From 4b42694c1823a9eb69a972c53cf79ce289b2c810 Mon Sep 17 00:00:00 2001
|
|
From: Colin Watson <cjwatson@debian.org>
|
|
Date: Sun, 9 Feb 2014 16:10:01 +0000
|
|
Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
|
|
|
|
This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
|
|
|
|
Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
|
|
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
|
|
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
|
|
Last-Update: 2023-06-19
|
|
|
|
Patch-Name: dnssec-sshfp.patch
|
|
---
|
|
dns.c | 14 +++++++++++++-
|
|
openbsd-compat/getrrsetbyname.c | 10 +++++-----
|
|
openbsd-compat/getrrsetbyname.h | 3 +++
|
|
3 files changed, 21 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/dns.c b/dns.c
|
|
index 939241440..bf47a079f 100644
|
|
--- a/dns.c
|
|
+++ b/dns.c
|
|
@@ -198,6 +198,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
|
|
{
|
|
u_int counter;
|
|
int result;
|
|
+ unsigned int rrset_flags = 0;
|
|
struct rrsetinfo *fingerprints = NULL;
|
|
|
|
u_int8_t hostkey_algorithm;
|
|
@@ -220,8 +221,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
|
|
return -1;
|
|
}
|
|
|
|
+ /*
|
|
+ * Original getrrsetbyname function, found on OpenBSD for example,
|
|
+ * doesn't accept any flag and prerequisite for obtaining AD bit in
|
|
+ * DNS response is set by "options edns0" in resolv.conf.
|
|
+ *
|
|
+ * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
|
|
+ */
|
|
+#ifndef HAVE_GETRRSETBYNAME
|
|
+ rrset_flags |= RRSET_FORCE_EDNS0;
|
|
+#endif
|
|
result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
|
|
- DNS_RDATATYPE_SSHFP, 0, &fingerprints);
|
|
+ DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
|
|
+
|
|
if (result) {
|
|
verbose("DNS lookup error: %s", dns_result_totext(result));
|
|
return -1;
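Review bot: The new comment block reads as if RRSET_FORCE_EDNS0 buys verification, but all it does (per the companion getrrsetbyname.c hunk) is set RES_USE_EDNS0|RES_USE_DNSSEC so the query carries the DO bit and asks the configured resolver to report AD; nothing is validated on the client, so whatever validated-flag check presumably follows in verify_host_key_dns is only as trustworthy as the resolver in resolv.conf and the unauthenticated path to it. That is not new in this commit, but the comment should say it rather than imply the opposite, e.g. `* This only asks the resolver to set the AD bit; trust it only with a local/validating resolver.`. The sentence `Our version is more clever and use RRSET_FORCE_EDNS0 flag.` should read `Our version accepts the RRSET_FORCE_EDNS0 flag instead.`. verify_host_key_dns continues outside the hunk.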
|
|
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
|
|
index ad35148c9..add519441 100644
|
|
--- a/openbsd-compat/getrrsetbyname.c
|
|
+++ b/openbsd-compat/getrrsetbyname.c
|
|
@@ -214,8 +214,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
|
|
goto fail;
|
|
}
|
|
|
|
- /* don't allow flags yet, unimplemented */
|
|
- if (flags) {
|
|
+ /* Allow RRSET_FORCE_EDNS0 flag only. */
|
|
+ if ((flags & ~RRSET_FORCE_EDNS0) != 0) {
|
|
result = ERRSET_INVAL;
|
|
goto fail;
|
|
}
|
|
@@ -231,9 +231,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
|
|
#endif /* DEBUG */
|
|
|
|
#ifdef RES_USE_DNSSEC
|
|
- /* turn on DNSSEC if EDNS0 is configured */
|
|
- if (_resp->options & RES_USE_EDNS0)
|
|
- _resp->options |= RES_USE_DNSSEC;
|
|
+ /* turn on DNSSEC if required */
|
|
+ if (flags & RRSET_FORCE_EDNS0)
|
|
+ _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
|
|
#endif /* RES_USE_DNSEC */
|
|
|
|
/* make query */
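Review bot: The replaced condition drops the old `options edns0` path: a caller passing flags == 0 on a system whose resolv.conf already enables EDNS0 no longer gets RES_USE_DNSSEC, where before it did. Within this patch dns.c always passes RRSET_FORCE_EDNS0 to the compat function, so OpenSSH itself does not regress, but keeping both triggers costs nothing: `if ((flags & RRSET_FORCE_EDNS0) || (_resp->options & RES_USE_EDNS0))`. Separately, the OR into `_resp->options` is never undone; if `_resp` aliases the process-global `_res`, EDNS0/DO stays enabled for every later resolver call in the process, which deserves a one-line comment if intentional. getrrsetbyname's body continues outside the hunk.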
|
|
diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h
|
|
index 1283f5506..dbbc85a2a 100644
|
|
--- a/openbsd-compat/getrrsetbyname.h
|
|
+++ b/openbsd-compat/getrrsetbyname.h
|
|
@@ -72,6 +72,9 @@
|
|
#ifndef RRSET_VALIDATED
|
|
# define RRSET_VALIDATED 1
|
|
#endif
|
|
+#ifndef RRSET_FORCE_EDNS0
|
|
+# define RRSET_FORCE_EDNS0 0x0001
|
|
+#endif
|
|
|
|
/*
|
|
* Return codes for getrrsetbyname()
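Review bot: RRSET_FORCE_EDNS0 is added directly under RRSET_VALIDATED with the same numeric value 1 and no comment telling them apart; one is an input bit for the flags argument of getrrsetbyname(), the other an output bit in rri_flags, and a reader skimming the header can easily conflate them. Suggest a comment above the new define: `/* getrrsetbyname() flags bit: request EDNS0/DNSSEC (DO) on the query; not an rri_flags value */`. The #ifndef guard also means a system header defining the same name with a different value silently wins, so the compat getrrsetbyname.c must only ever test the name, never the literal 0x0001.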
|