summaryrefslogtreecommitdiffstats
path: root/debian/patches/dnssec-sshfp.patch
blob: 90bf81274d176244a5b93f6db5690fa5572ec2ec (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
From bdf9d563e4ecfcf17de88d67df844af469c3d77e Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:01 +0000
Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf

This allows SSHFP DNS records to be verified if glibc 2.11 is installed.

Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Last-Update: 2023-06-19

Patch-Name: dnssec-sshfp.patch
---
 dns.c                           | 14 +++++++++++++-
 openbsd-compat/getrrsetbyname.c | 10 +++++-----
 openbsd-compat/getrrsetbyname.h |  3 +++
 3 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/dns.c b/dns.c
index 939241440..bf47a079f 100644
--- a/dns.c
+++ b/dns.c
@@ -198,6 +198,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 {
 	u_int counter;
 	int result;
+	unsigned int rrset_flags = 0;
 	struct rrsetinfo *fingerprints = NULL;
 
 	u_int8_t hostkey_algorithm;
@@ -220,8 +221,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 		return -1;
 	}
 
+	/*
+	 * Original getrrsetbyname function, found on OpenBSD for example,
+	 * doesn't accept any flag and prerequisite for obtaining AD bit in
+	 * DNS response is set by "options edns0" in resolv.conf.
+	 *
+	 * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
+	 */
+#ifndef HAVE_GETRRSETBYNAME
+	rrset_flags |= RRSET_FORCE_EDNS0;
+#endif
 	result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
-	    DNS_RDATATYPE_SSHFP, 0, &fingerprints);
+	    DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
+
 	if (result) {
 		verbose("DNS lookup error: %s", dns_result_totext(result));
 		return -1;
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
index 8f5939840..6091a2591 100644
--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
@@ -214,8 +214,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
 		goto fail;
 	}
 
-	/* don't allow flags yet, unimplemented */
-	if (flags) {
+	/* Allow RRSET_FORCE_EDNS0 flag only. */
+	if ((flags & ~RRSET_FORCE_EDNS0) != 0) {
 		result = ERRSET_INVAL;
 		goto fail;
 	}
@@ -231,9 +231,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
 #endif /* DEBUG */
 
 #ifdef RES_USE_DNSSEC
-	/* turn on DNSSEC if EDNS0 is configured */
-	if (_resp->options & RES_USE_EDNS0)
-		_resp->options |= RES_USE_DNSSEC;
+	/* turn on DNSSEC if required  */
+	if (flags & RRSET_FORCE_EDNS0)
+		_resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
 #endif /* RES_USE_DNSEC */
 
 	/* make query */
diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h
index 1283f5506..dbbc85a2a 100644
--- a/openbsd-compat/getrrsetbyname.h
+++ b/openbsd-compat/getrrsetbyname.h
@@ -72,6 +72,9 @@
 #ifndef RRSET_VALIDATED
 # define RRSET_VALIDATED	1
 #endif
+#ifndef RRSET_FORCE_EDNS0
+# define RRSET_FORCE_EDNS0	0x0001
+#endif
 
 /*
  * Return codes for getrrsetbyname()