loses our settings :(
/usr/sbin/ods-signer stop
RETVAL=$?
[ "$RETVAL" -eq 0 ] || killproc $ODS_SIGNERD_PROG -TERM >/dev/null 2>&1
if [ $RETVAL -eq 0 ] ; then
rm -f $ODS_SIGNERD_PIDFILE
rm -f /var/lock/subsys/ods-signerd
success
else
failure
fi
echo
return $RETVAL
}
restart() {
stop
start
}
RETVAL=0
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
condrestart)
[ -f /var/lock/subsys/ods-signerd ] && restart || :
;;
status)
status -p $ODS_SIGNERD_PIDFILE $ODS_SIGNERD_PROG
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart}"
exit 1
esac
exit $?

95
opendnssec-1.4.13-openssl1.1.patch
View File

@ -1,95 +0,0 @@
From e2bbb899195ea98b6b5f6c972ab764a53b387789 Mon Sep 17 00:00:00 2001
From: Yuri Schaeffer <yuri@nlnetlabs.nl>
Date: Fri, 4 Nov 2016 15:35:06 +0100
Subject: [PATCH] HMAC_CTX_init deprecated in openssl-1.1.0
---
m4/acx_ssl.m4 | 12 +++++++++---
signer/src/Makefile.am | 4 ++--
signer/src/wire/tsig-openssl.c | 15 ++++++++++++---
3 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/m4/acx_ssl.m4 b/m4/acx_ssl.m4
index 1dc6e40..3d64626 100644
--- a/m4/acx_ssl.m4
+++ b/m4/acx_ssl.m4
@@ -35,12 +35,18 @@ AC_DEFUN([ACX_SSL], [
if test x_$ssldir = x_/usr/sfw; then
SSL_LIBS="$SSL_LIBS -R$ssldir/lib";
fi
- AC_CHECK_LIB(crypto, HMAC_CTX_init,, [
- AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
- ])
+ AC_CHECK_LIB(crypto, HMAC_CTX_reset, [
+ AC_DEFINE_UNQUOTED([HAVE_SSL_NEW_HMAC], [], [Define if you have the SSL libraries with new HMAC related functions.])
+ SSL_LIBS="$SSL_LIBS -lcrypto";
+ ], [
+ AC_CHECK_LIB(crypto, HMAC_CTX_init,, [
+ AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
+ ])
+ ] )
AC_CHECK_FUNCS([EVP_sha1 EVP_sha256])
fi
AC_SUBST(HAVE_SSL)
+ AC_SUBST(HAVE_SSL_NEW_HMAC)
AC_SUBST(SSL_INCLUDES)
AC_SUBST(SSL_LIBS)
fi
diff --git a/signer/src/Makefile.am b/signer/src/Makefile.am
index 60e8877..b39eac8 100644
--- a/signer/src/Makefile.am
+++ b/signer/src/Makefile.am
@@ -133,7 +133,7 @@ ods_signer_SOURCES= ods-signer.c \
wire/xfrd.c wire/xfrd.h
ods_signer_LDADD= $(LIBHSM)
-ods_signer_LDADD+= @LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@
+ods_signer_LDADD+= @LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@ @SSL_LIBS@
ods_signer_LDADD+= $(LIBCOMPAT)
ods_getconf_SOURCES= ods-getconf.c \
@@ -193,5 +193,5 @@ ods_getconf_SOURCES= ods-getconf.c \
wire/xfrd.c wire/xfrd.h
ods_getconf_LDADD= $(LIBHSM)
-ods_getconf_LDADD+= @LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@
+ods_getconf_LDADD+= @SSL_LIBS@ @LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@
ods_getconf_LDADD+= $(LIBCOMPAT)
diff --git a/signer/src/wire/tsig-openssl.c b/signer/src/wire/tsig-openssl.c
index c26b1e7..24fd342 100644
--- a/signer/src/wire/tsig-openssl.c
+++ b/signer/src/wire/tsig-openssl.c
@@ -131,8 +131,11 @@ static void
cleanup_context(void *data)
{
HMAC_CTX* context = (HMAC_CTX*) data;
+#ifdef HAVE_SSL_NEW_HMAC
+ HMAC_CTX_free(context);
+#else
HMAC_CTX_cleanup(context);
- return;
+#endif
}
static void
@@ -155,9 +158,15 @@ context_add_cleanup(void* context)
static void*
create_context(allocator_type* allocator)
{
- HMAC_CTX* context = (HMAC_CTX*) allocator_alloc(allocator,
- sizeof(HMAC_CTX));
+ HMAC_CTX* context;
+#ifdef HAVE_SSL_NEW_HMAC
+ context = HMAC_CTX_new();
+ if (!context) return NULL;
+ HMAC_CTX_reset(context);
+#else
+ context = (HMAC_CTX*) allocator_alloc(allocator, sizeof(HMAC_CTX));
HMAC_CTX_init(context);
+#endif
context_add_cleanup(context);
return context;
}
--
2.9.3

13
opendnssec-1.4.5-serial0.patch
View File

@ -1,13 +0,0 @@
diff -Naur opendnssec-1.4.5-orig/signer/src/adapter/addns.c opendnssec-1.4.5/signer/src/adapter/addns.c
--- opendnssec-1.4.5-orig/signer/src/adapter/addns.c 2014-03-25 06:45:44.000000000 +0000
+++ opendnssec-1.4.5/signer/src/adapter/addns.c 2014-04-18 16:26:39.079974120 +0000
@@ -243,7 +243,8 @@
tmp_serial =
ldns_rdf2native_int32(ldns_rr_rdf(rr, SE_SOA_RDATA_SERIAL));
old_serial = adapi_get_serial(zone);
- if (!util_serial_gt(tmp_serial, old_serial)) {
+ if (!util_serial_gt(tmp_serial, old_serial)
+ && zone->db->is_initialized) {
ods_log_info("[%s] zone %s is already up to date, have "
"serial %u, got serial %u", adapter_str, zone->name,
old_serial, tmp_serial);

168
opendnssec-1.4.6-extract.patch
View File

@ -1,168 +0,0 @@
commit 672d2c75ccd3cd5f2317bb76af4c9cc4e5aa4a37
Author: Petr Spacek <pspacek@redhat.com>
Date: Fri Jul 18 16:19:36 2014 +0200
add libhsm configuration option <AllowExtraction/>
This option allows user to generate private keys with CKA_EXTRACTABLE
flag set to TRUE. Defaults to FALSE.
diff --git a/NEWS b/NEWS
index 4db7038..2efa176 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,8 @@
+* Enforcer: New repository option <AllowExtraction/> allows to generate keys
+ with CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped
+ and extracted from HSM.
+
+
OpenDNSSEC 1.4.6 - 2014-07-21
* Signer Engine: Print secondary server address when logging notify reply
diff --git a/conf/conf.rnc b/conf/conf.rnc
index 71d527f..65f837e 100644
--- a/conf/conf.rnc
+++ b/conf/conf.rnc
@@ -50,7 +50,10 @@ start = element Configuration {
element RequireBackup { empty }?,
# Do not maintain public keys in the repository (optional)
- element SkipPublicKey { empty }?
+ element SkipPublicKey { empty }?,
+
+ # Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional)
+ element AllowExtraction { empty }?
}*
},
diff --git a/conf/conf.xml.in b/conf/conf.xml.in
index 0ef2ab9..0536681 100644
--- a/conf/conf.xml.in
+++ b/conf/conf.xml.in
@@ -9,6 +9,9 @@
<TokenLabel>OpenDNSSEC</TokenLabel>
<PIN>1234</PIN>
<SkipPublicKey/>
+ <!--
+ <AllowExtraction/>
+ -->
</Repository>
<!--
diff --git a/libhsm/src/lib/libhsm.c b/libhsm/src/lib/libhsm.c
index d723b31..1f9720e 100644
--- a/libhsm/src/lib/libhsm.c
+++ b/libhsm/src/lib/libhsm.c
@@ -504,6 +504,7 @@ static void
hsm_config_default(hsm_config_t *config)
{
config->use_pubkey = 1;
+ config->allow_extract = 0;
}
/* creates a session_t structure, and automatically adds and initializes
@@ -2054,6 +2055,8 @@ hsm_open(const char *config,
module_pin = (char *) xmlNodeGetContent(curNode);
if (xmlStrEqual(curNode->name, (const xmlChar *)"SkipPublicKey"))
module_config.use_pubkey = 0;
+ if (xmlStrEqual(curNode->name, (const xmlChar *)"AllowExtraction"))
+ module_config.allow_extract = 1;
curNode = curNode->next;
}
@@ -2341,10 +2344,12 @@ hsm_generate_rsa_key(hsm_ctx_t *ctx,
CK_BBOOL ctrue = CK_TRUE;
CK_BBOOL cfalse = CK_FALSE;
CK_BBOOL ctoken = CK_TRUE;
+ CK_BBOOL cextractable = CK_FALSE;
if (!ctx) ctx = _hsm_ctx;
session = hsm_find_repository_session(ctx, repository);
if (!session) return NULL;
+ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
/* check whether this key doesn't happen to exist already */
do {
@@ -2380,7 +2385,7 @@ hsm_generate_rsa_key(hsm_ctx_t *ctx,
{ CKA_SENSITIVE, &ctrue, sizeof (ctrue) },
{ CKA_TOKEN, &ctrue, sizeof (ctrue) },
{ CKA_PRIVATE, &ctrue, sizeof (ctrue) },
- { CKA_EXTRACTABLE, &cfalse, sizeof (cfalse) }
+ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) }
};
rv = ((CK_FUNCTION_LIST_PTR)session->module->sym)->C_GenerateKeyPair(session->session,
@@ -2420,6 +2425,7 @@ hsm_generate_dsa_key(hsm_ctx_t *ctx,
CK_OBJECT_HANDLE domainPar, publicKey, privateKey;
CK_BBOOL ctrue = CK_TRUE;
CK_BBOOL cfalse = CK_FALSE;
+ CK_BBOOL cextractable = CK_FALSE;
/* ids we create are 16 bytes of data */
unsigned char id[16];
@@ -2466,12 +2472,13 @@ hsm_generate_dsa_key(hsm_ctx_t *ctx,
{ CKA_SENSITIVE, &ctrue, sizeof(ctrue) },
{ CKA_TOKEN, &ctrue, sizeof(ctrue) },
{ CKA_PRIVATE, &ctrue, sizeof(ctrue) },
- { CKA_EXTRACTABLE, &cfalse, sizeof(cfalse) }
+ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) }
};
if (!ctx) ctx = _hsm_ctx;
session = hsm_find_repository_session(ctx, repository);
if (!session) return NULL;
+ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
/* check whether this key doesn't happen to exist already */
@@ -2533,6 +2540,7 @@ hsm_generate_gost_key(hsm_ctx_t *ctx,
CK_OBJECT_HANDLE publicKey, privateKey;
CK_BBOOL ctrue = CK_TRUE;
CK_BBOOL cfalse = CK_FALSE;
+ CK_BBOOL cextractable = CK_FALSE;
/* ids we create are 16 bytes of data */
unsigned char id[16];
@@ -2569,12 +2577,13 @@ hsm_generate_gost_key(hsm_ctx_t *ctx,
{ CKA_SENSITIVE, &ctrue, sizeof(ctrue) },
{ CKA_TOKEN, &ctrue, sizeof(ctrue) },
{ CKA_PRIVATE, &ctrue, sizeof(ctrue) },
- { CKA_EXTRACTABLE, &cfalse, sizeof(cfalse) }
+ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) }
};
if (!ctx) ctx = _hsm_ctx;
session = hsm_find_repository_session(ctx, repository);
if (!session) return NULL;
+ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
/* check whether this key doesn't happen to exist already */
diff --git a/libhsm/src/lib/libhsm.h b/libhsm/src/lib/libhsm.h
index 45d110a..08224b8 100644
--- a/libhsm/src/lib/libhsm.h
+++ b/libhsm/src/lib/libhsm.h
@@ -75,6 +75,7 @@
/*! HSM configuration */
typedef struct {
unsigned int use_pubkey; /*!< Maintain public keys in HSM */
+ unsigned int allow_extract; /*!< Generate CKA_EXTRACTABLE private keys */
} hsm_config_t;
/*! Data type to describe an HSM */
--- a/conf/conf.rng
+++ b/conf/conf.rng
@@ -71,6 +71,12 @@
<empty/>
</element>
</optional>
+ <optional>
+ <!-- Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional) -->
+ <element name="AllowExtraction">
+ <empty/>
+ </element>
+ </optional>
</element>
</zeroOrMore>
</element>

156
opendnssec-1.4.7-extract.patch
View File

@ -1,156 +0,0 @@
diff -Naur opendnssec-1.4.7-orig/conf/conf.rnc opendnssec-1.4.7/conf/conf.rnc
--- opendnssec-1.4.7-orig/conf/conf.rnc 2014-12-04 10:17:40.000000000 -0500
+++ opendnssec-1.4.7/conf/conf.rnc 2014-12-08 22:49:16.100212010 -0500
@@ -50,7 +50,10 @@
element RequireBackup { empty }?,
# Do not maintain public keys in the repository (optional)
- element SkipPublicKey { empty }?
+ element SkipPublicKey { empty }?,
+
+ # Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional)
+ element AllowExtraction { empty }?
}*
},
diff -Naur opendnssec-1.4.7-orig/conf/conf.rng opendnssec-1.4.7/conf/conf.rng
--- opendnssec-1.4.7-orig/conf/conf.rng 2014-12-04 10:18:39.000000000 -0500
+++ opendnssec-1.4.7/conf/conf.rng 2014-12-08 22:49:16.105212137 -0500
@@ -71,6 +71,12 @@
<empty/>
</element>
</optional>
+ <optional>
+ <!-- Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional) -->
+ <element name="AllowExtraction">
+ <empty/>
+ </element>
+ </optional>
</element>
</zeroOrMore>
</element>
diff -Naur opendnssec-1.4.7-orig/conf/conf.xml.in opendnssec-1.4.7/conf/conf.xml.in
--- opendnssec-1.4.7-orig/conf/conf.xml.in 2014-12-04 10:17:40.000000000 -0500
+++ opendnssec-1.4.7/conf/conf.xml.in 2014-12-08 22:49:16.101212036 -0500
@@ -9,6 +9,9 @@
<TokenLabel>OpenDNSSEC</TokenLabel>
<PIN>1234</PIN>
<SkipPublicKey/>
+ <!--
+ <AllowExtraction/>
+ -->
</Repository>
<!--
diff -Naur opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.c opendnssec-1.4.7/libhsm/src/lib/libhsm.c
--- opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.c 2014-12-04 10:17:40.000000000 -0500
+++ opendnssec-1.4.7/libhsm/src/lib/libhsm.c 2014-12-08 22:49:16.102212061 -0500
@@ -504,6 +504,7 @@
hsm_config_default(hsm_config_t *config)
{
config->use_pubkey = 1;
+ config->allow_extract = 0;
}
/* creates a session_t structure, and automatically adds and initializes
@@ -2054,6 +2055,8 @@
module_pin = (char *) xmlNodeGetContent(curNode);
if (xmlStrEqual(curNode->name, (const xmlChar *)"SkipPublicKey"))
module_config.use_pubkey = 0;
+ if (xmlStrEqual(curNode->name, (const xmlChar *)"AllowExtraction"))
+ module_config.allow_extract = 1;
curNode = curNode->next;
}
@@ -2341,10 +2344,12 @@
CK_BBOOL ctrue = CK_TRUE;
CK_BBOOL cfalse = CK_FALSE;
CK_BBOOL ctoken = CK_TRUE;
+ CK_BBOOL cextractable = CK_FALSE;
if (!ctx) ctx = _hsm_ctx;
session = hsm_find_repository_session(ctx, repository);
if (!session) return NULL;
+ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
/* check whether this key doesn't happen to exist already */
do {
@@ -2380,7 +2385,7 @@
{ CKA_SENSITIVE, &ctrue, sizeof (ctrue) },
{ CKA_TOKEN, &ctrue, sizeof (ctrue) },
{ CKA_PRIVATE, &ctrue, sizeof (ctrue) },
- { CKA_EXTRACTABLE, &cfalse, sizeof (cfalse) }
+ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) }
};
rv = ((CK_FUNCTION_LIST_PTR)session->module->sym)->C_GenerateKeyPair(session->session,
@@ -2420,6 +2425,7 @@
CK_OBJECT_HANDLE domainPar, publicKey, privateKey;
CK_BBOOL ctrue = CK_TRUE;
CK_BBOOL cfalse = CK_FALSE;
+ CK_BBOOL cextractable = CK_FALSE;
/* ids we create are 16 bytes of data */
unsigned char id[16];
@@ -2466,12 +2472,13 @@
{ CKA_SENSITIVE, &ctrue, sizeof(ctrue) },
{ CKA_TOKEN, &ctrue, sizeof(ctrue) },
{ CKA_PRIVATE, &ctrue, sizeof(ctrue) },
- { CKA_EXTRACTABLE, &cfalse, sizeof(cfalse) }
+ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) }
};
if (!ctx) ctx = _hsm_ctx;
session = hsm_find_repository_session(ctx, repository);
if (!session) return NULL;
+ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
/* check whether this key doesn't happen to exist already */
@@ -2533,6 +2540,7 @@
CK_OBJECT_HANDLE publicKey, privateKey;
CK_BBOOL ctrue = CK_TRUE;
CK_BBOOL cfalse = CK_FALSE;
+ CK_BBOOL cextractable = CK_FALSE;
/* ids we create are 16 bytes of data */
unsigned char id[16];
@@ -2569,12 +2577,13 @@
{ CKA_SENSITIVE, &ctrue, sizeof(ctrue) },
{ CKA_TOKEN, &ctrue, sizeof(ctrue) },
{ CKA_PRIVATE, &ctrue, sizeof(ctrue) },
- { CKA_EXTRACTABLE, &cfalse, sizeof(cfalse) }
+ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) }
};
if (!ctx) ctx = _hsm_ctx;
session = hsm_find_repository_session(ctx, repository);
if (!session) return NULL;
+ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
/* check whether this key doesn't happen to exist already */
diff -Naur opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.h opendnssec-1.4.7/libhsm/src/lib/libhsm.h
--- opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.h 2014-12-04 10:17:40.000000000 -0500
+++ opendnssec-1.4.7/libhsm/src/lib/libhsm.h 2014-12-08 22:49:16.102212061 -0500
@@ -75,6 +75,7 @@
/*! HSM configuration */
typedef struct {
unsigned int use_pubkey; /*!< Maintain public keys in HSM */
+ unsigned int allow_extract; /*!< Generate CKA_EXTRACTABLE private keys */
} hsm_config_t;
/*! Data type to describe an HSM */
diff -Naur opendnssec-1.4.7-orig/NEWS opendnssec-1.4.7/NEWS
--- opendnssec-1.4.7-orig/NEWS 2014-12-04 10:17:40.000000000 -0500
+++ opendnssec-1.4.7/NEWS 2014-12-08 22:50:00.560342544 -0500
@@ -1,3 +1,9 @@
+
+Fedora patch:
+* Enforcer: New repository option <AllowExtraction/> allows to generate keys
+ with CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped
+ and extracted from HSM.
+
OpenDNSSEC 1.4.7 - 2014-12-04
Bugfixes:

25
opendnssec-LICENSE
View File

@ -1,25 +0,0 @@
$Id: LICENSE 6226 2012-03-26 17:25:52Z jakob $
Copyright (c) 2012 OpenDNSSEC AB (svb). All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

1
sources
View File

@ -1 +0,0 @@
SHA512 (opendnssec-2.1.7.tar.gz) = 6f2ca2115195fd2fcd0b22186c41c9e64ec24d98b34a10a8a75d64b4671b5afe3a655f32bbd241a0df84affda1f6cecd4daac0e6fa7081e4c9fa02d1bb4ed1eb