diff options
author | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:10:01 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2017-03-29 01:39:47 +0100 |
commit | 1e06dfb99d3a59ef0b0a804ed1c2a590b3fab71c (patch) | |
tree | f6334f58466cfe559c8aebb39074bd7018b86ee9 | |
parent | ce9a126fdaa8ef6488364107cc66d04ecabc8cc4 (diff) |
Force use of DNSSEC even if "options edns0" isn't in resolv.conf
This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Last-Update: 2010-04-06
Patch-Name: dnssec-sshfp.patch
-rw-r--r-- | dns.c | 14 | ||||
-rw-r--r-- | openbsd-compat/getrrsetbyname.c | 10 | ||||
-rw-r--r-- | openbsd-compat/getrrsetbyname.h | 3 |
3 files changed, 21 insertions, 6 deletions
@@ -206,6 +206,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, | |||
206 | { | 206 | { |
207 | u_int counter; | 207 | u_int counter; |
208 | int result; | 208 | int result; |
209 | unsigned int rrset_flags = 0; | ||
209 | struct rrsetinfo *fingerprints = NULL; | 210 | struct rrsetinfo *fingerprints = NULL; |
210 | 211 | ||
211 | u_int8_t hostkey_algorithm; | 212 | u_int8_t hostkey_algorithm; |
@@ -229,8 +230,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, | |||
229 | return -1; | 230 | return -1; |
230 | } | 231 | } |
231 | 232 | ||
233 | /* | ||
234 | * Original getrrsetbyname function, found on OpenBSD for example, | ||
235 | * doesn't accept any flag and prerequisite for obtaining AD bit in | ||
236 | * DNS response is set by "options edns0" in resolv.conf. | ||
237 | * | ||
238 | * Our version is more clever and use RRSET_FORCE_EDNS0 flag. | ||
239 | */ | ||
240 | #ifndef HAVE_GETRRSETBYNAME | ||
241 | rrset_flags |= RRSET_FORCE_EDNS0; | ||
242 | #endif | ||
232 | result = getrrsetbyname(hostname, DNS_RDATACLASS_IN, | 243 | result = getrrsetbyname(hostname, DNS_RDATACLASS_IN, |
233 | DNS_RDATATYPE_SSHFP, 0, &fingerprints); | 244 | DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints); |
245 | |||
234 | if (result) { | 246 | if (result) { |
235 | verbose("DNS lookup error: %s", dns_result_totext(result)); | 247 | verbose("DNS lookup error: %s", dns_result_totext(result)); |
236 | return -1; | 248 | return -1; |
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c index dc6fe0533..e061a290a 100644 --- a/openbsd-compat/getrrsetbyname.c +++ b/openbsd-compat/getrrsetbyname.c | |||
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, | |||
209 | goto fail; | 209 | goto fail; |
210 | } | 210 | } |
211 | 211 | ||
212 | /* don't allow flags yet, unimplemented */ | 212 | /* Allow RRSET_FORCE_EDNS0 flag only. */ |
213 | if (flags) { | 213 | if ((flags & !RRSET_FORCE_EDNS0) != 0) { |
214 | result = ERRSET_INVAL; | 214 | result = ERRSET_INVAL; |
215 | goto fail; | 215 | goto fail; |
216 | } | 216 | } |
@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, | |||
226 | #endif /* DEBUG */ | 226 | #endif /* DEBUG */ |
227 | 227 | ||
228 | #ifdef RES_USE_DNSSEC | 228 | #ifdef RES_USE_DNSSEC |
229 | /* turn on DNSSEC if EDNS0 is configured */ | 229 | /* turn on DNSSEC if required */ |
230 | if (_resp->options & RES_USE_EDNS0) | 230 | if (flags & RRSET_FORCE_EDNS0) |
231 | _resp->options |= RES_USE_DNSSEC; | 231 | _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC); |
232 | #endif /* RES_USE_DNSEC */ | 232 | #endif /* RES_USE_DNSEC */ |
233 | 233 | ||
234 | /* make query */ | 234 | /* make query */ |
diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h index 1283f5506..dbbc85a2a 100644 --- a/openbsd-compat/getrrsetbyname.h +++ b/openbsd-compat/getrrsetbyname.h | |||
@@ -72,6 +72,9 @@ | |||
72 | #ifndef RRSET_VALIDATED | 72 | #ifndef RRSET_VALIDATED |
73 | # define RRSET_VALIDATED 1 | 73 | # define RRSET_VALIDATED 1 |
74 | #endif | 74 | #endif |
75 | #ifndef RRSET_FORCE_EDNS0 | ||
76 | # define RRSET_FORCE_EDNS0 0x0001 | ||
77 | #endif | ||
75 | 78 | ||
76 | /* | 79 | /* |
77 | * Return codes for getrrsetbyname() | 80 | * Return codes for getrrsetbyname() |