Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

new diffs from the top

This commit is contained in:
christos 2015-01-22 21:42:06 +00:00
parent dbb6d0a43e
commit 42529d8197
2 changed files with 234 additions and 216 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

294
external/bsd/blacklist/diff/named.diff vendored
View File

@ -1,141 +1,5 @@
Index: client.c
===================================================================
RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/client.c,v
retrieving revision 1.11
diff -u -u -r1.11 client.c
--- client.c 10 Dec 2014 04:37:51 -0000 1.11
+++ client.c 22 Jan 2015 17:54:19 -0000
@@ -65,6 +65,8 @@
#include <named/server.h>
#include <named/update.h>
+#include "pfilter.h"
+
/***
*** Client
***/
@@ -3101,6 +3103,7 @@
result = ns_client_checkaclsilent(client, sockaddr ? &netaddr : NULL,
acl, default_allow);
+ pfilter_notify(result, client, opname);
if (result == ISC_R_SUCCESS)
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
Index: main.c
===================================================================
RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/main.c,v
retrieving revision 1.15
diff -u -u -r1.15 main.c
--- main.c 10 Dec 2014 04:37:51 -0000 1.15
+++ main.c 22 Jan 2015 17:54:19 -0000
@@ -95,6 +95,8 @@
#include <dlz/dlz_drivers.h>
#endif
+#include "pfilter.h"
+
/*
* The maximum number of stack frames to dump on assertion failure.
*/
@@ -1206,6 +1208,7 @@
parse_command_line(argc, argv);
+ pfilter_open();
/*
* Warn about common configuration error.
*/
Index: query.c
===================================================================
RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/query.c,v
retrieving revision 1.17
diff -u -u -r1.17 query.c
--- query.c 10 Dec 2014 04:37:52 -0000 1.17
+++ query.c 22 Jan 2015 17:54:19 -0000
@@ -65,6 +65,8 @@
#include <named/sortlist.h>
#include <named/xfrout.h>
+#include "pfilter.h"
+
#if 0
/*
* It has been recommended that DNS64 be changed to return excluded
@@ -762,6 +764,7 @@
}
result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
+ pfilter_notify(result, client, "validatezonedb");
if ((options & DNS_GETDB_NOLOG) == 0) {
char msg[NS_CLIENT_ACLMSGSIZE("query")];
if (result == ISC_R_SUCCESS) {
@@ -1026,6 +1029,7 @@
result = ns_client_checkaclsilent(client, NULL,
client->view->cacheacl,
ISC_TRUE);
+ pfilter_notify(result, client, "cachedb");
if (result == ISC_R_SUCCESS) {
/*
* We were allowed by the "allow-query-cache" ACL.
Index: update.c
===================================================================
RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/update.c,v
retrieving revision 1.9
diff -u -u -r1.9 update.c
--- update.c 10 Dec 2014 04:37:52 -0000 1.9
+++ update.c 22 Jan 2015 17:54:19 -0000
@@ -59,6 +59,8 @@
#include <named/server.h>
#include <named/update.h>
+#include "pfilter.h"
+
/*! \file
* \brief
* This module implements dynamic update as in RFC2136.
@@ -306,6 +308,7 @@
isc_result_t result;
result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
+ pfilter_notify(result, client, "queryacl");
if (result != ISC_R_SUCCESS) {
dns_name_format(zonename, namebuf, sizeof(namebuf));
dns_rdataclass_format(client->view->rdclass, classbuf,
@@ -362,6 +365,7 @@
msg = "disabled";
} else {
result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE);
+ pfilter_notify(result, client, "updateacl");
if (result == ISC_R_SUCCESS) {
level = ISC_LOG_DEBUG(3);
msg = "approved";
Index: xfrout.c
===================================================================
RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/xfrout.c,v
retrieving revision 1.7
diff -u -u -r1.7 xfrout.c
--- xfrout.c 10 Dec 2014 04:37:52 -0000 1.7
+++ xfrout.c 22 Jan 2015 17:54:19 -0000
@@ -54,6 +54,8 @@
#include <named/server.h>
#include <named/xfrout.h>
+#include "pfilter.h"
+
/*! \file
* \brief
* Outgoing AXFR and IXFR.
@@ -822,6 +824,7 @@
&client->peeraddr,
&db);
+ pfilter_notify(result, client, "zonexfr");
if (result == ISC_R_NOPERM) {
char _buf1[DNS_NAME_FORMATSIZE];
char _buf2[DNS_RDATACLASS_FORMATSIZE];
--- /dev/null 2015-01-22 01:48:00.000000000 -0500 --- /dev/null 2015-01-22 01:48:00.000000000 -0500
+++ pfilter.c 2015-01-22 01:35:16.000000000 -0500 +++ dist/bin/named/pfilter.c 2015-01-22 01:35:16.000000000 -0500
@@ -0,0 +1,42 @@ @@ -0,0 +1,42 @@
+#include <config.h> +#include <config.h>
+ +
@ -180,7 +44,161 @@ diff -u -u -r1.7 xfrout.c
+ &client->peeraddr.type.sa, client->peeraddr.length, msg); + &client->peeraddr.type.sa, client->peeraddr.length, msg);
+} +}
--- /dev/null 2015-01-22 01:48:00.000000000 -0500 --- /dev/null 2015-01-22 01:48:00.000000000 -0500
+++ pfilter.h 2015-01-22 01:16:56.000000000 -0500 +++ dist/bin/named/pfilter.h 2015-01-22 01:16:56.000000000 -0500
@@ -0,0 +1,2 @@ @@ -0,0 +1,2 @@
+void pfilter_open(void); +void pfilter_open(void);
+void pfilter_notify(isc_result_t, ns_client_t *, const char *); +void pfilter_notify(isc_result_t, ns_client_t *, const char *);
Index: bin/named/Makefile
===================================================================
RCS file: /cvsroot/src/external/bsd/bind/bin/named/Makefile,v
retrieving revision 1.8
diff -u -u -r1.8 Makefile
--- bin/named/Makefile 31 Dec 2013 20:23:12 -0000 1.8
+++ bin/named/Makefile 22 Jan 2015 21:40:38 -0000
@@ -33,7 +33,9 @@
lwaddr.c lwdclient.c lwderror.c \
lwdgabn.c lwdgnba.c lwdgrbn.c lwdnoop.c lwresd.c lwsearch.c \
main.c notify.c query.c server.c sortlist.c statschannel.c \
- tkeyconf.c tsigconf.c \
+ pfilter.c tkeyconf.c tsigconf.c \
update.c xfrout.c zoneconf.c ${SRCS_UNIX}
+LDADD+=-lblacklist
+DPADD+=${LIBBLACKLIST}
.include <bsd.prog.mk>
Index: dist/bin/named/client.c
===================================================================
RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/client.c,v
retrieving revision 1.11
diff -u -u -r1.11 client.c
--- dist/bin/named/client.c 10 Dec 2014 04:37:51 -0000 1.11
+++ dist/bin/named/client.c 22 Jan 2015 21:40:38 -0000
@@ -65,6 +65,8 @@
#include <named/server.h>
#include <named/update.h>
+#include "pfilter.h"
+
/***
*** Client
***/
@@ -3101,6 +3103,7 @@
result = ns_client_checkaclsilent(client, sockaddr ? &netaddr : NULL,
acl, default_allow);
+ pfilter_notify(result, client, opname);
if (result == ISC_R_SUCCESS)
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
Index: dist/bin/named/main.c
===================================================================
RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/main.c,v
retrieving revision 1.15
diff -u -u -r1.15 main.c
--- dist/bin/named/main.c 10 Dec 2014 04:37:51 -0000 1.15
+++ dist/bin/named/main.c 22 Jan 2015 21:40:38 -0000
@@ -95,6 +95,8 @@
#include <dlz/dlz_drivers.h>
#endif
+#include "pfilter.h"
+
/*
* The maximum number of stack frames to dump on assertion failure.
*/
@@ -1206,6 +1208,7 @@
parse_command_line(argc, argv);
+ pfilter_open();
/*
* Warn about common configuration error.
*/
Index: dist/bin/named/query.c
===================================================================
RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/query.c,v
retrieving revision 1.17
diff -u -u -r1.17 query.c
--- dist/bin/named/query.c 10 Dec 2014 04:37:52 -0000 1.17
+++ dist/bin/named/query.c 22 Jan 2015 21:40:39 -0000
@@ -65,6 +65,8 @@
#include <named/sortlist.h>
#include <named/xfrout.h>
+#include "pfilter.h"
+
#if 0
/*
* It has been recommended that DNS64 be changed to return excluded
@@ -762,6 +764,7 @@
}
result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
+ pfilter_notify(result, client, "validatezonedb");
if ((options & DNS_GETDB_NOLOG) == 0) {
char msg[NS_CLIENT_ACLMSGSIZE("query")];
if (result == ISC_R_SUCCESS) {
@@ -1026,6 +1029,7 @@
result = ns_client_checkaclsilent(client, NULL,
client->view->cacheacl,
ISC_TRUE);
+ pfilter_notify(result, client, "cachedb");
if (result == ISC_R_SUCCESS) {
/*
* We were allowed by the "allow-query-cache" ACL.
Index: dist/bin/named/update.c
===================================================================
RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/update.c,v
retrieving revision 1.9
diff -u -u -r1.9 update.c
--- dist/bin/named/update.c 10 Dec 2014 04:37:52 -0000 1.9
+++ dist/bin/named/update.c 22 Jan 2015 21:40:39 -0000
@@ -59,6 +59,8 @@
#include <named/server.h>
#include <named/update.h>
+#include "pfilter.h"
+
/*! \file
* \brief
* This module implements dynamic update as in RFC2136.
@@ -306,6 +308,7 @@
isc_result_t result;
result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
+ pfilter_notify(result, client, "queryacl");
if (result != ISC_R_SUCCESS) {
dns_name_format(zonename, namebuf, sizeof(namebuf));
dns_rdataclass_format(client->view->rdclass, classbuf,
@@ -362,6 +365,7 @@
msg = "disabled";
} else {
result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE);
+ pfilter_notify(result, client, "updateacl");
if (result == ISC_R_SUCCESS) {
level = ISC_LOG_DEBUG(3);
msg = "approved";
Index: dist/bin/named/xfrout.c
===================================================================
RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/xfrout.c,v
retrieving revision 1.7
diff -u -u -r1.7 xfrout.c
--- dist/bin/named/xfrout.c 10 Dec 2014 04:37:52 -0000 1.7
+++ dist/bin/named/xfrout.c 22 Jan 2015 21:40:39 -0000
@@ -54,6 +54,8 @@
#include <named/server.h>
#include <named/xfrout.h>
+#include "pfilter.h"
+
/*! \file
* \brief
* Outgoing AXFR and IXFR.
@@ -822,6 +824,7 @@
&client->peeraddr,
&db);
+ pfilter_notify(result, client, "zonexfr");
if (result == ISC_R_NOPERM) {
char _buf1[DNS_NAME_FORMATSIZE];
char _buf2[DNS_RDATACLASS_FORMATSIZE];

156
external/bsd/blacklist/diff/ssh.diff vendored
View File

@ -1,81 +1,3 @@
Index: bin/sshd/Makefile
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v
retrieving revision 1.10
diff -u -r1.10 Makefile
--- bin/sshd/Makefile 19 Oct 2014 16:30:58 -0000 1.10
+++ bin/sshd/Makefile 21 Jan 2015 02:16:08 -0000
@@ -15,7 +15,7 @@
auth2-none.c auth2-passwd.c auth2-pubkey.c \
monitor_mm.c monitor.c monitor_wrap.c \
kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \
- roaming_common.c roaming_serv.c sandbox-rlimit.c
+ roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c
COPTS.auth-options.c= -Wno-pointer-sign
COPTS.ldapauth.c= -Wno-format-nonliteral # XXX: should fix
@@ -68,3 +68,6 @@
LDADD+= -lwrap
DPADD+= ${LIBWRAP}
+
+LDADD+= -lblacklist
+DPADD+= ${LIBBLACKLIST}
Index: dist/auth.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v
retrieving revision 1.10
diff -u -r1.10 auth.c
--- dist/auth.c 19 Oct 2014 16:30:58 -0000 1.10
+++ dist/auth.c 21 Jan 2015 02:16:09 -0000
@@ -62,6 +62,7 @@
#include "monitor_wrap.h"
#include "krl.h"
#include "compat.h"
+#include "pfilter.h"
#ifdef HAVE_LOGIN_CAP
#include <login_cap.h>
@@ -362,6 +363,8 @@
compat20 ? "ssh2" : "ssh1",
authctxt->info != NULL ? ": " : "",
authctxt->info != NULL ? authctxt->info : "");
+ if (!authctxt->postponed)
+ pfilter_notify(!authenticated);
free(authctxt->info);
authctxt->info = NULL;
}
Index: dist/sshd.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
retrieving revision 1.15
diff -u -u -r1.15 sshd.c
--- dist/sshd.c 28 Oct 2014 21:36:16 -0000 1.15
+++ dist/sshd.c 21 Jan 2015 02:49:39 -0000
@@ -109,6 +109,7 @@
#include "roaming.h"
#include "ssh-sandbox.h"
#include "version.h"
+#include "pfilter.h"
#ifdef LIBWRAP
#include <tcpd.h>
@@ -364,6 +365,7 @@
killpg(0, SIGTERM);
}
+ pfilter_notify(1);
/* Log error and exit. */
sigdie("Timeout before authentication for %s", get_remote_ipaddr());
}
@@ -1160,6 +1162,7 @@
for (i = 0; i < options.max_startups; i++)
startup_pipes[i] = -1;
+ pfilter_init();
/*
* Stay listening for connections until the system crashes or
* the daemon is killed with a signal.
--- /dev/null 2015-01-20 21:14:44.000000000 -0500 --- /dev/null 2015-01-20 21:14:44.000000000 -0500
+++ dist/pfilter.c 2015-01-20 21:17:22.000000000 -0500 +++ dist/pfilter.c 2015-01-20 21:17:22.000000000 -0500
@@ -0,0 +1,27 @@ @@ -0,0 +1,27 @@
@ -112,3 +34,81 @@ diff -u -u -r1.15 sshd.c
+ +
+void pfilter_notify(int); +void pfilter_notify(int);
+void pfilter_init(void); +void pfilter_init(void);
Index: bin/sshd/Makefile
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/bin/sshd/Makefile,v
retrieving revision 1.10
diff -u -u -r1.10 Makefile
--- bin/sshd/Makefile 19 Oct 2014 16:30:58 -0000 1.10
+++ bin/sshd/Makefile 22 Jan 2015 21:39:21 -0000
@@ -15,7 +15,7 @@
auth2-none.c auth2-passwd.c auth2-pubkey.c \
monitor_mm.c monitor.c monitor_wrap.c \
kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \
- roaming_common.c roaming_serv.c sandbox-rlimit.c
+ roaming_common.c roaming_serv.c sandbox-rlimit.c pfilter.c
COPTS.auth-options.c= -Wno-pointer-sign
COPTS.ldapauth.c= -Wno-format-nonliteral # XXX: should fix
@@ -68,3 +68,6 @@
LDADD+= -lwrap
DPADD+= ${LIBWRAP}
+
+LDADD+= -lblacklist
+DPADD+= ${LIBBLACKLIST}
Index: dist/auth.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v
retrieving revision 1.10
diff -u -u -r1.10 auth.c
--- dist/auth.c 19 Oct 2014 16:30:58 -0000 1.10
+++ dist/auth.c 22 Jan 2015 21:39:22 -0000
@@ -62,6 +62,7 @@
#include "monitor_wrap.h"
#include "krl.h"
#include "compat.h"
+#include "pfilter.h"
#ifdef HAVE_LOGIN_CAP
#include <login_cap.h>
@@ -362,6 +363,8 @@
compat20 ? "ssh2" : "ssh1",
authctxt->info != NULL ? ": " : "",
authctxt->info != NULL ? authctxt->info : "");
+ if (!authctxt->postponed)
+ pfilter_notify(!authenticated);
free(authctxt->info);
authctxt->info = NULL;
}
Index: dist/sshd.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
retrieving revision 1.15
diff -u -u -r1.15 sshd.c
--- dist/sshd.c 28 Oct 2014 21:36:16 -0000 1.15
+++ dist/sshd.c 22 Jan 2015 21:39:22 -0000
@@ -109,6 +109,7 @@
#include "roaming.h"
#include "ssh-sandbox.h"
#include "version.h"
+#include "pfilter.h"
#ifdef LIBWRAP
#include <tcpd.h>
@@ -364,6 +365,7 @@
killpg(0, SIGTERM);
}
+ pfilter_notify(1);
/* Log error and exit. */
sigdie("Timeout before authentication for %s", get_remote_ipaddr());
}
@@ -1160,6 +1162,7 @@
for (i = 0; i < options.max_startups; i++)
startup_pipes[i] = -1;
+ pfilter_init();
/*
* Stay listening for connections until the system crashes or
* the daemon is killed with a signal.