Re: UPDATE: security/opendnssec

2019-03-14 Thread Patrik Lundin
On Thu, Feb 07, 2019 at 11:16:45AM +0100, Aham Brahmasmi wrote:
> > 
> > [1]: https://blog.sigterm.se/posts/to-the-cloud-dns-edition/
> 
> Thank you very much, Patrik, for that informative blog post. Could I request
> you to please help me with my queries:
> 

Since the question was posted to the list I'll include the list in this
initial response, but any further discussion I will gladly take offlist to not
disturb the work of the porters.

> 1) Since the capability to run OpenBSD virtual machines is now present
> in the base, would you still suggest running authoritative DNS in
> "cloud" vs on VMs in on-premise/rented baremetal OpenBSD machines? I
> ask this because I have trouble relying on cloud, and as I have learnt,
> "free" in cloud usually translates to "you do not know how you pay".

My reasons for running "in the cloud" are not based on a former
lack of virtualization support in OpenBSD. More than anything else they are
based on trying new things for fun, cost, and the maintenance required to
support your own infrastructure.

Would you be better served by running your own infrastructure on bare
metal? I can't really tell you that, as with so many other things "it
depends".

I agree there are trust issues involved with free services, so again, it
depends on your needs. Sorry I don't have a more concrete answer :).

> 2) Could you please elaborate on the custom built DNS server daemon? I
> find that very interesting, especially when combined with OpenDNSSEC.
> 

It is a minimal service written in Go; there is some code here:
https://github.com/eest/cds

For production work I would probably not start out with building my own ServeMux
implementation but rather use the default one. I did so here for the
learning experience.

The responses from that service are not signed at this point, so there
is no correlation with OpenDNSSEC.

-- 
Patrik Lundin



Re: UPDATE: security/opendnssec

2019-01-12 Thread Patrik Lundin
On Sun, Dec 30, 2018 at 03:27:42PM +0100, Rafael Sadowski wrote:
> On Sun Nov 18, 2018 at 04:57:55PM +0300, Pavel Korovin wrote:
> > Dear all,
> > please find the update for the latest OpenDNSSEC attached.
> > Tested with sqlite3, softhsm/softhsm2 on amd64.
> > Also tested migration from v1.4 (enforcer database migration is
> > required for v2).
> 

It seems I missed this work completely somehow, sorry about that!

Nice to see you are working on both opendnssec and softhsm 2.x :).

I am actually not running opendnssec any more[1], if you would like to
take over maintainership I would be fine with that. This goes for
softhsm 1.x as well.

>
> Is there any howto to migrate from 1.4? A note or an howto/link to
> current.html would be nice!
> 

There is an official note about this here:
https://wiki.opendnssec.org/pages/viewpage.action?pageId=10125376#HowdoI...?-UpgradeOpenDNSSEC1.4.9toOpenDNSSEC2.0

-- 
Patrik Lundin

[1]: https://blog.sigterm.se/posts/to-the-cloud-dns-edition/



Re: net/kea: 1.2.0

2017-08-27 Thread Patrik Lundin
On Sun, Aug 27, 2017 at 11:19:44AM +0100, Stuart Henderson wrote:
> On 2017/08/27 12:07, Patrik Lundin wrote:
> > On Sat, Aug 12, 2017 at 11:39:14PM +0200, Patrik Lundin wrote:
> > > 
> > > Since there have been no further feedback, is there a chance the latest
> > > diff can get commited?
> > > 
> > 
> > Ping.
> 
> The COMPILER infrastructure changed in the meantime, I'm leaving it building
> now and should be able to pick it up later today.
> 

I saw the commit, thank you Stuart :).

-- 
Patrik Lundin



Re: net/kea: 1.2.0

2017-08-27 Thread Patrik Lundin
On Sat, Aug 12, 2017 at 11:39:14PM +0200, Patrik Lundin wrote:
> 
> Since there have been no further feedback, is there a chance the latest
> diff can get commited?
> 

Ping.

-- 
Patrik Lundin



Re: net/kea: 1.2.0

2017-08-12 Thread Patrik Lundin
On Thu, Aug 03, 2017 at 10:24:00PM +0200, Patrik Lundin wrote:
> 
> Thanks for spotting that. New diff against fresh ports tree below (and
> now portcheck is happy as well).
> 

Since there have been no further feedback, is there a chance the latest
diff can get commited?

-- 
Patrik Lundin



Re: net/kea: 1.2.0

2017-08-03 Thread Patrik Lundin
Hello Stuart, thanks for the review.

On Thu, Aug 03, 2017 at 06:43:11PM +0100, Stuart Henderson wrote:
> 
> clang is already used as the compiler on i386/amd64/aarch64. Just using
> "COMPILER=clang" means this won't build on some arch which do have c++11
> support from ports gcc.
> 
> For most things "COMPILER=gcc" is generally now the best option for c++11
> ports, this means "build with clang if it's in base, otherwise build with
> ports gcc".
> 

Thank you for the information. I will use "gcc" instead.

> > * Use /var/run/kea instead of /tmp for the UNIX domain control sockets
> >   introduced in 1.2.0.
> 
> Please subst with ${LOCALSTATEDIR} instead of hardcoding /var.
> 

Sorry about that. While using ${LOCALSTATEDIR} directly in the .pre
files does not work, I have used the @localstatedir@ markers instead
(which is used in other places in the files already).

> 
> It's no longer LIBCXX but COMPILER_LIBCXX, which made me spot that your cvs
> diff is against Makefile r1.7 (post-6.1 but pre-current) .. so your ports tree
> (which includes portcheck) needs an update.
> 

Thanks for spotting that. New diff against fresh ports tree below (and
now portcheck is happy as well).

I also noticed something I had missed in the configure output previously:
===
./configure[16315]: test: >: unexpected operator/operand
===

I opened a PR for that:
https://github.com/isc-projects/kea/pull/53

I don't feel that warrants a port patch though, as I don't think the
outcome matters on OpenBSD.

-- 
Patrik Lundin

Index: Makefile
===
RCS file: /cvs/ports/net/kea/Makefile,v
retrieving revision 1.9
diff -u -p -u -r1.9 Makefile
--- Makefile26 Jul 2017 22:45:27 -  1.9
+++ Makefile3 Aug 2017 20:17:26 -
@@ -2,29 +2,30 @@
 
 COMMENT=   high-performance and extensible DHCP server engine from ISC
 
-VERSION=   1.1.0
+VERSION=   1.2.0
 
 DISTNAME=  kea-${VERSION}
 PKGNAME=   ${DISTNAME:S/-P/pl/}
-REVISION=  0
 
 SHARED_LIBS +=  kea-asiodns   0.0 # 0.0
-SHARED_LIBS +=  kea-asiolink  1.0 # 3.0
-SHARED_LIBS +=  kea-cc0.0 # 1.0
-SHARED_LIBS +=  kea-cfgclient 0.1 # 2.1
-SHARED_LIBS +=  kea-cryptolink0.0 # 1.0
-SHARED_LIBS +=  kea-dhcp++1.0 # 4.1
-SHARED_LIBS +=  kea-dhcp_ddns 0.1 # 1.1
-SHARED_LIBS +=  kea-dhcpsrv   1.0 # 6.0
-SHARED_LIBS +=  kea-dns++ 0.0 # 2.0
-SHARED_LIBS +=  kea-eval  1.0 # 4.0
+SHARED_LIBS +=  kea-asiolink  2.0 # 4.0
+SHARED_LIBS +=  kea-cc1.0 # 2.0
+SHARED_LIBS +=  kea-cfgclient 1.0 # 3.0
+SHARED_LIBS +=  kea-cryptolink1.0 # 2.0
+SHARED_LIBS +=  kea-dhcp++2.0 # 5.0
+SHARED_LIBS +=  kea-dhcp_ddns 0.2 # 1.2
+SHARED_LIBS +=  kea-dhcpsrv   2.0 # 7.0
+SHARED_LIBS +=  kea-dns++ 1.0 # 1.1
+SHARED_LIBS +=  kea-eval  2.0 # 5.0
 SHARED_LIBS +=  kea-exceptions0.0 # 0.0
-SHARED_LIBS +=  kea-hooks 1.0 # 2.0
-SHARED_LIBS +=  kea-log   1.0 # 2.0
+SHARED_LIBS +=  kea-hooks 2.0 # 3.0
+SHARED_LIBS +=  kea-http  0.0 # 0.0
+SHARED_LIBS +=  kea-log   2.0 # 3.0
+SHARED_LIBS +=  kea-process   0.0 # 0.0
 SHARED_LIBS +=  kea-stats 0.0 # 1.0
 SHARED_LIBS +=  kea-threads   1.0 # 1.0
 SHARED_LIBS +=  kea-util-io   0.0 # 0.0
-SHARED_LIBS +=  kea-util  1.0 # 2.0
+SHARED_LIBS +=  kea-util  1.1 # 2.1
 
 CATEGORIES=net
 
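
Review bot: in the SHARED_LIBS block, kea-dns++ goes from an upstream comment of 2.0 to 1.1 while the port major is bumped 0.0 -> 1.0; an upstream version number going backwards is unusual enough to double-check against the 1.2.0 libtool version info before committing. kea-util gets only a minor bump (1.0 -> 1.1, upstream 2.0 -> 2.1), which is correct only if no existing symbol changed between the two releases. The two new libraries, kea-http and kea-process, also need matching @lib entries in PLIST; that part of the diff is not in the portion shown here.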
@@ -50,6 +51,9 @@ CONFIGURE_ARGS+= --with-openssl=/usr \
  --with-boost-lib-dir=${LOCALBASE}/lib
 
 LIBTOOL_FLAGS= --tag=disable-static
+
+# configure: error: std::unique_ptr (a C++11 feature) is not supported
+COMPILER= gcc
 
 FLAVORS=   mysql postgresql
 FLAVOR?=
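
Review bot: the comment above COMPILER= gcc quotes the configure error but not why "gcc" is the right value; since that keyword means "clang where it is in base, otherwise ports gcc" (the distinction raised earlier in this thread), a one-line comment saying so, e.g. `# needs C++11: base clang where available, otherwise ports gcc`, saves the next updater from re-deriving it from the list archive.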
Index: distinfo
===
RCS file: /cvs/ports/net/kea/distinfo,v
retrieving revision 1.3
diff -u -p -u -r1.3 distinfo
--- distinfo13 Nov 2016 14:58:18 -  1.3
+++ distinfo3 Aug 2017 20:17:26 -
@@ -1,2 +1,2 @@
-SHA256 (kea-1.1.0.tar.gz) = w9l67k+qGWU//m0355fi+/YyEkzQuYu1Avm5e1o4PC0=
-SIZE (kea-1.1.0.tar.gz) = 4934875
+SHA256 (kea-1.2.0.tar.gz) = ItFZRbE2ALVsNyE3l8ofPumFHmEZEgrq4IAzxMxS0Sk=
+SIZE (kea-1.2.0.tar.gz) = 5720941
Index: patches/patch-src_bin_dhcp4_tests_dhcp4_process_tests_sh_in
===
RCS file: patches/patch-src_bin_dhcp4_tests_dhcp4_process_tests_sh_in
diff -N patches/patch-src_bin_dhcp4_tests_dhcp4_process_tests_sh_in
--- patches/patch-src_bin_dhcp4_tests_dhcp4_process_tests_sh_in 28 Feb 2017 
08:57:12 -  1.1
+++ /dev/null   1 Jan 1970 00:00:00 

net/kea: 1.2.0

2017-08-03 Thread Patrik Lundin
Hello,

Below is a work in progress of an update of net/kea to 1.2.0.

The complete release notes for 1.2.0 can be seen here:
https://deepthought.isc.org/article/AA-01494

From the perspective of the port I have made the following updates:
* Start using clang as the compiler. Kea 1.2.0 requires C++11 support.
  With the clang work taking place in base I noticed espie@ had already
  added a patch for a clang build breaking problem. This has been reported and
  fixed upstream for later editions:
  https://github.com/isc-projects/kea/commit/75691636ab9421297cfc353b0954aa2e8c82

* Make the example configuration log to syslog. This means there are no
  custom log files created that you will need to create your own log
  rotation for unless you really want to. The following files are no
  longer created because of this:

  /var/kea/kea.log
  /var/log/kea-ddns.log
  /var/log/kea-dhcp4.log
  /var/log/kea-dhcp6.log

* Set lfc-interval to 3600 seconds in the configuration file. This
  enables cleanup of the memfile database files. It is a sane default,
  and discussions to make this either a part of the standard config file
  or make it the unconfigured default are part of a ticket created
  upstream: http://kea.isc.org/ticket/5341

* Use /var/run/kea instead of /tmp for the UNIX domain control sockets
  introduced in 1.2.0.

I did notice that portcheck is currently complaining:
===
# /usr/ports/infrastructure/bin/portcheck
in default FLAVOR: stdc++ in WANTLIB when gcc4 is in MODULES; run port-lib-depends-check and if stdc++ is still there, check actual build thoroughly, it's broken
in FLAVOR "mysql": stdc++ in WANTLIB when gcc4 is in MODULES; run port-lib-depends-check and if stdc++ is still there, check actual build thoroughly, it's broken
in FLAVOR "postgresql": stdc++ in WANTLIB when gcc4 is in MODULES; run port-lib-depends-check and if stdc++ is still there, check actual build thoroughly, it's broken
net/kea
===

I believe this is a result of ${LIBCXX} being part of WANTLIB. This is
not something that has been added by me, so I am unsure what the correct
solution is. Here is the output of the requested port-lib-depends-check:
===
# make port-lib-depends-check

kea-1.2.0(net/kea):
Extra:  stdc++.57
===

Any input on this?

-- 
Patrik Lundin

Index: Makefile
===
RCS file: /cvs/ports/net/kea/Makefile,v
retrieving revision 1.7
diff -u -p -u -r1.7 Makefile
--- Makefile10 Apr 2017 11:46:32 -  1.7
+++ Makefile3 Aug 2017 16:42:05 -
@@ -2,28 +2,30 @@
 
 COMMENT=   high-performance and extensible DHCP server engine from ISC
 
-VERSION=   1.1.0
+VERSION=   1.2.0
 
 DISTNAME=  kea-${VERSION}
 PKGNAME=   ${DISTNAME:S/-P/pl/}
 
 SHARED_LIBS +=  kea-asiodns   0.0 # 0.0
-SHARED_LIBS +=  kea-asiolink  1.0 # 3.0
-SHARED_LIBS +=  kea-cc0.0 # 1.0
-SHARED_LIBS +=  kea-cfgclient 0.1 # 2.1
-SHARED_LIBS +=  kea-cryptolink0.0 # 1.0
-SHARED_LIBS +=  kea-dhcp++1.0 # 4.1
-SHARED_LIBS +=  kea-dhcp_ddns 0.1 # 1.1
-SHARED_LIBS +=  kea-dhcpsrv   1.0 # 6.0
-SHARED_LIBS +=  kea-dns++ 0.0 # 2.0
-SHARED_LIBS +=  kea-eval  1.0 # 4.0
+SHARED_LIBS +=  kea-asiolink  2.0 # 4.0
+SHARED_LIBS +=  kea-cc1.0 # 2.0
+SHARED_LIBS +=  kea-cfgclient 1.0 # 3.0
+SHARED_LIBS +=  kea-cryptolink1.0 # 2.0
+SHARED_LIBS +=  kea-dhcp++2.0 # 5.0
+SHARED_LIBS +=  kea-dhcp_ddns 0.2 # 1.2
+SHARED_LIBS +=  kea-dhcpsrv   2.0 # 7.0
+SHARED_LIBS +=  kea-dns++ 1.0 # 1.1
+SHARED_LIBS +=  kea-eval  2.0 # 5.0
 SHARED_LIBS +=  kea-exceptions0.0 # 0.0
-SHARED_LIBS +=  kea-hooks 1.0 # 2.0
-SHARED_LIBS +=  kea-log   1.0 # 2.0
+SHARED_LIBS +=  kea-hooks 2.0 # 3.0
+SHARED_LIBS +=  kea-http  0.0 # 0.0
+SHARED_LIBS +=  kea-log   2.0 # 3.0
+SHARED_LIBS +=  kea-process   0.0 # 0.0
 SHARED_LIBS +=  kea-stats 0.0 # 1.0
 SHARED_LIBS +=  kea-threads   1.0 # 1.0
 SHARED_LIBS +=  kea-util-io   0.0 # 0.0
-SHARED_LIBS +=  kea-util  1.0 # 2.0
+SHARED_LIBS +=  kea-util  1.1 # 2.1
 
 CATEGORIES=net
 
@@ -49,6 +51,9 @@ CONFIGURE_ARGS+= --with-openssl=/usr \
  --with-boost-lib-dir=${LOCALBASE}/lib
 
 LIBTOOL_FLAGS= --tag=disable-static
+
+# configure: error: std::unique_ptr (a C++11 feature) is not supported
+COMPILER= clang
 
 FLAVORS=   mysql postgresql
 FLAVOR?=
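
Review bot: COMPILER= clang restricts the build to the architectures that have clang in base, so the port will fail to build anywhere C++11 support comes from ports gcc instead; COMPILER= gcc (clang if it is in base, otherwise ports gcc) expresses the actual requirement. The comment should also say which compiler ends up being used rather than only quoting the configure error.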
Index: distinfo
===
RCS file: /cvs/ports/net/kea/distinfo,v
retrieving revision 1.3
diff -u -p -u -r1.3 distinfo
--- distinfo13 Nov 2016 14:58:18 -  1.3
+++ distinfo3 
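
The reason for moving Kea's control sockets out of /tmp, and a check that encodes it, as an added example rather than code from the Kea port or from Kea itself: the control channel takes commands from anything that can connect to the socket, and in a world-writable directory such as /tmp any local user can also plant a file or symlink at the predictable socket path before the daemon starts. The function below decides whether a directory is an acceptable home for such a socket: it must exist, be a real directory rather than a symlink, be owned by the daemon user (or root, since an rc script usually creates it), and be neither world- nor group-writable. The function names, the `daemon_uid` argument and the verdict codes are this example's own; /var/run/kea is the directory from the port update.

```c
/* Added example, not code from the Kea port or from Kea: decide whether a
 * directory is a safe place for an unauthenticated UNIX control socket.
 * Assumptions: the daemon runs as daemon_uid; root may own the directory
 * because an rc script usually creates it. Names are this example's own. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum sockdir_verdict {
    SOCKDIR_OK = 0,
    SOCKDIR_MISSING,        /* lstat() failed: nothing at that path */
    SOCKDIR_SYMLINK,        /* a link someone else could repoint */
    SOCKDIR_NOT_DIR,
    SOCKDIR_WRONG_OWNER,    /* neither the daemon user nor root */
    SOCKDIR_WORLD_WRITABLE, /* /tmp-style: anyone can plant a socket path */
    SOCKDIR_GROUP_WRITABLE  /* group members could do the same */
};

enum sockdir_verdict check_socket_dir(const char *dir, uid_t daemon_uid)
{
    struct stat st;

    /* lstat, not stat: look at the link itself, not at its target. */
    if (lstat(dir, &st) == -1)
        return SOCKDIR_MISSING;
    if (S_ISLNK(st.st_mode))
        return SOCKDIR_SYMLINK;
    if (!S_ISDIR(st.st_mode))
        return SOCKDIR_NOT_DIR;
    if (st.st_uid != daemon_uid && st.st_uid != 0)
        return SOCKDIR_WRONG_OWNER;
    /* The sticky bit does not help here: it stops deletion of other users'
     * files, not creation of a socket or symlink at a not-yet-existing name. */
    if (st.st_mode & S_IWOTH)
        return SOCKDIR_WORLD_WRITABLE;
    if (st.st_mode & S_IWGRP)
        return SOCKDIR_GROUP_WRITABLE;
    return SOCKDIR_OK;
}

const char *sockdir_verdict_str(enum sockdir_verdict v)
{
    static const char *const names[] = {
        "ok", "missing", "symlink", "not a directory", "wrong owner",
        "world-writable", "group-writable"
    };
    return names[v];
}

/* Stand-alone use: ./check_socket_dir /var/run/kea  (exit status 0 if ok). */
int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/var/run/kea";
    enum sockdir_verdict v = check_socket_dir(dir, getuid());
    printf("%s: %s\n", dir, sockdir_verdict_str(v));
    return v == SOCKDIR_OK ? 0 : 1;
}
```

Run it against the directory the control-socket setting points at, as the daemon user, before starting the server; a rejected verdict names the property to fix (owner or mode) rather than just failing.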

Re: security/opendnssec: 1.4.14

2017-07-10 Thread Patrik Lundin
On Sun, Jul 02, 2017 at 12:00:08PM +0200, Patrik Lundin wrote:
> Hello,
> 
> Below is an update of security/opendnssec to 1.4.14.
> From https://www.opendnssec.org/:
> ===
> Bugs Fixed
> * OPENDNSSEC-888: Fix up MySQL<->SQLite3 database conversion script.
> * OPENDNSSEC-752: Incorrect calculated number of KSKs needed when KSK and
>   ZSK have exactly the same parameters. This would prevent KSK rollovers.
> * OPENDNSSEC-890: Bogus signatures on mismatching TTLs within the same RRset.
> ===
> 

Updated diff after unrelated spelling fix from jasper@.

-- 
Patrik Lundin

Index: Makefile
===
RCS file: /cvs/ports/security/opendnssec/Makefile,v
retrieving revision 1.11
diff -u -p -u -r1.11 Makefile
--- Makefile5 Jul 2017 17:03:58 -   1.11
+++ Makefile10 Jul 2017 18:05:01 -
@@ -2,8 +2,7 @@
 
 COMMENT=   open-source turn-key solution for DNSSEC
 
-DISTNAME=  opendnssec-1.4.13
-REVISION=  0
+DISTNAME=  opendnssec-1.4.14
 
 CATEGORIES=security
 
Index: distinfo
===
RCS file: /cvs/ports/security/opendnssec/distinfo,v
retrieving revision 1.5
diff -u -p -u -r1.5 distinfo
--- distinfo17 Mar 2017 21:12:11 -  1.5
+++ distinfo10 Jul 2017 18:05:01 -
@@ -1,2 +1,2 @@
-SHA256 (opendnssec-1.4.13.tar.gz) = 
zhRv9e6u/cgdsQ6GeIJbMOzAQQADvacGiCG/jo2PTR8=
-SIZE (opendnssec-1.4.13.tar.gz) = 1067262
+SHA256 (opendnssec-1.4.14.tar.gz) = 
4cQexbxhdiM7LZT09PcD51h7rmdgdkqxvvA88QvR3N8=
+SIZE (opendnssec-1.4.14.tar.gz) = 1037188



security/opendnssec: 1.4.14

2017-07-02 Thread Patrik Lundin
Hello,

Below is an update of security/opendnssec to 1.4.14.
From https://www.opendnssec.org/:
===
Bugs Fixed
* OPENDNSSEC-888: Fix up MySQL<->SQLite3 database conversion script.
* OPENDNSSEC-752: Incorrect calculated number of KSKs needed when KSK and
  ZSK have exactly the same parameters. This would prevent KSK rollovers.
* OPENDNSSEC-890: Bogus signatures on mismatching TTLs within the same RRset.
===

-- 
Patrik Lundin

Index: Makefile
===
RCS file: /cvs/ports/security/opendnssec/Makefile,v
retrieving revision 1.10
diff -u -p -u -r1.10 Makefile
--- Makefile10 Apr 2017 11:46:33 -  1.10
+++ Makefile2 Jul 2017 09:54:33 -
@@ -2,7 +2,7 @@
 
 COMMENT=   open-source turn-key solution for DNSSEC
 
-DISTNAME=  opendnssec-1.4.13
+DISTNAME=  opendnssec-1.4.14
 
 CATEGORIES=security
 
Index: distinfo
===
RCS file: /cvs/ports/security/opendnssec/distinfo,v
retrieving revision 1.5
diff -u -p -u -r1.5 distinfo
--- distinfo17 Mar 2017 21:12:11 -  1.5
+++ distinfo2 Jul 2017 09:54:33 -
@@ -1,2 +1,2 @@
-SHA256 (opendnssec-1.4.13.tar.gz) = 
zhRv9e6u/cgdsQ6GeIJbMOzAQQADvacGiCG/jo2PTR8=
-SIZE (opendnssec-1.4.13.tar.gz) = 1067262
+SHA256 (opendnssec-1.4.14.tar.gz) = 
4cQexbxhdiM7LZT09PcD51h7rmdgdkqxvvA88QvR3N8=
+SIZE (opendnssec-1.4.14.tar.gz) = 1037188



Re: security/opendnssec: 1.4.13

2017-03-14 Thread Patrik Lundin
On Tue, Feb 07, 2017 at 07:12:57PM +0100, Patrik Lundin wrote:
> On Sun, Jan 22, 2017 at 09:08:09PM +0100, Patrik Lundin wrote:
> > Hello,
> > 
> > Here is an update to the newly released OpenDNSSEC 1.4.13. It removes a 
> > patch
> > that has been merged upstream.
> > 
> 
> Ping.
> 

Ping.

-- 
Patrik Lundin



Re: security/opendnssec: 1.4.13

2017-02-07 Thread Patrik Lundin
On Sun, Jan 22, 2017 at 09:08:09PM +0100, Patrik Lundin wrote:
> Hello,
> 
> Here is an update to the newly released OpenDNSSEC 1.4.13. It removes a patch
> that has been merged upstream.
> 

Ping.

-- 
Patrik Lundin



security/opendnssec: 1.4.13

2017-01-22 Thread Patrik Lundin
Hello,

Here is an update to the newly released OpenDNSSEC 1.4.13. It removes a patch
that has been merged upstream.

Announcement:
===
Version 1.4.13 of OpenDNSSEC has been released on 2017-01-20.

News

Hereby we announce the OpenDNSSEC 1.4.13 release. It includes a small number of
bug fixes and no migration steps are needed. Some minor code adjustments were
made to make linking to OpenSSL 1.1.0 possible.

This release is signed by our new (Jan 11th) PGP key.

Fixes

OPENDNSSEC-778: Double NSEC3PARAM record after resalt.
OPENDNSSEC-853: Fixed serial_xfr_acquired not updated in state file.
Wrong error was sometimes being printed on failing TCP connect.
Add support for OpenSSL 1.1.0.
OPENDNSSEC-866: Script for migration between MySQL and SQLite was outdated.
===

-- 
Patrik Lundin

Index: Makefile
===
RCS file: /cvs/ports/security/opendnssec/Makefile,v
retrieving revision 1.8
diff -u -p -u -r1.8 Makefile
--- Makefile19 Nov 2016 12:25:27 -  1.8
+++ Makefile22 Jan 2017 20:03:03 -
@@ -2,7 +2,7 @@
 
 COMMENT=   open-source turn-key solution for DNSSEC
 
-DISTNAME=  opendnssec-1.4.12
+DISTNAME=  opendnssec-1.4.13
 
 CATEGORIES=security
 
Index: distinfo
===
RCS file: /cvs/ports/security/opendnssec/distinfo,v
retrieving revision 1.4
diff -u -p -u -r1.4 distinfo
--- distinfo19 Nov 2016 12:25:27 -  1.4
+++ distinfo22 Jan 2017 20:03:03 -
@@ -1,2 +1,2 @@
-SHA256 (opendnssec-1.4.12.tar.gz) = 
S6bPBvzRExwe2RPWGVndyQcm7V5PFTyQ9F7GREVSigw=
-SIZE (opendnssec-1.4.12.tar.gz) = 1036392
+SHA256 (opendnssec-1.4.13.tar.gz) = 
zhRv9e6u/cgdsQ6GeIJbMOzAQQADvacGiCG/jo2PTR8=
+SIZE (opendnssec-1.4.13.tar.gz) = 1067262
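
Review bot: the announcement quoted above says 1.4.13 is signed with a new PGP key (Jan 11th), and the SHA256 here is simply generated from whatever tarball was fetched; the cover mail should say that opendnssec-1.4.13.tar.gz was verified against that new key, obtained out of band rather than from the same download location, before this distinfo was taken.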
Index: patches/patch-enforcer_ksm_database_access_lite_c
===
RCS file: patches/patch-enforcer_ksm_database_access_lite_c
diff -N patches/patch-enforcer_ksm_database_access_lite_c
--- patches/patch-enforcer_ksm_database_access_lite_c   19 Nov 2016 12:25:27 
-  1.1
+++ /dev/null   1 Jan 1970 00:00:00 -
@@ -1,12 +0,0 @@
-$OpenBSD: patch-enforcer_ksm_database_access_lite_c,v 1.1 2016/11/19 12:25:27 
sthen Exp $
 enforcer/ksm/database_access_lite.c.orig   Mon Nov 14 18:59:16 2016
-+++ enforcer/ksm/database_access_lite.cMon Nov 14 19:00:58 2016
-@@ -41,6 +41,8 @@
- #include 
- #include 
- 
-+#include 
-+
- #include 
- 
- #include "ksm/dbsdef.h"
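
Review bot: the removed patch only adds one #include to enforcer/ksm/database_access_lite.c (the header name did not survive the archive rendering); since the justification for dropping it is that upstream merged it, quote the upstream commit or pull request in the cover mail so the next person can confirm the 1.4.13 sources actually carry the include, rather than relying on the build happening to succeed on the submitter's architecture.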



Re: security/softhsm: 1.3.8

2016-11-19 Thread Patrik Lundin
On Sat, Nov 19, 2016 at 02:02:06PM +, Stuart Henderson wrote:
> 
> It seems the first hunk of the configure script patch is unnecessary,
> probably since changes to pthread so that pulled in as a normal dependency.
> Can you confirm that please?
> 

Good catch, new diff below.

-- 
Patrik Lundin

Index: Makefile
===
RCS file: /cvs/ports/security/softhsm/Makefile,v
retrieving revision 1.6
diff -u -p -u -r1.6 Makefile
--- Makefile23 Sep 2016 09:16:57 -  1.6
+++ Makefile19 Nov 2016 19:50:48 -
@@ -5,9 +5,7 @@ PORTROACH_COMMENT=  the 2.x version has a
 
 COMMENT=   software PKCS\#11 cryptographic token
 
-DISTNAME=  softhsm-1.3.7
-
-REVISION=  1
+DISTNAME=  softhsm-1.3.8
 
 CATEGORIES=security
 
Index: distinfo
===
RCS file: /cvs/ports/security/softhsm/distinfo,v
retrieving revision 1.1.1.1
diff -u -p -u -r1.1.1.1 distinfo
--- distinfo23 Jun 2015 11:26:05 -  1.1.1.1
+++ distinfo19 Nov 2016 19:50:48 -
@@ -1,2 +1,2 @@
-SHA256 (softhsm-1.3.7.tar.gz) = 0S1kVqhVYSZtnaQnVl8+43RqNd9mcNXmvnXeJTwoEKQ=
-SIZE (softhsm-1.3.7.tar.gz) = 438437
+SHA256 (softhsm-1.3.8.tar.gz) = LqrjoB7DAkHay8bEar8aeNflRkPneTz4qb6Y++a1lTo=
+SIZE (softhsm-1.3.8.tar.gz) = 451445
Index: patches/patch-configure
===
RCS file: /cvs/ports/security/softhsm/patches/patch-configure,v
retrieving revision 1.1.1.1
diff -u -p -u -r1.1.1.1 patch-configure
--- patches/patch-configure 23 Jun 2015 11:26:05 -  1.1.1.1
+++ patches/patch-configure 19 Nov 2016 19:50:48 -
@@ -1,18 +1,7 @@
 $OpenBSD: patch-configure,v 1.1.1.1 2015/06/23 11:26:05 jca Exp $
 configure.orig Wed May 28 08:03:56 2014
-+++ configure  Mon Jun 22 13:16:45 2015
-@@ -4351,8 +4351,8 @@ else
- fi
- 
- 
--  BOTAN_INCLUDES="-I$BOTAN_PATH/include/botan-1.10"
--  BOTAN_LIBS="-L$BOTAN_PATH/lib -lbotan-1.10"
-+  BOTAN_INCLUDES=`botan-config-1.10 --cflags`
-+  BOTAN_LIBS=`botan-config-1.10 --libs`
-   tmp_CPPFLAGS=$CPPFLAGS
-   tmp_LIBS=$LIBS
-   CPPFLAGS="$CPPFLAGS $BOTAN_INCLUDES"
-@@ -16255,7 +16255,7 @@ CFLAGS=$lt_save_CFLAGS
+--- configure.orig Sat Nov 19 20:40:23 2016
 configure  Sat Nov 19 20:40:39 2016
+@@ -16410,7 +16410,7 @@ CFLAGS=$lt_save_CFLAGS
  
  
  
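
Review bot: with the first hunk gone, configure is back to the stock BOTAN_INCLUDES="-I$BOTAN_PATH/include/botan-1.10" and BOTAN_LIBS="-L$BOTAN_PATH/lib -lbotan-1.10" instead of asking botan-config-1.10; please confirm in the cover mail that $BOTAN_PATH resolves to the ports Botan (e.g. through --with-botan=${LOCALBASE} in CONFIGURE_ARGS) on a clean build, and note that the remaining hunk at @@ -16410 is a line-offset regen with no content change.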
Index: patches/patch-src_bin_softhsm-keyconv_cpp
===
RCS file: patches/patch-src_bin_softhsm-keyconv_cpp
diff -N patches/patch-src_bin_softhsm-keyconv_cpp
--- patches/patch-src_bin_softhsm-keyconv_cpp   21 Sep 2015 13:24:46 -  
1.1
+++ /dev/null   1 Jan 1970 00:00:00 -
@@ -1,113 +0,0 @@
-$OpenBSD: patch-src_bin_softhsm-keyconv_cpp,v 1.1 2015/09/21 13:24:46 sthen 
Exp $
-
-From aa2d1ebb0ef31c71a4db4435f3dc056cacf87209 Mon Sep 17 00:00:00 2001
-From: Rickard Bellgrim <rick...@opendnssec.org>
-Date: Sun, 26 Oct 2014 08:08:43 +0100
-Subject: [PATCH 1/2] SOFTHSM-101: softhsm-keyconv creates files with sensitive
- material in insecure way. Also applies to softhsm when using --export or
- --optimize.
-
-From 285ae80336ca57e186f69bd249736ade6445b873 Mon Sep 17 00:00:00 2001
-From: Rickard Bellgrim <rick...@opendnssec.org>
-Date: Sun, 26 Oct 2014 08:45:11 +0100
-Subject: [PATCH 2/2] SOFTHSM-101: Include more header files
-
 src/bin/softhsm-keyconv.cpp.orig   Wed May 28 07:59:14 2014
-+++ src/bin/softhsm-keyconv.cppMon Sep 21 14:25:56 2015
-@@ -48,6 +48,10 @@
- #include 
- #include 
- #include 
-+#include 
-+#include 
-+#include 
-+#include 
- 
- void usage() {
-   printf("Converting between BIND .private-key format and PKCS#8 key file 
format.\n");
-@@ -391,6 +395,15 @@ int to_pkcs8(char *in_path, char *out_path, char *file
- return 1;
-   }
- 
-+  // Create and set file permissions if the file does not exist.
-+  int fd = open(out_path, O_CREAT, S_IRUSR | S_IWUSR);
-+  if (fd == -1) {
-+fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
-+out_path, errno);
-+return 1;
-+  }
-+  close(fd);
-+
-   // Save the the key to the disk
-   switch(algorithm) {
- case DNS_KEYALG_ERROR:
-@@ -735,8 +748,16 @@ int save_rsa_bind(char *name, int ttl, Botan::Private_
-   snprintf(priv_out, MAX_LINE, "K%s+%03i+%05i.private", name, algorithm, 
key_tag);
-   snprintf(pub_out, MAX_LINE, "K%s+%03i+%05i.key", name, algorithm, key_tag);
- 
--  // Create the private key file
-+  // Create and set file permissions if the file does not exist.
-+  int fd = open(priv_out, O_CREAT, S_IRUSR | S_IWUSR);
-+  if (fd == -1) {
-+fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
-+priv_out, errno);
-+return 1;
-+  }
-+  close(fd);
- 
-+  // Create the private key file
-   file_p
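
Review bot: in the removed backport, open(out_path, O_CREAT, S_IRUSR | S_IWUSR) is called without O_EXCL and the descriptor is closed immediately, so a file already present at out_path (or a symlink planted there) keeps its existing mode and is then written through the later fopen; creating the file with O_CREAT|O_EXCL and writing through that same descriptor would close that gap. Since this patch is being dropped in favour of the upstream 1.3.8 code, check whether upstream's version of the SOFTHSM-101 fix still has the same shape before relying on it.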

security/softhsm: 1.3.8

2016-11-19 Thread Patrik Lundin
Hello,

Here is an update to security/softhsm 1.3.8:
https://www.opendnssec.org/2016/11/softhsm-1-3-8/
===
SOFTHSM-101: softhsm-keyconv creates files with sensitive material in
 insecure way. Also applies to softhsm-util when using
 --export or --optimize.
SOFTHSM-104: Inconsistencies between v1 and v2.
Issue #17: Use the MutexFactory wrapper functions correctly.
===

Note that SOFTHSM-101 was already backported to the version currently in
ports. This update removes those local patches. It also regens the
patch to the configure script.

-- 
Patrik Lundin

Index: Makefile
===
RCS file: /cvs/ports/security/softhsm/Makefile,v
retrieving revision 1.6
diff -u -p -u -r1.6 Makefile
--- Makefile23 Sep 2016 09:16:57 -  1.6
+++ Makefile19 Nov 2016 13:41:23 -
@@ -5,9 +5,7 @@ PORTROACH_COMMENT=  the 2.x version has a
 
 COMMENT=   software PKCS\#11 cryptographic token
 
-DISTNAME=  softhsm-1.3.7
-
-REVISION=  1
+DISTNAME=  softhsm-1.3.8
 
 CATEGORIES=security
 
Index: distinfo
===
RCS file: /cvs/ports/security/softhsm/distinfo,v
retrieving revision 1.1.1.1
diff -u -p -u -r1.1.1.1 distinfo
--- distinfo23 Jun 2015 11:26:05 -  1.1.1.1
+++ distinfo19 Nov 2016 13:41:23 -
@@ -1,2 +1,2 @@
-SHA256 (softhsm-1.3.7.tar.gz) = 0S1kVqhVYSZtnaQnVl8+43RqNd9mcNXmvnXeJTwoEKQ=
-SIZE (softhsm-1.3.7.tar.gz) = 438437
+SHA256 (softhsm-1.3.8.tar.gz) = LqrjoB7DAkHay8bEar8aeNflRkPneTz4qb6Y++a1lTo=
+SIZE (softhsm-1.3.8.tar.gz) = 451445
Index: patches/patch-configure
===
RCS file: /cvs/ports/security/softhsm/patches/patch-configure,v
retrieving revision 1.1.1.1
diff -u -p -u -r1.1.1.1 patch-configure
--- patches/patch-configure 23 Jun 2015 11:26:05 -  1.1.1.1
+++ patches/patch-configure 19 Nov 2016 13:41:23 -
@@ -1,7 +1,7 @@
 $OpenBSD: patch-configure,v 1.1.1.1 2015/06/23 11:26:05 jca Exp $
 configure.orig Wed May 28 08:03:56 2014
-+++ configure  Mon Jun 22 13:16:45 2015
-@@ -4351,8 +4351,8 @@ else
+--- configure.orig Mon Nov 14 10:37:59 2016
 configure  Sat Nov 19 13:26:33 2016
+@@ -4537,8 +4537,8 @@ else
  fi
  
  
@@ -12,7 +12,7 @@ $OpenBSD: patch-configure,v 1.1.1.1 2015
tmp_CPPFLAGS=$CPPFLAGS
tmp_LIBS=$LIBS
CPPFLAGS="$CPPFLAGS $BOTAN_INCLUDES"
-@@ -16255,7 +16255,7 @@ CFLAGS=$lt_save_CFLAGS
+@@ -16410,7 +16410,7 @@ CFLAGS=$lt_save_CFLAGS
  
  
  
Index: patches/patch-src_bin_softhsm-keyconv_cpp
===
RCS file: patches/patch-src_bin_softhsm-keyconv_cpp
diff -N patches/patch-src_bin_softhsm-keyconv_cpp
--- patches/patch-src_bin_softhsm-keyconv_cpp   21 Sep 2015 13:24:46 -  
1.1
+++ /dev/null   1 Jan 1970 00:00:00 -
@@ -1,113 +0,0 @@
-$OpenBSD: patch-src_bin_softhsm-keyconv_cpp,v 1.1 2015/09/21 13:24:46 sthen 
Exp $
-
-From aa2d1ebb0ef31c71a4db4435f3dc056cacf87209 Mon Sep 17 00:00:00 2001
-From: Rickard Bellgrim <rick...@opendnssec.org>
-Date: Sun, 26 Oct 2014 08:08:43 +0100
-Subject: [PATCH 1/2] SOFTHSM-101: softhsm-keyconv creates files with sensitive
- material in insecure way. Also applies to softhsm when using --export or
- --optimize.
-
-From 285ae80336ca57e186f69bd249736ade6445b873 Mon Sep 17 00:00:00 2001
-From: Rickard Bellgrim <rick...@opendnssec.org>
-Date: Sun, 26 Oct 2014 08:45:11 +0100
-Subject: [PATCH 2/2] SOFTHSM-101: Include more header files
-
 src/bin/softhsm-keyconv.cpp.orig   Wed May 28 07:59:14 2014
-+++ src/bin/softhsm-keyconv.cppMon Sep 21 14:25:56 2015
-@@ -48,6 +48,10 @@
- #include 
- #include 
- #include 
-+#include 
-+#include 
-+#include 
-+#include 
- 
- void usage() {
-   printf("Converting between BIND .private-key format and PKCS#8 key file 
format.\n");
-@@ -391,6 +395,15 @@ int to_pkcs8(char *in_path, char *out_path, char *file
- return 1;
-   }
- 
-+  // Create and set file permissions if the file does not exist.
-+  int fd = open(out_path, O_CREAT, S_IRUSR | S_IWUSR);
-+  if (fd == -1) {
-+fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
-+out_path, errno);
-+return 1;
-+  }
-+  close(fd);
-+
-   // Save the the key to the disk
-   switch(algorithm) {
- case DNS_KEYALG_ERROR:
-@@ -735,8 +748,16 @@ int save_rsa_bind(char *name, int ttl, Botan::Private_
-   snprintf(priv_out, MAX_LINE, "K%s+%03i+%05i.private", name, algorithm, 
key_tag);
-   snprintf(pub_out, MAX_LINE, "K%s+%03i+%05i.key", name, algorithm, key_tag);
- 
--  // Create the private key file
-+  // Create and set file permissions if the file does not exist.
-+  int fd = open(priv_out, O_CREAT, S_IRUSR | S_IWUSR);
-+  if (fd == -1) {
-+fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n&q
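
The file-creation pattern that SOFTHSM-101 is about, as an added example rather than SoftHSM's own code: the weak form writes key material through fopen(), which creates the file with the process umask applied to 0666, next to a hardened form that creates the file with O_CREAT|O_EXCL and mode 0600 and writes through that same descriptor. The path, the placeholder content and the function names are this example's assumptions. The backported patch quoted in this thread took a different route (open with O_CREAT and mode 0600, close, then the existing fopen), which fixes the mode of a newly created file but not of one already sitting at the path.

```c
/* Added example, not SoftHSM code: create a file for private key material
 * without ever exposing it with a permissive mode. The demo path and the
 * placeholder content below are this example's own. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* The shape SOFTHSM-101 fixed: fopen("w") creates the file with
 * 0666 & ~umask, so under the usual umask of 022 the key is readable by
 * every local user until something chmods it, and an existing file or
 * symlink at the path is silently followed and overwritten. */
int write_key_insecure(const char *path, const char *material)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    fputs(material, fp);
    return fclose(fp) == 0 ? 0 : -1;
}

/* Hardened: O_CREAT|O_EXCL with mode 0600 creates the file owner-only in
 * one step and fails with EEXIST if anything (a stale file, a planted
 * symlink) is already there; the data is then written through the same
 * descriptor, so there is no gap between creating and writing. */
int write_key_secure(const char *path, const char *material)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd == -1)
        return -1;
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) {
        close(fd);
        unlink(path);
        return -1;
    }
    int ok = fputs(material, fp) != EOF;
    if (fclose(fp) != 0)
        ok = 0;
    if (!ok) {
        unlink(path);   /* do not leave a half-written key behind */
        return -1;
    }
    return 0;
}

/* 1 if path is a regular file (not a link) with mode exactly 0600. */
int key_file_mode_ok(const char *path)
{
    struct stat st;
    if (lstat(path, &st) == -1 || !S_ISREG(st.st_mode))
        return 0;
    return (st.st_mode & 0777) == (S_IRUSR | S_IWUSR);
}

int main(void)
{
    const char *path = "/tmp/keyconv-demo.private";   /* demo path only */
    const char *material = "-- constructed placeholder, not a real key --\n";
    unlink(path);
    if (write_key_secure(path, material) != 0) {
        perror("write_key_secure");
        return 1;
    }
    printf("%s: mode %s\n", path, key_file_mode_ok(path) ? "0600" : "not 0600");
    return 0;
}
```

The O_EXCL refusal is deliberate: a converter that silently overwrites whatever is at the output path cannot tell a stale key file from a symlink a local user dropped there, so failing and letting the operator remove it is the safer default.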

security/opendnssec: 1.4.12

2016-11-19 Thread Patrik Lundin
Hello,

This updates security/opendnssec to 1.4.12:
===
OPENDNSSEC-808: Crash on query with empty query section (thanks Håvard Eidnes).
SUPPORT-191: Regression, Must accept notify without SOA (thanks Christos Trochalakis).
OPENDNSSEC-845: memory leak occurring when responding to IXFR out when having had multiple updates.
OPENDNSSEC-805: Avoid full resign due to mismatch in backup file when upgrading from 1.4.8 or later.
OPENDNSSEC-828: parsing zone list could show data from next zone when zones iterated on single line.
OPENDNSSEC-811,OPENDNSSEC-827,e.o.: compiler warnings and other static code analysis cleanup
OPENDNSSEC-847: Broken DNS IN notifications when pkt answer section is empty.
OPENDNSSEC-838: Crash in signer after having removed a zone.
Update dependency to ldns to version 1.6.17 enabling the DNS HIP record.
Prevent responding to queries when not fully started yet.
===

It removes two already applied patches, and adds a new one which has also been
accepted upstream:
https://github.com/opendnssec/opendnssec/pull/603

Finally it updates LIB_DEPENDS so that databases/sqlite3 is only part of
the sqlite3 flavor to make portcheck happy.

-- 
Patrik Lundin

Index: Makefile
===
RCS file: /cvs/ports/security/opendnssec/Makefile,v
retrieving revision 1.7
diff -u -p -u -r1.7 Makefile
--- Makefile23 Sep 2016 09:16:57 -  1.7
+++ Makefile19 Nov 2016 11:30:09 -
@@ -2,8 +2,7 @@
 
 COMMENT=   open-source turn-key solution for DNSSEC
 
-DISTNAME=  opendnssec-1.4.10
-REVISION=  0
+DISTNAME=  opendnssec-1.4.12
 
 CATEGORIES=security
 
@@ -19,7 +18,6 @@ WANTLIB += c crypto iconv ldns lzma m pt
 MASTER_SITES=  http://dist.opendnssec.org/source/
 
 LIB_DEPENDS=   converters/libiconv \
-   databases/sqlite3 \
net/ldns/libldns \
textproc/libxml
 
@@ -35,6 +33,7 @@ FLAVOR?=  sqlite3
 
 .if ${FLAVOR:Msqlite3}
 WANTLIB+=  sqlite3
+LIB_DEPENDS+=  databases/sqlite3
 .endif
 
 .if ${FLAVOR:Mmysql}
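
Review bot: LIB_DEPENDS+= databases/sqlite3 now sits next to the WANTLIB+= sqlite3 it justifies, which is the portcheck-clean shape; since FLAVOR?= sqlite3 in the hunk header makes sqlite3 the default, unflavored builds are unchanged and only an explicit mysql build loses the dependency. Worth a quick check that nothing built in the mysql flavor (for instance a MySQL to SQLite conversion helper) still links or runs against sqlite3.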
Index: distinfo
===
RCS file: /cvs/ports/security/opendnssec/distinfo,v
retrieving revision 1.3
diff -u -p -u -r1.3 distinfo
--- distinfo14 Jun 2016 11:29:46 -  1.3
+++ distinfo19 Nov 2016 11:30:09 -
@@ -1,2 +1,2 @@
-SHA256 (opendnssec-1.4.10.tar.gz) = 
VbRMHaOmZe7wrx0bP00cV9IPUPd4WLHdPQPKbrwd98s=
-SIZE (opendnssec-1.4.10.tar.gz) = 1036069
+SHA256 (opendnssec-1.4.12.tar.gz) = 
S6bPBvzRExwe2RPWGVndyQcm7V5PFTyQ9F7GREVSigw=
+SIZE (opendnssec-1.4.12.tar.gz) = 1036392
Index: patches/patch-conf_conf_xml_in
===
RCS file: /cvs/ports/security/opendnssec/patches/patch-conf_conf_xml_in,v
retrieving revision 1.1.1.1
diff -u -p -u -r1.1.1.1 patch-conf_conf_xml_in
--- patches/patch-conf_conf_xml_in  13 Oct 2015 17:03:55 -  1.1.1.1
+++ patches/patch-conf_conf_xml_in  19 Nov 2016 11:30:09 -
@@ -1,7 +1,7 @@
 $OpenBSD: patch-conf_conf_xml_in,v 1.1.1.1 2015/10/13 17:03:55 jca Exp $
 conf/conf.xml.in.orig  Mon Jul 21 11:30:08 2014
-+++ conf/conf.xml.in   Wed Aug 20 08:52:31 2014
-@@ -28,7 +28,7 @@
+--- conf/conf.xml.in.orig  Mon Oct 17 14:32:58 2016
 conf/conf.xml.in   Mon Nov 14 18:41:45 2016
+@@ -31,7 +31,7 @@


3
@@ -10,7 +10,7 @@ $OpenBSD: patch-conf_conf_xml_in,v 1.1.1


@OPENDNSSEC_CONFIG_DIR@/kasp.xml
-@@ -36,19 +36,17 @@
+@@ -39,19 +39,17 @@

  

@@ -33,7 +33,7 @@ $OpenBSD: patch-conf_conf_xml_in,v 1.1.1
PT3600S


-@@ -60,12 +58,10 @@
+@@ -63,12 +61,10 @@

  

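
Review bot: this is a line-offset regen only (the hunk headers move from -28/-36/-60 to -31/-39/-63 and the timestamps change) with no change to what the patch sets, so the open question is whether the three lines added to conf.xml.in between 1.4.10 and 1.4.12 introduced a new setting the OpenBSD patch should also adjust; a sentence in the cover mail saying what upstream added there would close that.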
Index: patches/patch-enforcer_ksm_database_access_lite_c
===
RCS file: patches/patch-enforcer_ksm_database_access_lite_c
diff -N patches/patch-enforcer_ksm_database_access_lite_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-enforcer_ksm_database_access_lite_c   19 Nov 2016 11:30:09 
-
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- enforcer/ksm/database_access_lite.c.orig   Mon Nov 14 18:59:16 2016
 enforcer/ksm/database_access_lite.cMon Nov 14 19:00:58 2016
+@@ -41,6 +41,8 @@
+ #include 
+ #include 
+ 
++#include 
++
+ #include 
+ 
+ #include "ksm/dbsdef.h"
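
Review bot: the new patch-enforcer_ksm_database_access_lite_c carries only the $OpenBSD$ placeholder; since the cover mail says the same change was accepted upstream as opendnssec/opendnssec pull request 603, add that URL as a comment line under $OpenBSD$ (the usual way to mark a patch as droppable on the next update), and state in the cover mail which header it adds, because the include line is empty in this rendering of the diff.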
Index: patches/patch-enforcer_utils_ksmutil_c
===
RCS file: patches/patch-enforcer_utils_ksmutil_c
diff -N patches/patch-enforcer_utils_ksmutil_c
--- patches/patch-enforcer_utils_ksmutil_c  14 Jun 2016 11:29:46 -  
1.1
+++ /dev/null   1 Jan 1970 00:00:00 -
@@ -1,12 +0,0 @@
-$OpenBSD: patch-enforcer_utils_ksmutil_c,v 1.1 2016/06/14 11:29:46 jca Exp $
 enforcer/utils/ksmutil.c.orig  Wed May  4 21:09:00 2016
-+++ enforcer/utils/ksmutil.c

Re: net/kea: 1.1.0

2016-11-09 Thread Patrik Lundin
On Mon, Oct 10, 2016 at 12:28:58AM +0200, Patrik Lundin wrote:
> Hello,
> 
> See below for an update to net/kea from 1.0.0 to 1.1.0.
> 

Ping.

-- 
Patrik Lundin



Re: ansible: openbsd_pkg fails to run when just specifying the package name

2016-10-18 Thread Patrik Lundin
On Tue, Oct 18, 2016 at 09:19:22AM +0200, Landry Breuil wrote:
> 
> So the original idea was more or less to use -z to 'fake' branch
> support when it wasnt existing.
> 

Maybe this is a good time to retire the local patch if the branch syntax
solves those problems for newer systems?

> As for pkg_info -e vs pkg_info -Iq, i dont know what was the intent of
> the change nor if it was good or not
>

The reason for the change was to make the branch syntax work. -Iq
inst: can expand a name based on the branch syntax to the actual
installed version, which -e can not do:
===
$ pkg_info -e autoconf%2.13
Invalid spec: autoconf%2.13

$ pkg_info -Iq inst:autoconf%2.13
autoconf-2.13p4
===

>
> but here -Iq finds an installed
> package by giving only its name (but not if you pass the version without
> patchlevel):
> 
> $pkg_info -Iq ansible
> ansible-2.1.1.0p2
> $pkg_info -e ansible
> Invalid spec: ansible
> $pkg_info -e ansible-2.1.1.0
> inst:ansible-2.1.1.0p2
> $pkg_info -Dunsigned -Iq ansible-2.1.1.0
> Error from 
> http://ftp.fr.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/ansible-2.1.1.0.tgz
> ftp: Error retrieving file: 404 Not Found
> $pkg_info -Iq ansible-2.1.1.0p2
> ansible-2.1.1.0p2
> 
> The only 'advantage' of -e here is that it finds it if you pass the full
> version without the patchlevel.
> 

Right, the reason for the switch was the requirement to find the real
package on disk when a user supplies a name using the branch syntax.

-- 
Patrik Lundin
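
The two pkg_info(1) lookups compared above, as an added example that is not code from the ansible openbsd_pkg module or from the OpenBSD port: a few sh functions that classify a user-supplied package spec into the three forms that come up in this thread (bare name, name%branch, name-version) and pick the invocation which, going by the outputs quoted above, can actually resolve each of them. Function names are my own; the sample specs are the ones from the thread.

```shell
#!/bin/sh
# Added example (not the openbsd_pkg module's code): classify a package spec
# and choose the pkg_info(1) lookup that can resolve it, based on the
# behaviour shown in the thread:
#   name          "ansible"          -> pkg_info -Iq inst:ansible        (found)
#   name%branch   "autoconf%2.13"    -> pkg_info -Iq inst:autoconf%2.13  (found;
#                                       pkg_info -e rejects branch syntax)
#   name-version  "ansible-2.1.1.0"  -> pkg_info -e ansible-2.1.1.0      (found;
#                                       -Iq inst: needs the patchlevel too)

pkg_spec_kind() {
    case $1 in
        *%*)      echo branch ;;
        *-[0-9]*) echo version ;;
        *)        echo name ;;
    esac
}

# The branch part of a spec, or the empty string when there is none. The
# failure reported in the thread came from splitting on '%' unconditionally,
# so a bare name must yield "" here rather than an error.
pkg_spec_branch() {
    case $1 in
        *%*) echo "${1#*%}" ;;
        *)   echo "" ;;
    esac
}

# Package name without its branch or version suffix.
pkg_spec_name() {
    case $(pkg_spec_kind "$1") in
        branch)  echo "${1%%%*}" ;;
        version) echo "${1%-[0-9]*}" ;;
        *)       echo "$1" ;;
    esac
}

# The pkg_info(1) command line that can tell whether the spec is installed.
pkg_info_lookup_cmd() {
    case $(pkg_spec_kind "$1") in
        version) echo "pkg_info -e $1" ;;
        *)       echo "pkg_info -Iq inst:$1" ;;
    esac
}
```

The version form is the only one routed to `-e`; everything else goes through `-Iq inst:`, which is the combination the thread arrives at.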



Re: ansible: openbsd_pkg fails to run when just specifying the package name

2016-10-17 Thread Patrik Lundin
On Tue, Oct 18, 2016 at 06:30:41AM +0200, Jasper Lievisse Adriaanse wrote:
>
> I was hoping that 2.2.0.0 would be released soon, but it seems upstream enjoys
> many a rc over a lengthy period of time. So perhaps syncing the openbsd_pkg
> provider with master would be the way to go.
> 

This would be my personal preference. This also means the local addition
of -z comes into question as the upstream changes replace "pkg_info -e"
with "pkg_info -Iq" for looking up package state, which does not handle
name lookups in the same way.

I believe landry@ should be involved in this decision because from what I
recall he is one of the people who wanted the addition (and might be depending
on it).

I'll repeat my original thoughts about this from when I added the branch
support:
===
I should add that I think the -z addition may actually work worse on the
latest code, because I switched the usage of "pkg_info -e" to "pkg_info
-Iq inst:name" for finding out the state of a requested package. While
-e manages to find a package without the patchlevel version attached
(which I believe was a benefit that -z added), this does not
seem to be true for "-Iq inst:".

This could mean that the module will always think that the package
needs to be installed because it can't tell there is a package with the
supplied name (plus patchlevel) already installed.
===

-- 
Patrik Lundin



Re: ansible: openbsd_pkg fails to run when just specifying the package name

2016-10-17 Thread Patrik Lundin
On Mon, Oct 17, 2016 at 06:58:26PM +0200, Jasper Lievisse Adriaanse wrote:
> On Mon, Oct 17, 2016 at 02:59:43PM +0200, Sebastien Marie wrote:
> > Hi,
> > 
> > With the latest update of ansible (ansible-2.1.2.0->2.1.2.0p3), I
> > experience failures in the use of the `openbsd_pkg' module.
> > 
> > The exception occurs when specifying a package name without version or
> > branch (like just "sysclean"). The code will assume branch syntax and
> > will fail at extracting branch information after '%'.
> > 
> 
> Does this also happen when you remove the two '-z' parts of the local patch we
> carry for ansible? I don't have a CVS tree around right now to provide you with
> a patch to apply.
> 

Removing -z will not be enough. The openbsd_pkg.py file from the
extracted tar ball is missing a lot of branch related changes from
upstream.

This particular problem is a result of adding the last iteration of
branch-syntax fixes without the previous plumbing.

Doing a diff -u between a "make extract" version of openbsd_pkg.py and
an upstream version from git shows quite a bit of changes that are
missing.

-- 
Patrik Lundin



net/kea: 1.1.0

2016-10-09 Thread Patrik Lundin
Hello,

See below for an update to net/kea from 1.0.0 to 1.1.0.

From the release statement
(https://kb.isc.org/article/AA-01428/0/Kea-1.1.0-Release-Notes.html):
===

* Additional Database Backend - Kea 1.1.0 has added preliminary support for
  Cassandra as a database backend.  In this release of Kea it can only be used
  to store lease information; it is not able to store host reservations.
  Cassandra support is currently considered experimental. Use with caution.

* Host Reservations - Kea 1.0 contained limited support for storing host
  reservations in the database backend.  Kea 1.1.0 has expanded that
  capability, allowing host reservations to be stored in a MySQL or
  PostgreSQL database. In particular, Kea 1.1.0:
  - Adds host reservation (DHCPv4 and DHCPv6) using the PostgreSQL backend.
  - Adds host reservation for DHCPv6 to the existing MySQL support.
  - Significantly extends the existing host reservation capabilities to
include reservations of specific DHCP options, reservations of siaddr,
sname, and file fields within DHCPv4 messages, and reservations of
multiple IPv6 addresses/prefixes.
  - Allows the MySQL or PostgreSQL host reservation database to be configured
read-only, in which case Kea will be able to retrieve reservations from it,
but not insert or update existing reservations. This feature is useful
when a database (or database view) exists for the particular deployment
and the administrator doesn't want to grant read-write access for security
reasons.

* Client Classification - In Kea 1.1 the client classification system has been
  expanded. A class definition contains a name and a test expression of
  arbitrary complexity; if the test expression evaluates to "true" the client
  is a member of that class.  A client may be a member of multiple classes and
  can acquire options from different classes.   If the configuration contains
  multiple definitions for data for an option in two or more of the global,
  class, subnet or host entries, the server will choose the definition from
  the most specific entry.

  There are a number of objects and operators available for use in the test
  expression.
  - Operators include: equal, not, and, or, substring, concat
  - Objects include:
   - literals: string, hexadecimal, IP address and integer
   - options: existence and content
   - relay options for DHCPv4 and DHCPv6: existence and content
   - subfields within vendor and vendor class options: existence,
 enterprise-id value and content
   - selected fields from DHCPv4 and DHCPv6 packets
  - Classes may be used to select subnets
  - Classes and class specific subnets may contain option data to serve to
clients within that class

* Hook Library Parameters - It is now possible to specify parameters for hook
  libraries in the Kea configuration file. In earlier versions of Kea, hook
  library authors had to use an external mechanism (such as a file of a known
  name) to pass information across.

* DHCPv4-over-DHCPv6 - RFC7341 (https://tools.ietf.org/html/rfc7341) defines
  an architecture that allows dual-stack clients to communicate with DHCPv4
  server in IPv6-only networks. Kea 1.1 introduces support for this mode of
  operation. It requires running both DHCPv4 and DHCPv6 servers in special
  mode, where the DHCPv6 component does not allocate anything, but decapsulates
  incoming DHCPv4 messages, sends them to the DHCPv4 server and then relays
  back the responses.
===

Note that I have not added any build options for the cassandra version, since
there is no cassandra port available.

This also brings up another question of mine: where to place logs.

Currently the default setup creates logs in the following places:
/var/kea/kea.log
/var/log/kea-ddns.log
/var/log/kea-dhcp4.log
/var/log/kea-dhcp6.log

Of course the port does not do anything to set up rotation of these logs. Any
input on how this should be handled? There are currently some problems with the
syslog code (formatting of the messages and problems with setting the syslog
facility) that are stopping me from making that the default configuration.

These questions apply for the version currently in-tree, so not a new
problem introduced by the update.

The syslog issues as well as the added patches for fixing the test suite are
being discussed upstream in this thread:
https://lists.isc.org/pipermail/kea-users/2016-September/000547.html
https://lists.isc.org/pipermail/kea-users/2016-October/000560.html

Other than that, the library versions of the port have been bumped based on
shared_libs.log in WRKSRC.

-- 
Patrik Lundin

Index: Makefile
===
RCS file: /cvs/ports/net/kea/Makefile,v
retrieving revision 1.5
diff -u -p -u -r1.5 Makefile
--- Makefile14 Mar 2016 06:46:24 -  1.5
+++ Makefile9 Oct 2016 21:10:57 -
@@ -2,28 +2,28 @@
 
 COMMENT=   high-performance and extensible DHCP server engine from ISC
 
-VERSION

Re: security/softhsm2

2016-07-18 Thread Patrik Lundin
On Mon, Jul 18, 2016 at 06:42:14AM +0200, Rolf Sommerhalder wrote:
> Hello,
> 
> Has anyone a port of SoftHSM v2.1.x as a Work-In-Progress?
> 

I currently do not have such a port in progress.

> 
> I am trying to use security/softhsm with SSH (ssh-key-gen, ssh-agent)
> in -current, but failed to add private RSA keys in PKCS8 format to
> SoftHSM 1.3.7:
> 
>  softhsm --init-token --slot 0 --label "myToken1"
>  ssh-keygen -e -m PKCS8 -f .ssh/id_rsa > .ssh/rsa.pem
>  softhsm --import .ssh/rsa.pem --slot 0 --label "myToken1" --id A1B2 --pin 1234
> Decoding error: PKCS #8 private key decoding failed
> Error: Perhaps wrong path to file, wrong file format, or wrong PIN to
> file (--file-pin ).
> 
> Before digging into sources, I thought it may be worth trying SoftHSM
> 2.1.0 as PKCS#11 provider.
> 

When following your steps I notice that the file generated by ssh-keygen
includes the public key, not the private key. I believe this is the
problem. I am not sure ssh-keygen supports generating a PKCS8 private key
(the description for -m does not mention it).

Doing it with openssl (as described here:
https://pthree.org/2013/05/27/strengthen-your-private-encrypted-ssh-keys/)
generated a private key file which I managed to import with softhsm.

Does this fix your problem?

-- 
Patrik Lundin
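
To make the public-key/private-key mix-up above easy to catch, here is an added example that is not from this thread, the softhsm port or OpenSSH: a PEM header check that tells the output of `ssh-keygen -e -m PKCS8` (a public key) apart from the private-key encodings, plus the openssl(1) step that turns a traditional RSA private key into the unencrypted PKCS#8 form `softhsm --import` accepts. Function names are my own; the file arguments are whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not code from the thread or the softhsm port): identify what
# a PEM file actually holds before handing it to `softhsm --import`, and
# convert a traditional RSA private key into PKCS#8 when needed.

# Classify a PEM file by its first "-----BEGIN" armour line:
#   public    what `ssh-keygen -e -m PKCS8` writes (a public key, not importable)
#   pkcs1     traditional "RSA PRIVATE KEY" as written by older ssh-keygen
#   pkcs8     unencrypted PKCS#8 private key, what softhsm --import expects
#   pkcs8-enc encrypted PKCS#8, needs --file-pin on import
#   unknown   anything else (for instance OpenSSH's own key format)
pem_kind() {
    header=$(awk '/^-----BEGIN /{print; exit}' "$1")
    case $header in
        "-----BEGIN PUBLIC KEY-----")            echo public ;;
        "-----BEGIN RSA PRIVATE KEY-----")       echo pkcs1 ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-enc ;;
        *)                                       echo unknown ;;
    esac
}

# Write an unencrypted PKCS#8 copy of a private key to $2. Refuses anything
# that is not a private key, which is the mistake described in the thread
# (the exported public key was fed to softhsm).
to_pkcs8() {
    in=$1
    out=$2
    case $(pem_kind "$in") in
        pkcs1) openssl pkcs8 -topk8 -nocrypt -in "$in" -out "$out" ;;
        pkcs8) cp "$in" "$out" ;;
        *)
            echo "to_pkcs8: $in is not an unencrypted private key" >&2
            return 1
            ;;
    esac
}
```

With the PKCS#8 file in hand the import command from the thread applies unchanged: `softhsm --import rsa.p8 --slot 0 --label "myToken1" --id A1B2 --pin 1234`. Add `--file-pin` only when the PEM header says `ENCRYPTED PRIVATE KEY`.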



Re: net/kea: Helpfully failing test in ./configure

2016-06-27 Thread Patrik Lundin
On Mon, Jun 27, 2016 at 07:44:07PM +0200, Jeremie Courreges-Anglas wrote:
> Patrik Lundin <pat...@sigterm.se> writes:
> 
> >
> > This means that the failing "test" can actually be thought of as a
> > feature. It is of course brittle, and will modify the build parameters
> > if someone decides to teach the test builtin about "<" prior to bumping
> > base gcc past 4.5.
> 
> This is a very unlikely scenario.
> 
> > Basically I am just asking for pointers from other porters, anyone have
> > an idea how I should deal with this? Should I bother at all?
> 
> I guess you could just use /bin/test.
> 

I figured that such a gcc version bump is fairly unlikely but I would
rather ask than guess :). Thanks for the input, I'll see what upstream
thinks about the "expr" proposal. If they decide to merge it I will
return with a patch for the port.

-- 
Patrik Lundin



Re: net/kea: Helpfully failing test in ./configure

2016-06-27 Thread Patrik Lundin
On Mon, Jun 27, 2016 at 07:51:33PM +, Christian Weisgerber wrote:
> On 2016-06-27, Patrik Lundin <pat...@sigterm.se> wrote:
> 
> > CXX_DUMP_VERSION=`$CXX -dumpversion | cut -f1-2 -d.`
> > if test "$CXX_DUMP_VERSION" \< "4.5"; then
> >WARNING_GCC_44_STRICT_ALIASING_CFLAG="-fno-strict-aliasing"
> > fi
> >
> > The error message is thrown because the builtin test does not support
> > the "<" operator (which /bin/test does).
> 
> That's not portable.  POSIX does not specify an operator < for test.
> 
> For a portable solution, use expr(1) instead.
> 

Thanks, that sounds like the most proper way forward. I have opened a PR
against upstream, let's see what they think:
https://github.com/isc-projects/kea/pull/25

I guess the side effect of fixing the check (adding
"-fno-strict-aliasing" to the build even if not strictly needed) is not
really detrimental to the build.

-- 
Patrik Lundin



net/kea: Helpfully failing test in ./configure

2016-06-27 Thread Patrik Lundin
Hello,

When looking at the output of ./configure in net/kea I noticed the
following warning which I have previously missed:
===
./configure[15929]: test: <: unexpected operator/operand
===

The responsible code in the configure script should be this:
===
# gcc 4.4 would emit warnings about breaking strict aliasing rules.
# See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=41874
CXX_DUMP_VERSION=`$CXX -dumpversion | cut -f1-2 -d.`
if test "$CXX_DUMP_VERSION" \< "4.5"; then
   WARNING_GCC_44_STRICT_ALIASING_CFLAG="-fno-strict-aliasing"
fi
===

The error message is thrown because the builtin test does not support
the "<" operator (which /bin/test does).

The funny thing is that gcc in base does not seem to suffer from the
bug that is described in the bug tracker linked above, because the build
generates no warnings relating to strict-aliasing.

This means that the failing "test" can actually be thought of as a
feature. It is of course brittle, and will modify the build parameters
if someone decides to teach the test builtin about "<" prior to bumping
base gcc past 4.5.

Basically I am just asking for pointers from other porters, anyone have
an idea how I should deal with this? Should I bother at all?

-- 
Patrik Lundin
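
The configure check quoted above and the expr(1) replacement suggested in the reply, as an added example that is not from the kea configure script or the port. It goes a little beyond the thread: expr compares two non-integer operands as strings, so a lexicographic "4.10" sorts before "4.5", and the second function shows a numeric major.minor comparison that avoids that. Function names are my own.

```shell
#!/bin/sh
# Added example, not the kea configure script: portable replacements for
#   if test "$CXX_DUMP_VERSION" \< "4.5"; then ...
# The "<" operator of test(1) is not specified by POSIX, which is why the
# shell builtin rejects it while /bin/test happens to accept it.

# expr(1) version, as suggested in the thread. POSIX, but expr compares two
# operands that are not both integers as strings, so "4.10" < "4.5" is true.
gcc_older_than_45_expr() {
    expr "$1" \< "4.5" > /dev/null
}

# Numeric comparison of the major.minor components (input is the output of
# `$CXX -dumpversion | cut -f1-2 -d.`). Also POSIX, correct for two-digit
# components, and tolerates a bare "N" as newer gcc prints.
gcc_older_than_45() {
    major=${1%%.*}
    case $1 in
        *.*) minor=${1#*.}; minor=${minor%%.*} ;;
        *)   minor=0 ;;
    esac
    [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 5 ]; }
}

# What the configure snippet ultimately decides: the extra CFLAG, or nothing.
strict_aliasing_cflag() {
    if gcc_older_than_45 "$1"; then
        echo "-fno-strict-aliasing"
    else
        echo ""
    fi
}
```

For the gcc 4.2 in base at the time either function gives the same answer as the broken test would have; the difference only shows up once a version component has two digits.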



net/kea: Ensure base awk is used

2016-06-27 Thread Patrik Lundin
Hello,

This diff solves a problem found by naddy@ where the build will fail if
gawk happens to be temporarily installed during a bulk build.

The fix was suggested by naddy@ as well, much appreciated!

It changes the output of a clean (no gawk installed) ./configure from:
===
checking for gawk... (cached) awk
checking for gawk... no
checking for awk... /usr/bin/awk
===

... to:
===
checking for gawk... (cached) awk
checking for gawk... (cached) awk
===

Without the diff and with gawk installed it looked like this:
===
checking for gawk... (cached) awk
checking for gawk... /usr/local/bin/gawk
===

I started an upstream discussion which can be found here:
https://lists.isc.org/pipermail/kea-users/2016-June/000416.html

Since upstream did not jump on this I feel it is good enough to fix it
this way for now.

Again, extra thanks to naddy@ for not only finding this bug but
also helping me wrap my head around the autoconf magic involved.

-- 
Patrik Lundin

Index: Makefile
===
RCS file: /cvs/ports/net/kea/Makefile,v
retrieving revision 1.5
diff -u -p -u -r1.5 Makefile
--- Makefile14 Mar 2016 06:46:24 -  1.5
+++ Makefile27 Jun 2016 15:55:51 -
@@ -3,6 +3,7 @@
 COMMENT=   high-performance and extensible DHCP server engine from ISC
 
 VERSION=   1.0.0
+REVISION=  0
 
 DISTNAME=  kea-${VERSION}
 PKGNAME=   ${DISTNAME:S/-P/pl/}
@@ -47,6 +48,7 @@ CONFIGURE_STYLE=  gnu
 CONFIGURE_ARGS+= --with-openssl=/usr \
  --with-boost-libs=-lboost_system \
  --with-boost-lib-dir=${LOCALBASE}/lib
+CONFIGURE_ENV+= ac_cv_path_AWK=awk
 
 LIBTOOL_FLAGS= --tag=disable-static
 
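Review bot: `ac_cv_path_AWK=awk` in the CONFIGURE_ENV hunk presets autoconf's cache so the gawk probe is skipped, which matches the "(cached) awk" output shown above, but it pins a name rather than a path, so configure still resolves whatever `awk` is first in PATH at configure time. If the intent is strictly base awk regardless of PATH, `ac_cv_path_AWK=/usr/bin/awk` states that explicitly; a one-line Makefile comment pointing at the upstream kea-users thread would also stop the override from being removed as dead weight later.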



Re: security/opendnssec: 1.4.10

2016-06-14 Thread Patrik Lundin
On Mon, May 16, 2016 at 06:09:54PM +0200, Patrik Lundin wrote:
> Hello,
> 
> Attached is a patch for OpenDNSSEC 1.4.10:
> https://www.opendnssec.org/2016/05/opendnssec-1-4-10/
> 

Ping.

-- 
Patrik Lundin



security/opendnssec: 1.4.10

2016-05-16 Thread Patrik Lundin
Hello,

Attached is a patch for OpenDNSSEC 1.4.10:
https://www.opendnssec.org/2016/05/opendnssec-1-4-10/

The additional patch files were added to silence some minor build
warnings that I noticed. They have been accepted upstream:
https://github.com/opendnssec/opendnssec/pull/418

-- 
Patrik Lundin

Index: Makefile
===
RCS file: /cvs/ports/security/opendnssec/Makefile,v
retrieving revision 1.4
diff -u -p -u -r1.4 Makefile
--- Makefile14 Mar 2016 06:46:24 -  1.4
+++ Makefile16 May 2016 15:55:31 -
@@ -2,7 +2,7 @@
 
 COMMENT=   open-source turn-key solution for DNSSEC
 
-DISTNAME=  opendnssec-1.4.9
+DISTNAME=  opendnssec-1.4.10
 
 CATEGORIES=security
 
Index: distinfo
===
RCS file: /cvs/ports/security/opendnssec/distinfo,v
retrieving revision 1.2
diff -u -p -u -r1.2 distinfo
--- distinfo25 Jan 2016 15:05:39 -  1.2
+++ distinfo16 May 2016 15:55:31 -
@@ -1,2 +1,2 @@
-SHA256 (opendnssec-1.4.9.tar.gz) = UKFX0m2LmuNwzX+lLHxvQ/THeu610PzNai6Sx9/B2I4=
-SIZE (opendnssec-1.4.9.tar.gz) = 1043700
+SHA256 (opendnssec-1.4.10.tar.gz) = 
VbRMHaOmZe7wrx0bP00cV9IPUPd4WLHdPQPKbrwd98s=
+SIZE (opendnssec-1.4.10.tar.gz) = 1036069
Index: patches/patch-enforcer_utils_ksmutil_c
===
RCS file: patches/patch-enforcer_utils_ksmutil_c
diff -N patches/patch-enforcer_utils_ksmutil_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-enforcer_utils_ksmutil_c  16 May 2016 15:55:31 -
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- enforcer/utils/ksmutil.c.orig  Wed May  4 21:09:00 2016
 enforcer/utils/ksmutil.c   Wed May  4 21:09:22 2016
+@@ -6878,7 +6878,7 @@ int ListKeys(int zone_id)
+ hsm_key_t *key = NULL;
+ ldns_rr *dnskey_rr = NULL;
+ hsm_sign_params_t *sign_params = NULL;
+-hsm_ctx_t* ctx;
++hsm_ctx_t* ctx = NULL;
+ 
+ if (verbose_flag) {
+ /* connect to the HSM */
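Review bot: in the ksmutil.c hunk `ctx` is only assigned inside the `if (verbose_flag)` branch, so the `= NULL` initialiser is what makes any later unconditional cleanup or NULL test on `ctx` well-defined, not merely what silences a maybe-uninitialized warning; the `$OpenBSD$` header carries no description, so a short comment above the hunk saying so would help the next porter, and it is worth confirming that the code after the visible context checks `ctx` before using it.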
Index: patches/patch-signer_src_signer_zone_c
===
RCS file: patches/patch-signer_src_signer_zone_c
diff -N patches/patch-signer_src_signer_zone_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-signer_src_signer_zone_c  16 May 2016 15:55:31 -
@@ -0,0 +1,21 @@
+$OpenBSD$
+--- signer/src/signer/zone.c.orig  Wed May  4 21:09:53 2016
 signer/src/signer/zone.c   Wed May  4 21:10:02 2016
+@@ -571,7 +571,7 @@ zone_add_rr(zone_type* zone, ldns_rr* rr, int do_stats
+ rr_type* record = NULL;
+ ods_status status = ODS_STATUS_OK;
+ char* str = NULL;
+-int i;
++size_t i;
+ 
+ ods_log_assert(rr);
+ ods_log_assert(zone);
+@@ -694,7 +694,7 @@ zone_del_nsec3params(zone_type* zone)
+ {
+ domain_type* domain = NULL;
+ rrset_type* rrset = NULL;
+-int i;
++size_t i;
+ 
+ ods_log_assert(zone);
+ ods_log_assert(zone->name);
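Review bot: both zone.c hunks change `int i` to `size_t i`, which removes the signed/unsigned comparison warnings the message mentions, but an unsigned index changes behaviour if `i` is ever compared against a negative value or counted down past zero (a `for (i = n - 1; i >= 0; i--)` loop never terminates with `size_t`). The loops that use `i` lie outside the visible context, so check them before committing, and add a one-line description above each hunk in the patch file documenting why the type changed.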



Re: NO_SHARED cleanup status

2016-03-14 Thread Patrik Lundin
On Mon, Mar 14, 2016 at 09:25:48AM +, Stuart Henderson wrote:
> On 2016/03/14 07:49, Jeremie Courreges-Anglas wrote:
> > Patrik Lundin <pat...@sigterm.se> writes:
> > 
> > [...]
> > 
> > > The only thing I felt a bit unsure about is net/kea which disables the
> > > building of static libraries via libtool flags:
> > > ===
> > > LIBTOOL_FLAGS=  --tag=disable-static
> > > ===
> > >
> > > My guess is that this is not affected though.
> > 
> > Given the time taken to build only net/kea's shared libs, I'd rather not
> > remove this line. ;)
> 
> Yep. This line is to prevent building static versions of the files
> which are only used as dlopen()'d .so modules.
> 

Right, I am only trying to make sure whether the "no static arch" cleanup
would affect this behaviour, making the above flag the default or
something like that.

Thanks for clarifying that this is not the case.

-- 
Patrik Lundin



Re: NO_SHARED cleanup status

2016-03-11 Thread Patrik Lundin
On Fri, Mar 11, 2016 at 09:49:57PM +0100, Christian Weisgerber wrote:
> 
> It was mostly intended as an explanation what's going on and where
> we're at.  If other committers feel that progress is too slow, they
> can pitch in, otherwise I'll get there on my own, too. :-)
> 

Thanks for the information, it seems jca@ has come to the rescue already
:).

-- 
Patrik Lundin



Re: NO_SHARED cleanup status

2016-03-11 Thread Patrik Lundin
On Fri, Mar 11, 2016 at 09:25:46PM +0100, Jeremie Courreges-Anglas wrote:
> Patrik Lundin <pat...@sigterm.se> writes:
> 
> If this is what you had in mind, I can commit it.  No REVISION bump
> needed.
> 
> Index: net/kea/Makefile
>  

[...]

>
> Index: security/opendnssec/Makefile
>

[...]

>
> Index: security/softhsm/Makefile
>

Yes, that was it thank you :).

The only thing I felt a bit unsure about is net/kea which disables the
building of static libraries via libtool flags:
===
LIBTOOL_FLAGS=  --tag=disable-static
===

My guess is that this is not affected though.

-- 
Patrik Lundin



Re: NO_SHARED cleanup status

2016-03-11 Thread Patrik Lundin
On Thu, Mar 10, 2016 at 11:29:33PM +0100, Christian Weisgerber wrote:
> 
> SHARED_ONLY: DO NOT REMOVE from Perl ports.
> 

Does removing SHARED_ONLY from non-perl ports count as a noop or does it
require a revision bump? Is ports@ interested in diffs from maintainers
or was this only a call for people with commit bits?

-- 
Patrik Lundin



security/opendnssec: 1.4.9

2016-01-24 Thread Patrik Lundin
Hello,

OpenDNSSEC 1.4.9 was recently released.

The announcement:
===
The main motivations for this release are bug fixes related to use
cases with large number of zones (more than 50 zones) in combination
with an XFR based setup. Too many concurrent zone transfers cause new
transfers to be held back. These excess transfers however were not
properly scheduled for later.

No migration steps needed when upgrading from OpenDNSSEC 1.4.8.

Bugfixes:

 * Add TCP waiting queue. Fix signer getting 'stuck' when adding many
   zones at once. Thanks to Håvard Eidnes for bringing this to our
   attention.
 * OPENDNSSEC-723: received SOA serial reported as on disk.
 * Fix potential locking issue on SOA serial.
 * Crash on shutdown. At all times join xfr and dns handler threads.
 * Make handling of notifies more consistent. Previous implementation
   would bounce between code paths.

Known Issues:

 * When using SoftHSM2 compiled with OpenSSL, and libmysql with OpenSSL
   as database backend for OpenDNSSEC. "ods-ksmutil key list --verbose"
   crashes on exit. This is ultimately a bug in OpenSSL and not new for
   this particular release. Make sure you don't use this specific
   combination.
===

Diff below.

-- 
Patrik Lundin

Index: Makefile
===
RCS file: /cvs/ports/security/opendnssec/Makefile,v
retrieving revision 1.2
diff -u -p -u -r1.2 Makefile
--- Makefile22 Dec 2015 07:02:24 -  1.2
+++ Makefile24 Jan 2016 12:39:35 -
@@ -4,8 +4,7 @@ SHARED_ONLY=Yes
 
 COMMENT=   open-source turn-key solution for DNSSEC
 
-DISTNAME=  opendnssec-1.4.8.2
-REVISION=  0
+DISTNAME=  opendnssec-1.4.9
 
 CATEGORIES=security
 
Index: distinfo
===
RCS file: /cvs/ports/security/opendnssec/distinfo,v
retrieving revision 1.1.1.1
diff -u -p -u -r1.1.1.1 distinfo
--- distinfo13 Oct 2015 17:03:55 -  1.1.1.1
+++ distinfo24 Jan 2016 12:39:35 -
@@ -1,2 +1,2 @@
-SHA256 (opendnssec-1.4.8.2.tar.gz) = 
f9VT7jkXPoB0d+0dr/buL4scg4dc0uUqHfMxW/ABVRM=
-SIZE (opendnssec-1.4.8.2.tar.gz) = 1043171
+SHA256 (opendnssec-1.4.9.tar.gz) = UKFX0m2LmuNwzX+lLHxvQ/THeu610PzNai6Sx9/B2I4=
+SIZE (opendnssec-1.4.9.tar.gz) = 1043700



net/kea: 1.0.0

2015-12-29 Thread Patrik Lundin
gory_const' referenced in 
section `.text' of .libs/libkea_asiolink_la-io_socket.o: defined in discarded 
section 
`.gnu.linkonce.b._ZZN5boost6system16generic_categoryEvE22generic_category_const'
 of .libs/libkea_asiolink_la-io_socket.o
`guard variable for boost::system::generic_category()::generic_category_const' 
referenced in section `.text' of .libs/libkea_asiolink_la-io_socket.o: defined 
in discarded section 
`.gnu.linkonce.b._ZGVZN5boost6system16generic_categoryEvE22generic_category_const'
 of .libs/libkea_asiolink_la-io_socket.o
`guard variable for boost::system::system_category()::system_category_const' 
referenced in section `.text' of .libs/libkea_asiolink_la-io_socket.o: defined 
in discarded section 
`.gnu.linkonce.b._ZGVZN5boost6system15system_categoryEvE21system_category_const'
 of .libs/libkea_asiolink_la-io_socket.o
collect2: ld returned 1 exit status
Error while executing c++ -shared -fPIC -DPIC -o .libs/libkea-asiolink.so.0.0 
-pthread -Wall -Wextra -Wnon-virtual-dtor -Wwrite-strings -Woverloaded-virtual 
-Wno-sign-compare -fPIC -O2 -pipe .libs/libkea_asiolink_la-interval_timer.o 
.libs/libkea_asiolink_la-io_address.o .libs/libkea_asiolink_la-io_endpoint.o 
.libs/libkea_asiolink_la-io_service.o .libs/libkea_asiolink_la-io_socket.o 
-L.libs -lpthread -lkea-exceptions
*** Error 2 in src/lib/asiolink (Makefile:543 'libkea-asiolink.la')
*** Error 1 in src/lib/asiolink (Makefile:672 'all-recursive')
*** Error 1 in src/lib (Makefile:426 'all-recursive')
*** Error 1 in src (Makefile:428 'all-recursive')
*** Error 1 in . (Makefile:595 'all-recursive')
*** Error 1 in /home/usr/ports/pobj/kea-1.0.0/kea-1.0.0 (Makefile:436 'all')
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2773 
'/usr/ports/pobj/kea-1.0.0/.build_done')
*** Error 1 in /usr/ports/net/kea 
(/usr/ports/infrastructure/mk/bsd.port.mk:2495 'build')
===

Some digging led me to this ticket http://kea.isc.org/ticket/4009
which in turn led me to the configure flags for defining what boost library to
use. After adding the additional configure flags the build succeeded.

Highlights:
* Renames "message" binary to "kea-msg-compiler".
* Removes all the "include/kea/asio/" stuff.
* Promotes the BUILD_DEPEND of devel/boost to a LIB_DEPEND (which I
  guess is good since it appears to clean up the include stuff above).
* Adds an additional SHARED_LIB (kea-eval).

The diff to CVS below, let me know what you think.

-- 
Patrik Lundin

Index: Makefile
===
RCS file: /cvs/ports/net/kea/Makefile,v
retrieving revision 1.3
diff -u -p -r1.3 Makefile
--- Makefile23 Dec 2015 15:58:55 -  1.3
+++ Makefile30 Dec 2015 04:16:29 -
@@ -4,11 +4,10 @@ SHARED_ONLY=  Yes
 
 COMMENT=   high-performance and extensible DHCP server engine from ISC
 
-VERSION=   0.9.2-P1
+VERSION=   1.0.0
 
 DISTNAME=  kea-${VERSION}
 PKGNAME=   ${DISTNAME:S/-P/pl/}
-REVISION=  0
 
 SHARED_LIBS +=  kea-asiodns   0.0 # 0.0
 SHARED_LIBS +=  kea-asiolink  0.0 # 2.0
@@ -19,6 +18,7 @@ SHARED_LIBS +=  kea-dhcp++  
 SHARED_LIBS +=  kea-dhcp_ddns 0.0 # 1.0
 SHARED_LIBS +=  kea-dhcpsrv   0.0 # 4.0
 SHARED_LIBS +=  kea-dns++ 0.0 # 2.0
+SHARED_LIBS +=  kea-eval  0.0 # 3.0
 SHARED_LIBS +=  kea-exceptions0.0 # 0.0
 SHARED_LIBS +=  kea-hooks 0.0 # 1.0
 SHARED_LIBS +=  kea-log   0.0 # 1.0
@@ -33,20 +33,22 @@ HOMEPAGE=   http://kea.isc.org/
 
 MAINTAINER=Patrik Lundin <pat...@sigterm.se>
 
-# ISC (XXX Kea 1.0 changes to MPL)
+# MPL 2.0
 PERMIT_PACKAGE_CDROM=  Yes
 
-WANTLIB += c crypto log4cplus m pthread stdc++
+WANTLIB += boost_system c crypto log4cplus m pthread stdc++
 
 MASTER_SITES=  ${MASTER_SITE_ISC:=kea/${VERSION}/}
 
-BUILD_DEPENDS= devel/boost
-LIB_DEPENDS=   devel/log4cplus
+LIB_DEPENDS=   devel/boost \
+   devel/log4cplus
 
 FAKE_FLAGS=sysconfdir=${PREFIX}/share/examples
 
 CONFIGURE_STYLE=   gnu
-CONFIGURE_ARGS+= --with-openssl=/usr
+CONFIGURE_ARGS+= --with-openssl=/usr \
+ --with-boost-libs=-lboost_system \
+ --with-boost-lib-dir=${LOCALBASE}/lib
 
 LIBTOOL_FLAGS= --tag=disable-static
 
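Review bot: the license comment in the third Makefile hunk changes from `# ISC (XXX Kea 1.0 changes to MPL)` to `# MPL 2.0`, while earlier in this thread the move was described as being to the Apache license; verify against the LICENSE file in the 1.0.0 tarball before committing so the PERMIT_PACKAGE_CDROM marker is backed by the right text. The `WANTLIB += boost_system` addition matches the new `--with-boost-libs=-lboost_system`, and since boost is now linked rather than only used at build time, moving devel/boost from BUILD_DEPENDS to LIB_DEPENDS is consistent.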
Index: distinfo
===
RCS file: /cvs/ports/net/kea/distinfo,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 distinfo
--- distinfo23 Dec 2015 13:40:53 -  1.1.1.1
+++ distinfo30 Dec 2015 04:16:29 -
@@ -1,2 +1,2 @@
-SHA256 (kea-0.9.2-P1.tar.gz) = Ne4gqNW0/FCU6d7d2YnuJ3TXIcCdU9/WS2QIr2P3md4=
-SIZE (kea-0.9.2-P1.tar.gz) = 4436468
+SHA256 (kea-1.0.0.tar.gz) = lphP6Rj5Ez0I0xFerAEtKIFNjM+vJSiUmfAo3lYTWv4=
+SIZE (kea-1.0.0.tar.gz) = 4559334
Index: pkg/PLIST
===
RCS file: /cvs/ports/net/kea/pkg/PLIST,v
retrieving revision 1.1.1.1
diff -u 

Re: net/kea

2015-12-26 Thread Patrik Lundin
On Thu, Dec 24, 2015 at 02:53:06AM +, Stuart Henderson wrote:
> 
> I saw it on oss-sec first, then on ISC's security RSS feed (and as if
> to emphasize the slightly random nature of that feed it was followed
> by release notes for 0.9, 0.9.2-beta and 0.9.2 :-) I read oss-sec anyway,
> and since I maintain the BIND port I track a few places where ISC are
> likely to announce things.
> 
> http://www.openwall.com/lists/oss-security/2015/12/22/11
> https://www.isc.org/?feed=security-feed
> 

Thanks for the info, I guess it is time to spin up newsbeuter again :).

-- 
Patrik Lundin



Re: net/kea

2015-12-23 Thread Patrik Lundin
On Wed, Dec 23, 2015 at 11:33:30AM +, Stuart Henderson wrote:
> Updated tar.gz for the 0.9.2-P1 crash fix ("Improved handling of incoming
> packets with invalid client-id and DUID.")
>

Nice catch! I had not seen any word of this release on the kea mailing
lists, how did you notice it?

>
> I also added an XXX comment
> to remind us to update the license marker for 1.0 because ISC are moving
> to the Apache license :'(
> 

I did have this upcoming change noted in the back of my head, but having
an explicit note in the Makefile does make sense.

-- 
Patrik Lundin



Re: security/opendnssec: replace /etc with ${SYSCONFDIR}

2015-12-22 Thread Patrik Lundin
On Tue, Dec 22, 2015 at 08:03:29AM +0100, Antoine Jacoutot wrote:
> 
> That part is not, rc.subr is part of base and is always found under 
> /etc/rc.d/rc.subr
> 

I was not aware of that gotcha, thanks for the information :).

>
> I committed the first part (with a bump).
> Thanks.
> 

Great, thanks!

-- 
Patrik Lundin



security/opendnssec: replace /etc with ${SYSCONFDIR}

2015-12-21 Thread Patrik Lundin
Hello,

I noticed I was still using some '/etc' locations in PLIST and rc
script, diff below.

-- 
Patrik Lundin

Index: pkg/PLIST
===
RCS file: /cvs/ports/security/opendnssec/pkg/PLIST,v
retrieving revision 1.1.1.1
diff -u -p -u -r1.1.1.1 PLIST
--- pkg/PLIST   13 Oct 2015 17:03:55 -  1.1.1.1
+++ pkg/PLIST   21 Dec 2015 18:04:59 -
@@ -24,7 +24,7 @@ sbin/ods-control
 @bin sbin/ods-signerd
 @mode 0750
 @group _opendnssec
-@sample /etc/opendnssec/
+@sample ${SYSCONFDIR}/opendnssec/
 @mode
 @group
 share/doc/opendnssec/
Index: pkg/opendnssec.rc
===
RCS file: /cvs/ports/security/opendnssec/pkg/opendnssec.rc,v
retrieving revision 1.1.1.1
diff -u -p -u -r1.1.1.1 opendnssec.rc
--- pkg/opendnssec.rc   13 Oct 2015 17:03:55 -  1.1.1.1
+++ pkg/opendnssec.rc   21 Dec 2015 18:04:59 -
@@ -4,7 +4,7 @@
 
 daemon="${TRUEPREFIX}/sbin/ods-control"
 
-. /etc/rc.d/rc.subr
+. ${SYSCONFDIR}/rc.d/rc.subr
 
 rc_reload=NO
 
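Review bot: the opendnssec.rc hunk replaces `. /etc/rc.d/rc.subr` with `. ${SYSCONFDIR}/rc.d/rc.subr`, but rc.subr is part of base and is always found at /etc/rc.d/rc.subr, as the follow-up reply in this thread points out; drop this hunk and keep only the PLIST `@sample ${SYSCONFDIR}/opendnssec/` change.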



Re: net/kea

2015-12-09 Thread Patrik Lundin
On Tue, Dec 08, 2015 at 11:15:04PM +, Stuart Henderson wrote:
> On 2015/12/08 23:59, Patrik Lundin wrote:
> > I have posted a question to kea-dev regarding this:
> > https://lists.isc.org/pipermail/kea-dev/2015-December/000588.html
> > 
> > Let's see how that goes.
> 
> Good idea.
> 

I have received a response now. As I do not think there is an
overwhelming reason for using Botan I feel it is nicer to skip
additional port dependencies and explicitly use our LibreSSL instead.

The question remaining is if the configure flag should be --with-openssl
or --with-openssl=/usr. While it seems the configure script will look
for the library in an order that starts with /usr, I wonder if it is
nicer to be explicit that we want to use the base version (rather than
the openssl port for instance).

Attached is a port with the explicit flag set and a shortened
LIB_DEPENDS/WANTLIB list. I have tested that it ignores the use of Botan
when it is installed. Let me know what you think.

-- 
Patrik Lundin


kea,3.tgz
Description: application/tar-gz


Re: net/kea

2015-12-09 Thread Patrik Lundin
On Wed, Dec 09, 2015 at 08:33:10PM +0100, Patrik Lundin wrote:
> 
> Attached is a port with the explicit flag set and a shortened
> LIB_DEPENDS/WANTLIB list. I have tested that it ignores the use of Botan
> when it is installed. Let me know what you think.
> 

Stuart: It would of course be nice to know if this stops the inclusion of
Botan on your build box as well, just for good measure.

-- 
Patrik Lundin



Re: net/kea

2015-12-08 Thread Patrik Lundin
On Tue, Dec 08, 2015 at 07:39:24PM +0100, Patrik Lundin wrote:
> > not a port problem, but "message" is a terrible name for something that
> > upstream want to place in a system directory!
> 
> I have mentioned this in my upstream kea-dev thread.
> 

FYI: upstream has created a ticket which aims to rename "message" to
"kea-msg-compiler" based on this input: http://kea.isc.org/ticket/4228

-- 
Patrik Lundin



Re: net/kea

2015-12-08 Thread Patrik Lundin
On Mon, Dec 07, 2015 at 09:59:44AM +, Stuart Henderson wrote:
> > 
> > 1. When running "make update-plist" I get the following messages:
> > ===
> > make-plist: Bogus element outside of every prefix: /etc/kea/kea.conf
> > make-plist: Bogus element outside of every prefix: /etc/kea/keactrl.conf
> 
> For these, you can often override a variable in upstream's Makefiles
> in FAKE_FLAGS to install these files to /usr/local/share/examples,
> often named sysconfdir or SYSCONFDIR.
> 
>  it's likely to be similar to this
> 
> FAKE_FLAGS= sysconfdir=${PREFIX}/share/examples/
> 
> pre-install:
> mkdir -p ${PREFIX}/share/examples/bind10/
> 

Some trial and error proved that these were pretty much exactly what was
needed, thanks!

This line is now printed instead, guess I can just ignore it?:
===
make-plist: Bogus element outside of every prefix: /etc/kea
===

> > make-plist: Bogus element outside of every prefix: /etc/rc.d/kea
> 
> Ignore this and handle the rcscript in PLIST manually.
> 

I have noticed that update-plist always removes the rcscript in
PLIST, but reading older threads this seems to be a known problem.

> > make-plist: Bogus element outside of every prefix: /var/kea
> > make-plist: Bogus element outside of every prefix: /var/run/kea
> 
> /var/run is cleared at boot so the /var/run/kea directory needs creating
> in the rcscript. we normally do not include these in plist.
> 

I have removed the PLIST @sample for /var/run/kea, and added an rc_pre()
which creates the directory if it does not exist.

> 
> other comments:
> 
> "@sample /etc/kea/" should use SYSCONFDIR and this plist line is usually
> placed near the files that go in that dir
> 

Fixed.

>
> please order Makefile closer to the section ordering in
> Makefile.template
> 
> the shared libs lines are ok (except want to be earlier in the makefile)
> 

I have done a major reorder of the Makefile to mirror the template.

> the static libs are unlikely to be useful, and the whole port is unlikely
> to work without shared libs, so I'd disable them (probably --disable-static
> in CONFIGURE_ARGS, and SHARED_ONLY=Yes) to save build time
> 

This turned out to be the trickiest part. Adding "--disable-static" to
CONFIGURE_ARGS indeed disabled static libraries according to config.log:
===
configure:12388: checking whether to build static libraries
configure:12392: result: no
===

However, the .a files were still being generated by the build.

After digging around I found out about LIBTOOL_FLAGS and added
"LIBTOOL_FLAGS=  --tag=disable-static" and this made the .a files
disappear.

Using LIBTOOL_FLAGS it does not seem to matter if CONFIGURE_ARGS are set
or not, should I use both for good measure or only LIBTOOL_FLAGS? Is
this expected behaviour?

> not a port problem, but "message" is a terrible name for something that
> upstream want to place in a system directory!

I have mentioned this in my upstream kea-dev thread.

Attached is the updated port, which only uses LIBTOOL_FLAGS to disable
the static libraries.

Thanks a lot for your time!

-- 
Patrik Lundin


kea.tgz
Description: application/tar-gz


Re: net/kea

2015-12-08 Thread Patrik Lundin
On Tue, Dec 08, 2015 at 10:41:07PM +, Stuart Henderson wrote:
> 
> I see it in perfdhcp. Actually it looks like there's another option, we can
> instead use CONFIGURE_ARGS+= --with-openssl - which would you prefer?
> 
> $ objdump -p ../fake-amd64/usr/local/sbin/perfdhcp
> 
[...]
>   NEEDED  libbotan-1.10.so.1.0
[...]

It is not being required on my (clean) system, did you have the library
installed previously when building the port? Of course we should make sure only
one path is chosen anyway.

For reference, this is how perfdhcp looks for me:
===
# objdump -p /usr/local/sbin/perfdhcp  

/usr/local/sbin/perfdhcp: file format elf64-x86-64

Program Header:
PHDR off0x0040 vaddr 0x0040 paddr 
0x0040 align 2**3
 filesz 0x0268 memsz 0x0268 flags r-x
  INTERP off0x0318 vaddr 0x0318 paddr 
0x0318 align 2**0
 filesz 0x0013 memsz 0x0013 flags r--
LOAD off0x vaddr 0x paddr 
0x align 2**20
 filesz 0x0005361e memsz 0x0005361e flags r-x
LOAD off0x00053620 vaddr 0x00153620 paddr 
0x00153620 align 2**20
 filesz 0x00011ae5 memsz 0x00011ae5 flags r--
LOAD off0x00065108 vaddr 0x00265108 paddr 
0x00265108 align 2**20
 filesz 0x1ad0 memsz 0x1ad0 flags rw-
LOAD off0x00066bd8 vaddr 0x00366bd8 paddr 
0x00366bd8 align 2**20
 filesz 0x0908 memsz 0x0908 flags rw-
LOAD off0x000674e0 vaddr 0x004674e0 paddr 
0x004674e0 align 2**20
 filesz 0x0058 memsz 0x0500 flags rw-
 DYNAMIC off0x00066a08 vaddr 0x00266a08 paddr 
0x00266a08 align 2**3
 filesz 0x01d0 memsz 0x01d0 flags rw-
NOTE off0x032c vaddr 0x032c paddr 
0x032c align 2**2
 filesz 0x0018 memsz 0x0018 flags r--
EH_FRAME off0x0005a128 vaddr 0x0015a128 paddr 
0x0015a128 align 2**2
 filesz 0x0f54 memsz 0x0f54 flags r--
OPENBSD_RANDOMIZE off0x00065108 vaddr 0x00265108 paddr 
0x00265108 align 2**3
 filesz 0x0008 memsz 0x0008 flags rw-

Dynamic Section:
  NEEDED  libkea-exceptions.so.0.0
  NEEDED  libkea-dhcp++.so.0.0
  NEEDED  libkea-asiolink.so.0.0
  NEEDED  libkea-dns++.so.0.0
  NEEDED  libkea-cryptolink.so.0.0
  NEEDED  libcrypto.so.36.1
  NEEDED  libkea-util.so.0.0
  NEEDED  libstdc++.so.57.0
  NEEDED  libm.so.9.0
  NEEDED  libc.so.84.2
  HASH0x348
  STRTAB  0x48f0
  SYMTAB  0x1440
  STRSZ   0x69e5
  SYMENT  0x18
  DEBUG   0x0
  PLTGOT  0x366bd8
  PLTRELSZ0xd98
  PLTREL  0x7
  JMPREL  0xf700
  RELA0xb2d8
  RELASZ  0x4428
  RELAENT 0x18
  RELACOUNT   0x111

===

I have posted a question to kea-dev regarding this:
https://lists.isc.org/pipermail/kea-dev/2015-December/000588.html

Let's see how that goes.

-- 
Patrik Lundin



Re: net/kea

2015-12-08 Thread Patrik Lundin
On Tue, Dec 08, 2015 at 11:18:53PM +0100, Patrik Lundin wrote:
> 
> What is picking up botan? I looked at every @bin and @lib with ldd and I
> can't see anyone referring to that library. What am I missing?
> 

From http://kea.isc.org/docs/kea-guide.html#required-software:
===
Kea supports two crypto libraries: Botan and OpenSSL. Only one of them
is required to be installed during compilation. Kea uses the Botan
crypto library for C++ (http://botan.randombit.net/), version 1.8 or
later. As an alternative to Botan, Kea can use the OpenSSL crypto
library (http://www.openssl.org/). It requires a version with SHA-2
support. 
===

I realize I do not know which library is preferred from the upstream
perspective, but using LibreSSL seemed nice (and this is what was chosen on my
build box).

On my box the following is seen:
===
# ldd /usr/local/sbin/kea-dhcp4
[...]
1f4847a77000 1f4848045000 rlib 07   0  
/usr/lib/libcrypto.so.36.1
[...]
===

From config.log (after tests for botan have failed):
===
configure:17410: checking for OpenSSL library
configure:17430: result: yes
configure:17468: checking OpenSSL version
configure:17480: result: LibreSSL 2.3.2
configure:17485: checking support of SHA-2
configure:17506: c++ -o conftest -O2 -pipe   -DOS_BSD  conftest.cpp  -lcrypto >&5
configure:17506: $? = 0
configure:17507: result: yes
===

I can ask upstream what they prefer if there are no strong opinions raised on
this list.

-- 
Patrik Lundin



Re: net/kea

2015-12-08 Thread Patrik Lundin
On Tue, Dec 08, 2015 at 09:46:34PM +, Stuart Henderson wrote:
> Thanks, this is looking good to me, Only two changes I'd make. First is
> in the rc script, what you have isn't wrong, but the mkdir/chown/chmod
> lines can be replaced with a single command:
> 
>   install -d -o root:_kea -m 775 ${LOCALSTATEDIR}/run/kea
> 

This is much prettier, nice catch :).

>
> Second change is WANTLIB/LIB_DEPENDS; it picks up botan so it needs to be
> listed in LIB_DEPENDS, and the relevant WANTLIBs added. New tar attached.
> 

What is picking up botan? I looked at every @bin and @lib with ldd and I
can't see anyone referring to that library. What am I missing?

-- 
Patrik Lundin



net/kea

2015-12-06 Thread Patrik Lundin
Hello,

I am working on a port for Kea, the new DHCP server from ISC.

===
# cat pkg/DESC
Kea is a new open source DHCPv4/DHCPv6 server being developed by Internet
Systems Consortium. The objective of this project is to provide a very
high-performance, extensible DHCP server engine for use by enterprises and
service providers, either as is or with extensions and modifications.

Kea provides DHCPv4 and DHCPv6 servers, a dynamic DNS update module, a portable
DHCP library, libdhcp++, and a DHCP benchmarking tool, perfdhcp.
===

Attached you will find the port, which is currently a work-in-progress
hoping for input from more experienced porters.

I am currently able to build three flavors: the default one which only
uses the built in "memfile" backend, and then two database backends
using mysql and postgresql.

My current up front questions are these:

1. When running "make update-plist" I get the following messages:
===
make-plist: Bogus element outside of every prefix: /etc/kea/kea.conf
make-plist: Bogus element outside of every prefix: /etc/kea/keactrl.conf
make-plist: Bogus element outside of every prefix: /etc/rc.d/kea
make-plist: Bogus element outside of every prefix: /var/kea
make-plist: Bogus element outside of every prefix: /var/run/kea
===

Can these be ignored? I am handling all of the files mentioned via
@sample lines in PLIST (except for rc.d/kea which of course is an @rc
line).

2. I am not completely comfortable in my SHARED_LIBS knowledge, I would
   appreciate an extra eye on those lines in the Makefile. Right now
   they are taken as-is from the output generated when building the
   port.

Other than that I have raised some additional questions against
upstream, you can find them here:
https://lists.isc.org/pipermail/kea-dev/2015-December/000576.html

-- 
Patrik Lundin


kea.tgz
Description: application/tar-gz


Re: opendnssec and softhsm revisited

2015-10-13 Thread Patrik Lundin
On Mon, Oct 12, 2015 at 11:34:46PM +0100, Stuart Henderson wrote:
> On 2015/10/05 22:22, Patrik Lundin wrote:
> > The 1.4.8.2 version of opendnssec was just released. This version
> > incorporates the above mentioned fixes. You will find the port attached.
> 
> Looks good to me. I've reserved uid/gid 757 so PLIST can be updated.
> 

Great, thanks :).

>
> Only one thing I'm unsure about, I'd welcome other comments on this
> though: the naming of the mariadb flavour. It is technically correct,
> but we're not using -mariadb as a flavour name anywhere else, so I'd
> be inclined to name it "mysql" for consistency with the rest of the
> tree.
>

This sounds reasonable to me. Moving the ports tree from using "mysql"
to "mariadb" in flavor names seems like something that should be done in
a more controlled fashion than having some ports slowly start diverging.

Attached is a port with the uid/gid number updated to 757 in PLIST, as
well as having the "mariadb" name reverted to "mysql" (except in the
README file where I still refer to the mariadb-server package).

-- 
Patrik Lundin


opendnssec.tgz
Description: application/tar-gz


Re: opendnssec and softhsm revisited

2015-10-05 Thread Patrik Lundin
On Sat, Sep 19, 2015 at 11:24:12AM +0200, Patrik Lundin wrote:
> 
> Just a quick update: both the segfault on i386 and the lockup on macppc
> have been fixed on the development branch.
> 
> I'll send an updated port as soon as the fixes are available in a
> release which may be out in the upcoming week.
> 

The 1.4.8.2 version of opendnssec was just released. This version
incorporates the above mentioned fixes. You will find the port attached.

The only issue I have seen was on sparc64 where some kind of self-check
in the botan library would fail once:

/var/log/messages:
===
Sep 26 08:25:01 ns3-old ods-enforcerd: opendnssec started (version 1.4.8), pid 
28386
Sep 26 08:25:03 ns3-old ods-signerd: [hsm] libhsm connection opened succesfully
Sep 26 08:25:03 ns3-old ods-signerd: [engine] signer started (version 1.4.8), 
pid 17887
Sep 26 08:26:00 ns3-old ods-enforcerd: SoftHSM: C_GenerateKeyPair: Key pair 
generated
Sep 26 08:26:00 ns3-old ods-enforcerd: SoftHSM: C_DestroyObject: An object has 
been destroyed
Sep 26 08:26:00 ns3-old ods-enforcerd: SoftHSM: C_GenerateKeyPair: Key pair 
generated
Sep 26 08:26:00 ns3-old ods-enforcerd: SoftHSM: C_DestroyObject: An object has 
been destroyed
Sep 26 08:26:00 ns3-old ods-enforcerd: WARNING: Making non-backed up ZSK 
active, PLEASE make sure that you know the potential problems of using keys 
which are not recoverable
Sep 26 08:26:00 ns3-old ods-signerd: [signconf] zone example.com signconf: 
RESIGN[PT7200S] REFRESH[PT259200S] VALIDITY[PT1209600S] DENIAL[PT1209600S] 
JITTER[PT43200S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT3600S] 
MINIMUM[PT3600S] SERIAL[unixtime]
Sep 26 08:26:00 ns3-old ods-signerd: SoftHSM: C_Sign: Could not sign the data: 
Internal error: Assertion self_test_signature(encoded, plain_sig) failed 
(PK_Signer consistency check failed) in Botan::SecureVector 
Botan::PK_Signer::signature(Botan::RandomNumberGenerator&) 
@./src/pubkey/pubkey.cpp:219
Sep 26 08:26:00 ns3-old ods-signerd: [hsm] sign final: CKR_GENERAL_ERROR
Sep 26 08:26:00 ns3-old ods-signerd: [hsm] error signing rrset with libhsm
Sep 26 08:26:00 ns3-old ods-signerd: [rrset] unable to sign RRset[50]: 
lhsm_sign() failed
Sep 26 08:26:00 ns3-old ods-signerd: [worker[2]] sign zone example.com failed: 
1 RRsets failed
Sep 26 08:26:00 ns3-old ods-signerd: [worker[2]] CRITICAL: failed to sign zone 
example.com: General error
Sep 26 08:26:00 ns3-old ods-signerd: [worker[2]] backoff task [sign] for zone 
example.com with 60 seconds
Sep 26 08:27:00 ns3-old ods-signerd: [STATS] example.com 1443248820 RR[count=5 
time=0(sec)] NSEC3[count=3 time=0(sec)] RRSIG[new=2 reused=7 time=0(sec) 
avg=0(sig/sec)] TOTAL[time=60(sec)] 
===

/var/log/daemon:
===
Sep 26 08:26:00 ns3-old ods-signerd: [cmdhandler] received command update 
example.com[18]
Sep 26 08:26:00 ns3-old ods-signerd: [zonelist] read file 
/etc/opendnssec/zonelist.xml
Sep 26 08:26:00 ns3-old ods-signerd: [worker[2]] configure zone example.com
Sep 26 08:26:00 ns3-old ods-enforcerd: Called signer engine: 
/usr/local/sbin/ods-signer update example.com
Sep 26 08:26:00 ns3-old ods-enforcerd: Disconnecting from Database...
Sep 26 08:26:00 ns3-old ods-enforcerd: Sleeping for 3600 seconds.
Sep 26 08:26:00 ns3-old ods-signerd: [signconf] zone example.com signconf: 
RESIGN[PT7200S] REFRESH[PT259200S] VALIDITY[PT1209600S] DENIAL[PT1209600S] 
JITTER[PT43200S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT3600S] 
MINIMUM[PT3600S] SERIAL[unixtime]
Sep 26 08:26:00 ns3-old ods-signerd: [worker[2]] read zone example.com
Sep 26 08:26:00 ns3-old ods-signerd: [adapter] read zone example.com from file 
input adapter /var/opendnssec/unsigned/example.com
Sep 26 08:26:00 ns3-old ods-signerd: [adapter] zone example.com set soa ttl to 
3600
Sep 26 08:26:00 ns3-old ods-signerd: [adapter] zone example.com set soa minimum 
to 3600
Sep 26 08:26:00 ns3-old ods-signerd: [adapter] zone example.com set soa serial 
to 1443248760
Sep 26 08:26:00 ns3-old ods-signerd: [worker[2]] sign zone example.com
Sep 26 08:26:00 ns3-old ods-signerd: [hsm] sign final: CKR_GENERAL_ERROR
Sep 26 08:26:00 ns3-old ods-signerd: [hsm] error signing rrset with libhsm
Sep 26 08:26:00 ns3-old ods-signerd: [rrset] unable to sign RRset[50]: 
lhsm_sign() failed
Sep 26 08:26:00 ns3-old ods-signerd: [worker[2]] sign zone example.com failed: 
1 RRsets failed
Sep 26 08:26:00 ns3-old ods-signerd: [worker[2]] CRITICAL: failed to sign zone 
example.com: General error
Sep 26 08:26:00 ns3-old ods-signerd: [worker[2]] backoff task [sign] for zone 
example.com with 60 seconds
Sep 26 08:27:00 ns3-old ods-signerd: [worker[2]] sign zone example.com
Sep 26 08:27:00 ns3-old ods-signerd: [zone] zone example.com set soa serial to 
1443248820
Sep 26 08:27:00 ns3-old ods-signerd: [worker[2]] write zone example.com
Sep 26 08:27:00 ns3-old ods-signerd: [adapter] write zone example.com serial 
1443248820 to output file adapter /var/opendnssec/signed/example.com
Sep 26 08:27:00 ns

softhsm: Add PORTROACH_COMMENT

2015-10-04 Thread Patrik Lundin
Hello,

After sitting in the audience at EuroBSDcon 2015 listening to the
portroach talk by jasper@ I realized I had some homework to do :).

A PORTROACH limit should be accompanied by a PORTROACH_COMMENT. Attached
is a diff against my port.

-- 
Patrik Lundin

Index: Makefile
===
RCS file: /cvs/ports/security/softhsm/Makefile,v
retrieving revision 1.3
diff -u -p -u -r1.3 Makefile
--- Makefile21 Sep 2015 13:24:46 -  1.3
+++ Makefile4 Oct 2015 16:41:44 -
@@ -1,6 +1,7 @@
 # $OpenBSD: Makefile,v 1.3 2015/09/21 13:24:46 sthen Exp $
 
 PORTROACH= limit:^1\.
+PORTROACH_COMMENT= the 2.x version has a different user interface
 
 SHARED_ONLY=   Yes
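Review bot: the added PORTROACH_COMMENT justifies the limit by the user interface alone, while the argument made on the list is that 2.x is expected to become a separate port (security/softhsm2) and is therefore not an update of this one; stating that in the comment tells the next reader of the Makefile why a 2.x release is deliberately ignored rather than merely different. Something like `PORTROACH_COMMENT= 2.x has a different CLI and will be a separate port` keeps it on one line.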
 



Re: softhsm: add portroach limit

2015-09-21 Thread Patrik Lundin
On Thu, Aug 27, 2015 at 06:06:44PM +0200, Patrik Lundin wrote:
> Hello,
> 
> portroach currently thinks security/softhsm is outdated. The reason for
> this is that while the version in ports is 1.3.7, there is a development
> release using a 2.0.0 version number.
> 
> The diff below should limit the version check to the 1.x.x versions.
> 
> -- 
> Patrik Lundin
> 
> Index: Makefile
> ===
> RCS file: /cvs/ports/security/softhsm/Makefile,v
> retrieving revision 1.1.1.1
> diff -u -p -u -r1.1.1.1 Makefile
> --- Makefile  23 Jun 2015 11:26:05 -  1.1.1.1
> +++ Makefile  27 Aug 2015 16:00:25 -
> @@ -1,5 +1,7 @@
>  # $OpenBSD: Makefile,v 1.1.1.1 2015/06/23 11:26:05 jca Exp $
>  
> +PORTROACH=   limit:^1\.
> +
>  SHARED_ONLY= Yes
>  
>  COMMENT= software PKCS\#11 cryptographic token
> 

My opinion is still that the original diff above is the correct one. While
I understand the reaction from other people on the list that it would be
troublesome to make portroach blind to "newer" releases, I am still
convinced that the 2.x branch is not relevant to this port at all.

This means we are currently doing the opposite of making portroach miss
new releases: we are making it harder for people to spot real
unmaintained code which could be considered just as bad.

If you don't trust my personal judgement on this, maybe looking at other
projects having a separate package for the 2.x branch can help sway your
opinion:

FreeBSD:
http://portsmon.freebsd.org/portoverview.py?category=security=softhsm2

Debian: https://packages.debian.org/sid/softhsm2

At the end of the day I hope my maintainer status would make you trust
my judgement. This port is my responsibility after all.

-- 
Patrik Lundin



softhsm: Apply SOFTHSM-101 security fixes

2015-09-21 Thread Patrik Lundin
Hello,

Looking around I noticed NetBSD and Debian had a few (somewhat
different) fixes for the softhsm tool creating some sensitive files with
too wide permissions.

This has been handled upstream in SOFTHSM-101:
https://issues.opendnssec.org/browse/SOFTHSM-101

It was merged to the development branch in git commit
e853dc5b34d00a09e3e114cb4914b06c01c72b1c.

I have exported the diff using the following URL:
https://github.com/opendnssec/SoftHSMv1/commit/e853dc5b34d00a09e3e114cb4914b06c01c72b1c.diff

After removing the part modifying NEWS I applied the diff using
patch(1):
===
# patch -p1 -i e853dc5b34d00a09e3e114cb4914b06c01c72b1c.diff
===

I have verified that this makes the files created by softhsm --export as
well as softhsm-keyconv have 0600 permissions.

See below for diff against the port which also adds REVISION=0 to the
Makefile.

-- 
Patrik Lundin

Index: Makefile
===
RCS file: /cvs/ports/security/softhsm/Makefile,v
retrieving revision 1.2
diff -u -p -u -r1.2 Makefile
--- Makefile21 Sep 2015 09:36:33 -  1.2
+++ Makefile21 Sep 2015 12:38:30 -
@@ -8,6 +8,8 @@ COMMENT=software PKCS\#11 cryptographic
 
 DISTNAME=  softhsm-1.3.7
 
+REVISION=  0
+
 CATEGORIES=security
 
 HOMEPAGE=  http://www.opendnssec.org/softhsm/
Index: patches/patch-src_bin_softhsm-keyconv_cpp
===
RCS file: patches/patch-src_bin_softhsm-keyconv_cpp
diff -N patches/patch-src_bin_softhsm-keyconv_cpp
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-src_bin_softhsm-keyconv_cpp   21 Sep 2015 12:38:30 -
@@ -0,0 +1,100 @@
+$OpenBSD$
+--- src/bin/softhsm-keyconv.cpp.orig   Wed May 28 07:59:14 2014
 src/bin/softhsm-keyconv.cppMon Sep 21 14:25:56 2015
+@@ -48,6 +48,10 @@
+ #include 
+ #include 
+ #include 
++#include 
++#include 
++#include 
++#include 
+ 
+ void usage() {
+   printf("Converting between BIND .private-key format and PKCS#8 key file 
format.\n");
+@@ -391,6 +395,15 @@ int to_pkcs8(char *in_path, char *out_path, char *file
+ return 1;
+   }
+ 
++  // Create and set file permissions if the file does not exist.
++  int fd = open(out_path, O_CREAT, S_IRUSR | S_IWUSR);
++  if (fd == -1) {
++fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
++out_path, errno);
++return 1;
++  }
++  close(fd);
++
+   // Save the the key to the disk
+   switch(algorithm) {
+ case DNS_KEYALG_ERROR:
+@@ -735,8 +748,16 @@ int save_rsa_bind(char *name, int ttl, Botan::Private_
+   snprintf(priv_out, MAX_LINE, "K%s+%03i+%05i.private", name, algorithm, 
key_tag);
+   snprintf(pub_out, MAX_LINE, "K%s+%03i+%05i.key", name, algorithm, key_tag);
+ 
+-  // Create the private key file
++  // Create and set file permissions if the file does not exist.
++  int fd = open(priv_out, O_CREAT, S_IRUSR | S_IWUSR);
++  if (fd == -1) {
++fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
++priv_out, errno);
++return 1;
++  }
++  close(fd);
+ 
++  // Create the private key file
+   file_pointer = fopen(priv_out, "w");
+   if (!file_pointer) {
+ fprintf(stderr, "Error: Could not open output file %.100s for 
writing.\n", priv_out);
+@@ -786,8 +807,16 @@ int save_rsa_bind(char *name, int ttl, Botan::Private_
+ 
+   printf("The private key has been written to %s\n", priv_out);
+ 
+-  // Create the public key file
++  // Create and set file permissions if the file does not exist.
++  fd = open(pub_out, O_CREAT, S_IRUSR | S_IWUSR);
++  if (fd == -1) {
++fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
++pub_out, errno);
++return 1;
++  }
++  close(fd);
+ 
++  // Create the public key file
+   file_pointer = fopen(pub_out, "w");
+   if (!file_pointer) {
+ fprintf(stderr, "Error: Could not open output file %.100s for 
writing.\n", pub_out);
+@@ -836,6 +865,15 @@ int save_dsa_bind(char *name, int ttl, Botan::Private_
+   snprintf(priv_out, MAX_LINE, "K%s+%03i+%05i.private", name, algorithm, 
key_tag);
+   snprintf(pub_out, MAX_LINE, "K%s+%03i+%05i.key", name, algorithm, key_tag);
+ 
++  // Create and set file permissions if the file does not exist.
++  int fd = open(priv_out, O_CREAT, S_IRUSR | S_IWUSR);
++  if (fd == -1) {
++fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
++priv_out, errno);
++return 1;
++  }
++  close(fd);
++
+   file_pointer = fopen(priv_out, "w");
+   if (!file_pointer) {
+ fprintf(stderr, "Error: Could not open output file %.100s for 
writing.\n", priv_out);
+@@ -873,8 +911,16 @@ int save_dsa_bind(char *name, int ttl, Botan::Private_
+ 
+   printf("The private key has been written to %s\n", priv_out);
+ 
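Review bot: in each of the added blocks of the form `int fd = open(priv_out, O_CREAT, S_IRUSR | S_IWUSR);` (the to_pkcs8, save_rsa_bind and save_dsa_bind parts of this patch) the mode argument only applies when open() actually creates the file; if the output file already exists, its old permissions are kept and the `fopen(priv_out, "w")` that follows rewrites private key material into a file that may still be world-readable. An `fchmod(fd, S_IRUSR | S_IWUSR)` on the returned descriptor before the `close(fd)` would tighten an existing file as well, and opening with `O_WRONLY | O_CREAT | O_TRUNC` and passing the descriptor to fdopen() instead of closing it and reopening the path by name would remove the window between the two opens altogether. The flags argument also carries no access mode: `O_CREAT` alone is read as O_RDONLY | O_CREAT, which works but is clearer written out.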

Re: softhsm: Apply SOFTHSM-101 security fixes

2015-09-21 Thread Patrik Lundin
On Mon, Sep 21, 2015 at 02:25:53PM +0100, Stuart Henderson wrote:
> 
> Thanks, committed. I added comments to patches with the headers from
> https://github.com/opendnssec/SoftHSMv1/commit/e853dc5b34d00a09e3e114cb4914b06c01c72b1c.patch
> 

Looks good to me, thanks!

-- 
Patrik Lundin



Re: softhsm: add portroach limit

2015-09-21 Thread Patrik Lundin
On Mon, Sep 21, 2015 at 10:39:10AM +0100, Stuart Henderson wrote:
> On 2015/09/21 10:31, Antoine Jacoutot wrote:
> > 
> > It's not that we don't trust you.
> > But I think it's the first time I see that softhsm2 would be a totally 
> > different port (i.e. security/softhsm2).
> > If that's the case, then yes of course your diff is fine.
> 
> I am not entirely convinced that softhsm2 should be a different port
> rather than just something we cut across to at a suitable point (let's see
> how things go when it has matured; our approach to providing early versions
> of a major release doesn't necessarily equate to FreeBSD/Debian's), but
> I do agree with adding the limit for now so I've committed this.
> 

Thank you, I wanted to have this sorted out so I could start looking at
a patch for a security issue that is fixed in the NetBSD port:
http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/security/softhsm/patches/patch-src_bin_softhsm-keyconv.cpp?annotate=1.1

I'll handle that in a separate thread once I have reproduced and fixed
the problem.

-- 
Patrik Lundin



Re: opendnssec and softhsm revisited

2015-09-19 Thread Patrik Lundin
On Sun, Aug 30, 2015 at 11:32:24PM +0200, Jérémie Courrèges-Anglas wrote:
> 
> Very nice!  Yes, asking upstream is the right thing to do.
> 
> If they don't plan to do a release with that stack size problem
> addressed, I think it would be ok to import opendnssec with a temporary
> patch.
> 

Just a quick update: both the segfault on i386 and the lockup on macppc
have been fixed on the development branch.

I'll send an updated port as soon as the fixes are available in a
release which may be out in the upcoming week.

-- 
Patrik Lundin



Re: opendnssec and softhsm revisited

2015-08-30 Thread Patrik Lundin
On Wed, Jun 24, 2015 at 07:10:33AM +0200, Patrik Lundin wrote:
> 
> The summary for now looks like this:
> Working: amd64, sparc64
> Broken: i386, macppc
> 
> Is there some relation between threading and 32/64 bit? It is the main
> thing that sticks out currently, since sparc64 rules out an endian issue
> as far as I can tell.
> 

So there might be some light at the end of the opendnssec tunnel.
I have noticed that the thread stack size is smaller on i386 than it is
on amd64 using this code snippet:
---
#include <stdio.h>
#include <pthread.h>

pthread_attr_t attr;
size_t stacksize;

int main (){
pthread_attr_init(&attr);
pthread_attr_getstacksize(&attr, &stacksize);

/* stacksize is a size_t, so print it with %zu */
printf("stacksize: %zu\n", stacksize);

return 0;
}
---

While amd64 and sparc64 reports 524288, i386 says 262144. It looks like I have
been able to stop opendnssec from crashing by modifying a wrapper function to
pass an attribute variable to pthread_create(), increasing the stack size:
---
pthread_attr_t attr;
size_t stacksize;
pthread_attr_init(&attr);
pthread_attr_getstacksize(&attr, &stacksize);
pthread_attr_setstacksize(&attr, stacksize * 2);
/* &attr is then passed as the attribute argument of pthread_create() */
---

The above was inspired from this thread:
http://openbsd-archive.7691.n7.nabble.com/Default-Posix-thread-stack-size-td47465.html

Anyway, I have sent a message regarding this to one of the nlnet people. I will
report back with how things go. I am not sure if this is the correct fix, or
if one should instead store less data on the stack or something.

-- 
Patrik Lundin
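As an added illustration of the wrapper described in the mail above (example code, not opendnssec's own), here is a complete program that wraps pthread_create() so the new thread gets a multiple of the platform default stack, and runs a worker whose single frame is 300 KiB, larger than the 262144-byte default reported for i386. The function names are made up for the example; the checksum only exists to make the worker's result observable.

```c
#include <pthread.h>
#include <stdio.h>

/* Default stack size handed to a new thread on this platform, 0 on error. */
size_t default_thread_stack_size(void) {
    pthread_attr_t attr;
    size_t stacksize = 0;
    if (pthread_attr_init(&attr) != 0) return 0;
    if (pthread_attr_getstacksize(&attr, &stacksize) != 0) stacksize = 0;
    pthread_attr_destroy(&attr);
    return stacksize;
}

/* Hypothetical wrapper around pthread_create(): same call, but the new
 * thread gets `factor` times the platform default stack. Returns 0 or the
 * pthread error code. */
int pthread_create_bigstack(pthread_t *tid, unsigned factor,
                            void *(*start)(void *), void *arg) {
    pthread_attr_t attr;
    size_t stacksize = 0;
    int rc = pthread_attr_init(&attr);
    if (rc != 0) return rc;
    rc = pthread_attr_getstacksize(&attr, &stacksize);
    if (rc == 0) rc = pthread_attr_setstacksize(&attr, stacksize * factor);
    if (rc == 0) rc = pthread_create(tid, &attr, start, arg);
    pthread_attr_destroy(&attr);
    return rc;
}

/* Worker whose one frame is 300 KiB: more than the 262144-byte default
 * reported for i386 in the mail, so on the default stack it would overflow
 * there. It fills the frame and stores a checksum of it through arg. */
#define FRAME_BYTES (300u * 1024u)
static void *deep_frame_worker(void *arg) {
    volatile unsigned char buf[FRAME_BYTES];
    unsigned long sum = 0;
    for (size_t i = 0; i < FRAME_BYTES; i++) buf[i] = (unsigned char)i;
    for (size_t i = 0; i < FRAME_BYTES; i++) sum += buf[i];
    *(unsigned long *)arg = sum;
    return NULL;
}

/* Run the worker on a stack `factor` times the default and return its
 * checksum (0 if the thread could not be created or joined). 300 KiB filled
 * with i % 256 gives 1200 full 0..255 runs, so the checksum is
 * 1200 * 32640 = 39168000. */
unsigned long deep_frame_checksum(unsigned factor) {
    pthread_t tid;
    unsigned long sum = 0;
    if (pthread_create_bigstack(&tid, factor, deep_frame_worker, &sum) != 0)
        return 0;
    if (pthread_join(tid, NULL) != 0) return 0;
    return sum;
}

int main(void) {
    printf("default thread stack size: %zu bytes\n", default_thread_stack_size());
    printf("worker checksum on a doubled stack: %lu\n", deep_frame_checksum(2));
    return 0;
}
```

Doubling the default is a workaround rather than a fix: a frame this deep would still overflow a doubled stack on a platform whose default is smaller still, so the alternative the mail mentions, keeping less data on the stack, is the more robust repair.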



Re: softhsm: add portroach limit

2015-08-27 Thread Patrik Lundin
On Thu, Aug 27, 2015 at 05:35:54PM +0100, Stuart Henderson wrote:
> On 2015/08/27 18:17, Antoine Jacoutot wrote:
> > On Thu, Aug 27, 2015 at 06:06:44PM +0200, Patrik Lundin wrote:
> > > Hello,
> > > 
> > > portroach currently thinks security/softhsm is outdated. The reason for
> > > this is that while the version in ports is 1.3.7, there is a development
> > > release using a 2.0.0 version number.
> > > 
> > > The diff below should limit the version check to the 1.x.x versions.
> > 
> > Well the problem here is that once upstream releases a 2.X version as stable,
> > then portroach will never know.
> > I'd rather have false positives in this case, rather than missing updates.
> 
> I agree - I imagine that you could skipv:2.0.0 for now though.
> 

I am pretty sure the 2.0.0 version would be a different port
(security/softhsm2). Looking at the example
at https://wiki.opendnssec.org/display/SoftHSMDOCS/SoftHSM+Documentation+v2.0
it can be seen that a different command line utility is used
(specifically mentioning 2 in the name):
===
softhsm2-util --init-token --slot 0 --label "My token 1"
===

-- 
Patrik Lundin



softhsm: add portroach limit

2015-08-27 Thread Patrik Lundin
Hello,

portroach currently thinks security/softhsm is outdated. The reason for
this is that while the version in ports is 1.3.7, there is a development
release using a 2.0.0 version number.

The diff below should limit the version check to the 1.x.x versions.

-- 
Patrik Lundin

Index: Makefile
===
RCS file: /cvs/ports/security/softhsm/Makefile,v
retrieving revision 1.1.1.1
diff -u -p -u -r1.1.1.1 Makefile
--- Makefile23 Jun 2015 11:26:05 -  1.1.1.1
+++ Makefile27 Aug 2015 16:00:25 -
@@ -1,5 +1,7 @@
 # $OpenBSD: Makefile,v 1.1.1.1 2015/06/23 11:26:05 jca Exp $
 
+PORTROACH= limit:^1\.
+
 SHARED_ONLY=   Yes
 
 COMMENT=   software PKCS\#11 cryptographic token
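Review bot: `PORTROACH= limit:^1\.` makes portroach ignore every 2.x release, including a future stable 2.0.0 that would matter if this port is ever meant to move to it (the concern raised in the replies); if only the current pre-release is to be suppressed, `skipv:2.0.0` is the narrower tool. Whichever is chosen, a limit should carry a PORTROACH_COMMENT stating why, as the follow-up diff in this thread adds.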



Re: opendnssec and softhsm revisited

2015-06-23 Thread Patrik Lundin
On Mon, Jun 22, 2015 at 05:25:52PM +0200, Patrik Lundin wrote:
> 
> I did not see the problem on amd64 or sparc64 at least. I am currently
> building stuff on a fresh macppc snapshot to see what happens there.
> After that I am out of platforms :).
> 

So this is interesting. It turns out ods has problems on my macppc as
well. While it does not segfault like it does on i386, the ods-signerd
process instead seems to be spinning forever after the same notify command that
makes it segfault on i386:

---
PID USERNAME PRI NICE  SIZE   RES STATE WAIT  TIMECPU COMMAND
380 _opendns  510   11M 7152K run   thrslee   4:25 97.12% ods-signerd
---

At the same time I see this in /var/log/daemon that I do not recognize
from before:
---
Jun 24 07:01:46 ns4-old ods-signerd: [adapter] error parsing RR at line 14 
(Syntax error, could not parse the RR): \M^?\M^?\M^?\M^?\M^?\M^?\M^?[...]
---

This is the exact same example.com zone file that is available in git:
---
# sha1 example.com
SHA1 (example.com) = 60c5f533184b8cbbbe78ec4c9d455ac3effbd5bf
---

Jérémie: Let me know if you want access to the macppc machine to cross
reference the problems, just send over a public key and I'll set you up.

The summary for now looks like this:
Working: amd64, sparc64
Broken: i386, macppc

Is there some relation between threading and 32/64 bit? It is the main
thing that sticks out currently, since sparc64 rules out an endian issue
as far as I can tell.

-- 
Patrik Lundin



Re: opendnssec and softhsm revisited

2015-06-22 Thread Patrik Lundin
On Mon, Jun 22, 2015 at 09:22:41AM +0100, Stuart Henderson wrote:
> 
> 2. The i386 problems are a bit concerning, it seems quite unlikely that
> they will only affect i386.
> 

I did not see the problem on amd64 or sparc64 at least. I am currently
building stuff on a fresh macppc snapshot to see what happens there.
After that I am out of platforms :).

> softhsm is probably easier to test so let's look at that first. I'm
> fairly busy at the moment but I'll put it on my list to look at...
> 

Sounds good to me, thanks!

-- 
Patrik Lundin



Re: opendnssec and softhsm revisited

2015-06-22 Thread Patrik Lundin
On Mon, Jun 22, 2015 at 01:24:35PM +0200, Jérémie Courrèges-Anglas wrote:
> Stuart Henderson <st...@openbsd.org> writes:
> 
> > 2. The i386 problems are a bit concerning, it seems quite unlikely that
> > they will only affect i386.
> 
> I'll take a look at them this evening, had to update my i386 box.
> 

Awesome! Just in case you missed my previous info: you can use
https://github.com/eest/obsd-ports/blob/master/testing/opendnssec/reset-ods.sh
to take care of the initial setup and get instructions on how I cause the crash.

There is also an example.com zone file there, so you can be sure you are
testing with the same setup I have.

> > softhsm is probably easier to test so let's look at that first. I'm
> > fairly busy at the moment but I'll put it on my list to look at...
> 
> Here's a diff against Patrik's tarball, and a new tarball attached.
> - don't hardcode the botan libs but use botan-config
> - no need for libsofthsm.{a,la}, ltdl is not used
> 
> I think it's ready to import.
> 

Thanks for the feedback!

-- 
Patrik Lundin



Re: opendnssec and softhsm revisited

2015-06-22 Thread Patrik Lundin
On Mon, Jun 22, 2015 at 11:11:05PM +0200, Jérémie Courrèges-Anglas wrote:
> 
> That's what I used, and I can easily reproduce the problem.  Sadly the
> core file doesn't help me much in finding the cause of the segfault, and
> when running under gdb ods-signerd just spins endlessly.  Sucks...
> 

Yeah it seems to be quite a funky problem to debug. The last guy from
NLnet labs that looked at it seemed to believe it had something to do
with threading, but was not able to make more sense of it than that.

-- 
Patrik Lundin



Re: opendnssec and softhsm revisited

2015-06-20 Thread Patrik Lundin
On Wed, Jun 17, 2015 at 08:57:35AM +0200, Patrik Lundin wrote:
> On Thu, May 21, 2015 at 08:23:49PM +0200, Patrik Lundin wrote:
> > On Sat, May 16, 2015 at 06:24:11PM +0200, Patrik Lundin wrote:
> > > 
> > > You will find the latest ports attached. Except for marking opendnssec
> > > broken on i386 I have also updated the version from 1.4.6 to 1.4.7, and
> > > I have converted databases/mysql dependencies to databases/mariadb.
> > > 
> > 
> > Since there seems to be no further feedback from porters: If the reason
> > no one is picking up these ports is a lack of spare time (which has been
> > indicated earlier) I would be happy to manage them in-tree myself given
> > the opportunity.
> > 
> 
> Ping.
> 

I am not sure why no one feels like importing my work. I have put quite a
lot of effort into the port, involving both ports@ and upstream to make
the best out of the situation. I am also prepared to handle any issues
reported by users.

Anyway, I'll stop asking after this.

-- 
Patrik Lundin



Re: opendnssec and softhsm revisited

2015-06-17 Thread Patrik Lundin
On Thu, May 21, 2015 at 08:23:49PM +0200, Patrik Lundin wrote:
> On Sat, May 16, 2015 at 06:24:11PM +0200, Patrik Lundin wrote:
> > 
> > You will find the latest ports attached. Except for marking opendnssec
> > broken on i386 I have also updated the version from 1.4.6 to 1.4.7, and
> > I have converted databases/mysql dependencies to databases/mariadb.
> > 
> 
> Since there seems to be no further feedback from porters: If the reason
> no one is picking up these ports is a lack of spare time (which has been
> indicated earlier) I would be happy to manage them in-tree myself given
> the opportunity.
> 

Ping.

-- 
Patrik Lundin



isc-dhcp-server: Make sure /var/db/dhcpd.leases exists

2015-05-28 Thread Patrik Lundin
Hello,

I noticed that the isc-dhcp-server dhcpd won't start because of the
following error:
===
Can't open lease database /var/db/dhcpd.leases: No such file or directory --
===

This is handled by rc_pre() in the rc.d script for the base dhcpd
(/etc/rc.d/dhcpd).

We should probably do the same thing in the port. Diff below.

-- 
Patrik Lundin

Index: isc_dhcpd.rc
===
RCS file: /cvs/ports/net/isc-dhcp/pkg/isc_dhcpd.rc,v
retrieving revision 1.1
diff -u -p -u -r1.1 isc_dhcpd.rc
--- isc_dhcpd.rc12 Oct 2014 20:10:16 -  1.1
+++ isc_dhcpd.rc28 May 2015 18:16:47 -
@@ -9,4 +9,8 @@ daemon_flags=-user _isc-dhcp -group _is
 
 rc_reload=NO
 
+rc_pre() {
+   touch /var/db/dhcpd.leases
+}
+
 rc_cmd $1
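Review bot: rc_pre() creates /var/db/dhcpd.leases as root (owner root, mode from the current umask), while the daemon is started as the unprivileged user named in daemon_flags (-user _isc-dhcp, group truncated in the hunk header), so it is worth verifying that the daemon can still rewrite the lease database after dropping privileges; creating the file with the daemon's ownership, e.g. `[ -e /var/db/dhcpd.leases ] || install -o _isc-dhcp -g _isc-dhcp -m 644 /dev/null /var/db/dhcpd.leases`, avoids that, and guarding on existence also stops an unconditional touch from updating the mtime of a live database on every start. A failed creation should also make the start fail rather than fall through to rc_cmd.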



Re: opendnssec and softhsm revisited

2015-05-21 Thread Patrik Lundin
On Sat, May 16, 2015 at 06:24:11PM +0200, Patrik Lundin wrote:
> 
> You will find the latest ports attached. Except for marking opendnssec
> broken on i386 I have also updated the version from 1.4.6 to 1.4.7, and
> I have converted databases/mysql dependencies to databases/mariadb.
> 

Since there seems to be no further feedback from porters: If the reason
no one is picking up these ports is a lack of spare time (which has been
indicated earlier) I would be happy to manage them in-tree myself given
the opportunity.

-- 
Patrik Lundin



Re: opendnssec and softhsm revisited

2015-05-16 Thread Patrik Lundin
Hello again!


> I have now been updating the ports for both opendnssec and softhsm to
> the latest versions (opendnssec 1.4.6 and softhsm 1.3.7). While doing
> this I extended my testing from amd64/sparc64 to i386. Sadly this
> revealed a segfault in ods-signerd (which was present in 1.4.5 as well).


Since I posted the above message I have had people from NLnet Labs looking at
the crashes without being able to figure out what is causing them.

If anyone from the OpenBSD camp would be interested in further
debugging, I have saved helper scripts I wrote for the NLnet Labs folks,
which can be found here:
https://github.com/eest/obsd-ports/tree/master/testing/opendnssec

For this crowd reset-ods.sh would probably be the script that is most
helpful.

I have decided to just mark i386 as BROKEN in the port for now; as I
have stated earlier, I have not seen these problems on amd64 or sparc64.

You will find the latest ports attached. Except for marking opendnssec
broken on i386 I have also updated the version from 1.4.6 to 1.4.7, and
I have converted databases/mysql dependencies to databases/mariadb.

-- 
Patrik Lundin


opendnssec.tgz
Description: application/tar-gz


softhsm.tgz
Description: application/tar-gz


logstash-forwarder: certificate handling

2015-05-03 Thread Patrik Lundin
Hello,

First of all, thanks a lot to jasper@ for creating packages for
logstash, much appreciated!

I have a question regarding certificate handling. The
/usr/local/share/examples/logstash-forwarder/logstash-forwarder.conf.example
file contains the following configuration:

===
"ssl certificate": "./lumberjack.crt",
"ssl key": "./lumberjack.key",
"ssl ca": "./lumberjack_ca.crt"
===

It appears to me only "ssl ca" is required to connect to a logstash instance.
Is there a purpose to the cert and key? I would assume this is used for client
authentication, but it does not seem to cause me any problems connecting
without them.

On a similar note, would it be good if the example filenames used in
the lumberjack{} block in logstash.conf were the same file names as are
used in the example logstash-forwarder.conf?

It seems to me the simplest way of solving the certificate stuff is to
generate the key and crt on the logstash host, and then use that same
crt file as the ssl ca on the logstash-forwarder host.

-- 
Patrik Lundin



Re: rcctl ansible service support

2015-01-31 Thread Patrik Lundin
On Sat, Jan 17, 2015 at 12:22:09PM +0100, Patrik Lundin wrote:
> 
> Also, pending input from armani@ the code could change drastically. So
> I would not invest too much time until it is merged.
> 

Better late than never:

The updated rcctl support has been merged upstream
(https://github.com/ansible/ansible-modules-core/pull/691) as well as
added to the port (thanks to rpe@ and ajacoutot@):
http://marc.info/?l=openbsd-ports-cvs&m=142206037411721&w=2

This means ansible users should be able to make full use of the upcoming
5.7 release which includes rcctl(8) :).

On a personal note: It feels great that what was once something I wrote
for my own needs has been picked up and extended/managed/reviewed by
you devs on the inside. A big thank you from me to everyone involved!

Regards,
Patrik Lundin



Re: rcctl ansible service support

2015-01-17 Thread Patrik Lundin
On Wed, Dec 31, 2014 at 03:17:23PM +0100, Patrik Lundin wrote:
> 
> Just a small update, the PR above has now been merged into armani's
> branch. If anyone was waiting for this to have a nice baseline for
> testing you are good to go. As mentioned earlier the upstream PR is
> here:
> https://github.com/ansible/ansible-modules-core/pull/189
> 

Another update for any bleeding edge ansible users out there. I have
just now opened a pull request against the armani@ fork that updates the 
rcctl handling to use the new syntax as described here:
http://marc.info/?l=openbsd-cvs&m=142054488027109&w=2

As opposed to the rcctl tool that seems to keep some backwards compat,
the ansible code does _not_. Please update to a fresh enough snapshot if
you want to use this.

Also, pending input from armani@ the code could change drastically. So
I would not invest too much time until it is merged.

The PR: https://github.com/jarmani/ansible-modules-core/pull/5

Regards,
Patrik Lundin



Re: rcctl ansible service support

2014-12-31 Thread Patrik Lundin
On Thu, Dec 11, 2014 at 11:55:59PM +0000, Stuart Henderson wrote:
> > On Thu, Dec 11, 2014 at 09:11:27PM +0100, Patrik Lundin wrote:
> > 
> > > Ugh, I spoke too soon. I found a bug in the handling of special services
> > > like pf just now. A PR against armani's fork is available here (this will
> > > of course be added to the upstream PR once accepted):
> > > https://github.com/jarmani/ansible-modules-core/pull/4
> > > 
> > > Thanks for asking about the code, seems like I needed some encouragement
> > > to give it another glance :).
> > > 
> > > Regards,
> > > Patrik Lundin
> > 
> Heh, thank you. I'll try and give it a shot over the next few days and
> weigh in on the upstream PR.
> 

Just a small update, the PR above has now been merged into armani's
branch. If anyone was waiting for this to have a nice baseline for
testing you are good to go. As mentioned earlier the upstream PR is
here:
https://github.com/ansible/ansible-modules-core/pull/189

Happy new year and all that stuff :).

Regards,
Patrik Lundin



Re: rcctl ansible service support

2014-12-11 Thread Patrik Lundin
On Thu, Dec 11, 2014 at 06:24:43PM +0000, Stuart Henderson wrote:
> Hi, does anyone know the current status of the rcctl support for Ansible
> (http://marc.info/?l=openbsd-misc&m=141326537311927&w=2) ? Is anyone pushing
> it upstream?
> 

You can find the upstream PR created by armani here:
https://github.com/ansible/ansible-modules-core/pull/189

To my knowledge the support should be pretty solid by now. If you are
asking about the status of actually merging the PR by the ansible
people, I have no idea really. Adding positive feedback to the PR would
be appreciated.

Any negative feedback would also be welcome of course ;).

Regards,
Patrik Lundin



Re: rcctl ansible service support

2014-12-11 Thread Patrik Lundin
On Thu, Dec 11, 2014 at 09:11:27PM +0100, Patrik Lundin wrote:
> 
> To my knowledge the support should be pretty solid by now.
> 

Ugh, I spoke too soon. I found a bug in the handling of special services
like pf just now. A PR against armani's fork is available here (this will
of course be added to the upstream PR once accepted):
https://github.com/jarmani/ansible-modules-core/pull/4

Thanks for asking about the code, seems like I needed some encouragement
to give it another glance :).

Regards,
Patrik Lundin



Re: opendnssec and softhsm revisited

2014-08-21 Thread Patrik Lundin
On Mon, Jun 02, 2014 at 09:48:41AM +0200, Patrik Lundin wrote:
> 
> Is no one interested in this? I think it is a nice complement to nsd in
> base for automated DNSSEC.
> 

I have now been updating the ports for both opendnssec and softhsm to
the latest versions (opendnssec 1.4.6 and softhsm 1.3.7). While doing
this I extended my testing from amd64/sparc64 to i386. Sadly this
revealed a segfault in ods-signerd (which was present in 1.4.5 as well).

I have posted a detailed report to opendnssec-user which can be read
here: http://permalink.gmane.org/gmane.network.dns.opendnssec.user/2735

Regards,
Patrik Lundin



Re: opendnssec and softhsm revisited

2014-06-02 Thread Patrik Lundin
On Tue, May 27, 2014 at 10:27:52PM +0200, Patrik Lundin wrote:
> 
> The ports are now at a state where I feel they are suitable for import.
> 

Is no one interested in this? I think it is a nice complement to nsd in
base for automated DNSSEC.

Regards,
Patrik Lundin



Re: opendnssec and softhsm revisited

2014-05-27 Thread Patrik Lundin
Hello,

The ports are now at a state where I feel they are suitable for import.

Some remaining questions:

* Do people agree daemon is the correct syslog facility to use? The 
  upstream manual recommends the use of the localX ones. (Noted on this
  page: https://wiki.opendnssec.org/display/DOCS/conf.xml). The system
  logs pretty verbosely.

* When running make port-lib-depends-check on the mysql
  FLAVOR, the following is printed:
  Asking ports for dependency mysql-client-5.1.73v0(databases/mysql,-main)

  I only react because this is the only dependency that does that, I
  guess that is OK? 

* I still have not been able to figure out what sthen@ meant by
  @owner/@group need updating in the initial review. I have used
  uid/gid 505 up until now.

* I have made sure the example simple-dnskey-mailer.sh script is
  available under /usr/local/share/opendnssec. The git repo keeps this
  file non-executable. Should I make it executable via PLIST or keep
  that as an exercise for the user if they want to use it?

* I am not convinced the pexp used in the rc-script (ods-), is
  considered safe enough, but there are two different processes that are
  started: ods-enforcerd and ods-signerd. 

* During the time that has passed working on the port, at some point I
  noticed a change in the build output: the titles of man-pages
  would appear, and then at a later date they did not. At first I was
  worried I had introduced some bug in the Makefile, but now I am pretty
  sure http://marc.info/?l=openbsd-cvs&m=139842797830466&w=2 is the
  reason (because of updated snapshots).

There are quite a few patches in the opendnssec port right now, the good
news is that except for patch-conf_conf_xml_in (syslog facility,
user/group used etc.) the other changes have been merged upstream.

The ports have received testing on amd64 and sparc64.

If they are found to be good enough for import I want to make sure Stuart,
Jérémie and Jerry Lundström jerry () opendnssec.org are credited for
the help so far.

Regards,
Patrik Lundin


opendnssec.tgz
Description: application/tar-gz


softhsm.tgz
Description: application/tar-gz


Re: opendnssec and softhsm revisited

2014-05-20 Thread Patrik Lundin
On Mon, May 19, 2014 at 11:55:33PM +0200, Jérémie Courrèges-Anglas wrote:
> 
> It is not about this particular occurrence.  If you replace it by
> a strlcpy call, you will probably see the same warning, coming from
> another strcpy call elsewhere.
> 
> Propose upstream strl* and snprintf as alternatives to the unchecked
> functions.  If upstream sees interest in this, then a careful audit of
> the code can follow, and strl* functions make error checking easier.
> Adding fallback code for OSes not providing those functions is easy too.
> 

Upon mentioning these findings I was informed of the situation where an
ongoing rewrite of the code for 2.0 will make sure strcpy/strcat is not
used, so this will fix itself in time.

It is available here:
http://lists.opendnssec.org/pipermail/opendnssec-user/2014-May/002941.html

> 
> > The call in signer/src/wire/notify.c:
> > random()%(extra-base);
> 
> > I guess #ifdef'ing this with HAVE_ARC4RANDOM like is done in ksm_policy.c
> > would be nice.
> 
> See arc4random_uniform(3), the configure seems to test for its presence.
> 

The current random-related fixes on the upstream openbsd branch actually
test for both now. Thanks for the pointer!

> 
> > Finally some unused variables, might as well be complete while I am at
> > it:
> 
> > ===
> > daemon/cmdhandler.c:398: warning: unused variable 'task'
> 
> > shared/duration.c:442: warning: 'is_leap_year' defined but not used
> > shared/duration.c:449: warning: 'leap_days' defined but not used
> 
> > shared/hsm.c:224: warning: unused variable 'retries'
> > shared/hsm.c:220: warning: unused variable 'status'
> > ===
> 
> Those could be harmless, or they could show a bug in the program logic.
> If you want to audit them fine, but in the end it's rather upstream's
> responsibility.
> 

These were mostly intended to be seen by upstream, and some of them have
been fixed on the branch.

> We try to avoid having too much patches in the ports tree.  The best way
> is probably to work with upstream and get your patches integrated, after
> proper reviewing.  Some mistakes have been done while wrongly replacing
> eg. strcpy by strlcpy.
> 

I intend to ignore the strcat/strcpy stuff for now given the above
status. The other stuff has been fixed.

Thanks a lot for your input :).

Regards,
Patrik Lundin
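
As an added example (not OpenDNSSEC code, and not part of this thread), here is what bounded replacements for the two strcat() sites listed in the 2014-05-19 mail further down (the fixed char buffer[64] in DtAppendTime() and StrAppend()'s strcat(*str1, str2)) look like, with the error checking Jérémie's reply above refers to. safe_strlcat, append_fixed and append_grow are names assumed for the example; safe_strlcat is a local copy of strlcat(3) semantics so the block also builds on a libc without strlcat:

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* strlcat(3) semantics, defined locally as safe_strlcat so the example also
 * builds on a libc without strlcat: append src to dst without writing past
 * dsize bytes, always NUL-terminate (when dsize > 0) and return the length
 * of the string it tried to build. Truncation occurred iff result >= dsize. */
size_t safe_strlcat(char *dst, const char *src, size_t dsize)
{
    const char *end = memchr(dst, '\0', dsize);
    size_t dlen = end ? (size_t)(end - dst) : dsize;
    size_t slen = strlen(src);

    if (dlen == dsize)              /* dst not terminated within dsize */
        return dsize + slen;
    if (slen < dsize - dlen) {
        memcpy(dst + dlen, src, slen + 1);
    } else {
        memcpy(dst + dlen, src, dsize - dlen - 1);
        dst[dsize - 1] = '\0';
    }
    return dlen + slen;
}

/* Fixed buffer (DtAppendTime's char buffer[64]): append, and report when the
 * result did not fit instead of overrunning. Returns 0 on success, -1 with
 * errno set to ENOSPC on truncation; dst is NUL-terminated either way. */
int append_fixed(char *dst, size_t dsize, const char *src)
{
    if (safe_strlcat(dst, src, dsize) >= dsize) {
        errno = ENOSPC;
        return -1;
    }
    return 0;
}

/* Heap string (StrAppend's strcat(*str1, str2)): grow *str1 to the exact
 * size first, so the capacity is known where the bytes are written.
 * *str1 may be NULL; on allocation failure it is left untouched. */
int append_grow(char **str1, const char *str2)
{
    size_t cur = (*str1 != NULL) ? strlen(*str1) : 0;
    size_t add = strlen(str2);
    char *p = realloc(*str1, cur + add + 1);

    if (p == NULL)
        return -1;
    memcpy(p + cur, str2, add + 1);
    *str1 = p;
    return 0;
}

int main(void)
{
    char buf[8] = "ab";
    char *s = NULL;

    printf("%d %s\n", append_fixed(buf, sizeof buf, "cde"), buf);   /* 0 abcde */
    printf("%d %s\n", append_fixed(buf, sizeof buf, "fgh"), buf);   /* -1 abcdefg */
    if (append_grow(&s, "2014-") == 0 && append_grow(&s, "05-19") == 0)
        printf("%s\n", s);                                          /* 2014-05-19 */
    free(s);
    return 0;
}
```

The mistake Jérémie alludes to when replacing strcpy by strlcpy is usually passing the source length instead of the destination size as the third argument, which re-creates the overflow behind a function that looks safe; the size argument must always be the destination's capacity, which is the only thing append_fixed takes from its caller.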



Re: opendnssec and softhsm revisited

2014-05-19 Thread Patrik Lundin
On Sun, May 18, 2014 at 07:24:00PM +0200, Patrik Lundin wrote:
> 
> First up is this one:
> ===
> pin.c: In function 'hsm_shm_open':
> pin.c:209: warning: comparison between signed and unsigned
> ===
> 
> Next we have this one:
> ===
> hsmspeed.c:38:1: warning: PTHREAD_THREADS_MAX redefined
> In file included from hsmspeed.c:33:
> /usr/include/pthread.h:55:1: warning: this is the location of the
> previous definition
> ===
> 
> Third and final (for now):
> ===
> hsmspeed.c: In function 'sign':
> hsmspeed.c:120: warning: control reaches end of non-void function
> ===
> 

Jerry Lundström from the OpenDNSSEC-team has been kind enough to create
a branch where he fixed the stuff I posted above, and made it into a pull
request:
https://github.com/opendnssec/opendnssec/pull/83

I have imported the changes as patches and those warnings are now gone.

Since they have been sorted out I'll now go through the rest of the
warnings. Since upstream is watching I will be as verbose as possible.

First of all there are a bunch of libraries spitting out warnings on several
locations, I consider these outside the scope:

===
.libs/libxml2.so.15.1: warning: strcpy() is almost always misused, please use 
strlcpy()
.libs/libxml2.so.15.1: warning: rand_r() isn't random; consider using 
arc4random()
.libs/libldns.so.6.1: warning: random() isn't random; consider using 
arc4random()
.libs/libxml2.so.15.1: warning: strcat() is almost always misused, please use 
strlcat()
===

Now for the first warning in the code at hand:

../ksm/libksm.a(datetime.o)(.text+0x562): In function `DtSecondsInterval':
: warning: strcpy() is almost always misused, please use strlcpy()

The code looks like this:
enforcer/ksm/datetime.c:
char buffer[64];
[...]
else {
    strcpy(buffer, "0s");
}

I am not sure trying to turn this into strlcpy is worth it since the
string is static and the buffer obviously large enough. (Though I
welcome cluebats from anyone more well versed in C here).

Next up some random warnings:

===
../ksm/libksm.a(ksm_policy.o)(.text+0xd31): In function `KsmPolicyUpdateSalt':
: warning: rand() isn't random; consider using arc4random()
../ksm/libksm.a(ksm_policy.o)(.text+0xd13): In function `KsmPolicyUpdateSalt':
: warning: srand() seed choices are invariably poor
===

Now these warnings were interesting, looking into the code it looks like
this:

enforcer/ksm/ksm_policy.c:
===
#ifdef HAVE_ARC4RANDOM
for (i = 0; i < 2*(policy->denial->saltlength); i++) {
    salt[i] = hex_chars[arc4random()%strlen(hex_chars)];
}
#else
srand( time(NULL) );
for (i = 0; i < 2*(policy->denial->saltlength); i++) {
    salt[i] = hex_chars[rand()%strlen(hex_chars)];
}
#endif
===

It is obviously prepared to use arc4random() if it is available, yet it does
not for some reason.

I found HAVE_ARC4RANDOM is indeed set:
common/config.h:
===
/* Define to 1 if you have the `arc4random' function. */
#define HAVE_ARC4RANDOM 1

/* Define to 1 if you have the `arc4random_uniform' function. */
#define HAVE_ARC4RANDOM_UNIFORM 1
===

And even -DHAVE_CONFIG_H is supplied during the build:
===
cc -DHAVE_CONFIG_H -I. -I../../common  -I../../common  -I../../common
-I./include  -I./include  -I/usr/local/include  -I/usr/local/include/libxml2
-I/usr/local/include -O2 -pipe -Wall -Wextra -pthread -MT ksm_policy.o -MD -MP -MF
.deps/ksm_policy.Tpo -c -o ksm_policy.o ksm_policy.c
===

However, I finally noticed config.h is never included in ksm_policy.c. I tried
doing so before the current #include lines as is done in other files, and it
made the warning disappear.

There was one more random-related warning:

===
notify.o(.text+0x233): In function `notify_setup':
: warning: random() isn't random; consider using arc4random()
===

The call in signer/src/wire/notify.c:
random()%(extra-base);

I guess #ifdef'ing this with HAVE_ARC4RANDOM like is done in ksm_policy.c
would be nice.

Next up some strcat stuff:

===
../ksm/libksm.a(datetime.o)(.text+0x961): In function `DtAppendTime':
: warning: strcat() is almost always misused, please use strlcat()
===

The DtAppendTime() function in enforcer/ksm/datetime.c contains six
calls to strcat, I don't feel comfortable converting these to strlcat, in
case I introduce bugs myself. Input is welcome though.

And another instance:

===
kc_helper.o(.text+0x677): In function `StrAppend':
: warning: strcat() is almost always misused, please use strlcat()
===

... the call in enforcer/utils/kc_helper.c:
strcat(*str1, str2);

Same thing applies here. Input is welcome.

Finally some unused variables, might as well be complete while I am at
it:

===
daemon/cmdhandler.c:398: warning: unused variable 'task'

shared/duration.c:442: warning: 'is_leap_year' defined but not used
shared/duration.c:449: warning: 'leap_days' defined but not used

shared/hsm.c:224: warning: unused variable 'retries'
shared/hsm.c:220: warning: unused variable 'status'
===

Regards,
Patrik Lundin
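
To make the arc4random points in the mail above concrete, here is an added example (not OpenDNSSEC's code) that produces the same kind of hex salt the KsmPolicyUpdateSalt() loop builds, but draws each digit with the rejection rule arc4random_uniform(3) uses rather than rand()%strlen(hex_chars) or random()%(extra-base). The names uniform_below, make_hex_salt, random_u32, is_hex_string and the scripted source are assumptions for this example; the source of randomness is passed as a parameter so the rejection step can be shown with known inputs, and where arc4random() is not available the example reads /dev/urandom:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* configure would normally define this; assumed here for the BSDs only. */
#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__APPLE__)
#define HAVE_ARC4RANDOM 1
#endif

static const char hex_chars[] = "0123456789abcdef";

/* 32 random bits: arc4random(3) where available, else /dev/urandom. Never a
 * time-seeded rand(), which is what the #else branch on the page falls back to. */
static uint32_t random_u32(void)
{
#ifdef HAVE_ARC4RANDOM
    return arc4random();
#else
    uint32_t r;
    FILE *f = fopen("/dev/urandom", "rb");

    if (f == NULL || fread(&r, sizeof r, 1, f) != 1) {
        fprintf(stderr, "no entropy source available\n");
        abort();
    }
    fclose(f);
    return r;
#endif
}

/* A scripted 32-bit source (test scaffolding assumed for this example) so the
 * rejection step in uniform_below() can be exercised with known values. */
static const uint32_t *script;
static size_t script_len, script_pos;

void set_script(const uint32_t *vals, size_t n)
{
    script = vals;
    script_len = n;
    script_pos = 0;
}

uint32_t scripted_u32(void)
{
    if (script_pos >= script_len)
        abort();        /* script exhausted: caller asked for too many draws */
    return script[script_pos++];
}

/* Uniform integer in [0, upper_bound), the way arc4random_uniform(3) does it:
 * raw values below 2^32 mod upper_bound are discarded, so the final modulo
 * cannot favour the low residues the way a plain rand()%n does when n does
 * not divide 2^32 (for n=16, as in the salt, nothing is ever discarded). */
uint32_t uniform_below(uint32_t (*src)(void), uint32_t upper_bound)
{
    uint32_t r, min;

    if (upper_bound < 2)
        return 0;
    min = -upper_bound % upper_bound;   /* == 2^32 % upper_bound */
    do {
        r = src();
    } while (r < min);
    return r % upper_bound;
}

/* Write 2*saltlength hex digits plus a NUL into salt (the shape the NSEC3 salt
 * loop on the page produces). Returns 0, or -1 if salt cannot hold it. */
int make_hex_salt(char *salt, size_t saltsize, size_t saltlength)
{
    size_t i, n = 2 * saltlength;

    if (saltsize < n + 1)
        return -1;
    for (i = 0; i < n; i++)
        salt[i] = hex_chars[uniform_below(random_u32, 16)];
    salt[n] = '\0';
    return 0;
}

/* True if s is a non-empty string of lowercase hex digits. */
int is_hex_string(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s != '\0'; s++)
        if (strchr(hex_chars, *s) == NULL)
            return 0;
    return 1;
}

int main(void)
{
    char salt[33];      /* 16 salt bytes = 32 hex digits + NUL */

    if (make_hex_salt(salt, sizeof salt, 16) != 0)
        return 1;
    printf("salt: %s\n", salt);
    return 0;
}
```

For the random()%(extra-base) call in notify.c the same uniform_below() shape applies with upper_bound = extra-base; the point of the rejection loop is that for a bound like 1000 the raw 32-bit value is only accepted once it is at least 2^32 mod 1000 = 296, so every residue class ends up equally likely.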



Re: opendnssec and softhsm revisited

2014-05-18 Thread Patrik Lundin
On Wed, May 07, 2014 at 10:57:50PM +0200, Patrik Lundin wrote:
> 
> The opendnssec port is a work in progress. The most annoying thing
> while building currently is the warnings regarding comma at end of
> enumerator list which seems to be the result of inconsistent use of
> -std=c99 which i am not sure how to solve properly.
> 

Trying to figure out what is the best course of action to remove these
warnings I am first of all trying to figure out why they are thrown on
OpenBSD but not on a Ubuntu 14.04 system that I use for comparison.

It seems to me it comes down to some sort of special handling of
included headers on the Ubuntu box that I do not see on OpenBSD.

Basically I see this:

On OpenBSD using the system include syntax:

# echo '#include <ldns/error.h>' > test.c
# cc -I/usr/local/include -pedantic -Wall -Wextra -c test.c
In file included from test.c:1:
/usr/local/include/ldns/error.h:130: warning: comma at end of enumerator list

On OpenBSD including the file directly:

# echo '#include "/usr/local/include/ldns/error.h"' > test.c
# cc -I/usr/local/include -pedantic -Wall -Wextra -c test.c
In file included from test.c:1:
/usr/local/include/ldns/error.h:130: warning: comma at end of enumerator list

These are consistent. However, when looking at what happens on Ubuntu:

... Using system include syntax makes it quiet:

# echo '#include <ldns/error.h>' > test.c
# cc -pedantic -Wall -Wextra -c test.c

... while including the file directly causes a warning:

# echo '#include "/usr/include/ldns/error.h"' > test.c
# cc -pedantic -Wall -Wextra -c test.c
In file included from test.c:1:0:
/usr/include/ldns/error.h:129:28: warning: comma at end of enumerator list 
[-Wpedantic]
  LDNS_STATUS_RDATA_OVERFLOW,
^
I'm guessing this is the reason it is not spotted as easily on Linux.
What I wonder is if anyone here has struggled with a similar problem and
if there is a good solution for it.

Regards,
Patrik Lundin



Re: opendnssec and softhsm revisited

2014-05-18 Thread Patrik Lundin
On Sun, May 18, 2014 at 11:04:19AM +0100, Stuart Henderson wrote:
> This is due to differences between C compilers. gcc 4.8 and clang don't
> warn for this with -pedantic, gcc 4.2.1 does.
> 
> I think -pedantic is fairly pointless in ports and should be removed,
> but I would also report it to nlnetlabs as an ldns bug, I think the best
> approach would be to remove the surplus , for better compiler compatibility
> (and their other enums don't have a trailing ,).
> 

Thank you for the input, this has been reported here:
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=579

I guess I will have to look into how to disable -pedantic in the build
then.

Regards,
Patrik Lundin



Re: opendnssec and softhsm revisited

2014-05-18 Thread Patrik Lundin
On Sun, May 18, 2014 at 01:24:11PM +0200, Patrik Lundin wrote:
> 
> I guess I will have to look into how to disable -pedantic in the build
> then.
> 

Disabling -pedantic was easy to do at configure time, using
--disable-pedantic. Now I have started looking at the remaining
warnings.

I am constantly debating with myself which group I should talk to first
regarding the following questions, but since these are not thrown on
the comparison Linux box I'll start in this end:

First up is this one:
===
pin.c: In function 'hsm_shm_open':
pin.c:209: warning: comparison between signed and unsigned
===

This is caused by comparing a size_t variable to shm_segsz which
according to shmctl(2) on OpenBSD is an int. Reading the same man page
on the Ubuntu box shows that shm_segsz is considered to be type size_t
there.

I guess I can fix this by casting shm_segsz to an unsigned int, does
that sound reasonable?

Next we have this one:
===
hsmspeed.c:38:1: warning: PTHREAD_THREADS_MAX redefined
In file included from hsmspeed.c:33:
/usr/include/pthread.h:55:1: warning: this is the location of the
previous definition
===

It seems the Linux box just has this to say:
/* We have no predefined limit on the number of threads.  */
#undef PTHREAD_THREADS_MAX

While OpenBSD sets it to a very big value:
#define PTHREAD_THREADS_MAX ULONG_MAX

The code itself sets it to 2048, way less than the default. I guess
having a more conservative setting is not a problem. Maybe I should just
leave this warning as is?

Third and final (for now):
===
hsmspeed.c: In function 'sign':
hsmspeed.c:120: warning: control reaches end of non-void function
===

This warning bothers me somewhat, the function is declared in the
following way:
void * sign (void *arg)

It is passed to pthread_create() which is probably why it is a pointer
function.  

I am not sure why the Linux box does not say anything about this. My
current idea is that the function should just have a dummy return
NULL; after the call to pthread_exit(). Any ideas?

Regards,
Patrik Lundin
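
As an added example (not SoftHSM's pin.c), here is the difference between silencing the pin.c:209 warning with a cast and actually handling the sign. segment_fits_naive and segment_fits are hypothetical names; the parameter types stand in for shm_segsz (int on OpenBSD, size_t on Linux, as the mail describes) being compared against a size_t:

```c
#include <stddef.h>
#include <stdio.h>

/* The comparison after a bare unsigned cast: a negative segsz is converted
 * to a value near SIZE_MAX, so any requested size "fits". The warning is
 * gone, the bug is not. */
int segment_fits_naive(int segsz, size_t needed)
{
    return (size_t)segsz >= needed;
}

/* Reject negative values in the signed domain first, then compare unsigned.
 * A long parameter takes OpenBSD's int field directly and a Linux size_t
 * value that fits in a long without a further conversion. */
int segment_fits(long segsz, size_t needed)
{
    if (segsz < 0)
        return 0;
    return (size_t)segsz >= needed;
}

int main(void)
{
    printf("naive(-1, 4096) = %d, checked(-1, 4096) = %d\n",
           segment_fits_naive(-1, 4096), segment_fits(-1, 4096));
    return 0;
}
```

Casting shm_segsz to unsigned int, as the mail proposes, gives the naive form. shmctl(2) reports the segment size, so a negative value should not occur in practice, but the checked form costs nothing and keeps the comparison correct under both the int and the size_t definition of the field.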



Re: opendnssec and softhsm revisited

2014-05-08 Thread Patrik Lundin
On Wed, May 07, 2014 at 11:23:52PM +0100, Stuart Henderson wrote:
> Some quick comments from a read-through of the files (but
> not building/testing yet) :-
> 
> opendnssec README:
> - should follow style from ports/infrastructure/templates/README.template

I have updated the README to reflect README.template.

> - vi /etc/softhsm.conf should use ${SYSCONFDIR},

Nice catch, this has been fixed in this version.

> and I think the directory
> structure and ownership should be setup with @samples rather than
> telling people what to type.

The reason I made those steps manual is because I was not sure how much
of a relationship I should enforce between the opendnssec and softhsm
packages. I do agree that solving it via PLIST is cleaner given that
having an empty softhsm/ directory is acceptable if not being used.

I have added the directory to PLIST and updated the README accordingly.
The file owner still needs to be set manually though, maybe this can be
accomplished in a better way?

> 
> opendnssec PLIST:
> - no point @sample'ing /var/run/opendnssec/, you need to create it in the
> rc_pre in the rc script anyway because /var/run is cleared at boot.
> example in smokeping.

The only reason I have added the @sample is because I wanted to make
'make update-plist' happy. Without the @sample I get a "Bogus element
outside of every prefix" warning.

Given that this is fine then OpenDNSSEC actually creates that directory
itself when started, so a rc_pre is not needed.

> - @owner/@group need updating

I'm not sure what you mean by this, what am I missing? :)

> - you're using /var/opendnssec/ in this file but ${LOCALSTATEDIR} in README
> 
> softhsm PLIST:
> - /var / ${LOCALSTATEDIR}
> 

Using ${LOCALSTATEDIR} in the PLISTs also causes "Bogus element outside
of every prefix" warnings, maybe this is OK?

I have updated the PLISTs for now.

Thanks a lot for taking a look!

Regards,
Patrik Lundin


softhsm.tgz
Description: application/tar-gz


opendnssec.tgz
Description: application/tar-gz


opendnssec and softhsm revisited

2014-05-07 Thread Patrik Lundin
Hello,

I thought I would take a second look at porting opendnssec and softhsm
since last time my softhsm adventure ground to a halt due to libtool
issues
(http://marc.info/?l=openbsd-ports&m=137054816021002&w=2).

The attached softhsm port is based on what sthen@ sent out in that
thread with some stuff removed.  I am not sure if it is because of the
recent libtool work I have seen on the lists, but it now seems the
softhsm shared object turns up just fine without any special care.

The opendnssec port is a work in progress. The most annoying thing
while building currently is the warnings regarding comma at end of
enumerator list which seems to be the result of inconsistent use of
-std=c99 which I am not sure how to solve properly.

Another thing I am not sure about is the MODULES=
converters/libiconv which I added because portcheck wanted it to be
there.

Finally I am pretty sure both LICENSE files can be summed up as BSD, an
extra pair of eyes would be welcome though. I make sure they are
installed under doc/name in both ports.

Anyway, any feedback is much appreciated.

Regards,
Patrik Lundin


opendnssec.tgz
Description: application/tar-gz


softhsm.tgz
Description: application/tar-gz


Re: SoftHSM: base libtool problem

2013-06-08 Thread Patrik Lundin
On Thu, Jun 06, 2013 at 10:07:56PM +0100, Stuart Henderson wrote:
> 
> The attached port builds, but doesn't produce a shared library, which
> the produced binaries rely upon, so it doesn't actually work..
> 

Ah, cool!
It seems your configure patch fixes that specific build problem I
described.


> If I use USE_LIBTOOL=gnu in the ports build here, it builds, but I get
> an error during fake, again related to the shared library.
> 

I guess it's the missing libsofthsm.lai file it complains about. Funny
enough that file is only created when using the base libtool.

A ./configure && make does build the .so file. I noticed that g++ is
being used in that case, so I tried setting CC=g++, and this, together
with removing the patch-src_lib_Makefile_in patch makes the .so file
appear (however the build still explodes).



SoftHSM: base libtool problem

2013-06-06 Thread Patrik Lundin
Hello,

I have been looking at porting SoftHSM
(http://www.opendnssec.org/softhsm/) and later looking at the OpenDNSSEC
tool (http://www.opendnssec.org/).

I have been stopped in my tracks by the libtool in base, but I am not
sure I really need to activate the GNU version as I am possibly just
missing something simple.

A non-port ./configure && make ends with this action (which works):

===
/bin/sh ../libtool --tag=CC --mode=link gcc  -g -O2 -pedantic -Wall -Wextra 
-no-install -static -shared-libgcc   -o checks checks.o 
../src/lib/libsofthsm.la -lstdc++ 
libtool: link: gcc -g -O2 -pedantic -Wall -Wextra -shared-libgcc -o checks 
checks.o  ../src/lib/.libs/libsofthsm.a -L/usr/local/lib -lbotan-1.10 -lsqlite3 
-lstdc++
../src/lib/.libs/libsofthsm.a(SoftDatabase.o)(.text+0x1e65): In function 
`SoftDatabase::getTokenLabel()':
/home/patrik/softhsm-1.3.4/src/lib/SoftDatabase.cpp:203: warning: sprintf() is 
often misused, please use snprintf()
/usr/local/lib/libbz2.so.10.4: warning: strcat() is almost always misused, 
please use strlcat()
/usr/local/lib/libgmp.so.9.0: warning: strcpy() is almost always misused, 
please use strlcpy()
/usr/local/lib/libgmp.so.9.0: warning: vsprintf() is often misused, please use 
vsnprintf()
===

make build breaks like this:
===
/usr/bin/libtool  --tag=CC --mode=link cc  -O2 -pipe -pedantic -Wall -Wextra 
-no-install -static -shared-libgcc   -o checks checks.o 
../src/lib/libsofthsm.la -lstdc++
libtool: link: cc -o .libs/checks -O2 -pipe -pedantic -Wall -Wextra 
-shared-libgcc checks.o -L.libs 
/usr/ports/pobj/softhsm-1.3.4/softhsm-1.3.4/src/lib/.libs/libsofthsm.a 
-lbotan-1.10 -lsqlite3 -lstdc++ -lm -Wl,-rpath,/usr/local/lib/softhsm
/usr/ports/pobj/softhsm-1.3.4/softhsm-1.3.4/src/lib/.libs/libsofthsm.a(SoftDatabase.o)(.text+0x1e65):
 In function `SoftDatabase::getTokenLabel()':
: warning: sprintf() is often misused, please use snprintf()
/usr/bin/ld: warning: libbz2.so.10.4, needed by .libs/libbotan-1.10.so.0.1, not 
found (try using -rpath or -rpath-link)
/usr/bin/ld: warning: libgmp.so.9.0, needed by .libs/libbotan-1.10.so.0.1, not 
found (try using -rpath or -rpath-link)
.libs/libbotan-1.10.so.0.1: undefined reference to `__gmpz_clear'
.libs/libbotan-1.10.so.0.1: undefined reference to `__gmpz_mod'
.libs/libbotan-1.10.so.0.1: undefined reference to `__gmpz_init_set'
.libs/libbotan-1.10.so.0.1: undefined reference to `BZ2_bzDecompressInit'
[...]
===

If I set USE_LIBTOOL=gnu it works:
===
/usr/local/bin/libtool  --tag=CC--mode=link cc  -O2 -pipe -pedantic -Wall 
-Wextra -no-install -static -shared-libgcc   -o checks checks.o 
../src/lib/libsofthsm.la -lstdc++ 
libtool: link: cc -O2 -pipe -pedantic -Wall -Wextra -shared-libgcc -o checks 
checks.o  ../src/lib/.libs/libsofthsm.a -L/usr/local/lib -lbotan-1.10 -lsqlite3 
-lstdc++
../src/lib/.libs/libsofthsm.a(SoftDatabase.o)(.text+0x1e65): In function 
`SoftDatabase::getTokenLabel()':
: warning: sprintf() is often misused, please use snprintf()
/usr/local/lib/libbz2.so.10.4: warning: strcat() is almost always misused, 
please use strlcat()
/usr/local/lib/libgmp.so.9.0: warning: strcpy() is almost always misused, 
please use strlcpy()
/usr/local/lib/libgmp.so.9.0: warning: vsprintf() is often misused, please use 
vsnprintf()
===

The problem seems to be that while the GNU version adds -L/usr/local/lib, the
base version does not. I have been grasping for straws by including that in
CFLAGS but the base libtool strips it:
===
/usr/bin/libtool  --tag=CC--mode=link cc  -L/usr/local/lib -pedantic -Wall 
-Wextra -no-install -static -shared-libgcc   -o checks checks.o 
../src/lib/libsofthsm.la -lstdc++
libtool: link: cc -o .libs/checks -pedantic -Wall -Wextra -shared-libgcc 
checks.o -L.libs 
/usr/ports/pobj/softhsm-1.3.4/softhsm-1.3.4/src/lib/.libs/libsofthsm.a 
-lbotan-1.10 -lsqlite3 -lstdc++ -lm -Wl,-rpath,/usr/local/lib/softhsm
===

Is there a proper way to fix this without resorting to GNU?

Regards,
Patrik Lundin
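The difference described above (GNU libtool carrying -L/usr/local/lib into the link, the base libtool dropping it) can be checked mechanically from the .la file that the link line pulls in. The script below is an added example, not code from the thread or from the softhsm port: it reads the dependency_libs line of a libtool .la file and reports which -l libraries resolve in neither the -L directories the .la lists nor the default search directories passed to it. The .la files and the library tree are constructed in a temporary directory for the demonstration; the library names mirror those in the link output above, and the "base" and "local/lib" directories stand in for the system library directory and /usr/local/lib.

```shell
#!/bin/sh
# Added example (not from the thread or the softhsm port): check whether every
# -l entry in a libtool .la file's dependency_libs can be found in the -L
# directories the .la lists plus the default directories given on the command
# line. The .la files and library tree below are constructed for the demo.

# lib_in_dir NAME DIR: true if DIR holds libNAME.so, libNAME.so.X.Y or libNAME.a
lib_in_dir() {
    for f in "$2/lib$1".so "$2/lib$1".so.* "$2/lib$1".a; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# la_dependency_libs LA_FILE: print the value of dependency_libs from the .la
la_dependency_libs() {
    sed -n "s/^dependency_libs='\(.*\)'\$/\1/p" "$1"
}

# missing_deps LA_FILE [DEFAULT_DIR ...]: print each -l library from
# dependency_libs that is found in neither a -L dir of the .la nor one of the
# DEFAULT_DIRs. Empty output means the link line resolves as written.
missing_deps() {
    la=$1; shift
    deps=$(la_dependency_libs "$la")
    search=$*
    # collect the -L dirs first: libtool emits them before the -l entries
    for tok in $deps; do
        case $tok in -L*) search="$search ${tok#-L}" ;; esac
    done
    for tok in $deps; do
        case $tok in
        -l*) name=${tok#-l}; found=no
             for d in $search; do
                 if lib_in_dir "$name" "$d"; then found=yes; break; fi
             done
             if [ "$found" = no ]; then echo "$name"; fi ;;
        esac
    done
    return 0
}

# setup_demo: build a throwaway tree. "base" stands for the system library
# directory, "local/lib" for /usr/local/lib. Prints the tree's root.
setup_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/base" "$root/local/lib"
    : > "$root/base/libstdc++.so.57.0"
    : > "$root/base/libm.so.9.0"
    : > "$root/local/lib/libbotan-1.10.so.0.1"
    : > "$root/local/lib/libsqlite3.so.30.0"
    # .la as the GNU libtool run carries it: the -L is present
    printf "dependency_libs=' -L%s/local/lib -lbotan-1.10 -lsqlite3 -lstdc++ -lm'\n" \
        "$root" > "$root/with_L.la"
    # the same .la with the -L stripped, the situation the base libtool produced
    printf "dependency_libs=' -lbotan-1.10 -lsqlite3 -lstdc++ -lm'\n" \
        > "$root/without_L.la"
    echo "$root"
}

demo_root=$(setup_demo)
echo "missing with -L/usr/local/lib:"
missing_deps "$demo_root/with_L.la" "$demo_root/base"
echo "missing without -L/usr/local/lib:"
missing_deps "$demo_root/without_L.la" "$demo_root/base"
rm -rf "$demo_root"
```

Run against a real port, the call would be `missing_deps src/lib/libsofthsm.la /usr/lib`; libraries it lists are the ones that show up as "not found (try using -rpath or -rpath-link)" and as undefined references when the -L is lost.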