pkgsrc-Changes archive


CVS commit: pkgsrc/security/opendnssec2



Module Name:    pkgsrc
Committed By:   he
Date:           Tue Dec  5 12:20:40 UTC 2023

Modified Files:
        pkgsrc/security/opendnssec2: Makefile distinfo
Added Files:
        pkgsrc/security/opendnssec2/patches:
            patch-enforcer_src_keystate_keystate__ds.c patch-signer_src_hsm.c
            patch-signer_src_wire_query.c

Log Message:
security/opendnssec2: Work around a concurrency error + two cosmetic fixes.

 * Adopt the suggested patch from
   https://issues.opendnssec.org/browse/SUPPORT-278
   for what looks like a concurrency error in interfacing
   to the HSM module.
 * Give correct upper-case/lower-case hint if command
   is not configured in the error message.
 * Be a bit more verbose about which zone isn't found if
   indeed it isn't found.

Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 pkgsrc/security/opendnssec2/Makefile
cvs rdiff -u -r1.10 -r1.11 pkgsrc/security/opendnssec2/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/security/opendnssec2/patches/patch-enforcer_src_keystate_keystate__ds.c \
    pkgsrc/security/opendnssec2/patches/patch-signer_src_hsm.c \
    pkgsrc/security/opendnssec2/patches/patch-signer_src_wire_query.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/opendnssec2/Makefile
diff -u pkgsrc/security/opendnssec2/Makefile:1.27 pkgsrc/security/opendnssec2/Makefile:1.28
--- pkgsrc/security/opendnssec2/Makefile:1.27   Wed Nov  8 13:20:48 2023
+++ pkgsrc/security/opendnssec2/Makefile        Tue Dec  5 12:20:40 2023
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.27 2023/11/08 13:20:48 wiz Exp $
+# $NetBSD: Makefile,v 1.28 2023/12/05 12:20:40 he Exp $
 #
 
 DISTNAME=      opendnssec-2.1.12
 PKGNAME=       ${DISTNAME:S/opendnssec/opendnssec2/}
-PKGREVISION=   6
+PKGREVISION=   7
 CATEGORIES=    security net
 MASTER_SITES=  https://www.opendnssec.org/files/source/
 

Index: pkgsrc/security/opendnssec2/distinfo
diff -u pkgsrc/security/opendnssec2/distinfo:1.10 pkgsrc/security/opendnssec2/distinfo:1.11
--- pkgsrc/security/opendnssec2/distinfo:1.10   Wed Nov  9 11:39:43 2022
+++ pkgsrc/security/opendnssec2/distinfo        Tue Dec  5 12:20:40 2023
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.10 2022/11/09 11:39:43 he Exp $
+$NetBSD: distinfo,v 1.11 2023/12/05 12:20:40 he Exp $
 
-BLAKE2s (opendnssec-2.1.12.tar.gz) = 3adb1fe7d7a0326ed367f536b78d1d3e9333343cd68937881c502fa2c4d8819a
-SHA512 (opendnssec-2.1.12.tar.gz) = 6b3a7458c8a1e73d5d35320c48f81b37cb8ed7939ea2bd05335cd1b710bcf99c0b461e44dd66e14068ee77fe43af6fb91e7466bc4e3ba135a8fb37bc03919bb7
-Size (opendnssec-2.1.12.tar.gz) = 1157828 bytes
 SHA1 (patch-conf_Makefile.in) = b0a782916a9603138c09b484cc1534b938bf8330
+SHA1 (patch-enforcer_src_keystate_keystate__ds.c) = 0f000dc6a37cb05776a1361726082f4db35e3a45
+SHA1 (patch-signer_src_hsm.c) = da5d35b22e189c7eef0b6344e7137662fe439c3e
+SHA1 (patch-signer_src_wire_query.c) = c026ae230ad6bcb73800700823ca33be00d26fcb
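Review bot: The removed lines in this hunk drop the `BLAKE2s`, `SHA512` and `Size` entries for opendnssec-2.1.12.tar.gz, although the Makefile hunk keeps `DISTNAME= opendnssec-2.1.12`, so after revision 1.11 the upstream tarball has no pinned digest in distinfo. The log message mentions only the three new patches, so this looks unintended, perhaps from regenerating distinfo without the distfile present. Without those entries the integrity check on the downloaded source either fails or has nothing to compare against, depending on how the checksum stage treats a missing entry. The three distfile lines from revision 1.10 should be restored unchanged, with the new `SHA1 (patch-...)` lines added beside them.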

Added files:

Index: pkgsrc/security/opendnssec2/patches/patch-enforcer_src_keystate_keystate__ds.c
diff -u /dev/null pkgsrc/security/opendnssec2/patches/patch-enforcer_src_keystate_keystate__ds.c:1.1
--- /dev/null   Tue Dec  5 12:20:40 2023
+++ pkgsrc/security/opendnssec2/patches/patch-enforcer_src_keystate_keystate__ds.c      Tue Dec  5 12:20:40 2023
@@ -0,0 +1,25 @@
+$NetBSD: patch-enforcer_src_keystate_keystate__ds.c,v 1.1 2023/12/05 12:20:40 he Exp $
+
+Give correct upper/lower-case hint if command isn't configured
+in the error message in the log and/or console.
+
+--- enforcer/src/keystate/keystate_ds.c.orig   2020-02-10 17:25:11.000000000 +0000
++++ enforcer/src/keystate/keystate_ds.c
+@@ -217,7 +217,7 @@ submit_dnskey_by_id(int sockfd, key_data
+ {
+       const char* ds_submit_command;
+       ds_submit_command = engine->config->delegation_signer_submit_command;
+-      return exec_dnskey_by_id(sockfd, key, ds_submit_command, "submit");
++      return exec_dnskey_by_id(sockfd, key, ds_submit_command, "Submit");
+ }
+ 
+ static int
+@@ -225,7 +225,7 @@ retract_dnskey_by_id(int sockfd, key_dat
+ {
+       const char* ds_retract_command;
+       ds_retract_command = engine->config->delegation_signer_retract_command;
+-      return exec_dnskey_by_id(sockfd, key, ds_retract_command, "retract");
++      return exec_dnskey_by_id(sockfd, key, ds_retract_command, "Retract");
+ }
+ 
+ static int
Index: pkgsrc/security/opendnssec2/patches/patch-signer_src_hsm.c
diff -u /dev/null pkgsrc/security/opendnssec2/patches/patch-signer_src_hsm.c:1.1
--- /dev/null   Tue Dec  5 12:20:40 2023
+++ pkgsrc/security/opendnssec2/patches/patch-signer_src_hsm.c  Tue Dec  5 12:20:40 2023
@@ -0,0 +1,29 @@
+$NetBSD: patch-signer_src_hsm.c,v 1.1 2023/12/05 12:20:40 he Exp $
+
+Work around possible concurrency error and
+"[hsm] hsm_get_dnskey(): Got NULL key"
+Ref. https://issues.opendnssec.org/browse/SUPPORT-278
+
+--- signer/src/hsm.c.orig      2022-11-08 08:46:49.000000000 +0000
++++ signer/src/hsm.c
+@@ -34,6 +34,10 @@
+ #include "log.h"
+ #include "cryptoki_compat/pkcs11.h"
+ 
++#include <pthread.h>
++
++pthread_mutex_t _hsm_get_dnskey_mutex = PTHREAD_MUTEX_INITIALIZER;
++
+ static const char* hsm_str = "hsm";
+ 
+ /**
+@@ -109,7 +113,9 @@ llibhsm_key_start:
+ 
+     /* get dnskey */
+     if (!key_id->dnskey) {
++      pthread_mutex_lock(&_hsm_get_dnskey_mutex);
+         key_id->dnskey = hsm_get_dnskey(ctx, keylookup(ctx, key_id->locator), key_id->params);
++      pthread_mutex_unlock(&_hsm_get_dnskey_mutex);
+     }
+     if (!key_id->dnskey) {
+         error = hsm_get_error(ctx);
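Review bot: The `if (!key_id->dnskey)` test stays outside the new lock, so two threads working on the same key_id could both see NULL, call hsm_get_dnskey() one after the other, and the second assignment would overwrite (and presumably leak) the first result; whether key_id is shared between signer threads is not visible in this hunk. Taking the lock before the test and releasing it after the closing brace, `pthread_mutex_lock(&m); if (!key_id->dnskey) { ... } pthread_mutex_unlock(&m);`, closes that window at no extra cost. The mutex is also defined with external linkage and a leading underscore; `static pthread_mutex_t hsm_get_dnskey_mutex = PTHREAD_MUTEX_INITIALIZER;` keeps it file-local. A comment naming the libhsm state it is meant to protect would help, because any other caller of hsm_get_dnskey() does not take this lock and the commit describes the change as a workaround. The enclosing function starts and ends outside the hunk.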
Index: pkgsrc/security/opendnssec2/patches/patch-signer_src_wire_query.c
diff -u /dev/null pkgsrc/security/opendnssec2/patches/patch-signer_src_wire_query.c:1.1
--- /dev/null   Tue Dec  5 12:20:40 2023
+++ pkgsrc/security/opendnssec2/patches/patch-signer_src_wire_query.c   Tue Dec  5 12:20:40 2023
@@ -0,0 +1,21 @@
+$NetBSD: patch-signer_src_wire_query.c,v 1.1 2023/12/05 12:20:40 he Exp $
+
+Be a bit more verbose about which zone isn't found...
+
+--- signer/src/wire/query.c.orig       2021-02-20 21:04:47.000000000 +0000
++++ signer/src/wire/query.c
+@@ -886,7 +886,13 @@ query_process(query_type* q, engine_type
+     }
+     pthread_mutex_unlock(&engine->zonelist->zl_lock);
+     if (!q->zone) {
+-        ods_log_debug("[%s] zone not found", query_str);
++      char *zn = ldns_rdf2str(ldns_rr_owner(rr));
++      if (zn) {
++            ods_log_debug("[%s] zone %s not found", query_str, zn);
++          free(zn);
++      } else {
++            ods_log_debug("[%s] zone (unknown?) not found", query_str);
++      }
+         ldns_pkt_free(pkt);
+         return query_servfail(q);
+     }
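Review bot: The name now written to the log comes from `ldns_rr_owner(rr)`, i.e. from the incoming query, so the new `ods_log_debug("[%s] zone %s not found", ...)` line puts remote-supplied text into the log. Passing it as a `%s` argument rather than as the format is correct, but the code relies on ldns_rdf2str() returning an escaped presentation-format name; a comment such as `/* zn is remote input in presentation format; ldns escapes non-printable bytes (confirm) */` would record that assumption. The string is also allocated and freed on every query for an unknown zone even when debug logging is off, and the visible lines do not show that `rr` is non-NULL at this point. query_process() starts and ends outside the hunk.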


