pwouters pushed to opendnssec (el6). "* Tue Jun 09 2015 Paul Wouters <pwouters at redhat.com> - 1.4.7-1 (..more)"
Tue Jun 9 15:54:43 UTC 2015
From 8739ab95cc308f1353b17da04a17656a9a8c2b10 Mon Sep 17 00:00:00 2001
From: Paul Wouters <pwouters at redhat.com>
Date: Tue, 9 Jun 2015 11:50:31 -0400
Subject: * Tue Jun 09 2015 Paul Wouters <pwouters at redhat.com> - 1.4.7-1 -
Updated to 1.4.7 - Create slot as ods user, not root. - Added the extract
patches from the fedora branch
diff --git a/.gitignore b/.gitignore
index cf0a372..f48fdde 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,4 @@
/opendnssec-1.4.4.tar.gz
/opendnssec-1.4.5.tar.gz
/opendnssec-1.4.6.tar.gz
+/opendnssec-1.4.7.tar.gz
diff --git a/opendnssec-1.4.7-extract.patch b/opendnssec-1.4.7-extract.patch
new file mode 100644
index 0000000..2b96715
--- /dev/null
+++ b/opendnssec-1.4.7-extract.patch
@@ -0,0 +1,156 @@
+diff -Naur opendnssec-1.4.7-orig/conf/conf.rnc opendnssec-1.4.7/conf/conf.rnc
+--- opendnssec-1.4.7-orig/conf/conf.rnc 2014-12-04 10:17:40.000000000 -0500
++++ opendnssec-1.4.7/conf/conf.rnc 2014-12-08 22:49:16.100212010 -0500
+@@ -50,7 +50,10 @@
+ element RequireBackup { empty }?,
+
+ # Do not maintain public keys in the repository (optional)
+- element SkipPublicKey { empty }?
++ element SkipPublicKey { empty }?,
++
++ # Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional)
++ element AllowExtraction { empty }?
+ }*
+ },
+
+diff -Naur opendnssec-1.4.7-orig/conf/conf.rng opendnssec-1.4.7/conf/conf.rng
+--- opendnssec-1.4.7-orig/conf/conf.rng 2014-12-04 10:18:39.000000000 -0500
++++ opendnssec-1.4.7/conf/conf.rng 2014-12-08 22:49:16.105212137 -0500
+@@ -71,6 +71,12 @@
+ <empty/>
+ </element>
+ </optional>
++ <optional>
++ <!-- Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional) -->
++ <element name="AllowExtraction">
++ <empty/>
++ </element>
++ </optional>
+ </element>
+ </zeroOrMore>
+ </element>
+diff -Naur opendnssec-1.4.7-orig/conf/conf.xml.in opendnssec-1.4.7/conf/conf.xml.in
+--- opendnssec-1.4.7-orig/conf/conf.xml.in 2014-12-04 10:17:40.000000000 -0500
++++ opendnssec-1.4.7/conf/conf.xml.in 2014-12-08 22:49:16.101212036 -0500
+@@ -9,6 +9,9 @@
+ <TokenLabel>OpenDNSSEC</TokenLabel>
+ <PIN>1234</PIN>
+ <SkipPublicKey/>
++ <!--
++ <AllowExtraction/>
++ -->
+ </Repository>
+
+ <!--
+diff -Naur opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.c opendnssec-1.4.7/libhsm/src/lib/libhsm.c
+--- opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.c 2014-12-04 10:17:40.000000000 -0500
++++ opendnssec-1.4.7/libhsm/src/lib/libhsm.c 2014-12-08 22:49:16.102212061 -0500
+@@ -504,6 +504,7 @@
+ hsm_config_default(hsm_config_t *config)
+ {
+ config->use_pubkey = 1;
++ config->allow_extract = 0;
+ }
+
+ /* creates a session_t structure, and automatically adds and initializes
+@@ -2054,6 +2055,8 @@
+ module_pin = (char *) xmlNodeGetContent(curNode);
+ if (xmlStrEqual(curNode->name, (const xmlChar *)"SkipPublicKey"))
+ module_config.use_pubkey = 0;
++ if (xmlStrEqual(curNode->name, (const xmlChar *)"AllowExtraction"))
++ module_config.allow_extract = 1;
+ curNode = curNode->next;
+ }
+
+@@ -2341,10 +2344,12 @@
+ CK_BBOOL ctrue = CK_TRUE;
+ CK_BBOOL cfalse = CK_FALSE;
+ CK_BBOOL ctoken = CK_TRUE;
++ CK_BBOOL cextractable = CK_FALSE;
+
+ if (!ctx) ctx = _hsm_ctx;
+ session = hsm_find_repository_session(ctx, repository);
+ if (!session) return NULL;
++ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
+
+ /* check whether this key doesn't happen to exist already */
+ do {
+@@ -2380,7 +2385,7 @@
+ { CKA_SENSITIVE, &ctrue, sizeof (ctrue) },
+ { CKA_TOKEN, &ctrue, sizeof (ctrue) },
+ { CKA_PRIVATE, &ctrue, sizeof (ctrue) },
+- { CKA_EXTRACTABLE, &cfalse, sizeof (cfalse) }
++ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) }
+ };
+
+ rv = ((CK_FUNCTION_LIST_PTR)session->module->sym)->C_GenerateKeyPair(session->session,
+@@ -2420,6 +2425,7 @@
+ CK_OBJECT_HANDLE domainPar, publicKey, privateKey;
+ CK_BBOOL ctrue = CK_TRUE;
+ CK_BBOOL cfalse = CK_FALSE;
++ CK_BBOOL cextractable = CK_FALSE;
+
+ /* ids we create are 16 bytes of data */
+ unsigned char id[16];
+@@ -2466,12 +2472,13 @@
+ { CKA_SENSITIVE, &ctrue, sizeof(ctrue) },
+ { CKA_TOKEN, &ctrue, sizeof(ctrue) },
+ { CKA_PRIVATE, &ctrue, sizeof(ctrue) },
+- { CKA_EXTRACTABLE, &cfalse, sizeof(cfalse) }
++ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) }
+ };
+
+ if (!ctx) ctx = _hsm_ctx;
+ session = hsm_find_repository_session(ctx, repository);
+ if (!session) return NULL;
++ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
+
+ /* check whether this key doesn't happen to exist already */
+
+@@ -2533,6 +2540,7 @@
+ CK_OBJECT_HANDLE publicKey, privateKey;
+ CK_BBOOL ctrue = CK_TRUE;
+ CK_BBOOL cfalse = CK_FALSE;
++ CK_BBOOL cextractable = CK_FALSE;
+
+ /* ids we create are 16 bytes of data */
+ unsigned char id[16];
+@@ -2569,12 +2577,13 @@
+ { CKA_SENSITIVE, &ctrue, sizeof(ctrue) },
+ { CKA_TOKEN, &ctrue, sizeof(ctrue) },
+ { CKA_PRIVATE, &ctrue, sizeof(ctrue) },
+- { CKA_EXTRACTABLE, &cfalse, sizeof(cfalse) }
++ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) }
+ };
+
+ if (!ctx) ctx = _hsm_ctx;
+ session = hsm_find_repository_session(ctx, repository);
+ if (!session) return NULL;
++ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
+
+ /* check whether this key doesn't happen to exist already */
+
+diff -Naur opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.h opendnssec-1.4.7/libhsm/src/lib/libhsm.h
+--- opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.h 2014-12-04 10:17:40.000000000 -0500
++++ opendnssec-1.4.7/libhsm/src/lib/libhsm.h 2014-12-08 22:49:16.102212061 -0500
+@@ -75,6 +75,7 @@
+ /*! HSM configuration */
+ typedef struct {
+ unsigned int use_pubkey; /*!< Maintain public keys in HSM */
++ unsigned int allow_extract; /*!< Generate CKA_EXTRACTABLE private keys */
+ } hsm_config_t;
+
+ /*! Data type to describe an HSM */
+diff -Naur opendnssec-1.4.7-orig/NEWS opendnssec-1.4.7/NEWS
+--- opendnssec-1.4.7-orig/NEWS 2014-12-04 10:17:40.000000000 -0500
++++ opendnssec-1.4.7/NEWS 2014-12-08 22:50:00.560342544 -0500
+@@ -1,3 +1,9 @@
++
++Fedora patch:
++* Enforcer: New repository option <AllowExtraction/> allows to generate keys
++ with CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped
++ and extracted from HSM.
++
+ OpenDNSSEC 1.4.7 - 2014-12-04
+
+ Bugfixes:
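Review bot: The comment added for `<AllowExtraction/>` in conf.rnc and conf.rng says only that CKA_EXTRACTABLE becomes TRUE, but the three private-key templates in libhsm.c keep `CKA_SENSITIVE` set to `ctrue`, so the practical effect is that a key can leave the token only wrapped (C_WrapKey), never as plaintext; the comment should state that limit and that it is a per-repository switch applied at key-generation time, e.g. `# Generate extractable private keys (CKA_EXTRACTABLE = TRUE; CKA_SENSITIVE stays TRUE, so keys leave the token only wrapped). Affects keys generated after the option is set (optional)`. The same wording belongs on the `allow_extract` field comment in libhsm.h, since that is where an integrator of the library will look. In the three key-generation functions, `cfalse` is no longer referenced on the lines visible here; if nothing else in those bodies uses it, the warning flags opendnssec.spec passes (`$RPM_OPT_FLAGS -Wextra`) will likely report an unused variable, so drop the declaration where it is dead. The key-generation functions start and end outside this hunk.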
diff --git a/opendnssec.spec b/opendnssec.spec
index ae54f3a..f2de926 100644
--- a/opendnssec.spec
+++ b/opendnssec.spec
@@ -3,7 +3,7 @@
Summary: DNSSEC key and zone management software
Name: opendnssec
-Version: 1.4.6
+Version: 1.4.7
Release: 1%{?prever}%{?dist}
License: BSD
Url: http://www.opendnssec.org/
@@ -15,6 +15,8 @@ Source4: conf.xml
Source5: opendnssec.cron
Source6: kasp.xml
+Patch1: opendnssec-1.4.7-extract.patch
+
Group: Applications/System
Requires: opencryptoki, softhsm
BuildRequires: libxml2, libxslt
@@ -42,6 +44,8 @@ name server. It requires a PKCS#11 crypto module library, such as softhsm
# bump default policy ZSK keysize to 2048
sed -i "s/1024/2048/" conf/kasp.xml.in
+%patch1 -p1
+
%build
export LDFLAGS="-Wl,-z,relro,-z,now -pie"
export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wextra -Wformat -Wformat-nonliteral -Wformat-security"
@@ -102,7 +106,7 @@ exit 0
# Initialise a slot on the softhsm on first install
if [ "$1" -eq 1 ]; then
if [ ! -f /var/softhsm/slot0.db ]; then
- softhsm --init-token --slot 0 --label "OpenDNSSEC" --pin 1234 --so-pin 1234
+ %{_sbindir}/runuser -u ods -- softhsm --init-token --slot 0 --label "OpenDNSSEC" --pin 1234 --so-pin 1234
fi
fi
# in case we update any xml conf file
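Review bot: The `runuser -u ods -- softhsm …` form on the changed line is util-linux syntax; this push is to the el6 branch, where `/sbin/runuser` is, as far as I know, the coreutils variant that takes `runuser USER -c CMD` and rejects `-u`, so the token initialisation would likely fail in %post and no slot would be created. If so, `%{_sbindir}/runuser ods -s /bin/sh -c "softhsm --init-token --slot 0 --label OpenDNSSEC --pin 1234 --so-pin 1234"` is the spelling that works on both; in either form the exit status is not checked, so a failure is only visible in softhsm's own stderr. Running as `ods` also presumes `/var/softhsm` is writable by that user at %post time, which this hunk does not arrange — confirm the directory ownership elsewhere in the spec. The enclosing scriptlet starts outside this hunk.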
@@ -124,6 +128,11 @@ if [ "$1" -ge "1" ]; then
fi
%changelog
+* Tue Jun 09 2015 Paul Wouters <pwouters at redhat.com> - 1.4.7-1
+- Updated to 1.4.7 (fix zone update can get stuck, crash on retransfer cmd)
+- Create slot as ods user, not root.
+- Added the extract patches from the fedora branch
+
* Wed Aug 20 2014 Paul Wouters <pwouters at redhat.com> - 1.4.6-1
- Updated to 1.4.6
- Removed merged in patch
diff --git a/sources b/sources
index fa56547..1db5a67 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-d241a6e4660aad92044f61568d32d4dd opendnssec-1.4.6.tar.gz
+363387b90624acc2e3f6d33fea23c2d3 opendnssec-1.4.7.tar.gz
--
cgit v0.10.2