From 986cee729815fcaf02d98f93a8824b0992edf3b6 Mon Sep 17 00:00:00 2001 From: Jan F. Chadima Date: Jul 30 2009 08:29:01 +0000 Subject: Added dnssec support. --- diff --git a/openssh-5.2p1-edns.patch b/openssh-5.2p1-edns.patch new file mode 100644 index 0000000..f3e431e --- /dev/null +++ b/openssh-5.2p1-edns.patch @@ -0,0 +1,72 @@ +diff -up openssh-5.2p1/dns.c.rh205842 openssh-5.2p1/dns.c +--- openssh-5.2p1/dns.c.rh205842 2009-07-27 16:25:28.000000000 +0200 ++++ openssh-5.2p1/dns.c 2009-07-27 16:40:59.000000000 +0200 +@@ -176,6 +176,7 @@ verify_host_key_dns(const char *hostname + { + u_int counter; + int result; ++ unsigned int rrset_flags = 0; + struct rrsetinfo *fingerprints = NULL; + + u_int8_t hostkey_algorithm; +@@ -199,8 +200,19 @@ verify_host_key_dns(const char *hostname + return -1; + } + ++ /* ++ * Original getrrsetbyname function, found on OpenBSD for example, ++ * doesn't accept any flag and prerequisite for obtaining AD bit in ++ * DNS response is set by "options edns0" in resolv.conf. ++ * ++ * Our version is more clever and use RRSET_FORCE_EDNS0 flag. ++ */ ++#ifndef HAVE_GETRRSETBYNAME ++ rrset_flags |= RRSET_FORCE_EDNS0; ++#endif + result = getrrsetbyname(hostname, DNS_RDATACLASS_IN, +- DNS_RDATATYPE_SSHFP, 0, &fingerprints); ++ DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints); ++ + if (result) { + verbose("DNS lookup error: %s", dns_result_totext(result)); + return -1; +diff -up openssh-5.2p1/openbsd-compat/getrrsetbyname.c.rh205842 openssh-5.2p1/openbsd-compat/getrrsetbyname.c +--- openssh-5.2p1/openbsd-compat/getrrsetbyname.c.rh205842 2009-07-27 16:22:23.000000000 +0200 ++++ openssh-5.2p1/openbsd-compat/getrrsetbyname.c 2009-07-27 16:41:55.000000000 +0200 +@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, uns + goto fail; + } + +- /* don't allow flags yet, unimplemented */ +- if (flags) { ++ /* Allow RRSET_FORCE_EDNS0 flag only. */ ++ if ((flags & !RRSET_FORCE_EDNS0) != 0) { + result = ERRSET_INVAL; + goto fail; + } +@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, uns + #endif /* DEBUG */ + + #ifdef RES_USE_DNSSEC +- /* turn on DNSSEC if EDNS0 is configured */ +- if (_resp->options & RES_USE_EDNS0) +- _resp->options |= RES_USE_DNSSEC; ++ /* turn on DNSSEC if required */ ++ if (flags & RRSET_FORCE_EDNS0) ++ _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC); + #endif /* RES_USE_DNSEC */ + + /* make query */ +diff -up openssh-5.2p1/openbsd-compat/getrrsetbyname.h.rh205842 openssh-5.2p1/openbsd-compat/getrrsetbyname.h +--- openssh-5.2p1/openbsd-compat/getrrsetbyname.h.rh205842 2009-07-27 16:35:02.000000000 +0200 ++++ openssh-5.2p1/openbsd-compat/getrrsetbyname.h 2009-07-27 16:36:09.000000000 +0200 +@@ -72,6 +72,9 @@ + #ifndef RRSET_VALIDATED + # define RRSET_VALIDATED 1 + #endif ++#ifndef RRSET_FORCE_EDNS0 ++# define RRSET_FORCE_EDNS0 0x0001 ++#endif + + /* + * Return codes for getrrsetbyname() diff --git a/openssh.spec b/openssh.spec index da98d9a..d61b0f4 100644 --- a/openssh.spec +++ b/openssh.spec @@ -63,7 +63,7 @@ Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh Version: 5.2p1 -Release: 16%{?dist}%{?rescue_rel} +Release: 17%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc @@ -102,6 +102,7 @@ Patch67: openssh-5.2p1-xmodifiers.patch Patch68: openssh-5.2p1-pathmax.patch Patch69: openssh-5.2p1-selabel.patch Patch70: openssh-5.2p1-sesftp.patch +Patch71: openssh-5.2p1-edns.patch License: BSD Group: Applications/Internet @@ -238,6 +239,7 @@ an X11 passphrase dialog for OpenSSH. %patch68 -p1 -b .pathmax %patch69 -p1 -b .selabel %patch70 -p1 -b .sesftp +%patch71 -p1 -b .edns autoreconf @@ -472,6 +474,9 @@ fi %endif %changelog +* Thu Jul 30 2009 Jan F. Chadima - 5.2p1-17 +- Added dnssec support. + * Sat Jul 25 2009 Fedora Release Engineering - 5.2p1-16 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild