6 files changed, 113 insertions, 6 deletions
diff --git a/debian/changelog b/debian/changelog
index e2ce33bfb..0ec794b93 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+openssh (1:5.4p1-2) UNRELEASED; urgency=low
+  * Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 is
+    installed, the host key is published in an SSHFP RR secured with DNSSEC,
+    and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key
+    verification (closes: #572049).
+ -- Colin Watson <cjwatson@debian.org>  Tue, 06 Apr 2010 23:16:39 +0100
 openssh (1:5.4p1-1) unstable; urgency=low
  * New upstream release (LP: #535029).
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
new file mode 100644
index 000000000..a71b42f0f
--- /dev/null
+++ b/debian/patches/dnssec-sshfp.patch
@@ -0,0 +1,82 @@
+Description: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
+ This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
+Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
+Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
+Last-Update: 2010-04-06
+Index: b/dns.c
+===================================================================
+--- a/dns.c
+++ b/dns.c
+@@ -176,6 +176,7 @@
+ {
+        u_int counter;
+        int result;
+       unsigned int rrset_flags = 0;
+        struct rrsetinfo *fingerprints = NULL;
+ 
+        u_int8_t hostkey_algorithm;
+@@ -199,8 +200,19 @@
+                return -1;
+        }
+ 
+       /*
+        * Original getrrsetbyname function, found on OpenBSD for example,
+        * doesn't accept any flag and prerequisite for obtaining AD bit in
+        * DNS response is set by "options edns0" in resolv.conf.
+        *
+        * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
+        */
+#ifndef HAVE_GETRRSETBYNAME
+       rrset_flags |= RRSET_FORCE_EDNS0;
+#endif
+        result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
+-           DNS_RDATATYPE_SSHFP, 0, &fingerprints);
+           DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
+
+        if (result) {
+                verbose("DNS lookup error: %s", dns_result_totext(result));
+                return -1;
+Index: b/openbsd-compat/getrrsetbyname.c
+===================================================================
+--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
+@@ -209,8 +209,8 @@
+                goto fail;
+        }
+ 
+-       /* don't allow flags yet, unimplemented */
+-       if (flags) {
+       /* Allow RRSET_FORCE_EDNS0 flag only. */
+       if ((flags & !RRSET_FORCE_EDNS0) != 0) {
+                result = ERRSET_INVAL;
+                goto fail;
+        }
+@@ -226,9 +226,9 @@
+ #endif /* DEBUG */
+ 
+ #ifdef RES_USE_DNSSEC
+-       /* turn on DNSSEC if EDNS0 is configured */
+-       if (_resp->options & RES_USE_EDNS0)
+-               _resp->options |= RES_USE_DNSSEC;
+       /* turn on DNSSEC if required  */
+       if (flags & RRSET_FORCE_EDNS0)
+               _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
+ #endif /* RES_USE_DNSEC */
+ 
+        /* make query */
+Index: b/openbsd-compat/getrrsetbyname.h
+===================================================================
+--- a/openbsd-compat/getrrsetbyname.h
+++ b/openbsd-compat/getrrsetbyname.h
+@@ -72,6 +72,9 @@
+ #ifndef RRSET_VALIDATED
+ # define RRSET_VALIDATED       1
+ #endif
+#ifndef RRSET_FORCE_EDNS0
+# define RRSET_FORCE_EDNS0     0x0001
+#endif
+ 
+ /*
+  * Return codes for getrrsetbyname()
diff --git a/debian/patches/series b/debian/patches/series
index 03a17ba91..a75b0a0f5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,6 +28,7 @@ scp-quoting.patch
 shell-path.patch
 ssh-copy-id-status-check.patch
 ssh-copy-id-trailing-colons.patch
+dnssec-sshfp.patch
 # Versioning
 package-versioning.patch
diff --git a/dns.c b/dns.c
index 2e7bb5aae..30c89ebec 100644
--- a/dns.c
+++ b/dns.c
@@ -176,6 +176,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 {
        u_int counter;
        int result;
+        unsigned int rrset_flags = 0;
        struct rrsetinfo *fingerprints = NULL;
        u_int8_t hostkey_algorithm;
@@ -199,8 +200,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
                return -1;
        }
+        /*
+         * Original getrrsetbyname function, found on OpenBSD for example,
+         * doesn't accept any flag and prerequisite for obtaining AD bit in
+         * DNS response is set by "options edns0" in resolv.conf.
+         *
+         * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
+         */
+#ifndef HAVE_GETRRSETBYNAME
+        rrset_flags |= RRSET_FORCE_EDNS0;
+#endif
        result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
-            DNS_RDATATYPE_SSHFP, 0, &fingerprints);
+            DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
        if (result) {
                verbose("DNS lookup error: %s", dns_result_totext(result));
                return -1;
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
index 98876673d..011821198 100644
--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
                goto fail;
        }
-        /* don't allow flags yet, unimplemented */
+        /* Allow RRSET_FORCE_EDNS0 flag only. */
-        if (flags) {
+        if ((flags & !RRSET_FORCE_EDNS0) != 0) {
                result = ERRSET_INVAL;
                goto fail;
        }
@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
 #endif /* DEBUG */
 #ifdef RES_USE_DNSSEC
-        /* turn on DNSSEC if EDNS0 is configured */
+        /* turn on DNSSEC if required  */
-        if (_resp->options & RES_USE_EDNS0)
+        if (flags & RRSET_FORCE_EDNS0)
-                _resp->options |= RES_USE_DNSSEC;
+                _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
 #endif /* RES_USE_DNSEC */
        /* make query */
diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h
index 1283f5506..dbbc85a2a 100644
--- a/openbsd-compat/getrrsetbyname.h
+++ b/openbsd-compat/getrrsetbyname.h
@@ -72,6 +72,9 @@
 #ifndef RRSET_VALIDATED
 # define RRSET_VALIDATED        1
 #endif
+#ifndef RRSET_FORCE_EDNS0
+# define RRSET_FORCE_EDNS0      0x0001
+#endif
 /*
 * Return codes for getrrsetbyname()

diff --git a/debian/changelog b/debian/changelog index e2ce33bfb..0ec794b93 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,3 +1,12 @@
		1	openssh (1:5.4p1-2) UNRELEASED; urgency=low
		2
		3	* Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 is
		4	installed, the host key is published in an SSHFP RR secured with DNSSEC,
		5	and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key
		6	verification (closes: #572049).
		7
		8	-- Colin Watson <cjwatson@debian.org> Tue, 06 Apr 2010 23:16:39 +0100
		9
1	openssh (1:5.4p1-1) unstable; urgency=low	10	openssh (1:5.4p1-1) unstable; urgency=low
2		11
3	* New upstream release (LP: #535029).	12	* New upstream release (LP: #535029).


diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch new file mode 100644 index 000000000..a71b42f0f --- /dev/null +++ b/debian/patches/dnssec-sshfp.patch
@@ -0,0 +1,82 @@
		1	Description: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
		2	This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
		3	Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
		4	Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
		5	Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
		6	Last-Update: 2010-04-06
		7
		8	Index: b/dns.c
		9	===================================================================
		10	--- a/dns.c
		11	+++ b/dns.c
		12	@@ -176,6 +176,7 @@
		13	{
		14	u_int counter;
		15	int result;
		16	+ unsigned int rrset_flags = 0;
		17	struct rrsetinfo *fingerprints = NULL;
		18
		19	u_int8_t hostkey_algorithm;
		20	@@ -199,8 +200,19 @@
		21	return -1;
		22	}
		23
		24	+ /*
		25	+ * Original getrrsetbyname function, found on OpenBSD for example,
		26	+ * doesn't accept any flag and prerequisite for obtaining AD bit in
		27	+ * DNS response is set by "options edns0" in resolv.conf.
		28	+ *
		29	+ * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
		30	+ */
		31	+#ifndef HAVE_GETRRSETBYNAME
		32	+ rrset_flags \|= RRSET_FORCE_EDNS0;
		33	+#endif
		34	result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
		35	- DNS_RDATATYPE_SSHFP, 0, &fingerprints);
		36	+ DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
		37	+
		38	if (result) {
		39	verbose("DNS lookup error: %s", dns_result_totext(result));
		40	return -1;
		41	Index: b/openbsd-compat/getrrsetbyname.c
		42	===================================================================
		43	--- a/openbsd-compat/getrrsetbyname.c
		44	+++ b/openbsd-compat/getrrsetbyname.c
		45	@@ -209,8 +209,8 @@
		46	goto fail;
		47	}
		48
		49	- /* don't allow flags yet, unimplemented */
		50	- if (flags) {
		51	+ /* Allow RRSET_FORCE_EDNS0 flag only. */
		52	+ if ((flags & !RRSET_FORCE_EDNS0) != 0) {
		53	result = ERRSET_INVAL;
		54	goto fail;
		55	}
		56	@@ -226,9 +226,9 @@
		57	#endif /* DEBUG */
		58
		59	#ifdef RES_USE_DNSSEC
		60	- /* turn on DNSSEC if EDNS0 is configured */
		61	- if (_resp->options & RES_USE_EDNS0)
		62	- _resp->options \|= RES_USE_DNSSEC;
		63	+ /* turn on DNSSEC if required */
		64	+ if (flags & RRSET_FORCE_EDNS0)
		65	+ _resp->options \|= (RES_USE_EDNS0\|RES_USE_DNSSEC);
		66	#endif /* RES_USE_DNSEC */
		67
		68	/* make query */
		69	Index: b/openbsd-compat/getrrsetbyname.h
		70	===================================================================
		71	--- a/openbsd-compat/getrrsetbyname.h
		72	+++ b/openbsd-compat/getrrsetbyname.h
		73	@@ -72,6 +72,9 @@
		74	#ifndef RRSET_VALIDATED
		75	# define RRSET_VALIDATED 1
		76	#endif
		77	+#ifndef RRSET_FORCE_EDNS0
		78	+# define RRSET_FORCE_EDNS0 0x0001
		79	+#endif
		80
		81	/*
		82	* Return codes for getrrsetbyname()


diff --git a/debian/patches/series b/debian/patches/series index 03a17ba91..a75b0a0f5 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -28,6 +28,7 @@ scp-quoting.patch
28	shell-path.patch	28	shell-path.patch
29	ssh-copy-id-status-check.patch	29	ssh-copy-id-status-check.patch
30	ssh-copy-id-trailing-colons.patch	30	ssh-copy-id-trailing-colons.patch
		31	dnssec-sshfp.patch
31		32
32	# Versioning	33	# Versioning
33	package-versioning.patch	34	package-versioning.patch


diff --git a/dns.c b/dns.c index 2e7bb5aae..30c89ebec 100644 --- a/dns.c +++ b/dns.c
@@ -176,6 +176,7 @@ verify_host_key_dns(const char hostname, struct sockaddr address,
176	{	176	{
177	u_int counter;	177	u_int counter;
178	int result;	178	int result;
		179	unsigned int rrset_flags = 0;
179	struct rrsetinfo *fingerprints = NULL;	180	struct rrsetinfo *fingerprints = NULL;
180		181
181	u_int8_t hostkey_algorithm;	182	u_int8_t hostkey_algorithm;
@@ -199,8 +200,19 @@ verify_host_key_dns(const char hostname, struct sockaddr address,
199	return -1;	200	return -1;
200	}	201	}
201		202
		203	/*
		204	* Original getrrsetbyname function, found on OpenBSD for example,
		205	* doesn't accept any flag and prerequisite for obtaining AD bit in
		206	* DNS response is set by "options edns0" in resolv.conf.
		207	*
		208	* Our version is more clever and use RRSET_FORCE_EDNS0 flag.
		209	*/
		210	#ifndef HAVE_GETRRSETBYNAME
		211	rrset_flags \|= RRSET_FORCE_EDNS0;
		212	#endif
202	result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,	213	result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
203	DNS_RDATATYPE_SSHFP, 0, &fingerprints);	214	DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
		215
204	if (result) {	216	if (result) {
205	verbose("DNS lookup error: %s", dns_result_totext(result));	217	verbose("DNS lookup error: %s", dns_result_totext(result));
206	return -1;	218	return -1;


diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c index 98876673d..011821198 100644 --- a/openbsd-compat/getrrsetbyname.c +++ b/openbsd-compat/getrrsetbyname.c
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
209	goto fail;	209	goto fail;
210	}	210	}
211		211
212	/* don't allow flags yet, unimplemented */	212	/* Allow RRSET_FORCE_EDNS0 flag only. */
213	if (flags) {	213	if ((flags & !RRSET_FORCE_EDNS0) != 0) {
214	result = ERRSET_INVAL;	214	result = ERRSET_INVAL;
215	goto fail;	215	goto fail;
216	}	216	}
@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
226	#endif /* DEBUG */	226	#endif /* DEBUG */
227		227
228	#ifdef RES_USE_DNSSEC	228	#ifdef RES_USE_DNSSEC
229	/* turn on DNSSEC if EDNS0 is configured */	229	/* turn on DNSSEC if required */
230	if (_resp->options & RES_USE_EDNS0)	230	if (flags & RRSET_FORCE_EDNS0)
231	_resp->options \|= RES_USE_DNSSEC;	231	_resp->options \|= (RES_USE_EDNS0\|RES_USE_DNSSEC);
232	#endif /* RES_USE_DNSEC */	232	#endif /* RES_USE_DNSEC */
233		233
234	/* make query */	234	/* make query */


diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h index 1283f5506..dbbc85a2a 100644 --- a/openbsd-compat/getrrsetbyname.h +++ b/openbsd-compat/getrrsetbyname.h
@@ -72,6 +72,9 @@
72	#ifndef RRSET_VALIDATED	72	#ifndef RRSET_VALIDATED
73	# define RRSET_VALIDATED 1	73	# define RRSET_VALIDATED 1
74	#endif	74	#endif
		75	#ifndef RRSET_FORCE_EDNS0
		76	# define RRSET_FORCE_EDNS0 0x0001
		77	#endif
75		78
76	/*	79	/*
77	* Return codes for getrrsetbyname()	80	* Return codes for getrrsetbyname()