Package init

dnsmasq-2.77-underflow.patch

@@ -0,0 +1,63 @@
+From c82a594d95431e8615126621397ea595eb037a6b Mon Sep 17 00:00:00 2001
+From: Doran Moppert <dmoppert@redhat.com>
+Date: Tue, 26 Sep 2017 14:48:20 +0930
+Subject: [PATCH] google patch hand-applied
+
+---
+ src/edns0.c   | 10 +++++-----
+ src/forward.c |  4 ++++
+ src/rfc1035.c |  2 ++
+ 3 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/src/edns0.c b/src/edns0.c
+index af33877..ba6ff0c 100644
+--- a/src/edns0.c
++++ b/src/edns0.c
+@@ -212,11 +212,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+       /* Copy back any options */
+       if (buff)
+ 	{
+-          if (p + rdlen > limit)
+-          {
+-            free(buff);
+-            return plen; /* Too big */
+-          }
++	  if (p + rdlen > limit)
++	  {
++	    free(buff);
++	    return plen; /* Too big */
++	  }
+ 	  memcpy(p, buff, rdlen);
+ 	  free(buff);
+ 	  p += rdlen;
+diff --git a/src/forward.c b/src/forward.c
+index cdd11d3..3078f64 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -1438,6 +1438,10 @@ void receive_query(struct listener *listen, time_t now)
+ 	udp_size = PACKETSZ; /* Sanity check - can't reduce below default. RFC 6891 6.2.3 */
+     }
+ 
++  // Make sure the udp size is not smaller than the incoming message so that we
++  // do not underflow
++  if (udp_size < n) udp_size = n;
++
+ #ifdef HAVE_AUTH
+   if (auth_dns)
+     {
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index b078b59..777911b 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1281,6 +1281,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
+   int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1;
+   struct mx_srv_record *rec;
+   size_t len;
++  // Make sure we do not underflow here too.
++  if (qlen > (limit - ((char *)header))) return 0;
+ 
+   if (ntohs(header->ancount) != 0 ||
+       ntohs(header->nscount) != 0 ||
+-- 
+2.14.3
+

dnsmasq-2.78-fips.patch

@@ -0,0 +1,37 @@
+From 89f57e39b69f92beacb6bad9c68d61f9c4fb0e77 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Fri, 2 Mar 2018 13:17:04 +0100
+Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq
+ has no proper FIPS 140-2 compliant implementation.
+
+---
+ src/dnsmasq.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/dnsmasq.c b/src/dnsmasq.c
+index ce44809..9f6c020 100644
+--- a/src/dnsmasq.c
++++ b/src/dnsmasq.c
+@@ -187,6 +187,7 @@ int main (int argc, char **argv)
+       
+       if (daemon->cachesize < CACHESIZ)
+ 	die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF);
++           
+ #else 
+       die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF);
+ #endif
+@@ -769,7 +770,10 @@ int main (int argc, char **argv)
+ 	}
+       
+       my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
+-      
++
++      if (access("/etc/system-fips", F_OK) == 0)
++        my_syslog(LOG_WARNING, _("DNSSEC support is not FIPS 140-2 compliant"));
++
+       daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
+       if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
+ 	my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until receipt of SIGINT"));
+-- 
+2.14.4
+

dnsmasq-2.80-dnssec.patch

@@ -0,0 +1,73 @@
+From a997ca0da044719a0ce8a232d14da8b30022592b Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 29 Jun 2018 14:39:41 +0100
+Subject: [PATCH] Fix sometimes missing DNSSEC RRs when DNSSEC validation not
+ enabled.
+
+Dnsmasq does pass on the do-bit, and return DNSSEC RRs, irrespective
+of of having DNSSEC validation compiled in or enabled.
+
+The thing to understand here is that the cache does not store all the
+DNSSEC RRs, and dnsmasq doesn't have the (very complex) logic required
+to determine the set of DNSSEC RRs required in an answer. Therefore if
+the client wants the DNSSEC RRs, the query can not be answered from
+the cache. When DNSSEC validation is enabled, any query with the
+do-bit set is never answered from the cache, unless the domain is
+known not to be signed: the query is always forwarded. This ensures
+that the DNSEC RRs are included.
+
+The same thing should be true when DNSSEC validation is not enabled,
+but there's a bug in the logic.
+
+line 1666 of src/rfc1035.c looks like this
+
+ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK))
+
+{ ...answer from cache ... }
+
+So local stuff (hosts, DHCP, ) get answered. If the do_bit is not set
+then the query is answered, and if the domain is known not to be
+signed, the query is answered.
+
+Unfortunately, if DNSSEC validation is not turned on then the
+F_DNSSECOK bit is not valid, and it's always zero, so the question
+always gets answered from the cache, even when the do-bit is set.
+
+This code should look like that at line 1468, dealing with PTR queries
+
+  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
+      !do_bit ||
+      (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
+
+where the F_DNSSECOK bit is only used when validation is enabled.
+---
+ src/rfc1035.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index ebb1f36..580f5ef 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1663,7 +1663,9 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
+ 		    }
+ 
+ 		  /* If the client asked for DNSSEC  don't use cached data. */
+-		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK))
++		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
++		      !do_bit ||
++		      (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
+ 		    do
+ 		      { 
+ 			/* don't answer wildcard queries with data not from /etc/hosts
+@@ -1747,7 +1749,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
+ 	    {
+ 	      if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME | (dryrun ? F_NO_RR : 0))) &&
+ 		  (qtype == T_CNAME || (crecp->flags & F_CONFIG)) &&
+-		  ((crecp->flags & F_CONFIG) || !do_bit || !(crecp->flags & F_DNSSECOK)))
++		  ((crecp->flags & F_CONFIG) || !do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))
+ 		{
+ 		  if (!(crecp->flags & F_DNSSECOK))
+ 		    sec_data = 0;
+-- 
+2.14.4
+

dnsmasq-systemd-sysusers.conf

@@ -0,0 +1 @@
+u dnsmasq - "Dnsmasq DHCP and DNS server" /var/lib/dnsmasq

dnsmasq.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=DNS caching server.
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/dnsmasq -k
+
+[Install]
+WantedBy=multi-user.target

dnsmasq.spec

@@ -0,0 +1,109 @@
+Name:           dnsmasq
+Version:        2.79
+Release:        8
+Summary:        Dnsmasq provides network infrastructure for small networks
+License:        GPLv2 or GPLv3
+URL:            http://www.thekelleys.org.uk/dnsmasq/
+Source0:        http://www.thekelleys.org.uk/dnsmasq/%{name}-%{version}.tar.xz
+Source1:        dnsmasq.service
+Source2:        dnsmasq-systemd-sysusers.conf
+
+#patches from the opensource fedora/redhat repository
+Patch0001:      dnsmasq-2.77-underflow.patch
+Patch0002:      dnsmasq-2.78-fips.patch
+Patch0003:      dnsmasq-2.80-dnssec.patch
+
+BuildRequires:  dbus-devel pkgconfig libidn2-devel nettle-devel systemd
+Requires:       nettle >= 3.4
+Provides:       dnsmasq-utils
+Obsoletes:      dnsmasq-utils
+
+%{?systemd_requires}
+
+%description
+Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router
+advertisement and network boot. It is designed to be lightweight and have a small
+footprint, suitable for resource constrained routers and firewalls.
+It has also been widely used for tethering on smartphones and portable hotspots,
+and to support virtual networking in virtualisation frameworks.
+
+%package help
+Summary: Help documents for dnsmasq
+
+%description help
+Help package contains some readme, man and other related files for dnsmasq.
+
+%prep
+%autosetup -n %{name}-%{version} -p1
+
+for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
+    sed -i 's|/var/lib/misc/dnsmasq.leases|/var/lib/dnsmasq/dnsmasq.leases|g' "$file"
+done
+
+sed -i 's|#user=|user=dnsmasq|;s|#group=|group=dnsmasq|;s|%%%%PREFIX%%%%|%{_prefix}|' dnsmasq.conf.example
+sed -i 's|#define CHGRP "dip"|#define CHGRP "dnsmasq"|' src/config.h
+sed -i 's|#define CHUSER "nobody"|#define CHUSER "dnsmasq"|' src/config.h
+sed -i 's|^COPTS[[:space:]]*=|\0 -DHAVE_DBUS -DHAVE_LIBIDN2 -DHAVE_DNSSEC|' Makefile
+
+cat << EOF >> dnsmasq.conf.example
+conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
+EOF
+
+%build
+%make_build CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS"
+%make_build -C contrib/lease-tools CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS"
+
+%install
+install -d $RPM_BUILD_ROOT{%{_sbindir},%{_mandir}/man8,%{_var}/lib/dnsmasq}
+install -d $RPM_BUILD_ROOT{%{_sysconfdir}/dnsmasq.d,%{_sysconfdir}/dbus-1/system.d}
+install src/dnsmasq $RPM_BUILD_ROOT%{_sbindir}/dnsmasq
+install -m644 man/dnsmasq.8 $RPM_BUILD_ROOT%{_mandir}/man8/
+install dnsmasq.conf.example $RPM_BUILD_ROOT%{_sysconfdir}/dnsmasq.conf
+install dbus/dnsmasq.conf $RPM_BUILD_ROOT%{_sysconfdir}/dbus-1/system.d/
+install -D trust-anchors.conf $RPM_BUILD_ROOT%{_datadir}/%{name}/trust-anchors.conf
+
+install -d $RPM_BUILD_ROOT{%{_bindir},%{_mandir}/man1,%{_unitdir}}
+install -m755 contrib/lease-tools/{dhcp_release,dhcp_release6,dhcp_lease_time} $RPM_BUILD_ROOT%{_bindir}/
+install -m644 contrib/lease-tools/{dhcp_release.1,dhcp_release6.1,dhcp_lease_time.1} $RPM_BUILD_ROOT%{_mandir}/man1/
+
+install -m644 %{SOURCE1} $RPM_BUILD_ROOT%{_unitdir}
+install -Dpm644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysusersdir}/dnsmasq.conf
+
+%pre
+%sysusers_create_inline %(cat %{SOURCE2})
+
+%post
+%sysusers_create
+%systemd_post dnsmasq
+
+%preun
+%systemd_preun dnsmasq
+
+%postun
+%systemd_postun_with_restart dnsmasq
+
+%files
+%doc dbus/DBus-interface
+%license COPYING COPYING-v3
+%defattr(0644,root,dnsmasq,0755)
+%config(noreplace) %{_sysconfdir}/dnsmasq.conf
+%dir %{_sysconfdir}/dnsmasq.d
+%dir %{_sharedstatedir}/dnsmasq
+%defattr(-,root,root,-)
+%{_bindir}/dhcp_*
+%{_sbindir}/dnsmasq
+%{_unitdir}/dnsmasq.service
+%{_sysusersdir}/dnsmasq.conf
+%{_datadir}/%{name}/trust-anchors.conf
+%dir %{_datadir}/dnsmasq
+%config(noreplace) %{_sysconfdir}/dbus-1/system.d/dnsmasq.conf
+%exclude %{_initrddir}
+
+%files help
+%doc CHANGELOG FAQ doc.html setup.html
+%{_mandir}/man1/dhcp_*
+%{_mandir}/man8/dnsmasq*
+
+%changelog
+* Tue Sep 20 2019 yanzhihua <yanzhihua4@huawei.com> - 2.79-8
+- Package init.