rcolebaugh / rpms / openssh

Forked from rpms/openssh 2 years ago
Clone
f09e2e
diff -up openssh-5.9p1/dns.c.edns openssh-5.9p1/dns.c
f09e2e
--- openssh-5.9p1/dns.c.edns	2010-08-31 14:41:14.000000000 +0200
f09e2e
+++ openssh-5.9p1/dns.c	2011-09-09 08:05:27.782440497 +0200
f09e2e
@@ -177,6 +177,7 @@ verify_host_key_dns(const char *hostname
f09e2e
 {
f09e2e
 	u_int counter;
f09e2e
 	int result;
f09e2e
+	unsigned int rrset_flags = 0;
f09e2e
 	struct rrsetinfo *fingerprints = NULL;
f09e2e
 
f09e2e
 	u_int8_t hostkey_algorithm;
f09e2e
@@ -200,8 +201,19 @@ verify_host_key_dns(const char *hostname
f09e2e
 		return -1;
f09e2e
 	}
f09e2e
 
f09e2e
+	/*
f09e2e
+	 * Original getrrsetbyname function, found on OpenBSD for example,
f09e2e
+	 * doesn't accept any flag and prerequisite for obtaining AD bit in
f09e2e
+	 * DNS response is set by "options edns0" in resolv.conf.
f09e2e
+	 *
f09e2e
+	 * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
f09e2e
+	 */
f09e2e
+#ifndef HAVE_GETRRSETBYNAME
f09e2e
+	rrset_flags |= RRSET_FORCE_EDNS0;
f09e2e
+#endif
f09e2e
 	result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
f09e2e
-	    DNS_RDATATYPE_SSHFP, 0, &fingerprints);
f09e2e
+	    DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
f09e2e
+
f09e2e
 	if (result) {
f09e2e
 		verbose("DNS lookup error: %s", dns_result_totext(result));
f09e2e
 		return -1;
f09e2e
diff -up openssh-5.9p1/openbsd-compat/getrrsetbyname.c.edns openssh-5.9p1/openbsd-compat/getrrsetbyname.c
f09e2e
--- openssh-5.9p1/openbsd-compat/getrrsetbyname.c.edns	2009-07-13 03:38:23.000000000 +0200
f09e2e
+++ openssh-5.9p1/openbsd-compat/getrrsetbyname.c	2011-09-09 15:03:39.930500801 +0200
f09e2e
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, uns
f09e2e
 		goto fail;
f09e2e
 	}
f09e2e
 
f09e2e
-	/* don't allow flags yet, unimplemented */
f09e2e
-	if (flags) {
f09e2e
+	/* Allow RRSET_FORCE_EDNS0 flag only. */
f09e2e
+	if ((flags & ~RRSET_FORCE_EDNS0) != 0) {
f09e2e
 		result = ERRSET_INVAL;
f09e2e
 		goto fail;
f09e2e
 	}
f09e2e
@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, uns
f09e2e
 #endif /* DEBUG */
f09e2e
 
f09e2e
 #ifdef RES_USE_DNSSEC
f09e2e
-	/* turn on DNSSEC if EDNS0 is configured */
f09e2e
-	if (_resp->options & RES_USE_EDNS0)
f09e2e
-		_resp->options |= RES_USE_DNSSEC;
f09e2e
+	/* turn on DNSSEC if required  */
f09e2e
+	if (flags & RRSET_FORCE_EDNS0)
f09e2e
+		_resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
f09e2e
 #endif /* RES_USE_DNSEC */
f09e2e
 
f09e2e
 	/* make query */
f09e2e
diff -up openssh-5.9p1/openbsd-compat/getrrsetbyname.h.edns openssh-5.9p1/openbsd-compat/getrrsetbyname.h
f09e2e
--- openssh-5.9p1/openbsd-compat/getrrsetbyname.h.edns	2007-10-26 08:26:50.000000000 +0200
f09e2e
+++ openssh-5.9p1/openbsd-compat/getrrsetbyname.h	2011-09-09 08:05:27.965438689 +0200
f09e2e
@@ -72,6 +72,9 @@
f09e2e
 #ifndef RRSET_VALIDATED
f09e2e
 # define RRSET_VALIDATED	1
f09e2e
 #endif
f09e2e
+#ifndef RRSET_FORCE_EDNS0
f09e2e
+# define RRSET_FORCE_EDNS0	0x0001
f09e2e
+#endif
f09e2e
 
f09e2e
 /*
f09e2e
  * Return codes for getrrsetbyname()