Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 is

installed, the host key is published in an SSHFP RR secured with DNSSEC, and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key verification (closes: #572049).
author: Colin Watson <cjwatson@debian.org> 2010-04-06 23:19:19 +0100
committer: Colin Watson <cjwatson@debian.org> 2010-04-06 23:19:19 +0100
commit: a2e78317862f864feee24cf0e1dbfb203e9f041b (patch)
tree: a70b35a031dffeb7c3e19c8792777214c2bce753 /debian/patches
parent: 428aab9f60494d0d3fc0b7147fa16d21d9d332e2 (diff)
2 files changed, 83 insertions, 0 deletions
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
new file mode 100644
index 000000000..a71b42f0f
--- /dev/null
+++ b/debian/patches/dnssec-sshfp.patch
@@ -0,0 +1,82 @@
+Description: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
+ This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
+Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
+Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
+Last-Update: 2010-04-06
+Index: b/dns.c
+===================================================================
+--- a/dns.c
+++ b/dns.c
+@@ -176,6 +176,7 @@
+ {
+        u_int counter;
+        int result;
+       unsigned int rrset_flags = 0;
+        struct rrsetinfo *fingerprints = NULL;
+ 
+        u_int8_t hostkey_algorithm;
+@@ -199,8 +200,19 @@
+                return -1;
+        }
+ 
+       /*
+        * Original getrrsetbyname function, found on OpenBSD for example,
+        * doesn't accept any flag and prerequisite for obtaining AD bit in
+        * DNS response is set by "options edns0" in resolv.conf.
+        *
+        * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
+        */
+#ifndef HAVE_GETRRSETBYNAME
+       rrset_flags |= RRSET_FORCE_EDNS0;
+#endif
+        result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
+-           DNS_RDATATYPE_SSHFP, 0, &fingerprints);
+           DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
+
+        if (result) {
+                verbose("DNS lookup error: %s", dns_result_totext(result));
+                return -1;
+Index: b/openbsd-compat/getrrsetbyname.c
+===================================================================
+--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
+@@ -209,8 +209,8 @@
+                goto fail;
+        }
+ 
+-       /* don't allow flags yet, unimplemented */
+-       if (flags) {
+       /* Allow RRSET_FORCE_EDNS0 flag only. */
+       if ((flags & !RRSET_FORCE_EDNS0) != 0) {
+                result = ERRSET_INVAL;
+                goto fail;
+        }
+@@ -226,9 +226,9 @@
+ #endif /* DEBUG */
+ 
+ #ifdef RES_USE_DNSSEC
+-       /* turn on DNSSEC if EDNS0 is configured */
+-       if (_resp->options & RES_USE_EDNS0)
+-               _resp->options |= RES_USE_DNSSEC;
+       /* turn on DNSSEC if required  */
+       if (flags & RRSET_FORCE_EDNS0)
+               _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
+ #endif /* RES_USE_DNSEC */
+ 
+        /* make query */
+Index: b/openbsd-compat/getrrsetbyname.h
+===================================================================
+--- a/openbsd-compat/getrrsetbyname.h
+++ b/openbsd-compat/getrrsetbyname.h
+@@ -72,6 +72,9 @@
+ #ifndef RRSET_VALIDATED
+ # define RRSET_VALIDATED       1
+ #endif
+#ifndef RRSET_FORCE_EDNS0
+# define RRSET_FORCE_EDNS0     0x0001
+#endif
+ 
+ /*
+  * Return codes for getrrsetbyname()
diff --git a/debian/patches/series b/debian/patches/series
index 03a17ba91..a75b0a0f5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,6 +28,7 @@ scp-quoting.patch
 shell-path.patch
 ssh-copy-id-status-check.patch
 ssh-copy-id-trailing-colons.patch
+dnssec-sshfp.patch
 # Versioning
 package-versioning.patch
author	Colin Watson <cjwatson@debian.org>	2010-04-06 23:19:19 +0100
committer	Colin Watson <cjwatson@debian.org>	2010-04-06 23:19:19 +0100
commit	a2e78317862f864feee24cf0e1dbfb203e9f041b (patch)
tree	a70b35a031dffeb7c3e19c8792777214c2bce753 /debian/patches
parent	428aab9f60494d0d3fc0b7147fa16d21d9d332e2 (diff)

diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch new file mode 100644 index 000000000..a71b42f0f --- /dev/null +++ b/debian/patches/dnssec-sshfp.patch
@@ -0,0 +1,82 @@
		1	Description: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
		2	This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
		3	Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
		4	Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
		5	Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
		6	Last-Update: 2010-04-06
		7
		8	Index: b/dns.c
		9	===================================================================
		10	--- a/dns.c
		11	+++ b/dns.c
		12	@@ -176,6 +176,7 @@
		13	{
		14	u_int counter;
		15	int result;
		16	+ unsigned int rrset_flags = 0;
		17	struct rrsetinfo *fingerprints = NULL;
		18
		19	u_int8_t hostkey_algorithm;
		20	@@ -199,8 +200,19 @@
		21	return -1;
		22	}
		23
		24	+ /*
		25	+ * Original getrrsetbyname function, found on OpenBSD for example,
		26	+ * doesn't accept any flag and prerequisite for obtaining AD bit in
		27	+ * DNS response is set by "options edns0" in resolv.conf.
		28	+ *
		29	+ * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
		30	+ */
		31	+#ifndef HAVE_GETRRSETBYNAME
		32	+ rrset_flags \|= RRSET_FORCE_EDNS0;
		33	+#endif
		34	result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
		35	- DNS_RDATATYPE_SSHFP, 0, &fingerprints);
		36	+ DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
		37	+
		38	if (result) {
		39	verbose("DNS lookup error: %s", dns_result_totext(result));
		40	return -1;
		41	Index: b/openbsd-compat/getrrsetbyname.c
		42	===================================================================
		43	--- a/openbsd-compat/getrrsetbyname.c
		44	+++ b/openbsd-compat/getrrsetbyname.c
		45	@@ -209,8 +209,8 @@
		46	goto fail;
		47	}
		48
		49	- /* don't allow flags yet, unimplemented */
		50	- if (flags) {
		51	+ /* Allow RRSET_FORCE_EDNS0 flag only. */
		52	+ if ((flags & !RRSET_FORCE_EDNS0) != 0) {
		53	result = ERRSET_INVAL;
		54	goto fail;
		55	}
		56	@@ -226,9 +226,9 @@
		57	#endif /* DEBUG */
		58
		59	#ifdef RES_USE_DNSSEC
		60	- /* turn on DNSSEC if EDNS0 is configured */
		61	- if (_resp->options & RES_USE_EDNS0)
		62	- _resp->options \|= RES_USE_DNSSEC;
		63	+ /* turn on DNSSEC if required */
		64	+ if (flags & RRSET_FORCE_EDNS0)
		65	+ _resp->options \|= (RES_USE_EDNS0\|RES_USE_DNSSEC);
		66	#endif /* RES_USE_DNSEC */
		67
		68	/* make query */
		69	Index: b/openbsd-compat/getrrsetbyname.h
		70	===================================================================
		71	--- a/openbsd-compat/getrrsetbyname.h
		72	+++ b/openbsd-compat/getrrsetbyname.h
		73	@@ -72,6 +72,9 @@
		74	#ifndef RRSET_VALIDATED
		75	# define RRSET_VALIDATED 1
		76	#endif
		77	+#ifndef RRSET_FORCE_EDNS0
		78	+# define RRSET_FORCE_EDNS0 0x0001
		79	+#endif
		80
		81	/*
		82	* Return codes for getrrsetbyname()


diff --git a/debian/patches/series b/debian/patches/series index 03a17ba91..a75b0a0f5 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -28,6 +28,7 @@ scp-quoting.patch
28	shell-path.patch	28	shell-path.patch
29	ssh-copy-id-status-check.patch	29	ssh-copy-id-status-check.patch
30	ssh-copy-id-trailing-colons.patch	30	ssh-copy-id-trailing-colons.patch
		31	dnssec-sshfp.patch
31		32
32	# Versioning	33	# Versioning
33	package-versioning.patch	34	package-versioning.patch