Merge ~utkarsh/ubuntu/+source/keyutils:apply-default-ttl-to-records-impish into ubuntu/+source/keyutils:ubuntu/impish-devel

Proposed by Utkarsh Gupta
Status: Needs review
Proposed branch: ~utkarsh/ubuntu/+source/keyutils:apply-default-ttl-to-records-impish
Merge into: ubuntu/+source/keyutils:ubuntu/impish-devel
Diff against target: 553 lines (+531/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/apply-default-ttl-to-records.patch (+522/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Chris Newcomer Pending
Utkarsh Gupta Pending
git-ubuntu import Pending

Unmerged commits

7b0f7a2... by Utkarsh Gupta

Update d/ch for 1.6.1-2ubuntu2.1 release

3f83464... by Utkarsh Gupta

  * d/p/apply-default-ttl-to-records.patch: Add patch
    to apply default TTL to records obtained from
    getaddrinfo(). (LP: #1962453)

Preview Diff

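diff --git a/debian/changelog b/debian/changelog
index 2b581f6..52c1765 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+keyutils (1.6.1-2ubuntu2.1) impish; urgency=medium
+
+ * d/p/apply-default-ttl-to-records.patch: Add patch
+ to apply default TTL to records obtained from
+ getaddrinfo(). (LP: #1962453)
+
+ -- Utkarsh Gupta <utkarsh.gupta@canonical.com> Mon, 28 Feb 2022 16:20:06 +0530
+
 keyutils (1.6.1-2ubuntu2) impish; urgency=medium
 
  * No-change rebuild to build packages with zstd compression.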
diff --git a/debian/patches/apply-default-ttl-to-records.patch b/debian/patches/apply-default-ttl-to-records.patch
4new file mode 10064412new file mode 100644
index 0000000..d0776ce
--- /dev/null
+++ b/debian/patches/apply-default-ttl-to-records.patch
@@ -0,0 +1,522 @@
1From 75e7568dc516db698093b33ea273e1b4a30b70be Mon Sep 17 00:00:00 2001
2From: David Howells <dhowells@redhat.com>
3Date: Tue, 14 Apr 2020 16:07:26 +0100
4Subject: dns: Apply a default TTL to records obtained from getaddrinfo()
5 Address records obtained from getaddrinfo() don't come with any TTL
6 information, even if they're obtained from the DNS, with the result that
7 key.dns_resolver upcall program doesn't set an expiry time on dns_resolver
8 records unless they include a component obtained directly from the DNS,
9 such as an SRV or AFSDB record.
10 .
11 Fix this to apply a default TTL of 10mins in the event that we haven't got
12 one. This can be configured in /etc/keyutils/key.dns_resolver.conf by
13 adding the line:
14 .
15 default_ttl = <number-of-seconds>
16 .
17 to the file.
18 .
19 Signed-off-by: David Howells <dhowells@redhat.com>
20 Reviewed-by: Ben Boeckel <me@benboeckel.net>
21 Reviewed-by: Jeff Layton <jlayton@kernel.org>
22Origin: upstream, https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git/commit/?id=75e7568dc516db698093b33ea273e1b4a30b70be
23Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/keyutils/+bug/1962453
24Last-Updated: 2022-02-28
25
26---
27 Makefile | 1 +
28 dns.afsdb.c | 16 ++--
29 key.dns.h | 4 +
30 key.dns_resolver.c | 208 +++++++++++++++++++++++++++++++++++++++++---
31 man/key.dns_resolver.8 | 25 ++++--
32 man/key.dns_resolver.conf.5 | 48 ++++++++++
33 6 files changed, 277 insertions(+), 25 deletions(-)
34 create mode 100644 man/key.dns_resolver.conf.5
35
36--- a/Makefile
37+++ b/Makefile
38@@ -204,6 +204,7 @@
39 $(INSTALL) -D key.dns_resolver $(DESTDIR)$(SBINDIR)/key.dns_resolver
40 $(INSTALL) -D -m 0644 request-key.conf $(DESTDIR)$(ETCDIR)/request-key.conf
41 mkdir -p $(DESTDIR)$(ETCDIR)/request-key.d
42+ mkdir -p $(DESTDIR)$(ETCDIR)/keyutils
43 mkdir -p $(DESTDIR)$(MAN1)
44 $(INSTALL) -m 0644 $(wildcard man/*.1) $(DESTDIR)$(MAN1)
45 mkdir -p $(DESTDIR)$(MAN3)
46--- a/dns.afsdb.c
47+++ b/dns.afsdb.c
48@@ -37,8 +37,6 @@
49 */
50 #include "key.dns.h"
51
52-static unsigned long afs_ttl = ULONG_MAX;
53-
54 /*
55 *
56 */
57@@ -114,8 +112,8 @@
58 }
59 }
60
61- afs_ttl = ttl;
62- info("ttl: %u", ttl);
63+ key_expiry = ttl;
64+ info("ttl: %u", key_expiry);
65 }
66
67 /*
68@@ -203,8 +201,8 @@
69 }
70 }
71
72- afs_ttl = ttl;
73- info("ttl: %u", ttl);
74+ key_expiry = ttl;
75+ info("ttl: %u", key_expiry);
76 }
77
78 /*
79@@ -240,7 +238,7 @@
80 /* look up the hostnames we've obtained to get the actual addresses */
81 afsdb_hosts_to_addrs(handle, ns_s_an);
82
83- info("DNS query AFSDB RR results:%u ttl:%lu", payload_index, afs_ttl);
84+ info("DNS query AFSDB RR results:%u ttl:%u", payload_index, key_expiry);
85 return 0;
86 }
87
88@@ -279,7 +277,7 @@
89 /* look up the hostnames we've obtained to get the actual addresses */
90 srv_hosts_to_addrs(handle, ns_s_an);
91
92- info("DNS query VL SRV RR results:%u ttl:%lu", payload_index, afs_ttl);
93+ info("DNS query VL SRV RR results:%u ttl:%u", payload_index, key_expiry);
94 return 0;
95 }
96
97@@ -293,7 +291,7 @@
98
99 /* set the key's expiry time from the minimum TTL encountered */
100 if (!debug_mode) {
101- ret = keyctl_set_timeout(key, afs_ttl);
102+ ret = keyctl_set_timeout(key, key_expiry);
103 if (ret == -1)
104 error("%s: keyctl_set_timeout: %m", __func__);
105 }
106--- a/key.dns.h
107+++ b/key.dns.h
108@@ -29,6 +29,7 @@
109 #include <stdlib.h>
110 #include <unistd.h>
111 #include <time.h>
112+#include <ctype.h>
113
114 #define MAX_VLS 15 /* Max Volume Location Servers Per-Cell */
115 #define INET_IP4_ONLY 0x1
116@@ -42,6 +43,7 @@
117 extern key_serial_t key;
118 extern int debug_mode;
119 extern unsigned mask;
120+extern unsigned int key_expiry;
121
122 #define N_PAYLOAD 256
123 extern struct iovec payload[N_PAYLOAD];
124@@ -52,6 +54,8 @@
125 extern __attribute__((format(printf, 1, 2)))
126 void _error(const char *fmt, ...);
127 extern __attribute__((format(printf, 1, 2)))
128+void warning(const char *fmt, ...);
129+extern __attribute__((format(printf, 1, 2)))
130 void info(const char *fmt, ...);
131 extern __attribute__((noreturn))
132 void nsError(int err, const char *domain);
133--- a/key.dns_resolver.c
134+++ b/key.dns_resolver.c
135@@ -46,10 +46,13 @@
136 static const char a_query_type[] = "a";
137 static const char aaaa_query_type[] = "aaaa";
138 static const char afsdb_query_type[] = "afsdb";
139+static const char *config_file = "/etc/keyutils/key.dns_resolver.conf";
140+static bool config_specified = false;
141 key_serial_t key;
142 static int verbose;
143 int debug_mode;
144 unsigned mask = INET_ALL;
145+unsigned int key_expiry = 5;
146
147
148 /*
149@@ -106,6 +109,23 @@
150 }
151
152 /*
153+ * Print a warning to stderr or the syslog
154+ */
155+void warning(const char *fmt, ...)
156+{
157+ va_list va;
158+
159+ va_start(va, fmt);
160+ if (isatty(2)) {
161+ vfprintf(stderr, fmt, va);
162+ fputc('\n', stderr);
163+ } else {
164+ vsyslog(LOG_WARNING, fmt, va);
165+ }
166+ va_end(va);
167+}
168+
169+/*
170 * Print status information
171 */
172 void info(const char *fmt, ...)
173@@ -272,6 +292,7 @@
174 }
175
176 info("The key instantiation data is '%s'", buf);
177+ info("The expiry time is %us", key_expiry);
178 free(buf);
179 }
180
181@@ -412,6 +433,9 @@
182
183 /* load the key with data key */
184 if (!debug_mode) {
185+ ret = keyctl_set_timeout(key, key_expiry);
186+ if (ret == -1)
187+ error("%s: keyctl_set_timeout: %m", __func__);
188 ret = keyctl_instantiate_iov(key, payload, payload_index, 0);
189 if (ret == -1)
190 error("%s: keyctl_instantiate: %m", __func__);
191@@ -421,6 +445,157 @@
192 }
193
194 /*
195+ * Read the config file.
196+ */
197+static void read_config(void)
198+{
199+ FILE *f;
200+ char buf[4096], *b, *p, *k, *v;
201+ unsigned int line = 0, u;
202+ int n;
203+
204+ info("READ CONFIG %s", config_file);
205+
206+ f = fopen(config_file, "r");
207+ if (!f) {
208+ if (errno == ENOENT && !config_specified) {
209+ debug("%s: %m", config_file);
210+ return;
211+ }
212+ error("%s: %m", config_file);
213+ }
214+
215+ while (fgets(buf, sizeof(buf) - 1, f)) {
216+ line++;
217+
218+ /* Trim off leading and trailing spaces and discard whole-line
219+ * comments.
220+ */
221+ b = buf;
222+ while (isspace(*b))
223+ b++;
224+ if (!*b || *b == '#')
225+ continue;
226+ p = strchr(b, '\n');
227+ if (!p)
228+ error("%s:%u: line missing newline or too long", config_file, line);
229+ while (p > buf && isspace(p[-1]))
230+ p--;
231+ *p = 0;
232+
233+ /* Split into key[=value] pairs and trim spaces. */
234+ k = b;
235+ v = NULL;
236+ b = strchr(b, '=');
237+ if (b) {
238+ char quote = 0;
239+ bool esc = false;
240+
241+ if (b == k)
242+ error("%s:%u: Unspecified key",
243+ config_file, line);
244+
245+ /* NUL-terminate the key. */
246+ for (p = b - 1; isspace(*p); p--)
247+ ;
248+ p[1] = 0;
249+
250+ /* Strip leading spaces */
251+ b++;
252+ while (isspace(*b))
253+ b++;
254+ if (!*b)
255+ goto missing_value;
256+
257+ if (*b == '"' || *b == '\'') {
258+ quote = *b;
259+ b++;
260+ }
261+ v = p = b;
262+ while (*b) {
263+ if (esc) {
264+ switch (*b) {
265+ case ' ':
266+ case '\t':
267+ case '"':
268+ case '\'':
269+ case '\\':
270+ break;
271+ default:
272+ goto invalid_escape_char;
273+ }
274+ esc = false;
275+ *p++ = *b++;
276+ continue;
277+ }
278+ if (*b == '\\') {
279+ esc = true;
280+ b++;
281+ continue;
282+ }
283+ if (*b == quote) {
284+ b++;
285+ if (*b)
286+ goto post_quote_data;
287+ quote = 0;
288+ break;
289+ }
290+ if (!quote && *b == '#')
291+ break; /* Terminal comment */
292+ *p++ = *b++;
293+ }
294+
295+ if (esc)
296+ error("%s:%u: Incomplete escape", config_file, line);
297+ if (quote)
298+ error("%s:%u: Unclosed quotes", config_file, line);
299+ *p = 0;
300+ }
301+
302+ if (strcmp(k, "default_ttl") == 0) {
303+ if (!v)
304+ goto missing_value;
305+ if (sscanf(v, "%u%n", &u, &n) != 1)
306+ goto bad_value;
307+ if (v[n])
308+ goto extra_data;
309+ if (u < 1 || u > INT_MAX)
310+ goto out_of_range;
311+ key_expiry = u;
312+ } else {
313+ warning("%s:%u: Unknown option '%s'", config_file, line, k);
314+ }
315+ }
316+
317+ if (ferror(f) || fclose(f) == EOF)
318+ error("%s: %m", config_file);
319+ return;
320+
321+missing_value:
322+ error("%s:%u: %s: Missing value", config_file, line, k);
323+invalid_escape_char:
324+ error("%s:%u: %s: Invalid char in escape", config_file, line, k);
325+post_quote_data:
326+ error("%s:%u: %s: Data after closing quote", config_file, line, k);
327+bad_value:
328+ error("%s:%u: %s: Bad value", config_file, line, k);
329+extra_data:
330+ error("%s:%u: %s: Extra data supplied", config_file, line, k);
331+out_of_range:
332+ error("%s:%u: %s: Value out of range", config_file, line, k);
333+}
334+
335+/*
336+ * Dump the configuration after parsing the config file.
337+ */
338+static __attribute__((noreturn))
339+void config_dumper(void)
340+{
341+ printf("default_ttl = %u\n", key_expiry);
342+ exit(0);
343+}
344+
345+/*
346 * Print usage details,
347 */
348 static __attribute__((noreturn))
349@@ -428,22 +603,24 @@
350 {
351 if (isatty(2)) {
352 fprintf(stderr,
353- "Usage: %s [-vv] key_serial\n",
354+ "Usage: %s [-vv] [-c config] key_serial\n",
355 prog);
356 fprintf(stderr,
357- "Usage: %s -D [-vv] <desc> <calloutinfo>\n",
358+ "Usage: %s -D [-vv] [-c config] <desc> <calloutinfo>\n",
359 prog);
360 } else {
361- info("Usage: %s [-vv] key_serial", prog);
362+ info("Usage: %s [-vv] [-c config] key_serial", prog);
363 }
364 exit(2);
365 }
366
367-const struct option long_options[] = {
368- { "debug", 0, NULL, 'D' },
369- { "verbose", 0, NULL, 'v' },
370- { "version", 0, NULL, 'V' },
371- { NULL, 0, NULL, 0 }
372+static const struct option long_options[] = {
373+ { "config", 0, NULL, 'c' },
374+ { "debug", 0, NULL, 'D' },
375+ { "dump-config", 0, NULL, 2 },
376+ { "verbose", 0, NULL, 'v' },
377+ { "version", 0, NULL, 'V' },
378+ { NULL, 0, NULL, 0 }
379 };
380
381 /*
382@@ -455,11 +632,19 @@
383 char *keyend, *p;
384 char *callout_info = NULL;
385 char *buf = NULL, *name;
386+ bool dump_config = false;
387
388 openlog(prog, 0, LOG_DAEMON);
389
390- while ((ret = getopt_long(argc, argv, "vDV", long_options, NULL)) != -1) {
391+ while ((ret = getopt_long(argc, argv, "c:vDV", long_options, NULL)) != -1) {
392 switch (ret) {
393+ case 'c':
394+ config_file = optarg;
395+ config_specified = true;
396+ continue;
397+ case 2:
398+ dump_config = true;
399+ continue;
400 case 'D':
401 debug_mode = 1;
402 continue;
403@@ -481,6 +666,9 @@
404
405 argc -= optind;
406 argv += optind;
407+ read_config();
408+ if (dump_config)
409+ config_dumper();
410
411 if (!debug_mode) {
412 if (argc != 1)
413@@ -542,7 +730,7 @@
414 name++;
415
416 info("Query type: '%*.*s'", qtlen, qtlen, keyend);
417-
418+
419 if ((qtlen == sizeof(a_query_type) - 1 &&
420 memcmp(keyend, a_query_type, sizeof(a_query_type) - 1) == 0) ||
421 (qtlen == sizeof(aaaa_query_type) - 1 &&
422--- a/man/key.dns_resolver.8
423+++ b/man/key.dns_resolver.8
424@@ -7,28 +7,41 @@
425 .\" as published by the Free Software Foundation; either version
426 .\" 2 of the License, or (at your option) any later version.
427 .\"
428-.TH KEY.DNS_RESOLVER 8 "04 Mar 2011" Linux "Linux Key Management Utilities"
429+.TH KEY.DNS_RESOLVER 8 "18 May 2020" Linux "Linux Key Management Utilities"
430 .SH NAME
431 key.dns_resolver \- upcall for request\-key to handle dns_resolver keys
432 .SH SYNOPSIS
433 \fB/sbin/key.dns_resolver \fR<key>
434 .br
435-\fB/sbin/key.dns_resolver \fR\-D [\-v] [\-v] <keydesc> <calloutinfo>
436+\fB/sbin/key.dns_resolver \fR--dump-config [\-c <configfile>]
437+.br
438+\fB/sbin/key.dns_resolver \fR\-D [\-v] [\-v] [\-c <configfile>] <desc>
439+.br
440+<calloutinfo>
441 .SH DESCRIPTION
442 This program is invoked by request\-key on behalf of the kernel when kernel
443 services (such as NFS, CIFS and AFS) want to perform a hostname lookup and the
444 kernel does not have the key cached. It is not ordinarily intended to be
445 called directly.
446 .P
447-It can be called in debugging mode to test its functionality by passing a
448-\fB\-D\fR flag on the command line. For this to work, the key description and
449-the callout information must be supplied. Verbosity can be increased by
450-supplying one or more \fB\-v\fR flags.
451+There program has internal parameters that can be changed with a configuration
452+file (see key.dns_resolver.conf(5) for more information). The default
453+configuration file is in /etc, but this can be overridden with the \fB-c\fR
454+flag.
455+.P
456+The program can be called in debugging mode to test its functionality by
457+passing a \fB\-D\fR or \fB\--debug\fR flag on the command line. For this to
458+work, the key description and the callout information must be supplied.
459+Verbosity can be increased by supplying one or more \fB\-v\fR flags.
460+.P
461+The program may also be called with \fB--dump-config\fR to show the values that
462+configurable parameters will have after parsing the config file.
463 .SH ERRORS
464 All errors will be logged to the syslog.
465 .SH SEE ALSO
466 .ad l
467 .nh
468+.BR key.dns_resolver.conf (5),
469 .BR request\-key.conf (5),
470 .BR keyrings (7),
471 .BR request\-key (8)
472--- /dev/null
473+++ b/man/key.dns_resolver.conf.5
474@@ -0,0 +1,48 @@
475+.\" -*- nroff -*-
476+.\" Copyright (C) 2020 Red Hat, Inc. All Rights Reserved.
477+.\" Written by David Howells (dhowells@redhat.com)
478+.\"
479+.\" This program is free software; you can redistribute it and/or
480+.\" modify it under the terms of the GNU General Public License
481+.\" as published by the Free Software Foundation; either version
482+.\" 2 of the License, or (at your option) any later version.
483+.\"
484+.TH KEY.DNS_RESOLVER.CONF 5 "18 May 2020" Linux "Linux Key Management Utilities"
485+.SH NAME
486+key.dns_resolver.conf \- Kernel DNS resolver config
487+.SH DESCRIPTION
488+This file is used by the key.dns_resolver(5) program to set parameters.
489+Unless otherwise overridden with the \fB\-c\fR flag, the program reads:
490+.IP
491+/etc/key.dns_resolver.conf
492+.P
493+Configuration options are given in \fBkey[=value]\fR form, where \fBvalue\fR is
494+optional. If present, the value may be surrounded by a pair of single ('') or
495+double quotes ("") which will be stripped off. The special characters in the
496+value may be escaped with a backslash to turn them into ordinary characters.
497+.P
498+Lines beginning with a '#' are considered comments and ignored. A '#' symbol
499+anywhere after the '=' makes the rest of the line into a comment unless the '#'
500+is inside a quoted section or is escaped.
501+.P
502+Leading and trailing spaces and spaces around the '=' symbol will be stripped
503+off.
504+.P
505+Available options include:
506+.TP
507+.B default_ttl=<number>
508+The number of seconds to set as the expiration on a cached record. This will
509+be overridden if the program manages to retrieve TTL information along with
510+the addresses (if, for example, it accesses the DNS directly). The default is
511+5 seconds. The value must be in the range 1 to INT_MAX.
512+.P
513+The file can also include comments beginning with a '#' character unless
514+otherwise suppressed by being inside a quoted value or being escaped with a
515+backslash.
516+
517+.SH FILES
518+.ul
519+/etc/key.dns_resolver.conf
520+.ul 0
521+.SH SEE ALSO
522+\fBkey.dns_resolver\fR(8)
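Review bot: The new man page key.dns_resolver.conf.5 (both the DESCRIPTION paragraph and the FILES section) names `/etc/key.dns_resolver.conf`, but the code's default `config_file` and the Makefile's new `mkdir -p $(DESTDIR)$(ETCDIR)/keyutils` place it at `/etc/keyutils/key.dns_resolver.conf`; because read_config() deliberately ignores ENOENT on the default path (`if (errno == ENOENT && !config_specified)`), an operator who follows the man page gets no error and the expiry silently stays at the built-in default. Both man-page occurrences should read `/etc/keyutils/key.dns_resolver.conf`, and the cross-reference `key.dns_resolver(5)` in that page should be `key.dns_resolver(8)`. The upstream description in the patch header also says the fallback TTL is 10 minutes, while the code sets `unsigned int key_expiry = 5;` and the man page says "The default is 5 seconds" — a line in the Ubuntu patch header or changelog stating the effective default (5 s) would keep SRU verification from testing the wrong value. Two smaller robustness points in read_config(): the `isspace(*b)` / `isspace(p[-1])` calls should pass `(unsigned char)` values, since a negative `char` (e.g. a UTF-8 byte in a comment) is undefined behaviour for the <ctype.h> functions, and `sscanf(v, "%u%n", &u, &n)` is undefined when the number does not fit an unsigned int (C11 7.21.6.2), so `strtoul` with an `errno == ERANGE` check is the safer parser; the file is root-owned, so these are correctness rather than exploitability concerns.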
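diff --git a/debian/patches/series b/debian/patches/series
index 5631eeb..5f4637c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@ pkg-config-install-tweaks.patch
 man-page-fixes.patch
 Tests-for-KEYCTL_MOVE-require-kernel-5.3-or-above.patch
 private-priv.patch
+apply-default-ttl-to-records.patch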
