Merge ~utkarsh/ubuntu/+source/keyutils:apply-default-ttl-to-records into ubuntu/+source/keyutils:ubuntu/devel

Proposed by Utkarsh Gupta
Status: Merged
Merged at revision: ddb1907a1432347cbbbe527fe3fcbf7f032f5779
Proposed branch: ~utkarsh/ubuntu/+source/keyutils:apply-default-ttl-to-records
Merge into: ubuntu/+source/keyutils:ubuntu/devel
Diff against target: 553 lines (+531/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/apply-default-ttl-to-records.patch (+522/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Utkarsh Gupta Pending
Chris Newcomer Pending
git-ubuntu import Pending
Review via email: mp+416126@code.launchpad.net


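--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+keyutils (1.6.1-2ubuntu3) jammy; urgency=medium
+
+ * d/p/apply-default-ttl-to-records.patch: Add patch
+ to apply default TTL to records obtained from
+ getaddrinfo(). (LP: #1962453)
+
+ -- Utkarsh Gupta <utkarsh.gupta@canonical.com> Mon, 28 Feb 2022 15:14:45 +0530
+
 keyutils (1.6.1-2ubuntu2) impish; urgency=medium
 
 * No-change rebuild to build packages with zstd compression.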
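--- /dev/null
+++ b/debian/patches/apply-default-ttl-to-records.patch
@@ -0,0 +1,522 @@
+From 75e7568dc516db698093b33ea273e1b4a30b70be Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 14 Apr 2020 16:07:26 +0100
+Subject: dns: Apply a default TTL to records obtained from getaddrinfo()
+ Address records obtained from getaddrinfo() don't come with any TTL
+ information, even if they're obtained from the DNS, with the result that
+ key.dns_resolver upcall program doesn't set an expiry time on dns_resolver
+ records unless they include a component obtained directly from the DNS,
+ such as an SRV or AFSDB record.
+ .
+ Fix this to apply a default TTL of 10mins in the event that we haven't got
+ one. This can be configured in /etc/keyutils/key.dns_resolver.conf by
+ adding the line:
+ .
+ default_ttl = <number-of-seconds>
+ .
+ to the file.
+ .
+ Signed-off-by: David Howells <dhowells@redhat.com>
+ Reviewed-by: Ben Boeckel <me@benboeckel.net>
+ Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Origin: upstream, https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git/commit/?id=75e7568dc516db698093b33ea273e1b4a30b70be
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/keyutils/+bug/1962453
+Last-Updated: 2022-02-28
+
+---
+ Makefile | 1 +
+ dns.afsdb.c | 16 ++--
+ key.dns.h | 4 +
+ key.dns_resolver.c | 208 +++++++++++++++++++++++++++++++++++++++++---
+ man/key.dns_resolver.8 | 25 ++++--
+ man/key.dns_resolver.conf.5 | 48 ++++++++++
+ 6 files changed, 277 insertions(+), 25 deletions(-)
+ create mode 100644 man/key.dns_resolver.conf.5
+
+--- a/Makefile
++++ b/Makefile
+@@ -204,6 +204,7 @@
+ $(INSTALL) -D key.dns_resolver $(DESTDIR)$(SBINDIR)/key.dns_resolver
+ $(INSTALL) -D -m 0644 request-key.conf $(DESTDIR)$(ETCDIR)/request-key.conf
+ mkdir -p $(DESTDIR)$(ETCDIR)/request-key.d
++ mkdir -p $(DESTDIR)$(ETCDIR)/keyutils
+ mkdir -p $(DESTDIR)$(MAN1)
+ $(INSTALL) -m 0644 $(wildcard man/*.1) $(DESTDIR)$(MAN1)
+ mkdir -p $(DESTDIR)$(MAN3)
+--- a/dns.afsdb.c
++++ b/dns.afsdb.c
+@@ -37,8 +37,6 @@
+ */
+ #include "key.dns.h"
+
+-static unsigned long afs_ttl = ULONG_MAX;
+-
+ /*
+ *
+ */
+@@ -114,8 +112,8 @@
+ }
+ }
+
+- afs_ttl = ttl;
+- info("ttl: %u", ttl);
++ key_expiry = ttl;
++ info("ttl: %u", key_expiry);
+ }
+
+ /*
+@@ -203,8 +201,8 @@
+ }
+ }
+
+- afs_ttl = ttl;
+- info("ttl: %u", ttl);
++ key_expiry = ttl;
++ info("ttl: %u", key_expiry);
+ }
+
+ /*
+@@ -240,7 +238,7 @@
+ /* look up the hostnames we've obtained to get the actual addresses */
+ afsdb_hosts_to_addrs(handle, ns_s_an);
+
+- info("DNS query AFSDB RR results:%u ttl:%lu", payload_index, afs_ttl);
++ info("DNS query AFSDB RR results:%u ttl:%u", payload_index, key_expiry);
+ return 0;
+ }
+
+@@ -279,7 +277,7 @@
+ /* look up the hostnames we've obtained to get the actual addresses */
+ srv_hosts_to_addrs(handle, ns_s_an);
+
+- info("DNS query VL SRV RR results:%u ttl:%lu", payload_index, afs_ttl);
++ info("DNS query VL SRV RR results:%u ttl:%u", payload_index, key_expiry);
+ return 0;
+ }
+
+@@ -293,7 +291,7 @@
+
+ /* set the key's expiry time from the minimum TTL encountered */
+ if (!debug_mode) {
+- ret = keyctl_set_timeout(key, afs_ttl);
++ ret = keyctl_set_timeout(key, key_expiry);
+ if (ret == -1)
+ error("%s: keyctl_set_timeout: %m", __func__);
+ }
+--- a/key.dns.h
++++ b/key.dns.h
+@@ -29,6 +29,7 @@
+ #include <stdlib.h>
+ #include <unistd.h>
+ #include <time.h>
++#include <ctype.h>
+
+ #define MAX_VLS 15 /* Max Volume Location Servers Per-Cell */
+ #define INET_IP4_ONLY 0x1
+@@ -42,6 +43,7 @@
+ extern key_serial_t key;
+ extern int debug_mode;
+ extern unsigned mask;
++extern unsigned int key_expiry;
+
+ #define N_PAYLOAD 256
+ extern struct iovec payload[N_PAYLOAD];
+@@ -52,6 +54,8 @@
+ extern __attribute__((format(printf, 1, 2)))
+ void _error(const char *fmt, ...);
+ extern __attribute__((format(printf, 1, 2)))
++void warning(const char *fmt, ...);
++extern __attribute__((format(printf, 1, 2)))
+ void info(const char *fmt, ...);
+ extern __attribute__((noreturn))
+ void nsError(int err, const char *domain);
+--- a/key.dns_resolver.c
++++ b/key.dns_resolver.c
+@@ -46,10 +46,13 @@
+ static const char a_query_type[] = "a";
+ static const char aaaa_query_type[] = "aaaa";
+ static const char afsdb_query_type[] = "afsdb";
++static const char *config_file = "/etc/keyutils/key.dns_resolver.conf";
++static bool config_specified = false;
+ key_serial_t key;
+ static int verbose;
+ int debug_mode;
+ unsigned mask = INET_ALL;
++unsigned int key_expiry = 5;
+
+
+ /*
+@@ -106,6 +109,23 @@
+ }
+
+ /*
++ * Print a warning to stderr or the syslog
++ */
++void warning(const char *fmt, ...)
++{
++ va_list va;
++
++ va_start(va, fmt);
++ if (isatty(2)) {
++ vfprintf(stderr, fmt, va);
++ fputc('\n', stderr);
++ } else {
++ vsyslog(LOG_WARNING, fmt, va);
++ }
++ va_end(va);
++}
++
++/*
+ * Print status information
+ */
+ void info(const char *fmt, ...)
+@@ -272,6 +292,7 @@
+ }
+
+ info("The key instantiation data is '%s'", buf);
++ info("The expiry time is %us", key_expiry);
+ free(buf);
+ }
+
+@@ -412,6 +433,9 @@
+
+ /* load the key with data key */
+ if (!debug_mode) {
++ ret = keyctl_set_timeout(key, key_expiry);
++ if (ret == -1)
++ error("%s: keyctl_set_timeout: %m", __func__);
+ ret = keyctl_instantiate_iov(key, payload, payload_index, 0);
+ if (ret == -1)
+ error("%s: keyctl_instantiate: %m", __func__);
+@@ -421,6 +445,157 @@
+ }
+
+ /*
++ * Read the config file.
++ */
++static void read_config(void)
++{
++ FILE *f;
++ char buf[4096], *b, *p, *k, *v;
++ unsigned int line = 0, u;
++ int n;
++
++ info("READ CONFIG %s", config_file);
++
++ f = fopen(config_file, "r");
++ if (!f) {
++ if (errno == ENOENT && !config_specified) {
++ debug("%s: %m", config_file);
++ return;
++ }
++ error("%s: %m", config_file);
++ }
++
++ while (fgets(buf, sizeof(buf) - 1, f)) {
++ line++;
++
++ /* Trim off leading and trailing spaces and discard whole-line
++ * comments.
++ */
++ b = buf;
++ while (isspace(*b))
++ b++;
++ if (!*b || *b == '#')
++ continue;
++ p = strchr(b, '\n');
++ if (!p)
++ error("%s:%u: line missing newline or too long", config_file, line);
++ while (p > buf && isspace(p[-1]))
++ p--;
++ *p = 0;
++
++ /* Split into key[=value] pairs and trim spaces. */
++ k = b;
++ v = NULL;
++ b = strchr(b, '=');
++ if (b) {
++ char quote = 0;
++ bool esc = false;
++
++ if (b == k)
++ error("%s:%u: Unspecified key",
++ config_file, line);
++
++ /* NUL-terminate the key. */
++ for (p = b - 1; isspace(*p); p--)
++ ;
++ p[1] = 0;
++
++ /* Strip leading spaces */
++ b++;
++ while (isspace(*b))
++ b++;
++ if (!*b)
++ goto missing_value;
++
++ if (*b == '"' || *b == '\'') {
++ quote = *b;
++ b++;
++ }
++ v = p = b;
++ while (*b) {
++ if (esc) {
++ switch (*b) {
++ case ' ':
++ case '\t':
++ case '"':
++ case '\'':
++ case '\\':
++ break;
++ default:
++ goto invalid_escape_char;
++ }
++ esc = false;
++ *p++ = *b++;
++ continue;
++ }
++ if (*b == '\\') {
++ esc = true;
++ b++;
++ continue;
++ }
++ if (*b == quote) {
++ b++;
++ if (*b)
++ goto post_quote_data;
++ quote = 0;
++ break;
++ }
++ if (!quote && *b == '#')
++ break; /* Terminal comment */
++ *p++ = *b++;
++ }
++
++ if (esc)
++ error("%s:%u: Incomplete escape", config_file, line);
++ if (quote)
++ error("%s:%u: Unclosed quotes", config_file, line);
++ *p = 0;
++ }
++
++ if (strcmp(k, "default_ttl") == 0) {
++ if (!v)
++ goto missing_value;
++ if (sscanf(v, "%u%n", &u, &n) != 1)
++ goto bad_value;
++ if (v[n])
++ goto extra_data;
++ if (u < 1 || u > INT_MAX)
++ goto out_of_range;
++ key_expiry = u;
++ } else {
++ warning("%s:%u: Unknown option '%s'", config_file, line, k);
++ }
++ }
++
++ if (ferror(f) || fclose(f) == EOF)
++ error("%s: %m", config_file);
++ return;
++
++missing_value:
++ error("%s:%u: %s: Missing value", config_file, line, k);
++invalid_escape_char:
++ error("%s:%u: %s: Invalid char in escape", config_file, line, k);
++post_quote_data:
++ error("%s:%u: %s: Data after closing quote", config_file, line, k);
++bad_value:
++ error("%s:%u: %s: Bad value", config_file, line, k);
++extra_data:
++ error("%s:%u: %s: Extra data supplied", config_file, line, k);
++out_of_range:
++ error("%s:%u: %s: Value out of range", config_file, line, k);
++}
++
++/*
++ * Dump the configuration after parsing the config file.
++ */
++static __attribute__((noreturn))
++void config_dumper(void)
++{
++ printf("default_ttl = %u\n", key_expiry);
++ exit(0);
++}
++
++/*
+ * Print usage details,
+ */
+ static __attribute__((noreturn))
+@@ -428,22 +603,24 @@
+ {
+ if (isatty(2)) {
+ fprintf(stderr,
+- "Usage: %s [-vv] key_serial\n",
++ "Usage: %s [-vv] [-c config] key_serial\n",
+ prog);
+ fprintf(stderr,
+- "Usage: %s -D [-vv] <desc> <calloutinfo>\n",
++ "Usage: %s -D [-vv] [-c config] <desc> <calloutinfo>\n",
+ prog);
+ } else {
+- info("Usage: %s [-vv] key_serial", prog);
++ info("Usage: %s [-vv] [-c config] key_serial", prog);
+ }
+ exit(2);
+ }
+
+-const struct option long_options[] = {
+- { "debug", 0, NULL, 'D' },
+- { "verbose", 0, NULL, 'v' },
+- { "version", 0, NULL, 'V' },
+- { NULL, 0, NULL, 0 }
++static const struct option long_options[] = {
++ { "config", 0, NULL, 'c' },
++ { "debug", 0, NULL, 'D' },
++ { "dump-config", 0, NULL, 2 },
++ { "verbose", 0, NULL, 'v' },
++ { "version", 0, NULL, 'V' },
++ { NULL, 0, NULL, 0 }
+ };
+
+ /*
+@@ -455,11 +632,19 @@
+ char *keyend, *p;
+ char *callout_info = NULL;
+ char *buf = NULL, *name;
++ bool dump_config = false;
+
+ openlog(prog, 0, LOG_DAEMON);
+
+- while ((ret = getopt_long(argc, argv, "vDV", long_options, NULL)) != -1) {
++ while ((ret = getopt_long(argc, argv, "c:vDV", long_options, NULL)) != -1) {
+ switch (ret) {
++ case 'c':
++ config_file = optarg;
++ config_specified = true;
++ continue;
++ case 2:
++ dump_config = true;
++ continue;
+ case 'D':
+ debug_mode = 1;
+ continue;
+@@ -481,6 +666,9 @@
+
+ argc -= optind;
+ argv += optind;
++ read_config();
++ if (dump_config)
++ config_dumper();
+
+ if (!debug_mode) {
+ if (argc != 1)
+@@ -542,7 +730,7 @@
+ name++;
+
+ info("Query type: '%*.*s'", qtlen, qtlen, keyend);
+-
++
+ if ((qtlen == sizeof(a_query_type) - 1 &&
+ memcmp(keyend, a_query_type, sizeof(a_query_type) - 1) == 0) ||
+ (qtlen == sizeof(aaaa_query_type) - 1 &&
+--- a/man/key.dns_resolver.8
++++ b/man/key.dns_resolver.8
+@@ -7,28 +7,41 @@
+ .\" as published by the Free Software Foundation; either version
+ .\" 2 of the License, or (at your option) any later version.
+ .\"
+-.TH KEY.DNS_RESOLVER 8 "04 Mar 2011" Linux "Linux Key Management Utilities"
++.TH KEY.DNS_RESOLVER 8 "18 May 2020" Linux "Linux Key Management Utilities"
+ .SH NAME
+ key.dns_resolver \- upcall for request\-key to handle dns_resolver keys
+ .SH SYNOPSIS
+ \fB/sbin/key.dns_resolver \fR<key>
+ .br
+-\fB/sbin/key.dns_resolver \fR\-D [\-v] [\-v] <keydesc> <calloutinfo>
++\fB/sbin/key.dns_resolver \fR--dump-config [\-c <configfile>]
++.br
++\fB/sbin/key.dns_resolver \fR\-D [\-v] [\-v] [\-c <configfile>] <desc>
++.br
++<calloutinfo>
+ .SH DESCRIPTION
+ This program is invoked by request\-key on behalf of the kernel when kernel
+ services (such as NFS, CIFS and AFS) want to perform a hostname lookup and the
+ kernel does not have the key cached. It is not ordinarily intended to be
+ called directly.
+ .P
+-It can be called in debugging mode to test its functionality by passing a
+-\fB\-D\fR flag on the command line. For this to work, the key description and
+-the callout information must be supplied. Verbosity can be increased by
+-supplying one or more \fB\-v\fR flags.
++There program has internal parameters that can be changed with a configuration
++file (see key.dns_resolver.conf(5) for more information). The default
++configuration file is in /etc, but this can be overridden with the \fB-c\fR
++flag.
++.P
++The program can be called in debugging mode to test its functionality by
++passing a \fB\-D\fR or \fB\--debug\fR flag on the command line. For this to
++work, the key description and the callout information must be supplied.
++Verbosity can be increased by supplying one or more \fB\-v\fR flags.
++.P
++The program may also be called with \fB--dump-config\fR to show the values that
++configurable parameters will have after parsing the config file.
+ .SH ERRORS
+ All errors will be logged to the syslog.
+ .SH SEE ALSO
+ .ad l
+ .nh
++.BR key.dns_resolver.conf (5),
+ .BR request\-key.conf (5),
+ .BR keyrings (7),
+ .BR request\-key (8)
+--- /dev/null
++++ b/man/key.dns_resolver.conf.5
+@@ -0,0 +1,48 @@
++.\" -*- nroff -*-
++.\" Copyright (C) 2020 Red Hat, Inc. All Rights Reserved.
++.\" Written by David Howells (dhowells@redhat.com)
++.\"
++.\" This program is free software; you can redistribute it and/or
++.\" modify it under the terms of the GNU General Public License
++.\" as published by the Free Software Foundation; either version
++.\" 2 of the License, or (at your option) any later version.
++.\"
++.TH KEY.DNS_RESOLVER.CONF 5 "18 May 2020" Linux "Linux Key Management Utilities"
++.SH NAME
++key.dns_resolver.conf \- Kernel DNS resolver config
++.SH DESCRIPTION
++This file is used by the key.dns_resolver(5) program to set parameters.
++Unless otherwise overridden with the \fB\-c\fR flag, the program reads:
++.IP
++/etc/key.dns_resolver.conf
++.P
++Configuration options are given in \fBkey[=value]\fR form, where \fBvalue\fR is
++optional. If present, the value may be surrounded by a pair of single ('') or
++double quotes ("") which will be stripped off. The special characters in the
++value may be escaped with a backslash to turn them into ordinary characters.
++.P
++Lines beginning with a '#' are considered comments and ignored. A '#' symbol
++anywhere after the '=' makes the rest of the line into a comment unless the '#'
++is inside a quoted section or is escaped.
++.P
++Leading and trailing spaces and spaces around the '=' symbol will be stripped
++off.
++.P
++Available options include:
++.TP
++.B default_ttl=<number>
++The number of seconds to set as the expiration on a cached record. This will
++be overridden if the program manages to retrieve TTL information along with
++the addresses (if, for example, it accesses the DNS directly). The default is
++5 seconds. The value must be in the range 1 to INT_MAX.
++.P
++The file can also include comments beginning with a '#' character unless
++otherwise suppressed by being inside a quoted value or being escaped with a
++backslash.
++
++.SH FILES
++.ul
++/etc/key.dns_resolver.conf
++.ul 0
++.SH SEE ALSO
++\fBkey.dns_resolver\fR(8)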
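Review bot: In read_config's default_ttl branch of the key.dns_resolver.c hunk, `sscanf(v, "%u%n", &u, &n)` has undefined behaviour when the digits do not fit in an unsigned int (C11 7.21.6.2p10), so the `u > INT_MAX` check after it cannot be relied on to reject oversized values; parsing with strtoul and an ERANGE check gives a defined result, as shown below, and lets the then-unused `u` and `n` locals go. The same function passes plain `char` to isspace() in the leading-space trim, the trailing-space trim, the key trim and the value trim; a non-ASCII byte in the file is a negative value there, which is undefined for the ctype functions, so each call should go through `(unsigned char)`. The embedded commit description says the fallback TTL is 10 minutes, whereas the code sets `unsigned int key_expiry = 5;` and the new key.dns_resolver.conf(5) page says "The default is 5 seconds" — one of them is wrong and should be settled before a user reads the man page. The new man page also names `/etc/key.dns_resolver.conf` in DESCRIPTION and FILES while config_file in key.dns_resolver.c is `/etc/keyutils/key.dns_resolver.conf` (the Makefile hunk creates `$(ETCDIR)/keyutils` to match), refers to `key.dns_resolver(5)` where the page is section 8, and has "There program" for "The program" in key.dns_resolver.8. Since this is a verbatim upstream backport, those fixes belong in a follow-on patch rather than edits to this file.
```c
		if (strcmp(k, "default_ttl") == 0) {
			char *end;
			unsigned long ul;

			if (!v)
				goto missing_value;
			errno = 0;
			ul = strtoul(v, &end, 10);
			if (end == v)
				goto bad_value;
			if (*end)
				goto extra_data;
			if (errno == ERANGE || ul < 1 || ul > INT_MAX)
				goto out_of_range;
			key_expiry = ul;
		} else {
			/* … unchanged: unknown-option warning … */
```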
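--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@ pkg-config-install-tweaks.patch
 man-page-fixes.patch
 Tests-for-KEYCTL_MOVE-require-kernel-5.3-or-above.patch
 private-priv.patch
+apply-default-ttl-to-records.patch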
