public inbox for ipfire-scm@lists.ipfire.org
From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, master, updated. 9029c9d056e2251b6c1130b2b3a8f0e5a77bff40
Date: Thu, 12 Mar 2015 13:09:00 +0100	[thread overview]
Message-ID: <20150312120901.67E7721F24@argus.ipfire.org> (raw)


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, master has been updated
       via  9029c9d056e2251b6c1130b2b3a8f0e5a77bff40 (commit)
       via  e5f58910c522420511f793e84282343b2e6506a6 (commit)
       via  de7abd2cd52e3751ac94d5d56ae9ff510311fc67 (commit)
       via  6f67121767baf299bb118da35dfe35732f98a9f7 (commit)
       via  6409aa7e549d236eedaeae35c84d5e9c1a10ff18 (commit)
       via  d0bd5afe1b27020b41d0e7e043578e313a0ebf39 (commit)
       via  33bfe91f5b3a332f8a711d00de8f967243daf6c5 (commit)
      from  a71beeb2342c5dcc3c99c5523e74c3914b9cbee9 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 9029c9d056e2251b6c1130b2b3a8f0e5a77bff40
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Mar 12 13:07:44 2015 +0100

    Add more missing files of Core Update 88

commit e5f58910c522420511f793e84282343b2e6506a6
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Mar 10 16:21:58 2015 +0100

    dnsmasq: Import more patches from upstream

commit de7abd2cd52e3751ac94d5d56ae9ff510311fc67
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Mar 10 16:22:09 2015 +0100

    dnsmasq: Enable DNSSEC timestamp feature
    
    This disables DNSSEC until the system clock has been set correctly.
    There is a circular dependency on working DNS and being able to
    resolve DNS records in order to reach a time server. Systems without
    an RTC or with an empty RTC battery will start up with time way in the
    past, in which all DNSSEC signatures are invalid.

commit 6f67121767baf299bb118da35dfe35732f98a9f7
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Mar 12 12:58:04 2015 +0100

    core88: Add ddns.cgi to updater

commit 6409aa7e549d236eedaeae35c84d5e9c1a10ff18
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Sun Sep 7 15:44:19 2014 +0200

    ddns.cgi: Add token handling for zzzz.io.

commit d0bd5afe1b27020b41d0e7e043578e313a0ebf39
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Mar 12 12:55:40 2015 +0100

    openssl: Disable SSLv3 and SSLv2 by default
    
    This patch will disable SSLv3 and SSLv2 by default but leaves
    the protocols compiled into the library so that applications
    can use them when they still need them (e.g. sslscan).

commit 33bfe91f5b3a332f8a711d00de8f967243daf6c5
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Mar 12 12:55:05 2015 +0100

    Revert "openssl: Disable SSLv2 and SSLv3."
    
    This reverts commit 98a5192ef2f3cde9b9c6867f69f3a400f3c62ec5.

-----------------------------------------------------------------------
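The clock-versus-DNSSEC dependency described in the "dnsmasq: Enable DNSSEC timestamp feature" commit message above, worked through as an added example. This is not code from the email, from dnsmasq or from IPFire; it is a small model of the --dnssec-timestamp mechanism: a file whose mtime starts at 1-1-2015, signature time checks suspended while the clock is behind that mtime, and the mtime advanced (so the next cold boot with a dead RTC is still caught) once the clock has passed it. The path TS_PATH and the explicit `now` argument are assumptions made so the example runs offline and deterministically; real dnsmasq uses its configured timestamp file and time(NULL).

```c
/*
 * Added example, not dnsmasq's or IPFire's code: a model of the
 * --dnssec-timestamp logic. TS_PATH and the explicit 'now' parameter
 * are assumptions so the example runs offline and deterministically.
 *
 * Build: cc -Wall -o ts_demo ts_demo.c && ./ts_demo
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>
#include <utime.h>

#define TS_PATH  "/tmp/dnssec-timestamp-example"   /* assumed demo path */
#define TS_EPOCH 1420070400L                        /* 1-1-2015, as in patch 0057 */

static time_t timestamp_time;   /* mtime of the timestamp file */
static int    clock_trusted;    /* 1 once 'now' has passed the stamp */

/*
 * Same contract as setup_timestamp() in patch 0057:
 *   -1  cannot create the file
 *    0  stamp is in the past: clock trusted, stamp refreshed to 'now'
 *    1  stamp is in the future: clock not trusted yet
 * A missing file is created (O_EXCL) with mtime 1-1-2015.
 */
int setup_timestamp(const char *path, time_t now)
{
    struct stat st;
    struct utimbuf tb;

    clock_trusted = 0;
    if (!path)
        return 0;

    if (stat(path, &st) == 0) {
        timestamp_time = st.st_mtime;
    } else if (errno == ENOENT) {
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
        if (fd == -1)
            return -1;
        close(fd);
        tb.actime = tb.modtime = TS_EPOCH;
        if (utime(path, &tb) != 0)
            return -1;
        timestamp_time = TS_EPOCH;
    } else {
        return -1;
    }

    if (now < timestamp_time)
        return 1;                /* clock behind the stamp, e.g. dead RTC */

    /* Clock already past the stamp: move the stamp forward and trust it. */
    tb.actime = tb.modtime = now;
    utime(path, &tb);
    timestamp_time = now;
    clock_trusted = 1;
    return 0;
}

/*
 * RRSIG validity-window check as validation would apply it. While the
 * clock is untrusted the inception/expiration test is skipped, so DNS
 * keeps working and a time server can be reached. The first time 'now'
 * passes the stamp, the stamp is advanced to 'now' and the check is
 * enforced from then on. Returns 1 if the signature is acceptable.
 */
int rrsig_time_ok(const char *path, time_t now, time_t inception, time_t expiration)
{
    struct utimbuf tb;

    if (!clock_trusted) {
        if (now < timestamp_time)
            return 1;            /* time check suspended */
        tb.actime = tb.modtime = now;
        if (utime(path, &tb) != 0)
            fprintf(stderr, "cannot update %s: %s\n", path, strerror(errno));
        timestamp_time = now;
        clock_trusted = 1;
    }
    return inception <= now && now <= expiration;
}

int main(void)
{
    unlink(TS_PATH);
    /* first boot with a dead RTC: clock says 2000-01-01 */
    printf("setup, clock=2000:        %d\n", setup_timestamp(TS_PATH, 946684800L));
    printf("rrsig while untrusted:    %d\n", rrsig_time_ok(TS_PATH, 946684800L, 1425000000L, 1426000000L));
    /* NTP fixed the clock to 2015-03-10, one second past the signature's expiration */
    printf("rrsig after clock fix:    %d\n", rrsig_time_ok(TS_PATH, 1426000001L, 1425000000L, 1426000000L));
    /* next boot, RTC dead again: the stamp is now 2015-03-10, so still untrusted */
    printf("setup on reboot, clock=2000: %d\n", setup_timestamp(TS_PATH, 946684800L));
    return 0;
}
```

The point the second setup call makes is why the stamp has to live on a persistent filesystem: once it has been advanced to a real date, a later boot with the clock back at 2000 is detected even though the file already existed.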

Summary of changes:
 config/rootfiles/core/88/filelists/files           |  11 ++
 .../{oldcore/87 => core/88}/filelists/strongswan   |   0
 .../{oldcore/87 => core/88}/filelists/tzdata       |   0
 html/cgi-bin/ddns.cgi                              |   3 +-
 lfs/crda                                           |   1 -
 lfs/dnsmasq                                        |   2 +
 lfs/openssl                                        |   3 +-
 src/initscripts/init.d/dnsmasq                     |   2 +-
 src/patches/crda-3.13-crypto_use_optional.patch    |  22 ---
 .../0056-New-version-of-contrib-reverse-dns.patch  | 194 ++++++++++++++++++++
 ...C-timestamp-code-to-create-file-later-rem.patch | 202 +++++++++++++++++++++
 src/patches/openssl-disable-sslv2-sslv3.patch      |  13 ++
 12 files changed, 426 insertions(+), 27 deletions(-)
 copy config/rootfiles/{oldcore/87 => core/88}/filelists/strongswan (100%)
 copy config/rootfiles/{oldcore/87 => core/88}/filelists/tzdata (100%)
 delete mode 100644 src/patches/crda-3.13-crypto_use_optional.patch
 create mode 100644 src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch
 create mode 100644 src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch
 create mode 100644 src/patches/openssl-disable-sslv2-sslv3.patch

Difference in files:
diff --git a/config/rootfiles/core/88/filelists/files b/config/rootfiles/core/88/filelists/files
index fb7073e..5ed7194 100644
--- a/config/rootfiles/core/88/filelists/files
+++ b/config/rootfiles/core/88/filelists/files
@@ -1,7 +1,18 @@
 etc/system-release
 etc/issue
+etc/collectd.conf
+etc/collectd.vpn
+etc/rc.d/init.d/dnsmasq
+srv/web/ipfire/cgi-bin/ddns.cgi
+srv/web/ipfire/cgi-bin/firewall.cgi
 srv/web/ipfire/cgi-bin/fwhosts.cgi
+srv/web/ipfire/cgi-bin/ids.cgi
+srv/web/ipfire/cgi-bin/netovpnrw.cgi
+srv/web/ipfire/cgi-bin/netovpnsrv.cgi
 srv/web/ipfire/cgi-bin/ovpnmain.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
 var/ipfire/backup/bin/backup.pl
+var/ipfire/graphs.pl
 var/ipfire/langs
 var/ipfire/lang.pl
+var/ipfire/menu.d/20-status.menu
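Review bot: this push also rebuilds openssl (lfs/openssl plus the new openssl-disable-sslv2-sslv3.patch) and dnsmasq (lfs/dnsmasq with patches 0056/0057), yet the only package filelists added to core/88 in this diff are the strongswan and tzdata symlinks; confirm that config/rootfiles/core/88/filelists already carries openssl and dnsmasq entries, otherwise the rebuilt libssl/libcrypto and dnsmasq binary will not ship with Core Update 88 even though etc/rc.d/init.d/dnsmasq, which now passes --dnssec-timestamp, does.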
diff --git a/config/rootfiles/core/88/filelists/strongswan b/config/rootfiles/core/88/filelists/strongswan
new file mode 120000
index 0000000..90c727e
--- /dev/null
+++ b/config/rootfiles/core/88/filelists/strongswan
@@ -0,0 +1 @@
+../../../common/strongswan
\ No newline at end of file
diff --git a/config/rootfiles/core/88/filelists/tzdata b/config/rootfiles/core/88/filelists/tzdata
new file mode 120000
index 0000000..5a6e325
--- /dev/null
+++ b/config/rootfiles/core/88/filelists/tzdata
@@ -0,0 +1 @@
+../../../common/tzdata
\ No newline at end of file
diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi
index ea30319..044aa97 100644
--- a/html/cgi-bin/ddns.cgi
+++ b/html/cgi-bin/ddns.cgi
@@ -667,7 +667,8 @@ sub GenerateDDNSConfigFile {
 		my $use_token = 0;
 
 		# Handle token based auth for various providers.
-		if ($provider ~~ ["dns.lightningwirelabs.com", "entrydns.net", "regfish.com", "spdns.de"] && $username eq "token") {
+		if ($provider ~~ ["dns.lightningwirelabs.com", "entrydns.net", "regfish.com",
+				  "spdns.de", "zzzz.io"] && $username eq "token") {
 			$use_token = 1;
 
 		# Handle token auth for freedns.afraid.org and regfish.com.
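Review bot: the smartmatch operator `~~` used in this condition is marked experimental in Perl and emits a warning from 5.18 on; since the list is being reflowed anyway, `grep { $_ eq $provider } (...)` would avoid that. The comment that follows, "Handle token auth for freedns.afraid.org and regfish.com.", now overlaps with regfish.com already being matched by this branch; state which regfish case each branch covers so the next provider addition does not land in the wrong one.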
diff --git a/lfs/crda b/lfs/crda
index 2b1aff8..8bee258 100644
--- a/lfs/crda
+++ b/lfs/crda
@@ -71,7 +71,6 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/crda-3.13-crypto_use_optional.patch
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
 	@rm -rf $(DIR_APP)
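Review bot: none of the commit messages in this push mentions crda, so dropping crda-3.13-crypto_use_optional.patch is undocumented; the deleted patch (see the deleted file below) rewrote the Makefile block that selects USE_GCRYPT for crda's crypto support, so the log should state whether crda now builds with upstream's default crypto handling and why the patch is no longer needed.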
diff --git a/lfs/dnsmasq b/lfs/dnsmasq
index c256f75..4bb7f9f 100644
--- a/lfs/dnsmasq
+++ b/lfs/dnsmasq
@@ -128,6 +128,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0053-Log-parsing-utils-in-contrib-reverse-dns.patch
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0054-Add-dnssec-timestamp-option-and-facility.patch
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0055-Fix-last-commit-to-not-crash-if-uid-changing-not-con.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
 	cd $(DIR_APP) && sed -i src/config.h \
 		-e 's|/\* #define HAVE_IDN \*/|#define HAVE_IDN|g' \
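Review bot: 0056 changes only contrib/reverse-dns, which is not compiled into the dnsmasq binary, so it is carried purely to keep the upstream series contiguous ahead of 0057; that is fine, but worth a sentence in the log, since "Import more patches from upstream" gives no hint that one of the two is a no-op for the build. 0057 moves creation of the timestamp file to after dnsmasq has dropped root, so whatever path is configured for it must be on a persistent filesystem and writable by the user dnsmasq runs as; make sure that directory exists with the right owner in the update, or the daemon will refuse to start with "cannot create timestamp file".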
diff --git a/lfs/openssl b/lfs/openssl
index 82f26bd..df068f3 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -86,6 +86,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-cryptodev.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-fix_parallel_build-1.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-weak-ciphers.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-disable-sslv2-sslv3.patch
 
 	cd $(DIR_APP) && find crypto/ -name Makefile -exec \
 		sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \;
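Review bot: the new patch's headers are against openssl-1.0.1h/ssl/ssl_lib.c while the neighbouring patches are named for 1.0.1e; whichever tarball this lfs file actually unpacks, check the build log for this `patch -Np1 <` line applying with fuzz or offset, since a hunk that lands in the wrong place would not abort make the way an outright failure does.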
@@ -105,8 +106,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		no-mdc2 \
 		no-rc5 \
 		no-srp \
-		no-ssl2 \
-		no-ssl3 \
 		$(CONFIGURE_ARGS) \
 		-DSSL_FORBID_ENULL \
 		-DHAVE_CRYPTODEV \
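Review bot: removing no-ssl2/no-ssl3 brings the SSLv2 and SSLv3 implementations, including the SSLv2 handshake and its cipher suites, back into libssl for every consumer; the compensating patch only ORs SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 into freshly created contexts, which its own comment says affects SSLv23_method() only, so anything calling SSLv2_method()/SSLv3_method() directly or clearing the options with SSL_CTX_clear_options() gets the old protocols. That is the stated intent (sslscan), but the commit message should name which shipped consumers are expected to do this, because every other binary linked against libssl now carries that code as attack surface without a build-time way to exclude it.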
diff --git a/src/initscripts/init.d/dnsmasq b/src/initscripts/init.d/dnsmasq
index 48b9d19..4e37925 100644
--- a/src/initscripts/init.d/dnsmasq
+++ b/src/initscripts/init.d/dnsmasq
@@ -26,7 +26,7 @@ SHOW_SRV=1
 TRUST_ANCHOR=".,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
 
 function dnssec_args() {
-	local cmdline="--dnssec"
+	local cmdline="--dnssec --dnssec-timestamp"
 
 	if [ -n "${TRUST_ANCHOR}" ]; then
 		cmdline="${cmdline} --trust-anchor=${TRUST_ANCHOR}"
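Review bot: `--dnssec-timestamp` is passed here without a path, but the man page text added in patch 0057 describes the option as checking "the timestamp on the specified file", i.e. it names a file; if the option is declared with a required argument, the next token on the command line (the `--trust-anchor=...` built two lines down, or whatever follows) would be taken as the file name. Pass an explicit `--dnssec-timestamp=/path` on a persistent filesystem (not a tmpfs run directory, since the mtime must survive reboots) in a directory writable by the user dnsmasq drops to, as the same man page hunk requires.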
diff --git a/src/patches/crda-3.13-crypto_use_optional.patch b/src/patches/crda-3.13-crypto_use_optional.patch
deleted file mode 100644
index 56ad6b7..0000000
--- a/src/patches/crda-3.13-crypto_use_optional.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Submitted By: hauke from OpenWRT
-Date: 2009-04-17
-Initial Package Version: 1.0.2
-Origin: https://dev.openwrt.org/changeset/15405/trunk/package/crda/patches/101-make_crypto_use_optional.patch
-Description: The patch was modified for version crda-3.13 by Erik Kapfer <erik.kapfer(a)ipfire.org>..
-This patch provides the following improvements:
-    * Crypto usage is optional.
-
-diff -Nur crda-3.13.orig/Makefile crda-3.13/Makefile
---- crda-3.13.orig/Makefile	2015-01-12 07:55:08.791183765 +0100
-+++ crda-3.13/Makefile	2015-01-12 07:56:35.437381029 +0100
-@@ -43,7 +43,9 @@
- 
- $(LIBREG): keys-ssl.c
- 
--else
-+endif
-+
-+ifeq ($(USE_GCRYPT),1)
- CFLAGS += -DUSE_GCRYPT
- LDLIBS += -lgcrypt
- 
diff --git a/src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch b/src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch
new file mode 100644
index 0000000..9a05215
--- /dev/null
+++ b/src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch
@@ -0,0 +1,194 @@
+From 4c960fa90a975d20f75a1ecabd217247f1922c8f Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Wed, 4 Mar 2015 20:32:26 +0000
+Subject: [PATCH 56/57] New version of contrib/reverse-dns
+
+---
+ contrib/reverse-dns/README             |  22 +++---
+ contrib/reverse-dns/reverse_replace.sh | 131 ++++++++++++++++++++++++++++-----
+ 2 files changed, 125 insertions(+), 28 deletions(-)
+
+diff --git a/contrib/reverse-dns/README b/contrib/reverse-dns/README
+index f87eb77c4c22..2ec4df1f957e 100644
+--- a/contrib/reverse-dns/README
++++ b/contrib/reverse-dns/README
+@@ -1,18 +1,18 @@
+-Hi.
++The script reads stdin and replaces all IP addresses with names before
++outputting it again. IPs from private networks are reverse looked  up
++via dns. Other IP adresses are searched for in the dnsmasq query log.
++This gives names (CNAMEs if I understand DNS correctly) that are closer
++to the name the client originally asked for then the names obtained by
++reverse lookup. Just run
+ 
+-To translate my routers netstat-nat output into names that actually talk
+-to me I have started writing to simple shell scripts. They require 
++netstat -n -4 | ./reverse_replace.sh 
++
++to see what it does. It needs 
+ 
+ log-queries
+ log-facility=/var/log/dnsmasq.log
+ 
+-to be set. With
+-
+-netstat-nat -n -4 | reverse_replace.sh 
+-
+-I get retranslated output.
+-
+-Sincerely,
+-Joachim
++in the dnsmasq configuration.
+ 
++The script runs on debian (with ash installed) and on busybox.
+ 
+diff --git a/contrib/reverse-dns/reverse_replace.sh b/contrib/reverse-dns/reverse_replace.sh
+index a11c164b7f19..5b4aebd71456 100644
+--- a/contrib/reverse-dns/reverse_replace.sh
++++ b/contrib/reverse-dns/reverse_replace.sh
+@@ -1,28 +1,125 @@
+-#!/bin/bash
+-# $Id: reverse_replace.sh 4 2015-02-17 20:14:59Z jo $
++#!/bin/ash
++# $Id: reverse_replace.sh 18 2015-03-01 16:12:35Z jo $
+ #
+ # Usage e.g.: netstat -n -4 | reverse_replace.sh 
+ # Parses stdin for IP4 addresses and replaces them 
+-# with names retrieved by reverse_dns.sh
++# with names retrieved by parsing the dnsmasq log.
++# This currently only gives CNAMEs. But these 
++# usually tell ou more than the mones from reverse 
++# lookups. 
++#
++# This has been tested on debian and asuswrt. Plese
++# report successful tests on other platforms.
++#
++# Author: Joachim Zobel <jz-2014(a)heute-morgen.de>
++# License: Consider this MIT style licensed. You can 
++#   do as you ike, but you must not remove my name.
+ #
+ 
+-DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+-DNS=$DIR/reverse_dns.sh
++LOG=/var/log/dnsmasq.log
++MAX_LINES=15000
+ 
+-# sed regex
++# sed regex do match IPs
+ IP_regex='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
++# private IP ranges
++IP_private='\(^127\.\)\|\(^192\.168\.\)\|\(^10\.\)\|\(^172\.1[6-9]\.\)\|\(^172\.2[0-9]\.\)\|\(^172\.3[0-1]\.\)'
+ 
+-while read LINE; do
+-  if grep --quiet $IP_regex <<< "$LINE"; then
+-    IPs=`sed "s#.*\b\($IP_regex\)\b.*#\1 #g" <<< "$LINE"`
+-    IPs=($IPs)
+-    for IP in "${IPs[@]}"
+-    do
+-      NAME=`$DNS $IP`
+-      # echo "$NAME is $IP";
+-      LINE="${LINE/$IP/$NAME}" 
+-    done
++#######################################################################
++# Find Commands
++  
++HOST=nslookup
++if type host > /dev/null 2>&1; then
++  # echo "No need for nslookup, host is there"
++  HOST=host
++fi
++
++#######################################################################
++# Functions
++
++# Use shell variables for an (IP) lookup table
++create_lookup_table()
++{
++  # Parse log into lookup table
++  local CMDS="$( tail -"$MAX_LINES" "$LOG" | \
++    grep " is $IP_regex" | \
++    sed "s#.* \([^ ]*\) is \($IP_regex\).*#set_val \2 \1;#" )"
++
++  local IFS='
++'
++  for CMD in $CMDS
++  do
++    eval $CMD
++  done
++}
++
++set_val()
++{
++  local _IP=$(echo $1 | tr . _)
++  local KEY="__IP__$_IP"
++  eval "$KEY"=$2
++}
++
++get_val()
++{
++  local _IP=$(echo $1 | tr . _)
++  local KEY="__IP__$_IP"
++  eval echo -n '${'"$KEY"'}'
++}
++
++dns_lookup()
++{
++  local IP=$1
++
++  local RTN="$($HOST $IP | \
++        sed 's#\s\+#\n#g' | \
++        grep -v '^$' | \
++        tail -1 | tr -d '\n' | \
++        sed 's#\.$##')"
++  if echo $RTN | grep -q NXDOMAIN; then
++    echo -n $IP
++  else
++    echo -n "$RTN"
++  fi     
++}
++
++reverse_dns()
++{
++  local IP=$1
++
++  # Skip if it is not an IP
++  if ! echo $IP | grep -q "^$IP_regex$"; then
++    echo -n $IP
++    return 
++  fi
++    
++  # Do a dns lookup, if it is a local IP
++  if echo $IP | grep -q $IP_private; then
++    dns_lookup $IP
++    return
+   fi
++    
++  local NAME="$(get_val $IP)"
++  
++  if [ -z "$NAME" ]; then
++    echo -n $IP
++  else
++    echo -n $NAME
++  fi
++}
++
++#######################################################################
++# Main
++create_lookup_table
++
++while read LINE; do
++  for IP in $(echo "$LINE" | \
++              sed "s#\b\($IP_regex\)\b#\n\1\n#g" | \
++              grep $IP_regex) 
++  do
++    NAME=`reverse_dns $IP `
++    # echo "$NAME $IP"
++    LINE=`echo "$LINE" | sed "s#$IP#$NAME#" ` 
++  done
+   echo $LINE
+-done < /dev/stdin
++done
+ 
+-- 
+2.1.0
+
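Review bot: in create_lookup_table, names parsed out of the query log reach `eval $CMD` unquoted: the sed on `s#.* \([^ ]*\) is \($IP_regex\).*#set_val \2 \1;#` accepts any non-space characters as the name, and set_val then does `eval "$KEY"=$2`, so a logged query name containing shell metacharacters would be evaluated by whoever runs the script. Since the names come from client queries that dnsmasq logs, restrict the captured name to `[A-Za-z0-9._-]*` (or quote `$2` inside set_val) before eval. Also, `sed "s#$IP#$NAME#"` in the main loop uses the IP with unescaped dots, so `10.1.1.1` also matches `10x1y1z1`-style runs; escaping the dots avoids mis-replacements. None of this affects the IPFire build, as contrib/reverse-dns is not installed, but it is the only content of this patch.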
diff --git a/src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch b/src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch
new file mode 100644
index 0000000..df47cd0
--- /dev/null
+++ b/src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch
@@ -0,0 +1,202 @@
+From 360f2513ab12a9bf1e262d388dd2ea8a566590a3 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Sat, 7 Mar 2015 18:28:06 +0000
+Subject: [PATCH 57/57] Tweak DNSSEC timestamp code to create file later,
+ removing need to chown it.
+
+---
+ man/dnsmasq.8 |  3 ++-
+ src/dnsmasq.c | 35 ++++++++++++++++++++++-------------
+ src/dnsmasq.h |  3 ++-
+ src/dnssec.c  | 18 ++++++++++--------
+ 4 files changed, 36 insertions(+), 23 deletions(-)
+
+diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
+index 097e7d75145c..2db780d90987 100644
+--- a/man/dnsmasq.8
++++ b/man/dnsmasq.8
+@@ -678,7 +678,8 @@ which have not been throughly checked.
+ Enables an alternative way of checking the validity of the system time for DNSSEC (see --dnssec-no-timecheck). In this case, the 
+ system time is considered to be valid once it becomes later than the timestamp on the specified file. The file is created and 
+ its timestamp set automatically by dnsmasq. The file must be stored on a persistent filesystem, so that it and its mtime are carried 
+-over system restarts. 
++over system restarts. The timestamp file is created after dnsmasq has dropped root, so it must be in a location writable by the 
++unprivileged user that dnsmasq runs as.
+ .TP
+ .B --proxy-dnssec
+ Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it.  This is an 
+diff --git a/src/dnsmasq.c b/src/dnsmasq.c
+index 9e05c0e31569..f3e5bcffec4f 100644
+--- a/src/dnsmasq.c
++++ b/src/dnsmasq.c
+@@ -58,9 +58,6 @@ int main (int argc, char **argv)
+   struct dhcp_context *context;
+   struct dhcp_relay *relay;
+ #endif
+-#ifdef HAVE_DNSSEC
+-  int badtime;
+-#endif
+ 
+ #ifdef LOCALEDIR
+   setlocale(LC_ALL, "");
+@@ -156,10 +153,10 @@ int main (int argc, char **argv)
+     {
+ #ifdef HAVE_DNSSEC
+       if (!daemon->ds)
+-	die(_("No trust anchors provided for DNSSEC"), NULL, EC_BADCONF);
++	die(_("no trust anchors provided for DNSSEC"), NULL, EC_BADCONF);
+       
+       if (daemon->cachesize < CACHESIZ)
+-	die(_("Cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF);
++	die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF);
+ #else 
+       die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF);
+ #endif
+@@ -172,10 +169,10 @@ int main (int argc, char **argv)
+ 
+ #ifdef HAVE_CONNTRACK
+   if (option_bool(OPT_CONNTRACK) && (daemon->query_port != 0 || daemon->osport))
+-    die (_("Cannot use --conntrack AND --query-port"), NULL, EC_BADCONF); 
++    die (_("cannot use --conntrack AND --query-port"), NULL, EC_BADCONF); 
+ #else
+   if (option_bool(OPT_CONNTRACK))
+-    die(_("Conntrack support not available: set HAVE_CONNTRACK in src/config.h"), NULL, EC_BADCONF);
++    die(_("conntrack support not available: set HAVE_CONNTRACK in src/config.h"), NULL, EC_BADCONF);
+ #endif
+ 
+ #ifdef HAVE_SOLARIS_NETWORK
+@@ -195,7 +192,7 @@ int main (int argc, char **argv)
+ 
+ #ifndef HAVE_LOOP
+   if (option_bool(OPT_LOOP_DETECT))
+-    die(_("Loop detection not available: set HAVE_LOOP in src/config.h"), NULL, EC_BADCONF);
++    die(_("loop detection not available: set HAVE_LOOP in src/config.h"), NULL, EC_BADCONF);
+ #endif
+   
+   now = dnsmasq_time();
+@@ -373,10 +370,6 @@ int main (int argc, char **argv)
+   if (baduser)
+     die(_("unknown user or group: %s"), baduser, EC_BADCONF);
+ 
+-#ifdef HAVE_DNSSEC  
+-  badtime = setup_timestamp(ent_pw);
+-#endif
+-
+   /* implement group defaults, "dip" if available, or group associated with uid */
+   if (!daemon->group_set && !gp)
+     {
+@@ -693,10 +686,23 @@ int main (int argc, char **argv)
+ #ifdef HAVE_DNSSEC
+   if (option_bool(OPT_DNSSEC_VALID))
+     {
++      int rc;
++
++      /* Delay creating the timestamp file until here, after we've changed user, so that
++	 it has the correct owner to allow updating the mtime later. 
++	 This means we have to report fatal errors via the pipe. */
++      if ((rc = setup_timestamp()) == -1)
++	{
++	  send_event(err_pipe[1], EVENT_TIME_ERR, errno, daemon->timestamp_file);
++	  _exit(0);
++	}
++      
+       my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
++      
+       if (option_bool(OPT_DNSSEC_TIME))
+ 	my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload"));
+-      if (badtime)
++      
++      if (rc == 1)
+ 	my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until system time valid"));
+     }
+ #endif
+@@ -1170,6 +1176,9 @@ static void fatal_event(struct event_desc *ev, char *msg)
+ 
+     case EVENT_TFTP_ERR:
+       die(_("TFTP directory %s inaccessible: %s"), msg, EC_FILE);
++    
++    case EVENT_TIME_ERR:
++      die(_("cannot create timestamp file %s: %s" ), msg, EC_BADCONF);
+     }
+ }	
+       
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index a451cb4dd03c..fc7259881358 100644
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -167,6 +167,7 @@ struct event_desc {
+ #define EVENT_INIT      21
+ #define EVENT_NEWADDR   22
+ #define EVENT_NEWROUTE  23
++#define EVENT_TIME_ERR  24
+ 
+ /* Exit codes. */
+ #define EC_GOOD        0
+@@ -1152,7 +1153,7 @@ int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char
+ int dnskey_keytag(int alg, int flags, unsigned char *rdata, int rdlen);
+ size_t filter_rrsigs(struct dns_header *header, size_t plen);
+ unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name);
+-int setup_timestamp(struct passwd *ent_pw);
++int setup_timestamp(void);
+ 
+ /* util.c */
+ void rand_init(void);
+diff --git a/src/dnssec.c b/src/dnssec.c
+index c60eacf73c6b..ad0d6f072ba2 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -397,18 +397,21 @@ static int serial_compare_32(unsigned long s1, unsigned long s2)
+ 
+ /* Called at startup. If the timestamp file is configured and exists, put its mtime on
+    timestamp_time. If it doesn't exist, create it, and set the mtime to 1-1-2015.
+-   Change the ownership to the user we'll be running as, so that we can update the mtime.
++   return -1 -> Cannot create file.
++           0 -> not using timestamp, or timestamp exists and is in past.
++           1 -> timestamp exists and is in future.
+ */
++
+ static time_t timestamp_time;
+ static int back_to_the_future;
+ 
+-int setup_timestamp(struct passwd *ent_pw)
++int setup_timestamp(void)
+ {
+   struct stat statbuf;
+   
+   back_to_the_future = 0;
+   
+-  if (!option_bool(OPT_DNSSEC_VALID) || !daemon->timestamp_file)
++  if (!daemon->timestamp_file)
+     return 0;
+   
+   if (stat(daemon->timestamp_file, &statbuf) != -1)
+@@ -428,7 +431,8 @@ int setup_timestamp(struct passwd *ent_pw)
+   
+   if (errno == ENOENT)
+     {
+-      int fd = open(daemon->timestamp_file, O_WRONLY | O_CREAT | O_NONBLOCK, 0666);
++      /* NB. for explanation of O_EXCL flag, see comment on pidfile in dnsmasq.c */ 
++      int fd = open(daemon->timestamp_file, O_WRONLY | O_CREAT | O_NONBLOCK | O_EXCL, 0666);
+       if (fd != -1)
+ 	{
+ 	  struct utimbuf timbuf;
+@@ -436,14 +440,12 @@ int setup_timestamp(struct passwd *ent_pw)
+ 	  close(fd);
+ 	  
+ 	  timestamp_time = timbuf.actime = timbuf.modtime = 1420070400; /* 1-1-2015 */
+-	  if (utime(daemon->timestamp_file, &timbuf) == 0 &&
+-	      (!ent_pw || getuid() != 0 || chown(daemon->timestamp_file, ent_pw->pw_uid, -1) == 0))
++	  if (utime(daemon->timestamp_file, &timbuf) == 0)
+ 	    goto check_and_exit;
+ 	}
+     }
+ 
+-  die(_("Cannot create timestamp file %s: %s" ), daemon->timestamp_file, EC_BADCONF);
+-  return 0;
++  return -1;
+ }
+ 
+ /* Check whether today/now is between date_start and date_end */
+-- 
+2.1.0
+
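Review bot: the failure path in dnsmasq.c sends EVENT_TIME_ERR over err_pipe and then `_exit(0)` from the child while the parent turns it into `die(..., EC_BADCONF)` via fatal_event, which matches the other EVENT_*_ERR cases, so the caller still sees a non-zero exit. Two things worth spelling out in the log: the `!option_bool(OPT_DNSSEC_VALID)` guard was removed from setup_timestamp(), so the function now relies on its only caller sitting inside `if (option_bool(OPT_DNSSEC_VALID))`; and while O_EXCL closes the create-after-stat race, the stat branch still accepts a pre-existing file of any owner, in which case the later mtime update that the dnsmasq.c comment ("so that it has the correct owner to allow updating the mtime later") depends on will fail for the unprivileged user. The man page hunk should therefore require the file itself, not only its location, to be writable by that user.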
diff --git a/src/patches/openssl-disable-sslv2-sslv3.patch b/src/patches/openssl-disable-sslv2-sslv3.patch
new file mode 100644
index 0000000..ebf5429
--- /dev/null
+++ b/src/patches/openssl-disable-sslv2-sslv3.patch
@@ -0,0 +1,13 @@
+diff -up openssl-1.0.1h/ssl/ssl_lib.c.v2v3 openssl-1.0.1h/ssl/ssl_lib.c
+--- openssl-1.0.1h/ssl/ssl_lib.c.v2v3	2014-06-11 16:02:52.000000000 +0200
++++ openssl-1.0.1h/ssl/ssl_lib.c	2014-06-30 14:18:04.290248080 +0200
+@@ -1875,6 +1875,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+ 	 */
+ 	ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
+ 
++	/* Disable SSLv2 and SSLv3 by default (affects the SSLv23_method() only) */
++	ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
++
+ 	return(ret);
+ err:
+ 	SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
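Review bot: the added comment is accurate and is the important caveat: the option bits only affect contexts created through SSLv23_method(), explicit SSLv2_method()/SSLv3_method() callers are untouched, and SSL_CTX_clear_options() can remove them again, so this is a default, not a lock-out. The patch carries no Submitted-By/Origin header like the others in src/patches (the `.v2v3` suffix and 2014-06-30 date suggest it was taken from elsewhere); add one so it can be tracked when openssl is next rebased.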


hooks/post-receive
--
IPFire 2.x development tree
