diff options
Diffstat (limited to 'debian/patches/dnssec-sshfp.patch')
-rw-r--r-- | debian/patches/dnssec-sshfp.patch | 94 |
1 files changed, 94 insertions, 0 deletions
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch new file mode 100644 index 000000000..9bf19dcf8 --- /dev/null +++ b/debian/patches/dnssec-sshfp.patch | |||
@@ -0,0 +1,94 @@ | |||
1 | From 6ba1a4137b4cf1418e2b756f1abae3cc549961ea Mon Sep 17 00:00:00 2001 | ||
2 | From: Colin Watson <cjwatson@debian.org> | ||
3 | Date: Sun, 9 Feb 2014 16:10:01 +0000 | ||
4 | Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf | ||
5 | |||
6 | This allows SSHFP DNS records to be verified if glibc 2.11 is installed. | ||
7 | |||
8 | Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup | ||
9 | Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 | ||
10 | Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 | ||
11 | Last-Update: 2010-04-06 | ||
12 | |||
13 | Patch-Name: dnssec-sshfp.patch | ||
14 | --- | ||
15 | dns.c | 14 +++++++++++++- | ||
16 | openbsd-compat/getrrsetbyname.c | 10 +++++----- | ||
17 | openbsd-compat/getrrsetbyname.h | 3 +++ | ||
18 | 3 files changed, 21 insertions(+), 6 deletions(-) | ||
19 | |||
20 | diff --git a/dns.c b/dns.c | ||
21 | index e813afea..fce2e308 100644 | ||
22 | --- a/dns.c | ||
23 | +++ b/dns.c | ||
24 | @@ -206,6 +206,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, | ||
25 | { | ||
26 | u_int counter; | ||
27 | int result; | ||
28 | + unsigned int rrset_flags = 0; | ||
29 | struct rrsetinfo *fingerprints = NULL; | ||
30 | |||
31 | u_int8_t hostkey_algorithm; | ||
32 | @@ -229,8 +230,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, | ||
33 | return -1; | ||
34 | } | ||
35 | |||
36 | + /* | ||
37 | + * Original getrrsetbyname function, found on OpenBSD for example, | ||
38 | + * doesn't accept any flag and prerequisite for obtaining AD bit in | ||
39 | + * DNS response is set by "options edns0" in resolv.conf. | ||
40 | + * | ||
41 | + * Our version is more clever and use RRSET_FORCE_EDNS0 flag. | ||
42 | + */ | ||
43 | +#ifndef HAVE_GETRRSETBYNAME | ||
44 | + rrset_flags |= RRSET_FORCE_EDNS0; | ||
45 | +#endif | ||
46 | result = getrrsetbyname(hostname, DNS_RDATACLASS_IN, | ||
47 | - DNS_RDATATYPE_SSHFP, 0, &fingerprints); | ||
48 | + DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints); | ||
49 | + | ||
50 | if (result) { | ||
51 | verbose("DNS lookup error: %s", dns_result_totext(result)); | ||
52 | return -1; | ||
53 | diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c | ||
54 | index dc6fe053..e061a290 100644 | ||
55 | --- a/openbsd-compat/getrrsetbyname.c | ||
56 | +++ b/openbsd-compat/getrrsetbyname.c | ||
57 | @@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, | ||
58 | goto fail; | ||
59 | } | ||
60 | |||
61 | - /* don't allow flags yet, unimplemented */ | ||
62 | - if (flags) { | ||
63 | + /* Allow RRSET_FORCE_EDNS0 flag only. */ | ||
64 | + if ((flags & !RRSET_FORCE_EDNS0) != 0) { | ||
65 | result = ERRSET_INVAL; | ||
66 | goto fail; | ||
67 | } | ||
68 | @@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, | ||
69 | #endif /* DEBUG */ | ||
70 | |||
71 | #ifdef RES_USE_DNSSEC | ||
72 | - /* turn on DNSSEC if EDNS0 is configured */ | ||
73 | - if (_resp->options & RES_USE_EDNS0) | ||
74 | - _resp->options |= RES_USE_DNSSEC; | ||
75 | + /* turn on DNSSEC if required */ | ||
76 | + if (flags & RRSET_FORCE_EDNS0) | ||
77 | + _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC); | ||
78 | #endif /* RES_USE_DNSEC */ | ||
79 | |||
80 | /* make query */ | ||
81 | diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h | ||
82 | index 1283f550..dbbc85a2 100644 | ||
83 | --- a/openbsd-compat/getrrsetbyname.h | ||
84 | +++ b/openbsd-compat/getrrsetbyname.h | ||
85 | @@ -72,6 +72,9 @@ | ||
86 | #ifndef RRSET_VALIDATED | ||
87 | # define RRSET_VALIDATED 1 | ||
88 | #endif | ||
89 | +#ifndef RRSET_FORCE_EDNS0 | ||
90 | +# define RRSET_FORCE_EDNS0 0x0001 | ||
91 | +#endif | ||
92 | |||
93 | /* | ||
94 | * Return codes for getrrsetbyname() | ||