authorColin Watson <cjwatson@debian.org>2014-02-09 16:10:01 +0000
committerColin Watson <cjwatson@debian.org>2017-03-29 01:39:47 +0100
commit1e06dfb99d3a59ef0b0a804ed1c2a590b3fab71c (patch)
treef6334f58466cfe559c8aebb39074bd7018b86ee9
parentce9a126fdaa8ef6488364107cc66d04ecabc8cc4 (diff)
Force use of DNSSEC even if "options edns0" isn't in resolv.conf
This allows SSHFP DNS records to be verified if glibc 2.11 is installed. Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 Last-Update: 2010-04-06 Patch-Name: dnssec-sshfp.patch
-rw-r--r--dns.c14
-rw-r--r--openbsd-compat/getrrsetbyname.c10
-rw-r--r--openbsd-compat/getrrsetbyname.h3
3 files changed, 21 insertions, 6 deletions
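diff --git a/dns.c b/dns.c
index e813afeae..fce2e308f 100644
--- a/dns.c
+++ b/dns.c
@@ -206,6 +206,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 {
  u_int counter;
  int result;
+ unsigned int rrset_flags = 0;
  struct rrsetinfo *fingerprints = NULL;
 
  u_int8_t hostkey_algorithm;
@@ -229,8 +230,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
  return -1;
  }
 
+ /*
+ * Original getrrsetbyname function, found on OpenBSD for example,
+ * doesn't accept any flag and prerequisite for obtaining AD bit in
+ * DNS response is set by "options edns0" in resolv.conf.
+ *
+ * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
+ */
+#ifndef HAVE_GETRRSETBYNAME
+ rrset_flags |= RRSET_FORCE_EDNS0;
+#endif
  result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
- DNS_RDATATYPE_SSHFP, 0, &fingerprints);
+ DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
+
  if (result) {
  verbose("DNS lookup error: %s", dns_result_totext(result));
  return -1;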
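Review bot: The added comment block above the `#ifndef HAVE_GETRRSETBYNAME` (new lines 233-239) describes the flag as "more clever" but does not state the security limit of what it buys, which is the thing a reader of verify_host_key_dns() actually needs. Setting RRSET_FORCE_EDNS0 only makes the compat resolver request DNSSEC processing and the AD bit; whether that bit can be trusted still depends on the path between this process and a validating resolver, which this hunk does not change, and the flag is ignored entirely when the platform's own getrrsetbyname() is used. I would rewrite the comment to say, in plain terms, that OpenBSD's getrrsetbyname() takes no flags and only asks for the AD bit when resolv.conf has "options edns0", that the compat implementation accepts RRSET_FORCE_EDNS0 to request it unconditionally, and that the AD bit is only as trustworthy as the resolver path. The body of verify_host_key_dns() continues past the end of this hunk.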
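diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
index dc6fe0533..e061a290a 100644
--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
  goto fail;
  }
 
- /* don't allow flags yet, unimplemented */
- if (flags) {
+ /* Allow RRSET_FORCE_EDNS0 flag only. */
+ if ((flags & !RRSET_FORCE_EDNS0) != 0) {
  result = ERRSET_INVAL;
  goto fail;
  }
@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
 #endif /* DEBUG */
 
 #ifdef RES_USE_DNSSEC
- /* turn on DNSSEC if EDNS0 is configured */
- if (_resp->options & RES_USE_EDNS0)
- _resp->options |= RES_USE_DNSSEC;
+ /* turn on DNSSEC if required */
+ if (flags & RRSET_FORCE_EDNS0)
+ _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
 #endif /* RES_USE_DNSEC */
 
  /* make query */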
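Review bot: The new flag check on line 213, `if ((flags & !RRSET_FORCE_EDNS0) != 0)`, uses logical not where bitwise not was intended: with RRSET_FORCE_EDNS0 defined as 0x0001 in the header hunk, `!RRSET_FORCE_EDNS0` is 0, the mask is always zero, and no flags value is ever rejected, so the "unknown flags return ERRSET_INVAL" guarantee the old `if (flags)` gave is silently lost. It should read `if ((flags & ~RRSET_FORCE_EDNS0) != 0) {`. Recent compilers would probably warn about this (-Wlogical-not-parentheses or similar), which is worth checking in the build log. Both hunks sit inside getrrsetbyname(), whose body starts and ends outside this view.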
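diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h
index 1283f5506..dbbc85a2a 100644
--- a/openbsd-compat/getrrsetbyname.h
+++ b/openbsd-compat/getrrsetbyname.h
@@ -72,6 +72,9 @@
 #ifndef RRSET_VALIDATED
 # define RRSET_VALIDATED 1
 #endif
+#ifndef RRSET_FORCE_EDNS0
+# define RRSET_FORCE_EDNS0 0x0001
+#endif
 
 /*
  * Return codes for getrrsetbyname()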
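Review bot: The new RRSET_FORCE_EDNS0 define is undocumented and sits directly under RRSET_VALIDATED with the same numeric value 1, which invites a reader to treat the two as bits of one flag word; from the .c hunk, RRSET_FORCE_EDNS0 is an input bit for getrrsetbyname()'s flags argument honored only by the compat implementation, whereas RRSET_VALIDATED appears to be a result flag (presumably rri_flags, to be confirmed in dns.c). I would add above the define: `/* Input flag for the compat getrrsetbyname() flags argument: force EDNS0 and request DNSSEC (AD bit). Not an rri_flags bit, unlike RRSET_VALIDATED above. */`. Since both are wrapped in `#ifndef`, a platform header that already defines either name wins, which the comment could also note.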