1 files changed, 94 insertions, 0 deletions
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
new file mode 100644
index 000000000..e2acdf1a2
--- /dev/null
+++ b/debian/patches/dnssec-sshfp.patch
@@ -0,0 +1,94 @@
+From 0ee33d93c5c7a5fbb8b027aa24e7c9668125fda9 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:01 +0000
+Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
+This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
+Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
+Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
+Last-Update: 2010-04-06
+Patch-Name: dnssec-sshfp.patch
+---
+ dns.c                           | 14 +++++++++++++-
+ openbsd-compat/getrrsetbyname.c | 10 +++++-----
+ openbsd-compat/getrrsetbyname.h |  3 +++
+ 3 files changed, 21 insertions(+), 6 deletions(-)
+diff --git a/dns.c b/dns.c
+index ff1a2c41c..82ec97199 100644
+--- a/dns.c
+++ b/dns.c
+@@ -211,6 +211,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
+ {
+        u_int counter;
+        int result;
+       unsigned int rrset_flags = 0;
+        struct rrsetinfo *fingerprints = NULL;
+ 
+        u_int8_t hostkey_algorithm;
+@@ -234,8 +235,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
+                return -1;
+        }
+ 
+       /*
+        * Original getrrsetbyname function, found on OpenBSD for example,
+        * doesn't accept any flag and prerequisite for obtaining AD bit in
+        * DNS response is set by "options edns0" in resolv.conf.
+        *
+        * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
+        */
+#ifndef HAVE_GETRRSETBYNAME
+       rrset_flags |= RRSET_FORCE_EDNS0;
+#endif
+        result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
+-           DNS_RDATATYPE_SSHFP, 0, &fingerprints);
+           DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
+
+        if (result) {
+                verbose("DNS lookup error: %s", dns_result_totext(result));
+                return -1;
+diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
+index dc6fe0533..e061a290a 100644
+--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
+@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
+                goto fail;
+        }
+ 
+-       /* don't allow flags yet, unimplemented */
+-       if (flags) {
+       /* Allow RRSET_FORCE_EDNS0 flag only. */
+       if ((flags & !RRSET_FORCE_EDNS0) != 0) {
+                result = ERRSET_INVAL;
+                goto fail;
+        }
+@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
+ #endif /* DEBUG */
+ 
+ #ifdef RES_USE_DNSSEC
+-       /* turn on DNSSEC if EDNS0 is configured */
+-       if (_resp->options & RES_USE_EDNS0)
+-               _resp->options |= RES_USE_DNSSEC;
+       /* turn on DNSSEC if required  */
+       if (flags & RRSET_FORCE_EDNS0)
+               _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
+ #endif /* RES_USE_DNSEC */
+ 
+        /* make query */
+diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h
+index 1283f5506..dbbc85a2a 100644
+--- a/openbsd-compat/getrrsetbyname.h
+++ b/openbsd-compat/getrrsetbyname.h
+@@ -72,6 +72,9 @@
+ #ifndef RRSET_VALIDATED
+ # define RRSET_VALIDATED       1
+ #endif
+#ifndef RRSET_FORCE_EDNS0
+# define RRSET_FORCE_EDNS0     0x0001
+#endif
+ 
+ /*
+  * Return codes for getrrsetbyname()

diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch new file mode 100644 index 000000000..e2acdf1a2 --- /dev/null +++ b/debian/patches/dnssec-sshfp.patch
@@ -0,0 +1,94 @@
	1	From 0ee33d93c5c7a5fbb8b027aa24e7c9668125fda9 Mon Sep 17 00:00:00 2001
	2	From: Colin Watson <cjwatson@debian.org>
	3	Date: Sun, 9 Feb 2014 16:10:01 +0000
	4	Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
	5
	6	This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
	7
	8	Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
	9	Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
	10	Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
	11	Last-Update: 2010-04-06
	12
	13	Patch-Name: dnssec-sshfp.patch
	14	---
	15	dns.c \| 14 +++++++++++++-
	16	openbsd-compat/getrrsetbyname.c \| 10 +++++-----
	17	openbsd-compat/getrrsetbyname.h \| 3 +++
	18	3 files changed, 21 insertions(+), 6 deletions(-)
	19
	20	diff --git a/dns.c b/dns.c
	21	index ff1a2c41c..82ec97199 100644
	22	--- a/dns.c
	23	+++ b/dns.c
	24	@@ -211,6 +211,7 @@ verify_host_key_dns(const char hostname, struct sockaddr address,
	25	{
	26	u_int counter;
	27	int result;
	28	+ unsigned int rrset_flags = 0;
	29	struct rrsetinfo *fingerprints = NULL;
	30
	31	u_int8_t hostkey_algorithm;
	32	@@ -234,8 +235,19 @@ verify_host_key_dns(const char hostname, struct sockaddr address,
	33	return -1;
	34	}
	35
	36	+ /*
	37	+ * Original getrrsetbyname function, found on OpenBSD for example,
	38	+ * doesn't accept any flag and prerequisite for obtaining AD bit in
	39	+ * DNS response is set by "options edns0" in resolv.conf.
	40	+ *
	41	+ * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
	42	+ */
	43	+#ifndef HAVE_GETRRSETBYNAME
	44	+ rrset_flags \|= RRSET_FORCE_EDNS0;
	45	+#endif
	46	result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
	47	- DNS_RDATATYPE_SSHFP, 0, &fingerprints);
	48	+ DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
	49	+
	50	if (result) {
	51	verbose("DNS lookup error: %s", dns_result_totext(result));
	52	return -1;
	53	diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
	54	index dc6fe0533..e061a290a 100644
	55	--- a/openbsd-compat/getrrsetbyname.c
	56	+++ b/openbsd-compat/getrrsetbyname.c
	57	@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
	58	goto fail;
	59	}
	60
	61	- /* don't allow flags yet, unimplemented */
	62	- if (flags) {
	63	+ /* Allow RRSET_FORCE_EDNS0 flag only. */
	64	+ if ((flags & !RRSET_FORCE_EDNS0) != 0) {
	65	result = ERRSET_INVAL;
	66	goto fail;
	67	}
	68	@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
	69	#endif /* DEBUG */
	70
	71	#ifdef RES_USE_DNSSEC
	72	- /* turn on DNSSEC if EDNS0 is configured */
	73	- if (_resp->options & RES_USE_EDNS0)
	74	- _resp->options \|= RES_USE_DNSSEC;
	75	+ /* turn on DNSSEC if required */
	76	+ if (flags & RRSET_FORCE_EDNS0)
	77	+ _resp->options \|= (RES_USE_EDNS0\|RES_USE_DNSSEC);
	78	#endif /* RES_USE_DNSEC */
	79
	80	/* make query */
	81	diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h
	82	index 1283f5506..dbbc85a2a 100644
	83	--- a/openbsd-compat/getrrsetbyname.h
	84	+++ b/openbsd-compat/getrrsetbyname.h
	85	@@ -72,6 +72,9 @@
	86	#ifndef RRSET_VALIDATED
	87	# define RRSET_VALIDATED 1
	88	#endif
	89	+#ifndef RRSET_FORCE_EDNS0
	90	+# define RRSET_FORCE_EDNS0 0x0001
	91	+#endif
	92
	93	/*
	94	* Return codes for getrrsetbyname()