- (dtucker) [INSTALL LICENCE configure.ac openbsd-compat/Makefile.in

openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/getrrsetbyname.c] bz 1320: Add optional support for LDNS, a BSD licensed DNS resolver library which supports DNSSEC. Patch from Simon Vallet (svallet at genoscope cns fr) with some rework from myself and djm. ok djm.
author: Darren Tucker <dtucker@zip.com.au> 2011-11-04 11:25:24 +1100
committer: Darren Tucker <dtucker@zip.com.au> 2011-11-04 11:25:24 +1100
commit: aa3cbd1b5bc83a30f7deb960e3e69e56df92bc56 (patch)
tree: 4dfe9c368d9899396774e7a45425fb29ad7fcb19
parent: be4032ba1e821008df614bede98bfd8f270af77a (diff)
7 files changed, 338 insertions, 7 deletions
diff --git a/ChangeLog b/ChangeLog
index b4bad9dec..43dacda54 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -24,6 +24,11 @@
   - dtucker@cvs.openbsd.org 011/11/04 00:09:39
     [moduli]
     regenerated moduli file; ok deraadt
+ - (dtucker) [INSTALL LICENCE configure.ac openbsd-compat/Makefile.in
+   openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/getrrsetbyname.c]
+   bz 1320: Add optional support for LDNS, a BSD licensed DNS resolver library
+   which supports DNSSEC.  Patch from Simon Vallet (svallet at genoscope cns fr)
+   with some rework from myself and djm.  ok djm.
 20111025
 - (dtucker) [contrib/cygwin/Makefile] Continue if installing a doc file
diff --git a/INSTALL b/INSTALL
index 0031dea85..7c6046932 100644
--- a/INSTALL
+++ b/INSTALL
@@ -80,6 +80,12 @@ these multi-platform ports:
 http://www.thrysoee.dk/editline/
 http://sourceforge.net/projects/libedit/
+LDNS:
+LDNS is a DNS BSD-licensed resolver library which supports DNSSEC.
+http://nlnetlabs.nl/projects/ldns/
 Autoconf:
 If you modify configure.ac or configure doesn't exist (eg if you checked
@@ -260,4 +266,4 @@ Please refer to the "reporting bugs" section of the webpage at
 http://www.openssh.com/
-$Id: INSTALL,v 1.86 2011/05/05 03:48:37 djm Exp $
+$Id: INSTALL,v 1.87 2011/11/04 00:25:25 dtucker Exp $
diff --git a/LICENCE b/LICENCE
index 120d6fd54..f52387139 100644
--- a/LICENCE
+++ b/LICENCE
@@ -207,6 +207,7 @@ OpenSSH contains no GPL code.
        The SCO Group
        Daniel Walsh
        Red Hat, Inc
+        Simon Vallet / Genoscope
     * Redistribution and use in source and binary forms, with or without
     * modification, are permitted provided that the following conditions
diff --git a/configure.ac b/configure.ac
index c471e7f35..dc53f0398 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.483 2011/10/02 07:49:24 dtucker Exp $
+# $Id: configure.ac,v 1.484 2011/11/04 00:25:25 dtucker Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
-AC_REVISION($Revision: 1.483 $)
+AC_REVISION($Revision: 1.484 $)
 AC_CONFIG_SRCDIR([ssh.c])
 AC_LANG([C])
@@ -1319,6 +1319,41 @@ int deny_severity = 0, allow_severity = 0;
        ]
 )
+# Check whether user wants to use ldns
+LDNS_MSG="no"
+AC_ARG_WITH(ldns,
+        [  --with-ldns[[=PATH]]      Use ldns for DNSSEC support (optionally in PATH)],
+    [
+        if test "x$withval" != "xno" ; then
+                        if test "x$withval" != "xyes" ; then
+                                CPPFLAGS="$CPPFLAGS -I${withval}/include"
+                                LDFLAGS="$LDFLAGS -L${withval}/lib"
+                        fi
+            AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
+            LIBS="-lldns $LIBS"
+            LDNS_MSG="yes"
+            AC_MSG_CHECKING([for ldns support])
+            AC_LINK_IFELSE(
+                [AC_LANG_SOURCE([[
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <ldns/ldns.h>
+int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
+                                ]])
+                ],
+                                [AC_MSG_RESULT(yes)],
+                                [
+                                        AC_MSG_RESULT(no)
+                                        AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
+                                ])
+        fi
+    ]
+)
 # Check whether user wants libedit support
 LIBEDIT_MSG="no"
 AC_ARG_WITH([libedit],
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index fcc70fca5..196a81d13 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.47 2011/09/29 13:17:22 dtucker Exp $
+# $Id: Makefile.in,v 1.48 2011/11/04 00:25:25 dtucker Exp $
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@
 OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o timingsafe_bcmp.o vis.o
-COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
+COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
 PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
diff --git a/openbsd-compat/getrrsetbyname-ldns.c b/openbsd-compat/getrrsetbyname-ldns.c
new file mode 100644
index 000000000..8ce5678c9
--- /dev/null
+++ b/openbsd-compat/getrrsetbyname-ldns.c
@@ -0,0 +1,284 @@
+/* $OpenBSD: getrrsetbyname.c,v 1.10 2005/03/30 02:58:28 tedu Exp $ */
+/*
+ * Copyright (c) 2007 Simon Vallet / Genoscope <svallet@genoscope.cns.fr>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/*
+ * Portions Copyright (c) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include "includes.h"
+#if !defined (HAVE_GETRRSETBYNAME) && defined (HAVE_LDNS)
+#include <stdlib.h>
+#include <string.h>
+#include <ldns/ldns.h>
+#include "getrrsetbyname.h"
+#include "log.h"
+#include "xmalloc.h"
+#define malloc(x)       (xmalloc(x))
+#define calloc(x, y)    (xcalloc((x),(y)))
+#define free(x)         (xfree(x))
+int
+getrrsetbyname(const char *hostname, unsigned int rdclass,
+               unsigned int rdtype, unsigned int flags,
+               struct rrsetinfo **res)
+{
+        int result;
+        unsigned int i, j, index_ans, index_sig;
+        struct rrsetinfo *rrset = NULL;
+        struct rdatainfo *rdata;
+        size_t len;
+        ldns_resolver *ldns_res;
+        ldns_rdf *domain = NULL;
+        ldns_pkt *pkt = NULL;
+        ldns_rr_list *rrsigs = NULL, *rrdata = NULL;
+        ldns_status err;
+        ldns_rr *rr;
+        /* check for invalid class and type */
+        if (rdclass > 0xffff || rdtype > 0xffff) {
+                result = ERRSET_INVAL;
+                goto fail;
+        }
+        /* don't allow queries of class or type ANY */
+        if (rdclass == 0xff || rdtype == 0xff) {
+                result = ERRSET_INVAL;
+                goto fail;
+        }
+        /* don't allow flags yet, unimplemented */
+        if (flags) {
+                result = ERRSET_INVAL;
+                goto fail;
+        }
+        /* Initialize resolver from resolv.conf */
+        domain = ldns_dname_new_frm_str(hostname);
+        if ((err = ldns_resolver_new_frm_file(&ldns_res, NULL)) != \
+            LDNS_STATUS_OK) {
+                result = ERRSET_FAIL;
+                goto fail;
+        }
+#ifdef LDNS_DEBUG
+        ldns_resolver_set_debug(ldns_res, true);
+#endif /* LDNS_DEBUG */
+        ldns_resolver_set_dnssec(ldns_res, true); /* Use DNSSEC */
+        /* make query */
+        pkt = ldns_resolver_query(ldns_res, domain, rdtype, rdclass, LDNS_RD);
+        /*** TODO: finer errcodes -- see original **/
+        if (!pkt || ldns_pkt_ancount(pkt) < 1) {
+                result = ERRSET_FAIL;
+                goto fail;
+        }
+        /* initialize rrset */
+        rrset = calloc(1, sizeof(struct rrsetinfo));
+        if (rrset == NULL) {
+                result = ERRSET_NOMEMORY;
+                goto fail;
+        }
+        rrdata = ldns_pkt_rr_list_by_type(pkt, rdtype, LDNS_SECTION_ANSWER);
+        rrset->rri_nrdatas = ldns_rr_list_rr_count(rrdata);
+        if (!rrset->rri_nrdatas) {
+                result = ERRSET_NODATA;
+                goto fail;
+        }
+        /* copy name from answer section */
+        len = ldns_rdf_size(ldns_rr_owner(ldns_rr_list_rr(rrdata, 0)));
+        if ((rrset->rri_name = malloc(len)) == NULL) {
+                result = ERRSET_NOMEMORY;
+                goto fail;
+        }
+        memcpy(rrset->rri_name,
+            ldns_rdf_data(ldns_rr_owner(ldns_rr_list_rr(rrdata, 0))), len);
+        rrset->rri_rdclass = ldns_rr_get_class(ldns_rr_list_rr(rrdata, 0));
+        rrset->rri_rdtype = ldns_rr_get_type(ldns_rr_list_rr(rrdata, 0));
+        rrset->rri_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrdata, 0));
+        debug2("ldns: got %u answers from DNS", rrset->rri_nrdatas);
+        /* Check for authenticated data */
+        if (ldns_pkt_ad(pkt)) {
+                rrset->rri_flags |= RRSET_VALIDATED;
+        } else { /* AD is not set, try autonomous validation */
+                ldns_rr_list * trusted_keys = ldns_rr_list_new();
+                debug2("ldns: trying to validate RRset");
+                /* Get eventual sigs */
+                rrsigs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_RRSIG,
+                    LDNS_SECTION_ANSWER);
+                rrset->rri_nsigs = ldns_rr_list_rr_count(rrsigs);
+                debug2("ldns: got %u signature(s) (RRTYPE %u) from DNS",
+                       rrset->rri_nsigs, LDNS_RR_TYPE_RRSIG);
+                if ((err = ldns_verify_trusted(ldns_res, rrdata, rrsigs,
+                     trusted_keys)) == LDNS_STATUS_OK) {
+                        rrset->rri_flags |= RRSET_VALIDATED;
+                        debug2("ldns: RRset is signed with a valid key");
+                } else {
+                        debug2("ldns: RRset validation failed: %s",
+                            ldns_get_errorstr_by_id(err));
+                }
+                ldns_rr_list_deep_free(trusted_keys);
+        }
+        /* allocate memory for answers */
+        rrset->rri_rdatas = calloc(rrset->rri_nrdatas,
+           sizeof(struct rdatainfo));
+        if (rrset->rri_rdatas == NULL) {
+                result = ERRSET_NOMEMORY;
+                goto fail;
+        }
+        /* allocate memory for signatures */
+        if (rrset->rri_nsigs > 0) {
+                rrset->rri_sigs = calloc(rrset->rri_nsigs,
+                    sizeof(struct rdatainfo));
+                if (rrset->rri_sigs == NULL) {
+                        result = ERRSET_NOMEMORY;
+                        goto fail;
+                }
+        }
+        /* copy answers & signatures */
+        for (i=0, index_ans=0, index_sig=0; i< pkt->_header->_ancount; i++) {
+                rdata = NULL;
+                rr = ldns_rr_list_rr(ldns_pkt_answer(pkt), i);
+                if (ldns_rr_get_class(rr) == rrset->rri_rdclass &&
+                    ldns_rr_get_type(rr) == rrset->rri_rdtype) {
+                        rdata = &rrset->rri_rdatas[index_ans++];
+                }
+                if (rr->_rr_class == rrset->rri_rdclass &&
+                    rr->_rr_type == LDNS_RR_TYPE_RRSIG) {
+                        rdata = &rrset->rri_sigs[index_sig++];
+                }
+                if (rdata) {
+                        size_t rdata_offset = 0;
+                        rdata->rdi_length = 0;
+                        for (j=0; j< rr->_rd_count; j++) {
+                                rdata->rdi_length +=
+                                    ldns_rdf_size(ldns_rr_rdf(rr, j));
+                        }
+                        rdata->rdi_data = malloc(rdata->rdi_length);
+                        if (rdata->rdi_data == NULL) {
+                                result = ERRSET_NOMEMORY;
+                                goto fail;
+                        }
+                        /* Re-create the raw DNS RDATA */
+                        for (j=0; j< rr->_rd_count; j++) {
+                                len = ldns_rdf_size(ldns_rr_rdf(rr, j));
+                                memcpy(rdata->rdi_data + rdata_offset,
+                                       ldns_rdf_data(ldns_rr_rdf(rr, j)), len);
+                                rdata_offset += len;
+                        }
+                }
+        }
+        *res = rrset;
+        result = ERRSET_SUCCESS;
+fail:
+        /* freerrset(rrset); */
+        ldns_rdf_deep_free(domain);
+        ldns_pkt_free(pkt);
+        ldns_rr_list_deep_free(rrsigs);
+        ldns_rr_list_deep_free(rrdata);
+        ldns_resolver_deep_free(ldns_res);
+        return result;
+}
+void
+freerrset(struct rrsetinfo *rrset)
+{
+        u_int16_t i;
+        if (rrset == NULL)
+                return;
+        if (rrset->rri_rdatas) {
+                for (i = 0; i < rrset->rri_nrdatas; i++) {
+                        if (rrset->rri_rdatas[i].rdi_data == NULL)
+                                break;
+                        free(rrset->rri_rdatas[i].rdi_data);
+                }
+                free(rrset->rri_rdatas);
+        }
+        if (rrset->rri_sigs) {
+                for (i = 0; i < rrset->rri_nsigs; i++) {
+                        if (rrset->rri_sigs[i].rdi_data == NULL)
+                                break;
+                        free(rrset->rri_sigs[i].rdi_data);
+                }
+                free(rrset->rri_sigs);
+        }
+        if (rrset->rri_name)
+                free(rrset->rri_name);
+        free(rrset);
+}
+#endif /* !defined (HAVE_GETRRSETBYNAME) && defined (HAVE_LDNS) */
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
index 98876673d..dc6fe0533 100644
--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
@@ -47,7 +47,7 @@
 #include "includes.h"
-#ifndef HAVE_GETRRSETBYNAME
+#if !defined (HAVE_GETRRSETBYNAME) && !defined (HAVE_LDNS)
 #include <stdlib.h>
 #include <string.h>
@@ -607,4 +607,4 @@ count_dns_rr(struct dns_rr *p, u_int16_t class, u_int16_t type)
        return (n);
 }
-#endif /* !defined(HAVE_GETRRSETBYNAME) */
+#endif /*  !defined (HAVE_GETRRSETBYNAME) && !defined (HAVE_LDNS) */
author	Darren Tucker <dtucker@zip.com.au>	2011-11-04 11:25:24 +1100
committer	Darren Tucker <dtucker@zip.com.au>	2011-11-04 11:25:24 +1100
commit	aa3cbd1b5bc83a30f7deb960e3e69e56df92bc56 (patch)
tree	4dfe9c368d9899396774e7a45425fb29ad7fcb19
parent	be4032ba1e821008df614bede98bfd8f270af77a (diff)

diff --git a/ChangeLog b/ChangeLog index b4bad9dec..43dacda54 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -24,6 +24,11 @@
24	- dtucker@cvs.openbsd.org 011/11/04 00:09:39	24	- dtucker@cvs.openbsd.org 011/11/04 00:09:39
25	[moduli]	25	[moduli]
26	regenerated moduli file; ok deraadt	26	regenerated moduli file; ok deraadt
		27	- (dtucker) [INSTALL LICENCE configure.ac openbsd-compat/Makefile.in
		28	openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/getrrsetbyname.c]
		29	bz 1320: Add optional support for LDNS, a BSD licensed DNS resolver library
		30	which supports DNSSEC. Patch from Simon Vallet (svallet at genoscope cns fr)
		31	with some rework from myself and djm. ok djm.
27		32
28	20111025	33	20111025
29	- (dtucker) [contrib/cygwin/Makefile] Continue if installing a doc file	34	- (dtucker) [contrib/cygwin/Makefile] Continue if installing a doc file


diff --git a/INSTALL b/INSTALL index 0031dea85..7c6046932 100644 --- a/INSTALL +++ b/INSTALL
@@ -80,6 +80,12 @@ these multi-platform ports:
80	http://www.thrysoee.dk/editline/	80	http://www.thrysoee.dk/editline/
81	http://sourceforge.net/projects/libedit/	81	http://sourceforge.net/projects/libedit/
82		82
		83	LDNS:
		84
		85	LDNS is a DNS BSD-licensed resolver library which supports DNSSEC.
		86
		87	http://nlnetlabs.nl/projects/ldns/
		88
83	Autoconf:	89	Autoconf:
84		90
85	If you modify configure.ac or configure doesn't exist (eg if you checked	91	If you modify configure.ac or configure doesn't exist (eg if you checked
@@ -260,4 +266,4 @@ Please refer to the "reporting bugs" section of the webpage at
260	http://www.openssh.com/	266	http://www.openssh.com/
261		267
262		268
263	$Id: INSTALL,v 1.86 2011/05/05 03:48:37 djm Exp $	269	$Id: INSTALL,v 1.87 2011/11/04 00:25:25 dtucker Exp $


diff --git a/LICENCE b/LICENCE index 120d6fd54..f52387139 100644 --- a/LICENCE +++ b/LICENCE
@@ -207,6 +207,7 @@ OpenSSH contains no GPL code.
207	The SCO Group	207	The SCO Group
208	Daniel Walsh	208	Daniel Walsh
209	Red Hat, Inc	209	Red Hat, Inc
		210	Simon Vallet / Genoscope
210		211
211	* Redistribution and use in source and binary forms, with or without	212	* Redistribution and use in source and binary forms, with or without
212	* modification, are permitted provided that the following conditions	213	* modification, are permitted provided that the following conditions


diff --git a/configure.ac b/configure.ac index c471e7f35..dc53f0398 100644 --- a/configure.ac +++ b/configure.ac
@@ -1,4 +1,4 @@
1	# $Id: configure.ac,v 1.483 2011/10/02 07:49:24 dtucker Exp $	1	# $Id: configure.ac,v 1.484 2011/11/04 00:25:25 dtucker Exp $
2	#	2	#
3	# Copyright (c) 1999-2004 Damien Miller	3	# Copyright (c) 1999-2004 Damien Miller
4	#	4	#
@@ -15,7 +15,7 @@
15	# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16		16
17	AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])	17	AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
18	AC_REVISION($Revision: 1.483 $)	18	AC_REVISION($Revision: 1.484 $)
19	AC_CONFIG_SRCDIR([ssh.c])	19	AC_CONFIG_SRCDIR([ssh.c])
20	AC_LANG([C])	20	AC_LANG([C])
21		21
@@ -1319,6 +1319,41 @@ int deny_severity = 0, allow_severity = 0;
1319	]	1319	]
1320	)	1320	)
1321		1321
		1322	# Check whether user wants to use ldns
		1323	LDNS_MSG="no"
		1324	AC_ARG_WITH(ldns,
		1325	[ --with-ldns[[=PATH]] Use ldns for DNSSEC support (optionally in PATH)],
		1326	[
		1327	if test "x$withval" != "xno" ; then
		1328
		1329	if test "x$withval" != "xyes" ; then
		1330	CPPFLAGS="$CPPFLAGS -I${withval}/include"
		1331	LDFLAGS="$LDFLAGS -L${withval}/lib"
		1332	fi
		1333
		1334	AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support])
		1335	LIBS="-lldns $LIBS"
		1336	LDNS_MSG="yes"
		1337
		1338	AC_MSG_CHECKING([for ldns support])
		1339	AC_LINK_IFELSE(
		1340	[AC_LANG_SOURCE([[
		1341	#include <stdio.h>
		1342	#include <stdlib.h>
		1343	#include <stdint.h>
		1344	#include <ldns/ldns.h>
		1345	int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
		1346	]])
		1347	],
		1348	[AC_MSG_RESULT(yes)],
		1349	[
		1350	AC_MSG_RESULT(no)
		1351	AC_MSG_ERROR([** Incomplete or missing ldns libraries.])
		1352	])
		1353	fi
		1354	]
		1355	)
		1356
1322	# Check whether user wants libedit support	1357	# Check whether user wants libedit support
1323	LIBEDIT_MSG="no"	1358	LIBEDIT_MSG="no"
1324	AC_ARG_WITH([libedit],	1359	AC_ARG_WITH([libedit],


diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in index fcc70fca5..196a81d13 100644 --- a/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
1	# $Id: Makefile.in,v 1.47 2011/09/29 13:17:22 dtucker Exp $	1	# $Id: Makefile.in,v 1.48 2011/11/04 00:25:25 dtucker Exp $
2		2
3	sysconfdir=@sysconfdir@	3	sysconfdir=@sysconfdir@
4	piddir=@piddir@	4	piddir=@piddir@
@@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@
18		18
19	OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o timingsafe_bcmp.o vis.o	19	OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o timingsafe_bcmp.o vis.o
20		20
21	COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o	21	COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
22		22
23	PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o	23	PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
24		24


diff --git a/openbsd-compat/getrrsetbyname-ldns.c b/openbsd-compat/getrrsetbyname-ldns.c new file mode 100644 index 000000000..8ce5678c9 --- /dev/null +++ b/openbsd-compat/getrrsetbyname-ldns.c
@@ -0,0 +1,284 @@
		1	/* $OpenBSD: getrrsetbyname.c,v 1.10 2005/03/30 02:58:28 tedu Exp $ */
		2
		3	/*
		4	* Copyright (c) 2007 Simon Vallet / Genoscope <svallet@genoscope.cns.fr>
		5	*
		6	* Redistribution and use in source and binary forms, with or without
		7	* modification, are permitted provided that the following conditions
		8	* are met:
		9	*
		10	* 1. Redistributions of source code must retain the above copyright
		11	* notice, this list of conditions and the following disclaimer.
		12	*
		13	* 2. Redistributions in binary form must reproduce the above copyright
		14	* notice, this list of conditions and the following disclaimer in the
		15	* documentation and/or other materials provided with the distribution.
		16	*
		17	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
		18	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
		19	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
		20	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
		21	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
		22	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
		23	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
		24	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
		25	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
		26	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
		27	*/
		28
		29	/*
		30	* Portions Copyright (c) 1999-2001 Internet Software Consortium.
		31	*
		32	* Permission to use, copy, modify, and distribute this software for any
		33	* purpose with or without fee is hereby granted, provided that the above
		34	* copyright notice and this permission notice appear in all copies.
		35	*
		36	* THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
		37	* DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
		38	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
		39	* INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
		40	* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
		41	* FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
		42	* NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
		43	* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		44	*/
		45
		46	#include "includes.h"
		47
		48	#if !defined (HAVE_GETRRSETBYNAME) && defined (HAVE_LDNS)
		49
		50	#include <stdlib.h>
		51	#include <string.h>
		52
		53	#include <ldns/ldns.h>
		54
		55	#include "getrrsetbyname.h"
		56	#include "log.h"
		57	#include "xmalloc.h"
		58
		59	#define malloc(x) (xmalloc(x))
		60	#define calloc(x, y) (xcalloc((x),(y)))
		61	#define free(x) (xfree(x))
		62
		63	int
		64	getrrsetbyname(const char *hostname, unsigned int rdclass,
		65	unsigned int rdtype, unsigned int flags,
		66	struct rrsetinfo **res)
		67	{
		68	int result;
		69	unsigned int i, j, index_ans, index_sig;
		70	struct rrsetinfo *rrset = NULL;
		71	struct rdatainfo *rdata;
		72	size_t len;
		73	ldns_resolver *ldns_res;
		74	ldns_rdf *domain = NULL;
		75	ldns_pkt *pkt = NULL;
		76	ldns_rr_list rrsigs = NULL, rrdata = NULL;
		77	ldns_status err;
		78	ldns_rr *rr;
		79
		80	/* check for invalid class and type */
		81	if (rdclass > 0xffff \|\| rdtype > 0xffff) {
		82	result = ERRSET_INVAL;
		83	goto fail;
		84	}
		85
		86	/* don't allow queries of class or type ANY */
		87	if (rdclass == 0xff \|\| rdtype == 0xff) {
		88	result = ERRSET_INVAL;
		89	goto fail;
		90	}
		91
		92	/* don't allow flags yet, unimplemented */
		93	if (flags) {
		94	result = ERRSET_INVAL;
		95	goto fail;
		96	}
		97
		98	/* Initialize resolver from resolv.conf */
		99	domain = ldns_dname_new_frm_str(hostname);
		100	if ((err = ldns_resolver_new_frm_file(&ldns_res, NULL)) != \
		101	LDNS_STATUS_OK) {
		102	result = ERRSET_FAIL;
		103	goto fail;
		104	}
		105
		106	#ifdef LDNS_DEBUG
		107	ldns_resolver_set_debug(ldns_res, true);
		108	#endif /* LDNS_DEBUG */
		109
		110	ldns_resolver_set_dnssec(ldns_res, true); /* Use DNSSEC */
		111
		112	/* make query */
		113	pkt = ldns_resolver_query(ldns_res, domain, rdtype, rdclass, LDNS_RD);
		114
		115	/* TODO: finer errcodes -- see original /
		116	if (!pkt \|\| ldns_pkt_ancount(pkt) < 1) {
		117	result = ERRSET_FAIL;
		118	goto fail;
		119	}
		120
		121	/* initialize rrset */
		122	rrset = calloc(1, sizeof(struct rrsetinfo));
		123	if (rrset == NULL) {
		124	result = ERRSET_NOMEMORY;
		125	goto fail;
		126	}
		127
		128	rrdata = ldns_pkt_rr_list_by_type(pkt, rdtype, LDNS_SECTION_ANSWER);
		129	rrset->rri_nrdatas = ldns_rr_list_rr_count(rrdata);
		130	if (!rrset->rri_nrdatas) {
		131	result = ERRSET_NODATA;
		132	goto fail;
		133	}
		134
		135	/* copy name from answer section */
		136	len = ldns_rdf_size(ldns_rr_owner(ldns_rr_list_rr(rrdata, 0)));
		137	if ((rrset->rri_name = malloc(len)) == NULL) {
		138	result = ERRSET_NOMEMORY;
		139	goto fail;
		140	}
		141	memcpy(rrset->rri_name,
		142	ldns_rdf_data(ldns_rr_owner(ldns_rr_list_rr(rrdata, 0))), len);
		143
		144	rrset->rri_rdclass = ldns_rr_get_class(ldns_rr_list_rr(rrdata, 0));
		145	rrset->rri_rdtype = ldns_rr_get_type(ldns_rr_list_rr(rrdata, 0));
		146	rrset->rri_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrdata, 0));
		147
		148	debug2("ldns: got %u answers from DNS", rrset->rri_nrdatas);
		149
		150	/* Check for authenticated data */
		151	if (ldns_pkt_ad(pkt)) {
		152	rrset->rri_flags \|= RRSET_VALIDATED;
		153	} else { /* AD is not set, try autonomous validation */
		154	ldns_rr_list * trusted_keys = ldns_rr_list_new();
		155
		156	debug2("ldns: trying to validate RRset");
		157	/* Get eventual sigs */
		158	rrsigs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_RRSIG,
		159	LDNS_SECTION_ANSWER);
		160
		161	rrset->rri_nsigs = ldns_rr_list_rr_count(rrsigs);
		162	debug2("ldns: got %u signature(s) (RRTYPE %u) from DNS",
		163	rrset->rri_nsigs, LDNS_RR_TYPE_RRSIG);
		164
		165	if ((err = ldns_verify_trusted(ldns_res, rrdata, rrsigs,
		166	trusted_keys)) == LDNS_STATUS_OK) {
		167	rrset->rri_flags \|= RRSET_VALIDATED;
		168	debug2("ldns: RRset is signed with a valid key");
		169	} else {
		170	debug2("ldns: RRset validation failed: %s",
		171	ldns_get_errorstr_by_id(err));
		172	}
		173
		174	ldns_rr_list_deep_free(trusted_keys);
		175	}
		176
		177	/* allocate memory for answers */
		178	rrset->rri_rdatas = calloc(rrset->rri_nrdatas,
		179	sizeof(struct rdatainfo));
		180
		181	if (rrset->rri_rdatas == NULL) {
		182	result = ERRSET_NOMEMORY;
		183	goto fail;
		184	}
		185
		186	/* allocate memory for signatures */
		187	if (rrset->rri_nsigs > 0) {
		188	rrset->rri_sigs = calloc(rrset->rri_nsigs,
		189	sizeof(struct rdatainfo));
		190
		191	if (rrset->rri_sigs == NULL) {
		192	result = ERRSET_NOMEMORY;
		193	goto fail;
		194	}
		195	}
		196
		197	/* copy answers & signatures */
		198	for (i=0, index_ans=0, index_sig=0; i< pkt->_header->_ancount; i++) {
		199	rdata = NULL;
		200	rr = ldns_rr_list_rr(ldns_pkt_answer(pkt), i);
		201
		202	if (ldns_rr_get_class(rr) == rrset->rri_rdclass &&
		203	ldns_rr_get_type(rr) == rrset->rri_rdtype) {
		204	rdata = &rrset->rri_rdatas[index_ans++];
		205	}
		206
		207	if (rr->_rr_class == rrset->rri_rdclass &&
		208	rr->_rr_type == LDNS_RR_TYPE_RRSIG) {
		209	rdata = &rrset->rri_sigs[index_sig++];
		210	}
		211
		212	if (rdata) {
		213	size_t rdata_offset = 0;
		214
		215	rdata->rdi_length = 0;
		216	for (j=0; j< rr->_rd_count; j++) {
		217	rdata->rdi_length +=
		218	ldns_rdf_size(ldns_rr_rdf(rr, j));
		219	}
		220
		221	rdata->rdi_data = malloc(rdata->rdi_length);
		222	if (rdata->rdi_data == NULL) {
		223	result = ERRSET_NOMEMORY;
		224	goto fail;
		225	}
		226
		227	/* Re-create the raw DNS RDATA */
		228	for (j=0; j< rr->_rd_count; j++) {
		229	len = ldns_rdf_size(ldns_rr_rdf(rr, j));
		230	memcpy(rdata->rdi_data + rdata_offset,
		231	ldns_rdf_data(ldns_rr_rdf(rr, j)), len);
		232	rdata_offset += len;
		233	}
		234	}
		235	}
		236
		237	*res = rrset;
		238	result = ERRSET_SUCCESS;
		239
		240	fail:
		241	/* freerrset(rrset); */
		242	ldns_rdf_deep_free(domain);
		243	ldns_pkt_free(pkt);
		244	ldns_rr_list_deep_free(rrsigs);
		245	ldns_rr_list_deep_free(rrdata);
		246	ldns_resolver_deep_free(ldns_res);
		247
		248	return result;
		249	}
		250
		251
		252	void
		253	freerrset(struct rrsetinfo *rrset)
		254	{
		255	u_int16_t i;
		256
		257	if (rrset == NULL)
		258	return;
		259
		260	if (rrset->rri_rdatas) {
		261	for (i = 0; i < rrset->rri_nrdatas; i++) {
		262	if (rrset->rri_rdatas[i].rdi_data == NULL)
		263	break;
		264	free(rrset->rri_rdatas[i].rdi_data);
		265	}
		266	free(rrset->rri_rdatas);
		267	}
		268
		269	if (rrset->rri_sigs) {
		270	for (i = 0; i < rrset->rri_nsigs; i++) {
		271	if (rrset->rri_sigs[i].rdi_data == NULL)
		272	break;
		273	free(rrset->rri_sigs[i].rdi_data);
		274	}
		275	free(rrset->rri_sigs);
		276	}
		277
		278	if (rrset->rri_name)
		279	free(rrset->rri_name);
		280	free(rrset);
		281	}
		282
		283
		284	#endif /* !defined (HAVE_GETRRSETBYNAME) && defined (HAVE_LDNS) */


diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c index 98876673d..dc6fe0533 100644 --- a/openbsd-compat/getrrsetbyname.c +++ b/openbsd-compat/getrrsetbyname.c
@@ -47,7 +47,7 @@
47		47
48	#include "includes.h"	48	#include "includes.h"
49		49
50	#ifndef HAVE_GETRRSETBYNAME	50	#if !defined (HAVE_GETRRSETBYNAME) && !defined (HAVE_LDNS)
51		51
52	#include <stdlib.h>	52	#include <stdlib.h>
53	#include <string.h>	53	#include <string.h>
@@ -607,4 +607,4 @@ count_dns_rr(struct dns_rr *p, u_int16_t class, u_int16_t type)
607	return (n);	607	return (n);
608	}	608	}
609		609
610	#endif /* !defined(HAVE_GETRRSETBYNAME) */	610	#endif /* !defined (HAVE_GETRRSETBYNAME) && !defined (HAVE_LDNS) */