diff options
author | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:10:01 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2014-02-09 23:43:41 +0000 |
commit | d77a569da1afcb73c6ddfc934092461eeb4edb53 (patch) | |
tree | f007d489e634963951cc5e3b0e853743032b63d6 | |
parent | 7231af57ca3efb451ace1b8e056fa0e52c67654e (diff) |
Force use of DNSSEC even if "options edns0" isn't in resolv.conf
This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Last-Update: 2010-04-06
Patch-Name: dnssec-sshfp.patch
-rw-r--r-- | dns.c | 14 | ||||
-rw-r--r-- | openbsd-compat/getrrsetbyname.c | 10 | ||||
-rw-r--r-- | openbsd-compat/getrrsetbyname.h | 3 |
3 files changed, 21 insertions, 6 deletions
@@ -196,6 +196,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, | |||
196 | { | 196 | { |
197 | u_int counter; | 197 | u_int counter; |
198 | int result; | 198 | int result; |
199 | unsigned int rrset_flags = 0; | ||
199 | struct rrsetinfo *fingerprints = NULL; | 200 | struct rrsetinfo *fingerprints = NULL; |
200 | 201 | ||
201 | u_int8_t hostkey_algorithm; | 202 | u_int8_t hostkey_algorithm; |
@@ -219,8 +220,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, | |||
219 | return -1; | 220 | return -1; |
220 | } | 221 | } |
221 | 222 | ||
223 | /* | ||
224 | * Original getrrsetbyname function, found on OpenBSD for example, | ||
225 | * doesn't accept any flag and prerequisite for obtaining AD bit in | ||
226 | * DNS response is set by "options edns0" in resolv.conf. | ||
227 | * | ||
228 | * Our version is more clever and use RRSET_FORCE_EDNS0 flag. | ||
229 | */ | ||
230 | #ifndef HAVE_GETRRSETBYNAME | ||
231 | rrset_flags |= RRSET_FORCE_EDNS0; | ||
232 | #endif | ||
222 | result = getrrsetbyname(hostname, DNS_RDATACLASS_IN, | 233 | result = getrrsetbyname(hostname, DNS_RDATACLASS_IN, |
223 | DNS_RDATATYPE_SSHFP, 0, &fingerprints); | 234 | DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints); |
235 | |||
224 | if (result) { | 236 | if (result) { |
225 | verbose("DNS lookup error: %s", dns_result_totext(result)); | 237 | verbose("DNS lookup error: %s", dns_result_totext(result)); |
226 | return -1; | 238 | return -1; |
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c index dc6fe0533..e061a290a 100644 --- a/openbsd-compat/getrrsetbyname.c +++ b/openbsd-compat/getrrsetbyname.c | |||
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, | |||
209 | goto fail; | 209 | goto fail; |
210 | } | 210 | } |
211 | 211 | ||
212 | /* don't allow flags yet, unimplemented */ | 212 | /* Allow RRSET_FORCE_EDNS0 flag only. */ |
213 | if (flags) { | 213 | if ((flags & !RRSET_FORCE_EDNS0) != 0) { |
214 | result = ERRSET_INVAL; | 214 | result = ERRSET_INVAL; |
215 | goto fail; | 215 | goto fail; |
216 | } | 216 | } |
@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, | |||
226 | #endif /* DEBUG */ | 226 | #endif /* DEBUG */ |
227 | 227 | ||
228 | #ifdef RES_USE_DNSSEC | 228 | #ifdef RES_USE_DNSSEC |
229 | /* turn on DNSSEC if EDNS0 is configured */ | 229 | /* turn on DNSSEC if required */ |
230 | if (_resp->options & RES_USE_EDNS0) | 230 | if (flags & RRSET_FORCE_EDNS0) |
231 | _resp->options |= RES_USE_DNSSEC; | 231 | _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC); |
232 | #endif /* RES_USE_DNSEC */ | 232 | #endif /* RES_USE_DNSEC */ |
233 | 233 | ||
234 | /* make query */ | 234 | /* make query */ |
diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h index 1283f5506..dbbc85a2a 100644 --- a/openbsd-compat/getrrsetbyname.h +++ b/openbsd-compat/getrrsetbyname.h | |||
@@ -72,6 +72,9 @@ | |||
72 | #ifndef RRSET_VALIDATED | 72 | #ifndef RRSET_VALIDATED |
73 | # define RRSET_VALIDATED 1 | 73 | # define RRSET_VALIDATED 1 |
74 | #endif | 74 | #endif |
75 | #ifndef RRSET_FORCE_EDNS0 | ||
76 | # define RRSET_FORCE_EDNS0 0x0001 | ||
77 | #endif | ||
75 | 78 | ||
76 | /* | 79 | /* |
77 | * Return codes for getrrsetbyname() | 80 | * Return codes for getrrsetbyname() |