

(-)clean/openssh-5.3p1/configure.ac (+38 lines)
Lines 3433-3438 Link Here
3433
	AC_DEFINE(HAVE_SYS_NERR, 1, [Define if your system defines sys_nerr])
3433
	AC_DEFINE(HAVE_SYS_NERR, 1, [Define if your system defines sys_nerr])
3434
fi
3434
fi
3435
3435
3436
LIBVAL_MSG="no"
3437
# Check whether user wants DNSSEC local validation support
3438
AC_ARG_WITH(local-dnssec-validation,
3439
	[  --with-local-dnssec-validation Enable local DNSSEC validation using libval],
3440
	[ if test "x$withval" != "xno" ; then
3441
 		if test "x$withval" != "xyes" ; then
3442
			CPPFLAGS="$CPPFLAGS -I${withval}"
3443
			LDFLAGS="$LDFLAGS -L${withval}"
3444
			if test ! -z "$need_dash_r" ; then
3445
				LDFLAGS="$LDFLAGS -R${withval}"
3446
 		fi
3447
			if test ! -z "$blibpath" ; then
3448
				blibpath="$blibpath:${withval}"
3449
 		fi
3450
 	    fi
3451
		AC_CHECK_HEADERS(validator/validator.h)
3452
		if test "$ac_cv_header_validator_validator_h" != yes; then
3453
			AC_MSG_ERROR(Can't find validator.h)
3454
		fi
3455
		AC_CHECK_LIB(sres, query_send)
3456
		if test "$ac_cv_lib_sres_query_send" != yes; then
3457
			AC_MSG_ERROR(Can't find libsres)
3458
		fi
3459
		LIBVAL_SUFFIX=""
3460
		AC_CHECK_LIB(val, p_val_status,LIBS="$LIBS -lval",
3461
			[ AC_CHECK_LIB(pthread, pthread_rwlock_init)
3462
			  AC_CHECK_LIB(val-threads, p_val_status,
3463
				[ LIBS="$LIBS -lval-threads -lpthread"
3464
				  LIBVAL_SUFFIX="-threads"],
3465
				AC_MSG_ERROR(Can't find libval or libval-threads))
3466
			])
3467
		AC_DEFINE(DNSSEC_LOCAL_VALIDATION, 1,
3468
			[Define if you want local DNSSEC validation support])
3469
		LIBVAL_MSG="yes, libval${LIBVAL_SUFFIX}"
3470
	else
3436
# Check libraries needed by DNS fingerprint support
3471
# Check libraries needed by DNS fingerprint support
3437
AC_SEARCH_LIBS(getrrsetbyname, resolv,
3472
AC_SEARCH_LIBS(getrrsetbyname, resolv,
3438
	[AC_DEFINE(HAVE_GETRRSETBYNAME, 1,
3473
	[AC_DEFINE(HAVE_GETRRSETBYNAME, 1,
Lines 3486-3491 Link Here
3486
			    [Define if HEADER.ad exists in arpa/nameser.h])],,
3521
			    [Define if HEADER.ad exists in arpa/nameser.h])],,
3487
			[#include <arpa/nameser.h>])
3522
			[#include <arpa/nameser.h>])
3488
	])
3523
	])
3524
	 fi]
3525
)
3489
3526
3490
AC_MSG_CHECKING(if struct __res_state _res is an extern)
3527
AC_MSG_CHECKING(if struct __res_state _res is an extern)
3491
AC_LINK_IFELSE([
3528
AC_LINK_IFELSE([
Lines 4351-4356 Link Here
4351
echo "              MD5 password support: $MD5_MSG"
4388
echo "              MD5 password support: $MD5_MSG"
4352
echo "                   libedit support: $LIBEDIT_MSG"
4389
echo "                   libedit support: $LIBEDIT_MSG"
4353
echo "  Solaris process contract support: $SPC_MSG"
4390
echo "  Solaris process contract support: $SPC_MSG"
4391
echo "   Local DNSSEC validation support: $LIBVAL_MSG"
4354
echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
4392
echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
4355
echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
4393
echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
4356
echo "                  BSD Auth support: $BSD_AUTH_MSG"
4394
echo "                  BSD Auth support: $BSD_AUTH_MSG"
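Review bot: The closing `fi]` and `)` in the 3486-3491 hunk show that the pre-existing getrrsetbyname/libresolv probe now sits in the `else` branch of AC_ARG_WITH's action-if-given, so a default build that never passes `--with-local-dnssec-validation` runs neither the libval probe nor the original one, and HAVE_GETRRSETBYNAME and the HEADER.ad check are silently skipped on platforms that have getrrsetbyname. Close the macro right after the libval branch (`	fi ])`) and run the fingerprint-library block unconditionally under `if test "x$LIBVAL_MSG" = "xno"; then … fi`, or pass it as the action-if-not-given argument too. Related: in a libval build HAVE_GETRRSETBYNAME is deliberately undefined, so dns.c's `#ifndef HAVE_GETRRSETBYNAME` still stores into `rrset_flags`, which the libval path never reads; a comment there or a surrounding `#ifndef DNSSEC_LOCAL_VALIDATION` would remove the dead store.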
(-)clean/openssh-5.3p1/dns.c (-2 / +101 lines)
Lines 35-40 Link Here
35
#include <stdio.h>
35
#include <stdio.h>
36
#include <string.h>
36
#include <string.h>
37
37
38
#ifdef DNSSEC_LOCAL_VALIDATION
39
# include <validator/validator.h>
40
#endif
41
38
#include "xmalloc.h"
42
#include "xmalloc.h"
39
#include "key.h"
43
#include "key.h"
40
#include "dns.h"
44
#include "dns.h"
Lines 177-189 Link Here
177
	u_int counter;
181
	u_int counter;
178
	int result;
182
	int result;
179
	unsigned int rrset_flags = 0;
183
	unsigned int rrset_flags = 0;
180
	struct rrsetinfo *fingerprints = NULL;
181
184
182
	u_int8_t hostkey_algorithm;
185
	u_int8_t hostkey_algorithm;
183
	u_int8_t hostkey_digest_type;
186
	u_int8_t hostkey_digest_type;
184
	u_char *hostkey_digest;
187
	u_char *hostkey_digest;
185
	u_int hostkey_digest_len;
188
	u_int hostkey_digest_len;
186
189
190
#ifndef DNSSEC_LOCAL_VALIDATION
191
	struct rrsetinfo *fingerprints = NULL;
192
#else
193
	struct val_result_chain *val_res, *val_results = NULL;
194
	
195
#endif
196
187
	u_int8_t dnskey_algorithm;
197
	u_int8_t dnskey_algorithm;
188
	u_int8_t dnskey_digest_type;
198
	u_int8_t dnskey_digest_type;
189
	u_char *dnskey_digest;
199
	u_char *dnskey_digest;
Lines 210-215 Link Here
210
#ifndef HAVE_GETRRSETBYNAME
220
#ifndef HAVE_GETRRSETBYNAME
211
	rrset_flags |= RRSET_FORCE_EDNS0;
221
	rrset_flags |= RRSET_FORCE_EDNS0;
212
#endif
222
#endif
223
#ifndef DNSSEC_LOCAL_VALIDATION
213
	result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
224
	result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
214
	    DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
225
	    DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
215
226
Lines 219-225 Link Here
219
	}
230
	}
220
231
221
	if (fingerprints->rri_flags & RRSET_VALIDATED) {
232
	if (fingerprints->rri_flags & RRSET_VALIDATED) {
222
		*flags |= DNS_VERIFY_SECURE;
233
		*flags |= (DNS_VERIFY_SECURE|DNS_VERIFY_TRUSTED);
223
		debug("found %d secure fingerprints in DNS",
234
		debug("found %d secure fingerprints in DNS",
224
		    fingerprints->rri_nrdatas);
235
		    fingerprints->rri_nrdatas);
225
	} else {
236
	} else {
Lines 267-272 Link Here
267
278
268
	xfree(hostkey_digest); /* from key_fingerprint_raw() */
279
	xfree(hostkey_digest); /* from key_fingerprint_raw() */
269
	freerrset(fingerprints);
280
	freerrset(fingerprints);
281
#else
282
283
	result = val_resolve_and_check(NULL, hostname, DNS_RDATACLASS_IN,
284
	    DNS_RDATATYPE_SSHFP, 0, &val_results);
285
	if (result != VAL_NO_ERROR){
286
		verbose("DNS lookup error: %s", p_ac_status(val_results->val_rc_status));
287
		return -1;
288
	}
289
290
	/* Initialize host key parameters */
291
	if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type,
292
	    &hostkey_digest, &hostkey_digest_len, hostkey)) {
293
		error("Error calculating host key fingerprint.");
294
		val_free_result_chain(val_results);
295
		return -1;
296
	}
297
298
	counter = 0;
299
	for (val_res = val_results; val_res; val_res = val_res->val_rc_next)  {
300
		struct val_rrset_rec *val_rrset;
301
		struct val_rr_rec *rr;
302
303
		val_rrset = val_res->val_rc_rrset;
304
		if ((NULL == val_rrset) || (NULL == val_rrset->val_rrset_data)) 
305
			continue;
306
307
		for(rr = val_rrset->val_rrset_data; rr;
308
		    rr = rr->rr_next) {
309
310
			if (NULL == rr->rr_rdata)
311
				continue;
312
313
			/*
314
			 * Extract the key from the answer. Ignore any badly
315
			 * formatted fingerprints.
316
			 */
317
			if (!dns_read_rdata(&dnskey_algorithm, &dnskey_digest_type,
318
			    &dnskey_digest, &dnskey_digest_len,
319
			    rr->rr_rdata,
320
			    rr->rr_rdata_length)) {
321
				verbose("Error parsing fingerprint from DNS.");
322
				continue;
323
			}
324
325
			++counter;
326
327
			/* Check if the current key is the same as the given key */
328
			if (hostkey_algorithm == dnskey_algorithm &&
329
			    hostkey_digest_type == dnskey_digest_type) {
330
331
				if (hostkey_digest_len == dnskey_digest_len &&
332
				    memcmp(hostkey_digest, dnskey_digest,
333
				    hostkey_digest_len) == 0) {
334
335
					debug("found matching fingerprints in DNS");
336
					*flags |= DNS_VERIFY_MATCH;
337
338
339
340
				}
341
			}
342
			xfree(dnskey_digest);
343
		}
344
	    if (val_istrusted(val_res->val_rc_status)) {
345
		    /*
346
		     * local validation can result in a non-secure, but trusted
347
		     * response. For example, in a corporate network the authoritative
348
		     * server for internal DNS may be on the internal network, behind
349
		     * a firewall. Local validation policy can be configured to trust
350
		     * these results without using DNSSEC to validate them.
351
		     */
352
		    *flags |= DNS_VERIFY_TRUSTED;
353
		    if (val_isvalidated(val_res->val_rc_status)) {
354
			    *flags |= DNS_VERIFY_SECURE;
355
			    debug("found %d trusted fingerprints in DNS", counter);
356
		    } else  {
357
			    debug("found %d trusted, but not validated, fingerprints in DNS", counter);
358
		    }
359
	    } else {
360
		    debug("found %d un-trusted fingerprints in DNS", counter);
361
	    }
362
	}
363
	if(counter)
364
		*flags |= DNS_VERIFY_FOUND;
365
366
	xfree(hostkey_digest); /* from key_fingerprint_raw() */
367
	val_free_result_chain(val_results);
368
#endif /* */
270
369
271
	if (*flags & DNS_VERIFY_FOUND)
370
	if (*flags & DNS_VERIFY_FOUND)
272
		if (*flags & DNS_VERIFY_MATCH)
371
		if (*flags & DNS_VERIFY_MATCH)
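Review bot: The libval error path in verify_host_key_dns dereferences `val_results->val_rc_status` right after `val_resolve_and_check` returned something other than VAL_NO_ERROR, but `val_results` was initialised to NULL and nothing here shows it is populated on a failed call, so a resolver-configuration or allocation failure becomes a NULL dereference in the ssh client, and any chain that was returned is leaked. A second, security-relevant problem is in the result loop: `DNS_VERIFY_MATCH` is set from whichever chain carried the matching RR while `DNS_VERIFY_TRUSTED`/`DNS_VERIFY_SECURE` are OR-ed in from every chain, so with more than one chain the `MATCH && SECURE` test in sshconnect.c can be satisfied by a validated chain that did not contain the match; the getrrsetbyname path never had this ambiguity because it sees one rrset. The rewrite below reports the error code without touching the chain and only marks the answer trusted/secure when every chain that actually yielded a fingerprint passed the corresponding test. verify_host_key_dns begins and ends outside the visible hunks.
```c
	result = val_resolve_and_check(NULL, hostname, DNS_RDATACLASS_IN,
	    DNS_RDATATYPE_SSHFP, 0, &val_results);
	if (result != VAL_NO_ERROR) {
		/* val_results may be NULL here: report the code, do not dereference */
		verbose("DNS lookup error: %d", result);
		if (val_results != NULL)
			val_free_result_chain(val_results);
		return -1;
	}

	/* … unchanged: dns_read_key() of the presented host key … */

	counter = 0;
	all_trusted = all_secure = 1;	/* new int locals */
	for (val_res = val_results; val_res; val_res = val_res->val_rc_next) {
		u_int chain_count = 0;

		/* … unchanged: walk val_rc_rrset, dns_read_rdata(), match test;
		 *   additionally ++chain_count beside ++counter … */

		if (chain_count == 0)
			continue;	/* no usable SSHFP in this chain: it says nothing */
		if (!val_istrusted(val_res->val_rc_status))
			all_trusted = 0;
		if (!val_isvalidated(val_res->val_rc_status))
			all_secure = 0;
	}
	if (counter) {
		*flags |= DNS_VERIFY_FOUND;
		if (all_trusted) {
			*flags |= DNS_VERIFY_TRUSTED;
			if (all_secure)
				*flags |= DNS_VERIFY_SECURE;
		}
	}
```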
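--- a/clean/openssh-5.3p1/dns.h
+++ b/clean/openssh-5.3p1/dns.h
@@ -45,6 +45,7 @@
 #define DNS_VERIFY_FOUND	0x00000001
 #define DNS_VERIFY_MATCH	0x00000002
 #define DNS_VERIFY_SECURE	0x00000004
+#define DNS_VERIFY_TRUSTED	0x00000008
 
 int	verify_host_key_dns(const char *, struct sockaddr *, Key *, int *);
 int	export_dns_rr(const char *, Key *, FILE *, int);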
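Review bot: `DNS_VERIFY_TRUSTED` is introduced without a comment, and its relationship to `DNS_VERIFY_SECURE` is not visible from the header: dns.c sets TRUSTED for answers accepted by local libval policy whether or not they were DNSSEC-validated, and sets SECURE only for validated answers, so SECURE implies TRUSTED but not the reverse. Suggest `/* accepted by local validation policy; may be set without DNS_VERIFY_SECURE */` on the new line so callers that test only one of the two flags know what they are distinguishing.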
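--- a/clean/openssh-5.3p1/readconf.c
+++ b/clean/openssh-5.3p1/readconf.c
@@ -133,6 +133,7 @@
 	oHashKnownHosts,
 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
 	oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
+        oStrictDnssecChecking, oAutoAnswerValidatedKeys,
 	oDeprecated, oUnsupported
 } OpCodes;
 
@@ -249,6 +250,13 @@
 #else
 	{ "zeroknowledgepasswordauthentication", oUnsupported },
 #endif
+#ifdef DNSSEC_LOCAL_VALIDATION
+        { "strictdnssecchecking", oStrictDnssecChecking },
+        { "autoanswervalidatedkeys", oAutoAnswerValidatedKeys },
+#else
+        { "strictdnssecchecking", oUnsupported },
+        { "autoanswervalidatedkeys", oUnsupported },
+#endif
 
 	{ NULL, oBadOption }
 };
@@ -535,6 +543,14 @@
 			*intptr = value;
 		break;
 
+	case oStrictDnssecChecking:
+		intptr = &options->strict_dnssec_checking;
+                goto parse_yesnoask;
+
+	case oAutoAnswerValidatedKeys:
+		intptr = &options->autoanswer_validated_keys;
+                goto parse_yesnoask;
+
 	case oCompression:
 		intptr = &options->compression;
 		goto parse_flag;
@@ -1096,6 +1112,8 @@
 	options->batch_mode = -1;
 	options->check_host_ip = -1;
 	options->strict_host_key_checking = -1;
+	options->strict_dnssec_checking = -1;
+        options->autoanswer_validated_keys = -1;
 	options->compression = -1;
 	options->tcp_keep_alive = -1;
 	options->compression_level = -1;
@@ -1207,6 +1225,10 @@
 		options->check_host_ip = 1;
 	if (options->strict_host_key_checking == -1)
 		options->strict_host_key_checking = 2;	/* 2 is default */
+	if (options->strict_dnssec_checking == -1)
+		options->strict_dnssec_checking = 2;	/* 2 is default */
+	if (options->autoanswer_validated_keys == -1)
+		options->autoanswer_validated_keys = 0;	/* 0 is default */
 	if (options->compression == -1)
 		options->compression = 0;
 	if (options->tcp_keep_alive == -1)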
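Review bot: `case oAutoAnswerValidatedKeys` jumps to `parse_yesnoask`, yet every consumer in sshconnect.c tests `options.autoanswer_validated_keys` as a plain boolean, so `AutoAnswerValidatedKeys ask` is accepted by the parser and then behaves exactly like `yes`; for an option that suppresses a host-key prompt that is the wrong way to fail. Make it `goto parse_flag;` so only yes/no are accepted (the default of 0 is unaffected). StrictDnssecChecking genuinely is tri-state, so its `parse_yesnoask` is right, but its default comment would be clearer as `/* 2 == ask is default */`. The added lines also use runs of spaces where the surrounding enum, table and switch are tab-indented.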
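--- a/clean/openssh-5.3p1/readconf.h
+++ b/clean/openssh-5.3p1/readconf.h
@@ -125,6 +125,9 @@ typedef struct {
 
 	int	use_roaming;
 
+	int     strict_dnssec_checking;	/* Strict DNSSEC checking. */
+	int     autoanswer_validated_keys;
+
 }       Options;
 
 #define SSHCTL_MASTER_NO	0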
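Review bot: The two new Options fields are barely documented: `strict_dnssec_checking` is labelled only "Strict DNSSEC checking." and `autoanswer_validated_keys` has no comment at all, while their meaning (a yes/no/ask value governing the prompt when ssh_connect's address lookup is not DNSSEC-trusted, and a flag letting a matching, DNSSEC-validated SSHFP record accept a new or changed host key without prompting) is only discoverable from sshconnect.c. Suggest `/* StrictDnssecChecking: 0 no, 1 yes, 2 ask (untrusted address lookup) */` and `/* AutoAnswerValidatedKeys: accept host key on validated SSHFP match */`. The `int     ` spacing also differs from the tab-separated declarations around it.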
(-)clean/openssh-5.3p1/sshconnect.c (-2 / +186 lines)
Lines 26-31 Link Here
26
#include <netinet/in.h>
26
#include <netinet/in.h>
27
#include <arpa/inet.h>
27
#include <arpa/inet.h>
28
28
29
#ifdef DNSSEC_LOCAL_VALIDATION
30
# include <validator/validator.h>
31
#endif
32
29
#include <ctype.h>
33
#include <ctype.h>
30
#include <errno.h>
34
#include <errno.h>
31
#include <fcntl.h>
35
#include <fcntl.h>
Lines 67-72 Link Here
67
char *server_version_string = NULL;
71
char *server_version_string = NULL;
68
72
69
static int matching_host_key_dns = 0;
73
static int matching_host_key_dns = 0;
74
#ifdef DNSSEC_LOCAL_VALIDATION
75
static int validated_host_key_dns = 0;
76
#endif
70
77
71
/* import */
78
/* import */
72
extern Options options;
79
extern Options options;
Lines 77-82 Link Here
77
84
78
static int show_other_keys(const char *, Key *);
85
static int show_other_keys(const char *, Key *);
79
static void warn_changed_key(Key *);
86
static void warn_changed_key(Key *);
87
static int confirm(const char *prompt);
80
88
81
/*
89
/*
82
 * Connect to the given ssh server using a proxy command.
90
 * Connect to the given ssh server using a proxy command.
Lines 330-336 Link Here
330
	int on = 1;
338
	int on = 1;
331
	int sock = -1, attempt;
339
	int sock = -1, attempt;
332
	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
340
	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
333
	struct addrinfo hints, *ai, *aitop;
341
	struct addrinfo hints;
342
	struct addrinfo *ai, *aitop = NULL;
343
#ifdef DNSSEC_LOCAL_VALIDATION
344
	val_status_t val_status;
345
#endif
334
346
335
	debug2("ssh_connect: needpriv %d", needpriv);
347
	debug2("ssh_connect: needpriv %d", needpriv);
336
348
Lines 344-352 Link Here
344
	hints.ai_family = family;
356
	hints.ai_family = family;
345
	hints.ai_socktype = SOCK_STREAM;
357
	hints.ai_socktype = SOCK_STREAM;
346
	snprintf(strport, sizeof strport, "%u", port);
358
	snprintf(strport, sizeof strport, "%u", port);
359
#ifndef DNSSEC_LOCAL_VALIDATION
347
	if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
360
	if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
348
		fatal("%s: Could not resolve hostname %.100s: %s", __progname,
361
		fatal("%s: Could not resolve hostname %.100s: %s", __progname,
349
		    host, ssh_gai_strerror(gaierr));
362
		    host, ssh_gai_strerror(gaierr));
363
#else
364
	gaierr = val_getaddrinfo(NULL, host, strport, &hints, &aitop,
365
                                 &val_status);
366
        debug2("ssh_connect: gaierr %d, val_status %d / %s; trusted: %d",
367
               gaierr, val_status, p_val_status(val_status),
368
               val_istrusted(val_status));
369
	if (gaierr != 0) {
370
            if (VAL_GETADDRINFO_HAS_STATUS(gaierr) &&
371
                !val_istrusted(val_status)) {
372
                error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
373
                error("@ WARNING: UNTRUSTED ERROR IN DNS RESOLUTION FOR HOST!    @");
374
                error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
375
                error("The authenticity of DNS response is not trusted (%s).", 
376
                      p_val_status(val_status));
377
            }
378
		fatal("%s: Could not resolve hostname %.100s: %s", __progname,
379
		    host, ssh_gai_strerror(gaierr));
380
        }
381
 	if (!val_istrusted(val_status)) {
382
            error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
383
            error("@ WARNING: UNTRUSTED DNS RESOLUTION FOR HOST IP ADRRESS! @");
384
            error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
385
            error("The authenticity of DNS data for the host '%.200s' "
386
                  "can't be established.", host);
387
            if (options.strict_dnssec_checking == 1) {
388
                fatal("DNS resolution is not trusted (%s) "
389
                      "and you have requested strict checking",
390
                      p_val_status(val_status));
391
            } else if (options.strict_dnssec_checking == 2) {
392
                char msg[1024];
393
                for (ai = aitop; ai; ai = ai->ai_next) {
394
                    if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
395
                        continue;
396
                    if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
397
                            ntop, sizeof(ntop), strport, sizeof(strport),
398
                            NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
399
                        error("ssh_connect: getnameinfo failed");
400
                        continue;
401
                    }
402
                    error(" IP address %s port %s", ntop, strport);
403
                }
404
                snprintf(msg,sizeof(msg),
405
                         "Are you sure you want to attempt to connect "
406
                         "(yes/no)? ");
407
                if (!confirm(msg)) 
408
                    return (-1);
409
            }
410
 	}
411
#endif /* DNSSEC_LOCAL_VALIDATION */
350
412
351
	for (attempt = 0; attempt < connection_attempts; attempt++) {
413
	for (attempt = 0; attempt < connection_attempts; attempt++) {
352
		if (attempt > 0) {
414
		if (attempt > 0) {
Lines 768-773 Link Here
768
		}
830
		}
769
		break;
831
		break;
770
	case HOST_NEW:
832
	case HOST_NEW:
833
		debug("Host '%.200s' new.", host);
771
		if (options.host_key_alias == NULL && port != 0 &&
834
		if (options.host_key_alias == NULL && port != 0 &&
772
		    port != SSH_DEFAULT_PORT) {
835
		    port != SSH_DEFAULT_PORT) {
773
			debug("checking without port identifier");
836
			debug("checking without port identifier");
Lines 814-819 Link Here
814
					    "No matching host key fingerprint"
877
					    "No matching host key fingerprint"
815
					    " found in DNS.\n");
878
					    " found in DNS.\n");
816
			}
879
			}
880
#ifdef DNSSEC_LOCAL_VALIDATION
881
                        if (options.autoanswer_validated_keys &&
882
                            validated_host_key_dns && matching_host_key_dns) {
883
                            snprintf(msg, sizeof(msg),
884
                                     "The authenticity of host '%.200s (%s)' was "
885
                                     " validated via DNSSEC%s",
886
                                     host, ip, msg1);
887
                            logit(msg);
888
                            xfree(fp);
889
                        } else {
890
#endif
817
			snprintf(msg, sizeof(msg),
891
			snprintf(msg, sizeof(msg),
818
			    "The authenticity of host '%.200s (%s)' can't be "
892
			    "The authenticity of host '%.200s (%s)' can't be "
819
			    "established%s\n"
893
			    "established%s\n"
Lines 828-833 Link Here
828
			xfree(fp);
902
			xfree(fp);
829
			if (!confirm(msg))
903
			if (!confirm(msg))
830
				goto fail;
904
				goto fail;
905
#ifdef DNSSEC_LOCAL_VALIDATION
906
                        }
907
#endif
831
		}
908
		}
832
		/*
909
		/*
833
		 * If not in strict mode, add the key automatically to the
910
		 * If not in strict mode, add the key automatically to the
Lines 903-908 Link Here
903
				key_msg = "is unchanged";
980
				key_msg = "is unchanged";
904
			else
981
			else
905
				key_msg = "has a different value";
982
				key_msg = "has a different value";
983
#ifdef DNSSEC_LOCAL_VALIDATION
984
                        if (!validated_host_key_dns) {
906
			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
985
			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
907
			error("@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @");
986
			error("@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @");
908
			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
987
			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
Lines 911-916 Link Here
911
			error("%s. This could either mean that", key_msg);
990
			error("%s. This could either mean that", key_msg);
912
			error("DNS SPOOFING is happening or the IP address for the host");
991
			error("DNS SPOOFING is happening or the IP address for the host");
913
			error("and its host key have changed at the same time.");
992
			error("and its host key have changed at the same time.");
993
                        }
994
                        else {
995
#endif
996
			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
997
			error("@       WARNING: HOST IP ADDRESS HAS CHANGED!             @");
998
			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
999
                        error("The %s host key for %s has changed,", type, host);
1000
			error("and the key for the according IP address %s", ip);
1001
			error("%s. The IP address for the host", key_msg);
1002
			error("and its host key have changed at the same time.");
1003
#ifdef DNSSEC_LOCAL_VALIDATION
1004
                        }
1005
#endif
914
			if (ip_status != HOST_NEW)
1006
			if (ip_status != HOST_NEW)
915
				error("Offending key for IP in %s:%d", ip_file, ip_line);
1007
				error("Offending key for IP in %s:%d", ip_file, ip_line);
916
		}
1008
		}
Lines 924-934 Link Here
924
		 * If strict host key checking is in use, the user will have
1016
		 * If strict host key checking is in use, the user will have
925
		 * to edit the key manually and we can only abort.
1017
		 * to edit the key manually and we can only abort.
926
		 */
1018
		 */
1019
#ifdef DNSSEC_LOCAL_VALIDATION
1020
		if ((options.strict_host_key_checking == 2) &&
1021
                    options.autoanswer_validated_keys &&
1022
                    matching_host_key_dns && validated_host_key_dns) {
1023
                    logit("The authenticity of host '%.200s (%s)' was "
1024
                          " validated via DNSSEC.",
1025
                          host, ip);
1026
                    /*
1027
                     * If not in strict mode, add the key automatically to the
1028
                     * local known_hosts file.
1029
                     */
1030
                    if (options.check_host_ip && ip_status == HOST_NEW) {
1031
			snprintf(hostline, sizeof(hostline), "%s,%s",
1032
                                 host, ip);
1033
			hostp = hostline;
1034
			if (options.hash_known_hosts) {
1035
                            /* Add hash of host and IP separately */
1036
                            r = add_host_to_hostfile(user_hostfile, host,
1037
                                                     host_key, options.hash_known_hosts) &&
1038
                                add_host_to_hostfile(user_hostfile, ip,
1039
                                                     host_key, options.hash_known_hosts);
1040
			} else {
1041
                            /* Add unhashed "host,ip" */
1042
                            r = add_host_to_hostfile(user_hostfile,
1043
                                                     hostline, host_key,
1044
                                                     options.hash_known_hosts);
1045
			}
1046
                    } else {
1047
			r = add_host_to_hostfile(user_hostfile, host, host_key,
1048
                                                 options.hash_known_hosts);
1049
			hostp = host;
1050
                    }
1051
                    
1052
                    if (!r)
1053
			logit("Failed to add the host to the list of known "
1054
                              "hosts (%.500s).", user_hostfile);
1055
                    else
1056
			logit("Warning: Permanently added '%.200s' (%s) to the "
1057
                              "list of known hosts.", hostp, type);
1058
                }
1059
                else
1060
#endif
927
		if (options.strict_host_key_checking) {
1061
		if (options.strict_host_key_checking) {
928
			error("%s host key for %.200s has changed and you have "
1062
			error("%s host key for %.200s has changed and you have "
929
			    "requested strict checking.", type, host);
1063
			    "requested strict checking.", type, host);
930
			goto fail;
1064
			goto fail;
931
		}
1065
		} else {
932
1066
933
 continue_unsafe:
1067
 continue_unsafe:
934
		/*
1068
		/*
Lines 992-997 Link Here
992
		 * by that sentence, and ask the user if he/she wishes to
1126
		 * by that sentence, and ask the user if he/she wishes to
993
		 * accept the authentication.
1127
		 * accept the authentication.
994
		 */
1128
		 */
1129
                }
995
		break;
1130
		break;
996
	case HOST_FOUND:
1131
	case HOST_FOUND:
997
		fatal("internal error");
1132
		fatal("internal error");
Lines 1016-1025 Link Here
1016
			error("Exiting, you have requested strict checking.");
1151
			error("Exiting, you have requested strict checking.");
1017
			goto fail;
1152
			goto fail;
1018
		} else if (options.strict_host_key_checking == 2) {
1153
		} else if (options.strict_host_key_checking == 2) {
1154
#ifdef DNSSEC_LOCAL_VALIDATION
1155
                    if (options.autoanswer_validated_keys &&
1156
                        matching_host_key_dns && validated_host_key_dns) {
1157
			logit("%s", msg);
1158
                    } else {
1159
#endif
1019
			strlcat(msg, "\nAre you sure you want "
1160
			strlcat(msg, "\nAre you sure you want "
1020
			    "to continue connecting (yes/no)? ", sizeof(msg));
1161
			    "to continue connecting (yes/no)? ", sizeof(msg));
1021
			if (!confirm(msg))
1162
			if (!confirm(msg))
1022
				goto fail;
1163
				goto fail;
1164
#ifdef DNSSEC_LOCAL_VALIDATION
1165
                    }
1166
#endif
1023
		} else {
1167
		} else {
1024
			logit("%s", msg);
1168
			logit("%s", msg);
1025
		}
1169
		}
Lines 1060-1071 Link Here
1060
	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
1204
	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
1061
	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
1205
	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
1062
1206
1207
#ifdef DNSSEC_LOCAL_VALIDATION
1208
		/*
1209
		 * local validation can result in a non-secure, but trusted
1210
		 * response. For example, in a corporate network the authoritative
1211
		 * server for internal DNS may be on the internal network, behind
1212
		 * a firewall. Local validation policy can be configured to trust
1213
		 * these results without using DNSSEC to validate them.
1214
		 */
1215
		if (!(flags & DNS_VERIFY_TRUSTED)) {
1216
			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1217
			error("@  WARNING: UNTRUSTED DNS RESOLUTION FOR HOST KEY!       @");
1218
			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1219
		}
1220
                if (flags & DNS_VERIFY_SECURE)
1221
                    validated_host_key_dns = 1;
1222
#endif
1223
1063
		if (flags & DNS_VERIFY_FOUND) {
1224
		if (flags & DNS_VERIFY_FOUND) {
1064
1225
1065
			if (options.verify_host_key_dns == 1 &&
1226
			if (options.verify_host_key_dns == 1 &&
1066
			    flags & DNS_VERIFY_MATCH &&
1227
			    flags & DNS_VERIFY_MATCH &&
1067
			    flags & DNS_VERIFY_SECURE)
1228
			    flags & DNS_VERIFY_SECURE)
1229
#ifndef DNSSEC_LOCAL_VALIDATION
1068
				return 0;
1230
				return 0;
1231
#else
1232
                        {
1233
                            if (flags & DNS_VERIFY_MATCH)
1234
				matching_host_key_dns = 1;
1235
                            if (options.autoanswer_validated_keys)
1236
                                return check_host_key(host, hostaddr, options.port,
1237
                                                      host_key, RDRW,
1238
                                                      options.user_hostfile,
1239
                                                      options.system_hostfile);
1240
                            else
1241
				return 0;
1242
                        }
1243
#endif
1069
1244
1070
			if (flags & DNS_VERIFY_MATCH) {
1245
			if (flags & DNS_VERIFY_MATCH) {
1071
				matching_host_key_dns = 1;
1246
				matching_host_key_dns = 1;
Lines 1218-1226 Link Here
1218
	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1393
	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1219
	error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");
1394
	error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");
1220
	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1395
	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1396
#ifdef DNSSEC_LOCAL_VALIDATION
1397
        if (matching_host_key_dns && validated_host_key_dns) {
1398
            error("Howerver, a matching host key, validated by DNSSEC, was found.");
1399
        }
1400
        else {
1401
#endif
1221
	error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
1402
	error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
1222
	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
1403
	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
1223
	error("It is also possible that the %s host key has just been changed.", type);
1404
	error("It is also possible that the %s host key has just been changed.", type);
1405
#ifdef DNSSEC_LOCAL_VALIDATION
1406
        }
1407
#endif
1224
	error("The %sfingerprint for the %s key sent by the remote host is\n%s.",
1408
	error("The %sfingerprint for the %s key sent by the remote host is\n%s.",
1225
	    fips_on ? "SHA1 ":"", type, fp);
1409
	    fips_on ? "SHA1 ":"", type, fp);
1226
	error("Please contact your system administrator.");
1410
	error("Please contact your system administrator.");
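Review bot: In check_host_key's HOST_CHANGED branch the softened "HOST IP ADDRESS HAS CHANGED" message is chosen by `if (!validated_host_key_dns)` alone, but verify_host_key sets `validated_host_key_dns` whenever the SSHFP answer was DNSSEC-validated, matching or not; a validated SSHFP that does not match the presented key is precisely the spoofing case, yet the user is told the address and key merely changed together. Gate it as the two auto-accept sites and warn_changed_key already do: `if (!(validated_host_key_dns && matching_host_key_dns)) {`. In the HOST_NEW auto-accept path `logit(msg);` passes a buffer embedding the caller-supplied host name as the format string; use `logit("%s", msg);` as the strict==2 branch further down does. In ssh_connect the `return (-1)` after a declined prompt leaves the `aitop` list from val_getaddrinfo unfreed (the normal path presumably frees it after the connect loop), so add `freeaddrinfo(aitop);` before it; warn_changed_key's new text also misspells "However". Both functions begin and end outside the visible hunks.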
