pkgsrc-Changes archive
CVS commit: pkgsrc/security/opendnssec2
Module Name: pkgsrc
Committed By: he
Date: Fri Aug 16 15:29:36 UTC 2024
Modified Files:
pkgsrc/security/opendnssec2: Makefile distinfo
Added Files:
pkgsrc/security/opendnssec2/patches:
patch-enforcer_src_hsmkey_backup__hsmkeys__cmd.c
patch-enforcer_src_keystate_keystate__list__cmd.c
patch-tools_ods-kasp.5.in
Log Message:
security/opendnssec2: Add a few fixes to this package:
* If for some reason you end up with a key with no attached
zone, "ods-enforcer key list -z <zonename>" would end up
crashing ods-enforcerd. Add a fix to protect against this.
Ref.
https://lists.opendnssec.org/pipermail/opendnssec-user/2024-August/004756.html
* Make "ods-enforcer backup prepare" and "... backup commit"
emit operator messages if no keys were flagged for the requested
state transition. Just doing "return 1" and possibly "exit 1"
is operator-unfriendly if the requested operation didn't do
anything.
* Typo fixes in the xref section of ods-kasp(5) man page:
It's "ods" not "pds", and ods-ksmutil(1) isn't part of
OpenDNSSEC version 2.x.
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.32 -r1.33 pkgsrc/security/opendnssec2/Makefile
cvs rdiff -u -r1.12 -r1.13 pkgsrc/security/opendnssec2/distinfo
cvs rdiff -u -r0 -r1.1 \
pkgsrc/security/opendnssec2/patches/patch-enforcer_src_hsmkey_backup__hsmkeys__cmd.c \
pkgsrc/security/opendnssec2/patches/patch-enforcer_src_keystate_keystate__list__cmd.c \
pkgsrc/security/opendnssec2/patches/patch-tools_ods-kasp.5.in
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/security/opendnssec2/Makefile
diff -u pkgsrc/security/opendnssec2/Makefile:1.32 pkgsrc/security/opendnssec2/Makefile:1.33
--- pkgsrc/security/opendnssec2/Makefile:1.32 Wed May 29 16:34:17 2024
+++ pkgsrc/security/opendnssec2/Makefile Fri Aug 16 15:29:36 2024
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.32 2024/05/29 16:34:17 adam Exp $
+# $NetBSD: Makefile,v 1.33 2024/08/16 15:29:36 he Exp $
#
DISTNAME= opendnssec-2.1.13
PKGNAME= ${DISTNAME:S/opendnssec/opendnssec2/}
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= security net
MASTER_SITES= https://www.opendnssec.org/files/source/
@@ -68,6 +68,9 @@ SUBST_SED.migrate= -e 's,SCHEMA=../../sr
CXXFLAGS.NetBSD+= -D_NETBSD_SOURCE
+# For debugging...
+#CFLAGS.NetBSD+= -g
+
CONF_FILES+= ${EGDIR}/addns.xml.sample \
${PKG_SYSCONFDIR}/addns.xml
CONF_FILES+= ${EGDIR}/conf.xml.sample \
Index: pkgsrc/security/opendnssec2/distinfo
diff -u pkgsrc/security/opendnssec2/distinfo:1.12 pkgsrc/security/opendnssec2/distinfo:1.13
--- pkgsrc/security/opendnssec2/distinfo:1.12 Wed Dec 6 19:27:20 2023
+++ pkgsrc/security/opendnssec2/distinfo Fri Aug 16 15:29:36 2024
@@ -1,9 +1,12 @@
-$NetBSD: distinfo,v 1.12 2023/12/06 19:27:20 he Exp $
+$NetBSD: distinfo,v 1.13 2024/08/16 15:29:36 he Exp $
BLAKE2s (opendnssec-2.1.13.tar.gz) = d82cf590129f1f37bae7382fbcb9ed87d61182d42315e95a431d755a46dfd0c7
SHA512 (opendnssec-2.1.13.tar.gz) = 5f3926f0f144cf8819895da2ec81fce21e2a05cf0b83dd9174a72ebfdef99badc3bcff2d6685c498485113209e7c73ab9cf55b3e126009ce6cbcc3cde54d6051
Size (opendnssec-2.1.13.tar.gz) = 1161140 bytes
SHA1 (patch-conf_Makefile.in) = b0a782916a9603138c09b484cc1534b938bf8330
+SHA1 (patch-enforcer_src_hsmkey_backup__hsmkeys__cmd.c) = f300504098f57d04525f70a80fac7f15f4ffaba3
SHA1 (patch-enforcer_src_keystate_keystate__ds.c) = 0f000dc6a37cb05776a1361726082f4db35e3a45
+SHA1 (patch-enforcer_src_keystate_keystate__list__cmd.c) = 1e18aa22b8a3c2beb1d73337e72383d73cf2c8db
SHA1 (patch-signer_src_hsm.c) = da5d35b22e189c7eef0b6344e7137662fe439c3e
SHA1 (patch-signer_src_wire_query.c) = c026ae230ad6bcb73800700823ca33be00d26fcb
+SHA1 (patch-tools_ods-kasp.5.in) = 83d13a1897368924b53f757e3b7918f9a6a918c1
Added files:
Index: pkgsrc/security/opendnssec2/patches/patch-enforcer_src_hsmkey_backup__hsmkeys__cmd.c
diff -u /dev/null pkgsrc/security/opendnssec2/patches/patch-enforcer_src_hsmkey_backup__hsmkeys__cmd.c:1.1
--- /dev/null Fri Aug 16 15:29:36 2024
+++ pkgsrc/security/opendnssec2/patches/patch-enforcer_src_hsmkey_backup__hsmkeys__cmd.c Fri Aug 16 15:29:36 2024
@@ -0,0 +1,22 @@
+$NetBSD: patch-enforcer_src_hsmkey_backup__hsmkeys__cmd.c,v 1.1 2024/08/16 15:29:36 he Exp $
+
+Provide more diagnostic information to the client.
+
+--- enforcer/src/hsmkey/backup_hsmkeys_cmd.c.orig 2024-03-27 16:53:50.916681905 +0000
++++ enforcer/src/hsmkey/backup_hsmkeys_cmd.c
+@@ -92,6 +92,7 @@ prepare(int sockfd, db_connection_t *dbc
+ int keys_marked = hsmkeys_from_to_state(dbconn, clause_list,
+ HSM_KEY_BACKUP_BACKUP_REQUIRED, HSM_KEY_BACKUP_BACKUP_REQUESTED);
+ if (keys_marked < 0) {
++ client_printf(sockfd, "info: no keys flagged for backup!");
+ return 1;
+ }
+ client_printf(sockfd,"info: keys flagged for backup: %d\n", keys_marked);
+@@ -104,6 +105,7 @@ commit(int sockfd, db_connection_t *dbco
+ int keys_marked = hsmkeys_from_to_state(dbconn, clause_list,
+ HSM_KEY_BACKUP_BACKUP_REQUESTED, HSM_KEY_BACKUP_BACKUP_DONE);
+ if (keys_marked < 0) {
++ client_printf(sockfd, "info: no keys with backup -> commit state change");
+ return 1;
+ }
+ client_printf(sockfd,"info: keys marked backup done: %d\n", keys_marked);
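Review bot: Both added messages lack the trailing `\n` that the neighbouring success messages carry (`"info: keys flagged for backup: %d\n"`), so the client output will run into whatever is printed next; use `client_printf(sockfd, "info: no keys flagged for backup!\n");` and the same for the message in commit(). Both also sit under `if (keys_marked < 0)`, and a negative return from hsmkeys_from_to_state() looks more like a failure than an empty result; its body is not visible here, so this is an inference. If that is right, the `info: no keys ...` wording could lead an operator to conclude there was nothing to back up when the state change actually failed. Consider reporting the `< 0` case as an error and handling `keys_marked == 0` separately as the "nothing to do" case. Both prepare() and commit() begin and end outside these hunks.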
Index: pkgsrc/security/opendnssec2/patches/patch-enforcer_src_keystate_keystate__list__cmd.c
diff -u /dev/null pkgsrc/security/opendnssec2/patches/patch-enforcer_src_keystate_keystate__list__cmd.c:1.1
--- /dev/null Fri Aug 16 15:29:36 2024
+++ pkgsrc/security/opendnssec2/patches/patch-enforcer_src_keystate_keystate__list__cmd.c Fri Aug 16 15:29:36 2024
@@ -0,0 +1,29 @@
+$NetBSD: patch-enforcer_src_keystate_keystate__list__cmd.c,v 1.1 2024/08/16 15:29:36 he Exp $
+
+Guard against key_data_get_zone() returning NULL (which it can do, for
+multiple reaons), and avoid keeling over in that case.
+
+Should avoid crashes when a key such as this is present:
+
+(null) KSK unknown now 2048 13 43ff9e6e2c011cd6165f25aa7ac6db83 SoftHSM 45696
+
+and you want to list all the keys for a given zone.
+
+Also improve readability of the code by splitting the overly long
+condition over multiple lines & indenting.
+
+--- enforcer/src/keystate/keystate_list_cmd.c.orig 2024-08-16 14:50:50.834836266 +0000
++++ enforcer/src/keystate/keystate_list_cmd.c
+@@ -199,7 +199,11 @@ perform_keystate_list(int sockfd, db_con
+ hsmkey = key_data_get_hsm_key(key);
+ key_data_cache_key_states(key);
+ tchange = map_keytime(zone, key); /* allocs */
+- if ((printkey != NULL) && (!zonename || !strcmp(zone_db_name(zone), zonename)) && (!keytype || !strcasecmp(keytype,key_data_role_text(key))) && (!keystate || !strcasecmp(keystate,
map_keystate(key))))
++ if ((printkey != NULL) &&
++ (!zonename || (zone && !strcmp(zone_db_name(zone), zonename))) &&
++ (!keytype || !strcasecmp(keytype,key_data_role_text(key))) &&
++ (!keystate || !strcasecmp(keystate, map_keystate(key)))
++ )
+ (*printkey)(sockfd, zone, key, tchange, hsmkey);
+ free(tchange);
+ hsm_key_free(hsmkey);
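Review bot: The new `zone &&` test guards only the `-z` comparison; `map_keytime(zone, key)` on the line above and `(*printkey)(sockfd, zone, key, tchange, hsmkey)` still receive a NULL zone whenever no zone name filter is given. The sample line in the patch header (`(null) KSK unknown ...`) suggests the print path currently survives this, presumably through the platform printf's handling of a NULL `%s` argument, which the C standard does not guarantee. Because this loop runs inside the daemon on behalf of any client that can issue `key list`, it is worth confirming that map_keytime() and every printkey callback accept a NULL zone. A comment at the condition would record that, for example `/* zone may be NULL for an orphaned key; only dereference it when filtering by name */`. The loop in perform_keystate_list() starts and ends outside the hunk.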
Index: pkgsrc/security/opendnssec2/patches/patch-tools_ods-kasp.5.in
diff -u /dev/null pkgsrc/security/opendnssec2/patches/patch-tools_ods-kasp.5.in:1.1
--- /dev/null Fri Aug 16 15:29:36 2024
+++ pkgsrc/security/opendnssec2/patches/patch-tools_ods-kasp.5.in Fri Aug 16 15:29:36 2024
@@ -0,0 +1,16 @@
+$NetBSD: patch-tools_ods-kasp.5.in,v 1.1 2024/08/16 15:29:36 he Exp $
+
+Fix name of xref, it's ods-, not pds-.
+OpenDNSSEC2 doesn't have ods-ksmutil(1), so remove reference.
+
+--- tools/ods-kasp.5.in.orig 2024-08-16 15:00:40.771449708 +0000
++++ tools/ods-kasp.5.in
+@@ -251,7 +251,7 @@ This should be set to the value of the M
+ .SH "SEE ALSO"
+ .LP
+ ods\-control(8), ods\-enforcerd(8), ods\-enforcer(8),
+-ods\-signerd(8), pds\-signer(8), ods\-ksmutil(1),
++ods\-signerd(8), ods\-signer(8),
+ ods\-kaspcheck(1), ods\-timing(5), ods\-hsmutil(1),
+ ods\-hsmspeed(1), opendnssec(7),
+ ISO 8601,