summaryrefslogtreecommitdiff
path: root/debian/patches
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2010-04-06 23:19:19 +0100
committerColin Watson <cjwatson@debian.org>2010-04-06 23:19:19 +0100
commita2e78317862f864feee24cf0e1dbfb203e9f041b (patch)
treea70b35a031dffeb7c3e19c8792777214c2bce753 /debian/patches
parent428aab9f60494d0d3fc0b7147fa16d21d9d332e2 (diff)
Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 is
installed, the host key is published in an SSHFP RR secured with DNSSEC, and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key verification (closes: #572049).
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/dnssec-sshfp.patch82
-rw-r--r--debian/patches/series1
2 files changed, 83 insertions, 0 deletions
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
new file mode 100644
index 000000000..a71b42f0f
--- /dev/null
+++ b/debian/patches/dnssec-sshfp.patch
@@ -0,0 +1,82 @@
1Description: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
2 This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
3Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
4Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
5Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
6Last-Update: 2010-04-06
7
8Index: b/dns.c
9===================================================================
10--- a/dns.c
11+++ b/dns.c
12@@ -176,6 +176,7 @@
13 {
14 u_int counter;
15 int result;
16+ unsigned int rrset_flags = 0;
17 struct rrsetinfo *fingerprints = NULL;
18
19 u_int8_t hostkey_algorithm;
20@@ -199,8 +200,19 @@
21 return -1;
22 }
23
24+ /*
25+ * Original getrrsetbyname function, found on OpenBSD for example,
26+ * doesn't accept any flag and prerequisite for obtaining AD bit in
27+ * DNS response is set by "options edns0" in resolv.conf.
28+ *
29+ * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
30+ */
31+#ifndef HAVE_GETRRSETBYNAME
32+ rrset_flags |= RRSET_FORCE_EDNS0;
33+#endif
34 result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
35- DNS_RDATATYPE_SSHFP, 0, &fingerprints);
36+ DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
37+
38 if (result) {
39 verbose("DNS lookup error: %s", dns_result_totext(result));
40 return -1;
41Index: b/openbsd-compat/getrrsetbyname.c
42===================================================================
43--- a/openbsd-compat/getrrsetbyname.c
44+++ b/openbsd-compat/getrrsetbyname.c
45@@ -209,8 +209,8 @@
46 goto fail;
47 }
48
49- /* don't allow flags yet, unimplemented */
50- if (flags) {
51+ /* Allow RRSET_FORCE_EDNS0 flag only. */
52+ if ((flags & !RRSET_FORCE_EDNS0) != 0) {
53 result = ERRSET_INVAL;
54 goto fail;
55 }
56@@ -226,9 +226,9 @@
57 #endif /* DEBUG */
58
59 #ifdef RES_USE_DNSSEC
60- /* turn on DNSSEC if EDNS0 is configured */
61- if (_resp->options & RES_USE_EDNS0)
62- _resp->options |= RES_USE_DNSSEC;
63+ /* turn on DNSSEC if required */
64+ if (flags & RRSET_FORCE_EDNS0)
65+ _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
66 #endif /* RES_USE_DNSEC */
67
68 /* make query */
69Index: b/openbsd-compat/getrrsetbyname.h
70===================================================================
71--- a/openbsd-compat/getrrsetbyname.h
72+++ b/openbsd-compat/getrrsetbyname.h
73@@ -72,6 +72,9 @@
74 #ifndef RRSET_VALIDATED
75 # define RRSET_VALIDATED 1
76 #endif
77+#ifndef RRSET_FORCE_EDNS0
78+# define RRSET_FORCE_EDNS0 0x0001
79+#endif
80
81 /*
82 * Return codes for getrrsetbyname()
diff --git a/debian/patches/series b/debian/patches/series
index 03a17ba91..a75b0a0f5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,6 +28,7 @@ scp-quoting.patch
28shell-path.patch 28shell-path.patch
29ssh-copy-id-status-check.patch 29ssh-copy-id-status-check.patch
30ssh-copy-id-trailing-colons.patch 30ssh-copy-id-trailing-colons.patch
31dnssec-sshfp.patch
31 32
32# Versioning 33# Versioning
33package-versioning.patch 34package-versioning.patch