From 42529d81974bf2355f922c7b03eed5d941940279 Mon Sep 17 00:00:00 2001
From: christos
Date: Thu, 22 Jan 2015 21:42:06 +0000
Subject: [PATCH] new diffs from the top
---
external/bsd/blacklist/diff/named.diff | 294 +++++++++++++------------
external/bsd/blacklist/diff/ssh.diff | 156 ++++++-------
2 files changed, 234 insertions(+), 216 deletions(-)
diff --git a/external/bsd/blacklist/diff/named.diff b/external/bsd/blacklist/diff/named.diff
index d3d1dbda3d1d..99069c85859a 100644
--- a/external/bsd/blacklist/diff/named.diff
+++ b/external/bsd/blacklist/diff/named.diff
@@ -1,141 +1,5 @@ -Index: client.c -=================================================================== -RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/client.c,v -retrieving revision 1.11 -diff -u -u -r1.11 client.c ---- client.c 10 Dec 2014 04:37:51 -0000 1.11 -+++ client.c 22 Jan 2015 17:54:19 -0000 -@@ -65,6 +65,8 @@ - #include - #include - -+#include "pfilter.h" -+ - /*** - *** Client - ***/ -@@ -3101,6 +3103,7 @@ - result = ns_client_checkaclsilent(client, sockaddr ? &netaddr : NULL, - acl, default_allow); - -+ pfilter_notify(result, client, opname); - if (result == ISC_R_SUCCESS) - ns_client_log(client, DNS_LOGCATEGORY_SECURITY, - NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), -Index: main.c -=================================================================== -RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/main.c,v -retrieving revision 1.15 -diff -u -u -r1.15 main.c ---- main.c 10 Dec 2014 04:37:51 -0000 1.15 -+++ main.c 22 Jan 2015 17:54:19 -0000 -@@ -95,6 +95,8 @@ - #include - #endif - -+#include "pfilter.h" -+ - /* - * The maximum number of stack frames to dump on assertion failure. - */ -@@ -1206,6 +1208,7 @@ - - parse_command_line(argc, argv); - -+ pfilter_open(); - /* - * Warn about common configuration error. 
- */ -Index: query.c -=================================================================== -RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/query.c,v -retrieving revision 1.17 -diff -u -u -r1.17 query.c ---- query.c 10 Dec 2014 04:37:52 -0000 1.17 -+++ query.c 22 Jan 2015 17:54:19 -0000 -@@ -65,6 +65,8 @@ - #include - #include - -+#include "pfilter.h" -+ - #if 0 - /* - * It has been recommended that DNS64 be changed to return excluded -@@ -762,6 +764,7 @@ - } - - result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE); -+ pfilter_notify(result, client, "validatezonedb"); - if ((options & DNS_GETDB_NOLOG) == 0) { - char msg[NS_CLIENT_ACLMSGSIZE("query")]; - if (result == ISC_R_SUCCESS) { -@@ -1026,6 +1029,7 @@ - result = ns_client_checkaclsilent(client, NULL, - client->view->cacheacl, - ISC_TRUE); -+ pfilter_notify(result, client, "cachedb"); - if (result == ISC_R_SUCCESS) { - /* - * We were allowed by the "allow-query-cache" ACL. -Index: update.c -=================================================================== -RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/update.c,v -retrieving revision 1.9 -diff -u -u -r1.9 update.c ---- update.c 10 Dec 2014 04:37:52 -0000 1.9 -+++ update.c 22 Jan 2015 17:54:19 -0000 -@@ -59,6 +59,8 @@ - #include - #include - -+#include "pfilter.h" -+ - /*! \file - * \brief - * This module implements dynamic update as in RFC2136. 
-@@ -306,6 +308,7 @@ - isc_result_t result; - - result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE); -+ pfilter_notify(result, client, "queryacl"); - if (result != ISC_R_SUCCESS) { - dns_name_format(zonename, namebuf, sizeof(namebuf)); - dns_rdataclass_format(client->view->rdclass, classbuf, -@@ -362,6 +365,7 @@ - msg = "disabled"; - } else { - result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE); -+ pfilter_notify(result, client, "updateacl"); - if (result == ISC_R_SUCCESS) { - level = ISC_LOG_DEBUG(3); - msg = "approved"; -Index: xfrout.c -=================================================================== -RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/xfrout.c,v -retrieving revision 1.7 -diff -u -u -r1.7 xfrout.c ---- xfrout.c 10 Dec 2014 04:37:52 -0000 1.7 -+++ xfrout.c 22 Jan 2015 17:54:19 -0000 -@@ -54,6 +54,8 @@ - #include - #include - -+#include "pfilter.h" -+ - /*! \file - * \brief - * Outgoing AXFR and IXFR. -@@ -822,6 +824,7 @@ - &client->peeraddr, - &db); - -+ pfilter_notify(result, client, "zonexfr"); - if (result == ISC_R_NOPERM) { - char _buf1[DNS_NAME_FORMATSIZE]; - char _buf2[DNS_RDATACLASS_FORMATSIZE]; --- /dev/null 2015-01-22 01:48:00.000000000 -0500 -+++ pfilter.c 2015-01-22 01:35:16.000000000 -0500 ++++ dist/bin/named/pfilter.c 2015-01-22 01:35:16.000000000 -0500 @@ -0,0 +1,42 @@ +#include + @@ -180,7 +44,161 @@ diff -u -u -r1.7 xfrout.c + &client->peeraddr.type.sa, client->peeraddr.length, msg); +} --- /dev/null 2015-01-22 01:48:00.000000000 -0500 -+++ pfilter.h 2015-01-22 01:16:56.000000000 -0500 ++++ dist/bin/named/pfilter.h 2015-01-22 01:16:56.000000000 -0500 
@@ -0,0 +1,2 @@ +void pfilter_open(void); +void pfilter_notify(isc_result_t, ns_client_t *, const char *); +Index: bin/named/Makefile +=================================================================== +RCS file: /cvsroot/src/external/bsd/bind/bin/named/Makefile,v +retrieving revision 1.8 +diff -u -u -r1.8 Makefile +--- bin/named/Makefile 31 Dec 2013 20:23:12 -0000 1.8 ++++ bin/named/Makefile 22 Jan 2015 21:40:38 -0000 +@@ -33,7 +33,9 @@ + lwaddr.c lwdclient.c lwderror.c \ + lwdgabn.c lwdgnba.c lwdgrbn.c lwdnoop.c lwresd.c lwsearch.c \ + main.c notify.c query.c server.c sortlist.c statschannel.c \ +- tkeyconf.c tsigconf.c \ ++ pfilter.c tkeyconf.c tsigconf.c \ + update.c xfrout.c zoneconf.c ${SRCS_UNIX} + ++LDADD+=-lblacklist ++DPADD+=${LIBBLACKLIST} + .include +Index: dist/bin/named/client.c +=================================================================== +RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/client.c,v +retrieving revision 1.11 +diff -u -u -r1.11 client.c +--- dist/bin/named/client.c 10 Dec 2014 04:37:51 -0000 1.11 ++++ dist/bin/named/client.c 22 Jan 2015 21:40:38 -0000 +@@ -65,6 +65,8 @@ + #include + #include + ++#include "pfilter.h" ++ + /*** + *** Client + ***/ +@@ -3101,6 +3103,7 @@ + result = ns_client_checkaclsilent(client, sockaddr ? &netaddr : NULL, + acl, default_allow); + ++ pfilter_notify(result, client, opname); + if (result == ISC_R_SUCCESS) + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), +Index: dist/bin/named/main.c +=================================================================== +RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/main.c,v +retrieving revision 1.15 +diff -u -u -r1.15 main.c +--- dist/bin/named/main.c 10 Dec 2014 04:37:51 -0000 1.15 ++++ dist/bin/named/main.c 22 Jan 2015 21:40:38 -0000 +@@ -95,6 +95,8 @@ + #include + #endif + ++#include "pfilter.h" ++ + /* + * The maximum number of stack frames to dump on assertion failure. 
+ */ +@@ -1206,6 +1208,7 @@ + + parse_command_line(argc, argv); + ++ pfilter_open(); + /* + * Warn about common configuration error. + */ +Index: dist/bin/named/query.c +=================================================================== +RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/query.c,v +retrieving revision 1.17 +diff -u -u -r1.17 query.c +--- dist/bin/named/query.c 10 Dec 2014 04:37:52 -0000 1.17 ++++ dist/bin/named/query.c 22 Jan 2015 21:40:39 -0000 +@@ -65,6 +65,8 @@ + #include + #include + ++#include "pfilter.h" ++ + #if 0 + /* + * It has been recommended that DNS64 be changed to return excluded +@@ -762,6 +764,7 @@ + } + + result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE); ++ pfilter_notify(result, client, "validatezonedb"); + if ((options & DNS_GETDB_NOLOG) == 0) { + char msg[NS_CLIENT_ACLMSGSIZE("query")]; + if (result == ISC_R_SUCCESS) { +@@ -1026,6 +1029,7 @@ + result = ns_client_checkaclsilent(client, NULL, + client->view->cacheacl, + ISC_TRUE); ++ pfilter_notify(result, client, "cachedb"); + if (result == ISC_R_SUCCESS) { + /* + * We were allowed by the "allow-query-cache" ACL. +Index: dist/bin/named/update.c +=================================================================== +RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/update.c,v +retrieving revision 1.9 +diff -u -u -r1.9 update.c +--- dist/bin/named/update.c 10 Dec 2014 04:37:52 -0000 1.9 ++++ dist/bin/named/update.c 22 Jan 2015 21:40:39 -0000 +@@ -59,6 +59,8 @@ + #include + #include + ++#include "pfilter.h" ++ + /*! \file + * \brief + * This module implements dynamic update as in RFC2136. 
+@@ -306,6 +308,7 @@ + isc_result_t result; + + result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE); ++ pfilter_notify(result, client, "queryacl"); + if (result != ISC_R_SUCCESS) { + dns_name_format(zonename, namebuf, sizeof(namebuf)); + dns_rdataclass_format(client->view->rdclass, classbuf, +@@ -362,6 +365,7 @@ + msg = "disabled"; + } else { + result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE); ++ pfilter_notify(result, client, "updateacl"); + if (result == ISC_R_SUCCESS) { + level = ISC_LOG_DEBUG(3); + msg = "approved"; +Index: dist/bin/named/xfrout.c +=================================================================== +RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/xfrout.c,v +retrieving revision 1.7 +diff -u -u -r1.7 xfrout.c +--- dist/bin/named/xfrout.c 10 Dec 2014 04:37:52 -0000 1.7 ++++ dist/bin/named/xfrout.c 22 Jan 2015 21:40:39 -0000 +@@ -54,6 +54,8 @@ + #include + #include + ++#include "pfilter.h" ++ + /*! \file + * \brief + * Outgoing AXFR and IXFR. +@@ -822,6 +824,7 @@ + &client->peeraddr, + &db); + ++ pfilter_notify(result, client, "zonexfr"); + if (result == ISC_R_NOPERM) { + char _buf1[DNS_NAME_FORMATSIZE]; + char _buf2[DNS_RDATACLASS_FORMATSIZE]; diff --git a/external/bsd/blacklist/diff/ssh.diff b/external/bsd/blacklist/diff/ssh.diff index ab2e42903a0f..8bd971a9ede6 100644 --- a/external/bsd/blacklist/diff/ssh.diff +++ b/external/bsd/blacklist/diff/ssh.diff 
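Review bot: The `pfilter_notify(result, client, ...)` calls carried for client.c, query.c, update.c and xfrout.c report every ACL outcome keyed on `client->peeraddr`, and nothing visible in this hunk limits that to peers whose source address has been verified. A UDP query's source address is unauthenticated, so a denial recorded against it can lead to blocking a host that never sent the query. Only the last line of pfilter.c's body is visible here, so confirm it skips non-TCP clients; if it does not, a guard at the top of `pfilter_notify` such as `if (!TCP_CLIENT(client)) return;` with the comment `/* UDP source addresses are unverified; report TCP peers only */` would cover all six call sites. The same function is also invoked on successful checks, so its header comment should state what a success result does to a previously recorded failure.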
@@ -1,81 +1,3 @@ -Index: bin/sshd/Makefile -=================================================================== -RCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v -retrieving revision 1.10 -diff -u -r1.10 Makefile ---- bin/sshd/Makefile 19 Oct 2014 16:30:58 -0000 1.10 -+++ bin/sshd/Makefile 21 Jan 2015 02:16:08 -0000 -@@ -15,7 +15,7 @@ - auth2-none.c auth2-passwd.c auth2-pubkey.c \ - monitor_mm.c monitor.c monitor_wrap.c \ - kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \ -- roaming_common.c roaming_serv.c sandbox-rlimit.c -+ roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c - - COPTS.auth-options.c= -Wno-pointer-sign - COPTS.ldapauth.c= -Wno-format-nonliteral # XXX: should fix -@@ -68,3 +68,6 @@ - - LDADD+= -lwrap - DPADD+= ${LIBWRAP} -+ -+LDADD+= -lblacklist -+DPADD+= ${LIBBLACKLIST} -Index: dist/auth.c -=================================================================== -RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v -retrieving revision 1.10 -diff -u -r1.10 auth.c ---- dist/auth.c 19 Oct 2014 16:30:58 -0000 1.10 -+++ dist/auth.c 21 Jan 2015 02:16:09 -0000 -@@ -62,6 +62,7 @@ - #include "monitor_wrap.h" - #include "krl.h" - #include "compat.h" -+#include "pfilter.h" - - #ifdef HAVE_LOGIN_CAP - #include -@@ -362,6 +363,8 @@ - compat20 ? "ssh2" : "ssh1", - authctxt->info != NULL ? ": " : "", - authctxt->info != NULL ? 
authctxt->info : ""); -+ if (!authctxt->postponed) -+ pfilter_notify(!authenticated); - free(authctxt->info); - authctxt->info = NULL; - } -Index: dist/sshd.c -=================================================================== -RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v -retrieving revision 1.15 -diff -u -u -r1.15 sshd.c ---- dist/sshd.c 28 Oct 2014 21:36:16 -0000 1.15 -+++ dist/sshd.c 21 Jan 2015 02:49:39 -0000 -@@ -109,6 +109,7 @@ - #include "roaming.h" - #include "ssh-sandbox.h" - #include "version.h" -+#include "pfilter.h" - - #ifdef LIBWRAP - #include -@@ -364,6 +365,7 @@ - killpg(0, SIGTERM); - } - -+ pfilter_notify(1); - /* Log error and exit. */ - sigdie("Timeout before authentication for %s", get_remote_ipaddr()); - } -@@ -1160,6 +1162,7 @@ - for (i = 0; i < options.max_startups; i++) - startup_pipes[i] = -1; - -+ pfilter_init(); - /* - * Stay listening for connections until the system crashes or - * the daemon is killed with a signal. --- /dev/null 2015-01-20 21:14:44.000000000 -0500 +++ dist/pfilter.c 2015-01-20 21:17:22.000000000 -0500 @@ -0,0 +1,27 @@ 
@@ -112,3 +34,81 @@ diff -u -u -r1.15 sshd.c + +void pfilter_notify(int); +void pfilter_init(void); +Index: bin/sshd/Makefile +=================================================================== +RCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v +retrieving revision 1.10 +diff -u -u -r1.10 Makefile +--- bin/sshd/Makefile 19 Oct 2014 16:30:58 -0000 1.10 ++++ bin/sshd/Makefile 22 Jan 2015 21:39:21 -0000 +@@ -15,7 +15,7 @@ + auth2-none.c auth2-passwd.c auth2-pubkey.c \ + monitor_mm.c monitor.c monitor_wrap.c \ + kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \ +- roaming_common.c roaming_serv.c sandbox-rlimit.c ++ roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c + + COPTS.auth-options.c= -Wno-pointer-sign + COPTS.ldapauth.c= -Wno-format-nonliteral # XXX: should fix +@@ -68,3 +68,6 @@ + + LDADD+= -lwrap + DPADD+= ${LIBWRAP} ++ ++LDADD+= -lblacklist ++DPADD+= ${LIBBLACKLIST} +Index: dist/auth.c +=================================================================== +RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v +retrieving revision 1.10 +diff -u -u -r1.10 auth.c +--- dist/auth.c 19 Oct 2014 16:30:58 -0000 1.10 ++++ dist/auth.c 22 Jan 2015 21:39:22 -0000 +@@ -62,6 +62,7 @@ + #include "monitor_wrap.h" + #include "krl.h" + #include "compat.h" ++#include "pfilter.h" + + #ifdef HAVE_LOGIN_CAP + #include +@@ -362,6 +363,8 @@ + compat20 ? "ssh2" : "ssh1", + authctxt->info != NULL ? ": " : "", + authctxt->info != NULL ? 
authctxt->info : ""); ++ if (!authctxt->postponed) ++ pfilter_notify(!authenticated); + free(authctxt->info); + authctxt->info = NULL; + } +Index: dist/sshd.c +=================================================================== +RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v +retrieving revision 1.15 +diff -u -u -r1.15 sshd.c +--- dist/sshd.c 28 Oct 2014 21:36:16 -0000 1.15 ++++ dist/sshd.c 22 Jan 2015 21:39:22 -0000 +@@ -109,6 +109,7 @@ + #include "roaming.h" + #include "ssh-sandbox.h" + #include "version.h" ++#include "pfilter.h" + + #ifdef LIBWRAP + #include +@@ -364,6 +365,7 @@ + killpg(0, SIGTERM); + } + ++ pfilter_notify(1); + /* Log error and exit. */ + sigdie("Timeout before authentication for %s", get_remote_ipaddr()); + } +@@ -1160,6 +1162,7 @@ + for (i = 0; i < options.max_startups; i++) + startup_pipes[i] = -1; + ++ pfilter_init(); + /* + * Stay listening for connections until the system crashes or + * the daemon is killed with a signal.
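Review bot: The `pfilter_notify(1);` placed ahead of `sigdie("Timeout before authentication for %s", ...)` in the sshd.c section appears to run in the login-grace timeout path, which the `sigdie` call suggests is signal-handler context; the enclosing function starts and ends outside the hunk, so this is inferred. pfilter.c's body is not visible here, so it cannot be confirmed that the notification avoids allocation, logging or a lazy connection open, any of which is unsafe if the alarm interrupts the same code in the main flow. At minimum the call site should carry `/* signal context: pfilter_notify() must remain async-signal-safe */`, and pfilter.h should document that requirement next to `void pfilter_notify(int);`.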