

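--- a/configure
+++ b/configure
@@ -733,6 +733,7 @@ with_prngd_socket
 with_pam
 with_privsep_user
 with_sandbox
+with_local_dnssec_validation
 with_selinux
 with_kerberos5
 with_privsep_path
@@ -1423,6 +1424,7 @@ Optional Packages:
   --with-pam              Enable PAM support
   --with-privsep-user=user Specify non-privileged user for privilege separation
   --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)
+  --with-local-dnssec-validation Enable local DNSSEC validation using libval
   --with-selinux          Enable SELinux support
   --with-kerberos5=PATH   Enable Kerberos 5 support
   --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
@@ -14537,6 +14539,265 @@ $as_echo "#define HAVE_SYS_NERR 1" >>confdefs.h
 
 fi
 
+LIBVAL_MSG="no"
+# Check whether user wants DNSSEC local validation support
+
+# Check whether --with-local-dnssec-validation was given.
+if test "${with_local_dnssec_validation+set}" = set; then :
+  withval=$with_local_dnssec_validation;  if test "x$withval" != "xno" ; then
+ 		if test "x$withval" != "xyes" ; then
+			CPPFLAGS="$CPPFLAGS -I${withval}"
+			LDFLAGS="$LDFLAGS -L${withval}"
+			if test ! -z "$need_dash_r" ; then
+				LDFLAGS="$LDFLAGS -R${withval}"
+ 		fi
+			if test ! -z "$blibpath" ; then
+				blibpath="$blibpath:${withval}"
+ 		fi
+ 	    fi
+		for ac_header in validator/validator.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "validator/validator.h" "ac_cv_header_validator_validator_h" "$ac_includes_default"
+if test "x$ac_cv_header_validator_validator_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_VALIDATOR_VALIDATOR_H 1
+_ACEOF
+
+fi
+
+done
+
+		if test "$ac_cv_header_validator_validator_h" != yes; then
+			as_fn_error $? "Can't find validator.h" "$LINENO" 5
+		fi
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for query_send in -lsres" >&5
+$as_echo_n "checking for query_send in -lsres... " >&6; }
+if ${ac_cv_lib_sres_query_send+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lsres  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char query_send ();
+int
+main ()
+{
+return query_send ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_sres_query_send=yes
+else
+  ac_cv_lib_sres_query_send=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_sres_query_send" >&5
+$as_echo "$ac_cv_lib_sres_query_send" >&6; }
+if test "x$ac_cv_lib_sres_query_send" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBSRES 1
+_ACEOF
+
+  LIBS="-lsres $LIBS"
+
+fi
+
+		if test "$ac_cv_lib_sres_query_send" != yes; then
+			as_fn_error $? "Can't find libsres" "$LINENO" 5
+		fi
+		LIBVAL_SUFFIX=""
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for p_val_status in -lval" >&5
+$as_echo_n "checking for p_val_status in -lval... " >&6; }
+if ${ac_cv_lib_val_p_val_status+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lval  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char p_val_status ();
+int
+main ()
+{
+return p_val_status ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_val_p_val_status=yes
+else
+  ac_cv_lib_val_p_val_status=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_val_p_val_status" >&5
+$as_echo "$ac_cv_lib_val_p_val_status" >&6; }
+if test "x$ac_cv_lib_val_p_val_status" = xyes; then :
+  LIBS="$LIBS -lval"
+else
+   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_rwlock_init in -lpthread" >&5
+$as_echo_n "checking for pthread_rwlock_init in -lpthread... " >&6; }
+if ${ac_cv_lib_pthread_pthread_rwlock_init+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpthread  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char pthread_rwlock_init ();
+int
+main ()
+{
+return pthread_rwlock_init ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_pthread_pthread_rwlock_init=yes
+else
+  ac_cv_lib_pthread_pthread_rwlock_init=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_pthread_rwlock_init" >&5
+$as_echo "$ac_cv_lib_pthread_pthread_rwlock_init" >&6; }
+if test "x$ac_cv_lib_pthread_pthread_rwlock_init" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBPTHREAD 1
+_ACEOF
+
+  LIBS="-lpthread $LIBS"
+
+fi
+
+			  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for p_val_status in -lval-threads" >&5
+$as_echo_n "checking for p_val_status in -lval-threads... " >&6; }
+if ${ac_cv_lib_val_threads_p_val_status+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lval-threads  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char p_val_status ();
+int
+main ()
+{
+return p_val_status ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_val_threads_p_val_status=yes
+else
+  ac_cv_lib_val_threads_p_val_status=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_val_threads_p_val_status" >&5
+$as_echo "$ac_cv_lib_val_threads_p_val_status" >&6; }
+if test "x$ac_cv_lib_val_threads_p_val_status" = xyes; then :
+   LIBS="$LIBS -lval-threads -lpthread"
+				  LIBVAL_SUFFIX="-threads"
+else
+  as_fn_error $? "Can't find libval or libval-threads" "$LINENO" 5
+fi
+
+
+fi
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for res_query in -lresolv" >&5
+$as_echo_n "checking for res_query in -lresolv... " >&6; }
+if ${ac_cv_lib_resolv_res_query+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lresolv  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char res_query ();
+int
+main ()
+{
+return res_query ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_resolv_res_query=yes
+else
+  ac_cv_lib_resolv_res_query=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_resolv_res_query" >&5
+$as_echo "$ac_cv_lib_resolv_res_query" >&6; }
+if test "x$ac_cv_lib_resolv_res_query" = xyes; then :
+  LIBS="$LIBS -lresolv"
+fi
+
+
+$as_echo "#define DNSSEC_LOCAL_VALIDATION 1" >>confdefs.h
+
+		LIBVAL_MSG="yes, libval${LIBVAL_SUFFIX}"
+	fi
+
+fi
+
+
 # Check libraries needed by DNS fingerprint support
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing getrrsetbyname" >&5
 $as_echo_n "checking for library containing getrrsetbyname... " >&6; }
@@ -17930,6 +18191,7 @@ echo " MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
 echo "           Solaris project support: $SP_MSG"
+echo "   Local DNSSEC validation support: $LIBVAL_MSG"
 echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"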
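--- a/configure.ac
+++ b/configure.ac
@@ -3389,6 +3389,44 @@ if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
 	AC_DEFINE([HAVE_SYS_NERR], [1], [Define if your system defines sys_nerr])
 fi
 
+LIBVAL_MSG="no"
+# Check whether user wants DNSSEC local validation support
+AC_ARG_WITH(local-dnssec-validation,
+	[  --with-local-dnssec-validation Enable local DNSSEC validation using libval],
+	[ if test "x$withval" != "xno" ; then
+ 		if test "x$withval" != "xyes" ; then
+			CPPFLAGS="$CPPFLAGS -I${withval}"
+			LDFLAGS="$LDFLAGS -L${withval}"
+			if test ! -z "$need_dash_r" ; then
+				LDFLAGS="$LDFLAGS -R${withval}"
+ 		fi
+			if test ! -z "$blibpath" ; then
+				blibpath="$blibpath:${withval}"
+ 		fi
+ 	    fi
+		AC_CHECK_HEADERS(validator/validator.h)
+		if test "$ac_cv_header_validator_validator_h" != yes; then
+			AC_MSG_ERROR(Can't find validator.h)
+		fi
+		AC_CHECK_LIB(sres, query_send)
+		if test "$ac_cv_lib_sres_query_send" != yes; then
+			AC_MSG_ERROR(Can't find libsres)
+		fi
+		LIBVAL_SUFFIX=""
+		AC_CHECK_LIB(val, p_val_status,LIBS="$LIBS -lval",
+			[ AC_CHECK_LIB(pthread, pthread_rwlock_init)
+			  AC_CHECK_LIB(val-threads, p_val_status,
+				[ LIBS="$LIBS -lval-threads -lpthread"
+				  LIBVAL_SUFFIX="-threads"],
+				AC_MSG_ERROR(Can't find libval or libval-threads))
+			])
+		AC_CHECK_LIB(resolv, res_query,LIBS="$LIBS -lresolv")
+		AC_DEFINE(DNSSEC_LOCAL_VALIDATION, 1,
+			[Define if you want local DNSSEC validation support])
+		LIBVAL_MSG="yes, libval${LIBVAL_SUFFIX}"
+	fi
+        ])
+
 # Check libraries needed by DNS fingerprint support
 AC_SEARCH_LIBS([getrrsetbyname], [resolv],
 	[AC_DEFINE([HAVE_GETRRSETBYNAME], [1],
@@ -4345,6 +4383,7 @@ echo " MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
 echo "           Solaris project support: $SP_MSG"
+echo "   Local DNSSEC validation support: $LIBVAL_MSG"
 echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"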
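Review bot: The explicit action `LIBS="$LIBS -lval"` in the `AC_CHECK_LIB(val, p_val_status, ...)` call at line 3416 appends `-lval` after everything already in `$LIBS`, whereas the preceding `AC_CHECK_LIB(sres, query_send)` at line 3411 takes the default action and prepends `-lsres`; if libval depends on libsres, as the `-lval-threads -lpthread` fallback suggests, a left-to-right static link will have scanned libsres before libval asks for its symbols. The same append-after pattern is used for `-lval-threads -lpthread` at line 3419 and `-lresolv` at line 3423; prepending, e.g. `LIBS="-lval $LIBS"`, keeps the dependency-first order the default action produces, and the result of `AC_CHECK_LIB(pthread, pthread_rwlock_init)` at line 3417 should be consulted before `-lpthread` is added unconditionally at line 3419. Consider also bracket-quoting the error messages at lines 3409, 3413 and 3421 as the rest of the file does for `AC_MSG_ERROR`.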
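--- a/dns.c
+++ b/dns.c
@@ -35,6 +35,10 @@
 #include <stdio.h>
 #include <string.h>
 
+#ifdef DNSSEC_LOCAL_VALIDATION
+# include <validator/validator.h>
+#endif
+
 #include "xmalloc.h"
 #include "key.h"
 #include "dns.h"
@@ -177,7 +181,11 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 {
 	u_int counter;
 	int result;
+#ifndef DNSSEC_LOCAL_VALIDATION
 	struct rrsetinfo *fingerprints = NULL;
+#else
+	struct val_result_chain *val_res, *val_results = NULL;
+#endif
 
 	u_int8_t hostkey_algorithm;
 	u_int8_t hostkey_digest_type;
@@ -200,6 +208,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 		return -1;
 	}
 
+#ifndef DNSSEC_LOCAL_VALIDATION
 	result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
 	    DNS_RDATATYPE_SSHFP, 0, &fingerprints);
 	if (result) {
@@ -208,7 +217,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 	}
 
 	if (fingerprints->rri_flags & RRSET_VALIDATED) {
-		*flags |= DNS_VERIFY_SECURE;
+		*flags |= (DNS_VERIFY_SECURE|DNS_VERIFY_TRUSTED);
 		debug("found %d secure fingerprints in DNS",
 		    fingerprints->rri_nrdatas);
 	} else {
@@ -257,6 +266,90 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 	xfree(hostkey_digest); /* from key_fingerprint_raw() */
 	freerrset(fingerprints);
 
+#else /* DNSSEC_LOCAL_VALIDATION */
+
+	result = val_resolve_and_check(NULL, hostname, DNS_RDATACLASS_IN,
+	    DNS_RDATATYPE_SSHFP, 0, &val_results);
+	if (result != VAL_NO_ERROR){
+		verbose("DNS lookup error: %s", p_ac_status(val_results->val_rc_status));
+		return -1;
+	}
+
+	/* Initialize host key parameters */
+	if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type,
+	    &hostkey_digest, &hostkey_digest_len, hostkey)) {
+		error("Error calculating host key fingerprint.");
+		val_free_result_chain(val_results);
+		return -1;
+	}
+
+	counter = 0;
+	for (val_res = val_results; val_res; val_res = val_res->val_rc_next)  {
+		struct val_rrset_rec *val_rrset;
+		struct val_rr_rec *rr;
+
+		val_rrset = val_res->val_rc_rrset;
+		if ((NULL == val_rrset) || (NULL == val_rrset->val_rrset_data)) 
+			continue;
+
+		for(rr = val_rrset->val_rrset_data; rr;
+		    rr = rr->rr_next) {
+
+			if (NULL == rr->rr_rdata)
+				continue;
+
+			/*
+			 * Extract the key from the answer. Ignore any badly
+			 * formatted fingerprints.
+			 */
+			if (!dns_read_rdata(&dnskey_algorithm, &dnskey_digest_type,
+			    &dnskey_digest, &dnskey_digest_len,
+			    rr->rr_rdata,
+			    rr->rr_rdata_length)) {
+				verbose("Error parsing fingerprint from DNS.");
+				continue;
+			}
+
+			++counter;
+
+			/* Check if the current key is the same as the given key */
+			if (hostkey_algorithm == dnskey_algorithm &&
+			    hostkey_digest_type == dnskey_digest_type) {
+				if (hostkey_digest_len == dnskey_digest_len &&
+				    memcmp(hostkey_digest, dnskey_digest,
+				    hostkey_digest_len) == 0) {
+					debug("found matching fingerprints in DNS");
+					*flags |= DNS_VERIFY_MATCH;
+				}
+			}
+			xfree(dnskey_digest);
+		}
+	    if (val_istrusted(val_res->val_rc_status)) {
+		    /*
+		     * local validation can result in a non-secure, but trusted
+		     * response. For example, in a corporate network the authoritative
+		     * server for internal DNS may be on the internal network, behind
+		     * a firewall. Local validation policy can be configured to trust
+		     * these results without using DNSSEC to validate them.
+		     */
+		    *flags |= DNS_VERIFY_TRUSTED;
+		    if (val_isvalidated(val_res->val_rc_status)) {
+			    *flags |= DNS_VERIFY_SECURE;
+			    debug("found %d trusted fingerprints in DNS", counter);
+		    } else  {
+			    debug("found %d trusted, but not validated, fingerprints in DNS", counter);
+		    }
+	    } else {
+		    debug("found %d un-trusted fingerprints in DNS", counter);
+	    }
+	}
+	if(counter)
+		*flags |= DNS_VERIFY_FOUND;
+
+	xfree(hostkey_digest); /* from key_fingerprint_raw() */
+	val_free_result_chain(val_results);
+#endif /* DNSSEC_LOCAL_VALIDATION */
+
 	if (*flags & DNS_VERIFY_FOUND)
 		if (*flags & DNS_VERIFY_MATCH)
 			debug("matching host key fingerprint found in DNS");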
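Review bot: In the new libval path the trust flags at lines 327-344 are ORed into `*flags` for every result in the chain, while DNS_VERIFY_MATCH at line 322 is set from whichever result happened to hold the matching fingerprint, so a match taken from an untrusted RRset plus any other trusted result leaves the caller seeing MATCH together with SECURE/TRUSTED — and the auto-accept branch added in sshconnect.c appears to test exactly that pair. Record the trust status of the result that produced the match and let it, rather than the union, decide SECURE/TRUSTED whenever a match exists; the existing per-result reporting can stay for the no-match case. Separately, the error path at line 274 dereferences `val_results`, which is initialised to NULL at line 187 and is not necessarily populated when `val_resolve_and_check` fails, and it never releases a chain that was returned; `verbose("DNS lookup error: %d", result);` followed by `if (val_results != NULL) val_free_result_chain(val_results);` avoids both. `counter` is also cumulative across results, so the per-result debug counts at lines 338-343 overstate later results. verify_host_key_dns starts and ends outside this hunk.
```c
	/* declared next to val_res/val_results at the top of the function */
	int match_trusted = 0, match_validated = 0;
	/* … unchanged: val_resolve_and_check(), dns_read_key() … */
	for (val_res = val_results; val_res; val_res = val_res->val_rc_next)  {
		/* … unchanged: rrset walk, dns_read_rdata(), ++counter … */
					debug("found matching fingerprints in DNS");
					*flags |= DNS_VERIFY_MATCH;
					/* remember the trust of the RRset the match came from;
					 * if several results match, keep the strongest status */
					if (val_istrusted(val_res->val_rc_status))
						match_trusted = 1;
					if (val_isvalidated(val_res->val_rc_status))
						match_validated = 1;
		/* … unchanged: xfree(dnskey_digest), per-result trust debug() … */
	}
	if (*flags & DNS_VERIFY_MATCH) {
		/* SECURE/TRUSTED must describe the matching RRset, not the union */
		*flags &= ~(DNS_VERIFY_SECURE|DNS_VERIFY_TRUSTED);
		if (match_trusted)
			*flags |= DNS_VERIFY_TRUSTED;
		if (match_validated)
			*flags |= DNS_VERIFY_SECURE;
	}
	if(counter)
		*flags |= DNS_VERIFY_FOUND;
```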
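--- a/dns.h
+++ b/dns.h
@@ -45,6 +45,7 @@ enum sshfp_hashes {
 #define DNS_VERIFY_FOUND	0x00000001
 #define DNS_VERIFY_MATCH	0x00000002
 #define DNS_VERIFY_SECURE	0x00000004
+#define DNS_VERIFY_TRUSTED	0x00000008
 
 int	verify_host_key_dns(const char *, struct sockaddr *, Key *, int *);
 int	export_dns_rr(const char *, Key *, FILE *, int);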
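Review bot: `DNS_VERIFY_TRUSTED` at line 48 is added without any comment, and its relationship to `DNS_VERIFY_SECURE` — dns.c sets TRUSTED for answers the local validation policy accepts and SECURE only for those it actually validated, and the getrrsetbyname path now sets both together — is explained only in a comment deep inside dns.c. Since callers decide whether to skip the host-key prompt on these bits, document them at the definition: `#define DNS_VERIFY_TRUSTED	0x00000008	/* answer accepted by local validation policy; SECURE implies TRUSTED */`.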
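--- a/readconf.c
+++ b/readconf.c
@@ -134,6 +134,7 @@ typedef enum {
 	oHashKnownHosts,
 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
 	oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
+        oStrictDnssecChecking, oAutoAnswerValidatedKeys,
 	oKexAlgorithms, oIPQoS, oRequestTTY,
 	oDeprecated, oUnsupported
 } OpCodes;
@@ -243,6 +244,13 @@ static struct {
 #else
 	{ "zeroknowledgepasswordauthentication", oUnsupported },
 #endif
+#ifdef DNSSEC_LOCAL_VALIDATION
+        { "strictdnssecchecking", oStrictDnssecChecking },
+        { "autoanswervalidatedkeys", oAutoAnswerValidatedKeys },
+#else
+        { "strictdnssecchecking", oUnsupported },
+        { "autoanswervalidatedkeys", oUnsupported },
+#endif
 	{ "kexalgorithms", oKexAlgorithms },
 	{ "ipqos", oIPQoS },
 	{ "requesttty", oRequestTTY },
@@ -519,6 +527,14 @@ parse_yesnoask:
 			*intptr = value;
 		break;
 
+	case oStrictDnssecChecking:
+		intptr = &options->strict_dnssec_checking;
+                goto parse_yesnoask;
+
+	case oAutoAnswerValidatedKeys:
+		intptr = &options->autoanswer_validated_keys;
+                goto parse_yesnoask;
+
 	case oCompression:
 		intptr = &options->compression;
 		goto parse_flag;
@@ -1148,6 +1164,8 @@ initialize_options(Options * options)
 	options->batch_mode = -1;
 	options->check_host_ip = -1;
 	options->strict_host_key_checking = -1;
+	options->strict_dnssec_checking = -1;
+        options->autoanswer_validated_keys = -1;
 	options->compression = -1;
 	options->tcp_keep_alive = -1;
 	options->compression_level = -1;
@@ -1255,6 +1273,10 @@ fill_default_options(Options * options)
 		options->check_host_ip = 1;
 	if (options->strict_host_key_checking == -1)
 		options->strict_host_key_checking = 2;	/* 2 is default */
+	if (options->strict_dnssec_checking == -1)
+		options->strict_dnssec_checking = 2;	/* 2 is default */
+	if (options->autoanswer_validated_keys == -1)
+		options->autoanswer_validated_keys = 0;	/* 0 is default */
 	if (options->compression == -1)
 		options->compression = 0;
 	if (options->tcp_keep_alive == -1)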
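Review bot: `case oAutoAnswerValidatedKeys` at line 534 jumps to `parse_yesnoask`, which also accepts "ask" and stores a third value, but the only consumer visible on this page (the new block in sshconnect.c) tests `options.autoanswer_validated_keys` as a plain boolean, so `AutoAnswerValidatedKeys ask` in a config would silently enable unattended acceptance of a new host key instead of prompting. For an option whose effect is to skip the interactive host-key confirmation the parser should accept only yes/no — `goto parse_flag;` at line 536 — unless the caller is taught to treat the ask value explicitly. The two new `goto` lines, the table entries at lines 248-252 and the initialiser at line 1168 are indented with spaces while the surrounding code uses tabs; match the file's tab indentation. The switch these cases belong to starts and ends outside the hunk.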
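--- a/readconf.h
+++ b/readconf.h
@@ -134,6 +134,9 @@ typedef struct {
 
 	int	use_roaming;
 
+	int     strict_dnssec_checking;	/* Strict DNSSEC checking. */
+	int     autoanswer_validated_keys;
+
 	int	request_tty;
 }       Options;
 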
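Review bot: `autoanswer_validated_keys` at line 138 is added with no comment, and the comment on `strict_dnssec_checking` at line 137 does not say what its values mean even though readconf.c fills both through parse_yesnoask with -1 as "unset" and, for the strict option, 2 as the default; a reader of the struct cannot tell that this field is a yes/no/ask tri-state or that the other one disables the host-key prompt. Suggested: `int     strict_dnssec_checking;	/* -1 unset; yes/no/ask value from parse_yesnoask, default 2 */` and `int     autoanswer_validated_keys;	/* accept a new host key without prompting when DNS validated it */`. The two new fields also use spaces after `int` where the neighbouring fields use a tab. The enclosing struct starts outside the hunk.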
(-)a/sshconnect.c (-2 / +187 lines)
Lines 26-31 Link Here
26
#include <netinet/in.h>
26
#include <netinet/in.h>
27
#include <arpa/inet.h>
27
#include <arpa/inet.h>
28
28
29
#ifdef DNSSEC_LOCAL_VALIDATION
30
# include <validator/validator.h>
31
#endif
32
29
#include <ctype.h>
33
#include <ctype.h>
30
#include <errno.h>
34
#include <errno.h>
31
#include <fcntl.h>
35
#include <fcntl.h>
Lines 66-71 char *client_version_string = NULL; Link Here
66
char *server_version_string = NULL;
70
char *server_version_string = NULL;
67
71
68
static int matching_host_key_dns = 0;
72
static int matching_host_key_dns = 0;
73
#ifdef DNSSEC_LOCAL_VALIDATION
74
static int validated_host_key_dns = 0;
75
#endif
69
76
70
static pid_t proxy_command_pid = 0;
77
static pid_t proxy_command_pid = 0;
71
78
Lines 77-82 extern uid_t original_effective_uid; Link Here
77
84
78
static int show_other_keys(struct hostkeys *, Key *);
85
static int show_other_keys(struct hostkeys *, Key *);
79
static void warn_changed_key(Key *);
86
static void warn_changed_key(Key *);
87
static int confirm(const char *prompt);
80
88
81
/*
89
/*
82
 * Connect to the given ssh server using a proxy command.
90
 * Connect to the given ssh server using a proxy command.
Lines 342-348 ssh_connect(const char *host, struct sockaddr_storage * hostaddr, Link Here
342
	int on = 1;
350
	int on = 1;
343
	int sock = -1, attempt;
351
	int sock = -1, attempt;
344
	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
352
	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
345
	struct addrinfo hints, *ai, *aitop;
353
	struct addrinfo hints;
354
	struct addrinfo *ai, *aitop = NULL;
355
#ifdef DNSSEC_LOCAL_VALIDATION
356
	val_status_t val_status;
357
#endif
346
358
347
	debug2("ssh_connect: needpriv %d", needpriv);
359
	debug2("ssh_connect: needpriv %d", needpriv);
348
360
Lines 356-364 ssh_connect(const char *host, struct sockaddr_storage * hostaddr, Link Here
356
	hints.ai_family = family;
368
	hints.ai_family = family;
357
	hints.ai_socktype = SOCK_STREAM;
369
	hints.ai_socktype = SOCK_STREAM;
358
	snprintf(strport, sizeof strport, "%u", port);
370
	snprintf(strport, sizeof strport, "%u", port);
371
#ifndef DNSSEC_LOCAL_VALIDATION
359
	if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
372
	if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
360
		fatal("%s: Could not resolve hostname %.100s: %s", __progname,
373
		fatal("%s: Could not resolve hostname %.100s: %s", __progname,
361
		    host, ssh_gai_strerror(gaierr));
374
		    host, ssh_gai_strerror(gaierr));
375
#else
376
	gaierr = val_getaddrinfo(NULL, host, strport, &hints, &aitop,
377
                                 &val_status);
378
        debug2("ssh_connect: gaierr %d, val_status %d / %s; trusted: %d",
379
               gaierr, val_status, p_val_status(val_status),
380
               val_istrusted(val_status));
381
	if (gaierr != 0) {
382
            if (VAL_GETADDRINFO_HAS_STATUS(gaierr) &&
383
                !val_istrusted(val_status)) {
384
                error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
385
                error("@ WARNING: UNTRUSTED ERROR IN DNS RESOLUTION FOR HOST!    @");
386
                error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
387
                error("The authenticity of DNS response is not trusted (%s).", 
388
                      p_val_status(val_status));
389
            }
390
		fatal("%s: Could not resolve hostname %.100s: %s", __progname,
391
		    host, ssh_gai_strerror(gaierr));
392
        }
393
 	if (!val_istrusted(val_status)) {
394
            error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
395
            error("@ WARNING: UNTRUSTED DNS RESOLUTION FOR HOST IP ADRRESS! @");
396
            error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
397
            error("The authenticity of DNS data for the host '%.200s' "
398
                  "can't be established.", host);
399
            if (options.strict_dnssec_checking == 1) {
400
                fatal("DNS resolution is not trusted (%s) "
401
                      "and you have requested strict checking",
402
                      p_val_status(val_status));
403
            } else if (options.strict_dnssec_checking == 2) {
404
                char msg[1024];
405
                for (ai = aitop; ai; ai = ai->ai_next) {
406
                    if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
407
                        continue;
408
                    if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
409
                            ntop, sizeof(ntop), strport, sizeof(strport),
410
                            NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
411
                        error("ssh_connect: getnameinfo failed");
412
                        continue;
413
                    }
414
                    error(" IP address %s port %s", ntop, strport);
415
                }
416
                snprintf(msg,sizeof(msg),
417
                         "Are you sure you want to attempt to connect "
418
                         "(yes/no)? ");
419
                if (!confirm(msg)) 
420
                    return (-1);
421
            }
422
 	}
423
#endif /* DNSSEC_LOCAL_VALIDATION */
362
424
363
	for (attempt = 0; attempt < connection_attempts; attempt++) {
425
	for (attempt = 0; attempt < connection_attempts; attempt++) {
364
		if (attempt > 0) {
426
		if (attempt > 0) {
Lines 814-819 check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, Link Here
814
		}
876
		}
815
		break;
877
		break;
816
	case HOST_NEW:
878
	case HOST_NEW:
879
		debug("Host '%.200s' new.", host);
817
		if (options.host_key_alias == NULL && port != 0 &&
880
		if (options.host_key_alias == NULL && port != 0 &&
818
		    port != SSH_DEFAULT_PORT) {
881
		    port != SSH_DEFAULT_PORT) {
819
			debug("checking without port identifier");
882
			debug("checking without port identifier");
Lines 860-865 check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, Link Here
860
					    "No matching host key fingerprint"
923
					    "No matching host key fingerprint"
861
					    " found in DNS.\n");
924
					    " found in DNS.\n");
862
			}
925
			}
926
#ifdef DNSSEC_LOCAL_VALIDATION
927
                        if (options.autoanswer_validated_keys &&
928
                            validated_host_key_dns && matching_host_key_dns) {
929
                            snprintf(msg, sizeof(msg),
930
                                     "The authenticity of host '%.200s (%s)' was "
931
                                     " validated via DNSSEC%s",
932
                                     host, ip, msg1);
933
                            logit(msg);
934
                            xfree(fp);
935
                        } else {
936
#endif
863
			snprintf(msg, sizeof(msg),
937
			snprintf(msg, sizeof(msg),
864
			    "The authenticity of host '%.200s (%s)' can't be "
938
			    "The authenticity of host '%.200s (%s)' can't be "
865
			    "established%s\n"
939
			    "established%s\n"
Lines 874-879 check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, Link Here
874
			xfree(fp);
948
			xfree(fp);
875
			if (!confirm(msg))
949
			if (!confirm(msg))
876
				goto fail;
950
				goto fail;
951
#ifdef DNSSEC_LOCAL_VALIDATION
952
                        }
953
#endif
877
		}
954
		}
878
		/*
955
		/*
879
		 * If not in strict mode, add the key automatically to the
956
		 * If not in strict mode, add the key automatically to the
Lines 948-953 check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, Link Here
948
				key_msg = "is unchanged";
1025
				key_msg = "is unchanged";
949
			else
1026
			else
950
				key_msg = "has a different value";
1027
				key_msg = "has a different value";
1028
#ifdef DNSSEC_LOCAL_VALIDATION
1029
                        if (!validated_host_key_dns) {
951
			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1030
			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
952
			error("@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @");
1031
			error("@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @");
953
			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1032
			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
Lines 956-961 check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, Link Here
956
			error("%s. This could either mean that", key_msg);
1035
			error("%s. This could either mean that", key_msg);
957
			error("DNS SPOOFING is happening or the IP address for the host");
1036
			error("DNS SPOOFING is happening or the IP address for the host");
958
			error("and its host key have changed at the same time.");
1037
			error("and its host key have changed at the same time.");
1038
                        }
1039
                        else {
1040
#endif
1041
			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1042
			error("@       WARNING: HOST IP ADDRESS HAS CHANGED!             @");
1043
			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1044
                        error("The %s host key for %s has changed,", type, host);
1045
			error("and the key for the according IP address %s", ip);
1046
			error("%s. The IP address for the host", key_msg);
1047
			error("and its host key have changed at the same time.");
1048
#ifdef DNSSEC_LOCAL_VALIDATION
1049
                        }
1050
#endif
959
			if (ip_status != HOST_NEW)
1051
			if (ip_status != HOST_NEW)
960
				error("Offending key for IP in %s:%lu",
1052
				error("Offending key for IP in %s:%lu",
961
				    ip_found->file, ip_found->line);
1053
				    ip_found->file, ip_found->line);
Lines 971-981 check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, Link Here
971
		 * If strict host key checking is in use, the user will have
1063
		 * If strict host key checking is in use, the user will have
972
		 * to edit the key manually and we can only abort.
1064
		 * to edit the key manually and we can only abort.
973
		 */
1065
		 */
1066
#ifdef DNSSEC_LOCAL_VALIDATION
1067
		if ((options.strict_host_key_checking == 2) &&
1068
                    options.autoanswer_validated_keys &&
1069
                    matching_host_key_dns && validated_host_key_dns) {
1070
                    logit("The authenticity of host '%.200s (%s)' was "
1071
                          " validated via DNSSEC.",
1072
                          host, ip);
1073
                    /*
1074
                     * If not in strict mode, add the key automatically to the
1075
                     * local known_hosts file.
1076
                     */
1077
                    if (options.check_host_ip && ip_status == HOST_NEW) {
1078
			snprintf(hostline, sizeof(hostline), "%s,%s",
1079
                                 host, ip);
1080
			hostp = hostline;
1081
			if (options.hash_known_hosts) {
1082
                            /* Add hash of host and IP separately */
1083
                            r = add_host_to_hostfile(user_hostfile, host,
1084
                                                     host_key, options.hash_known_hosts) &&
1085
                                add_host_to_hostfile(user_hostfile, ip,
1086
                                                     host_key, options.hash_known_hosts);
1087
			} else {
1088
                            /* Add unhashed "host,ip" */
1089
                            r = add_host_to_hostfile(user_hostfile,
1090
                                                     hostline, host_key,
1091
                                                     options.hash_known_hosts);
1092
			}
1093
                    } else {
1094
			r = add_host_to_hostfile(user_hostfile, host, host_key,
1095
                                                 options.hash_known_hosts);
1096
			hostp = host;
1097
                    }
1098
                    
1099
                    if (!r)
1100
			logit("Failed to add the host to the list of known "
1101
                              "hosts (%.500s).", user_hostfile);
1102
                    else
1103
			logit("Warning: Permanently added '%.200s' (%s) to the "
1104
                              "list of known hosts.", hostp, type);
1105
                }
1106
                else
1107
#endif
974
		if (options.strict_host_key_checking) {
1108
		if (options.strict_host_key_checking) {
975
			error("%s host key for %.200s has changed and you have "
1109
			error("%s host key for %.200s has changed and you have "
976
			    "requested strict checking.", type, host);
1110
			    "requested strict checking.", type, host);
977
			goto fail;
1111
			goto fail;
978
		}
1112
		} else {
979
1113
980
 continue_unsafe:
1114
 continue_unsafe:
981
		/*
1115
		/*
Lines 1039-1044 check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, Link Here
1039
		 * by that sentence, and ask the user if he/she wishes to
1173
		 * by that sentence, and ask the user if he/she wishes to
1040
		 * accept the authentication.
1174
		 * accept the authentication.
1041
		 */
1175
		 */
1176
                }
1042
		break;
1177
		break;
1043
	case HOST_FOUND:
1178
	case HOST_FOUND:
1044
		fatal("internal error");
1179
		fatal("internal error");
Lines 1063-1072 check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, Link Here
1063
			error("Exiting, you have requested strict checking.");
1198
			error("Exiting, you have requested strict checking.");
1064
			goto fail;
1199
			goto fail;
1065
		} else if (options.strict_host_key_checking == 2) {
1200
		} else if (options.strict_host_key_checking == 2) {
1201
#ifdef DNSSEC_LOCAL_VALIDATION
1202
                    if (options.autoanswer_validated_keys &&
1203
                        matching_host_key_dns && validated_host_key_dns) {
1204
			logit("%s", msg);
1205
                    } else {
1206
#endif
1066
			strlcat(msg, "\nAre you sure you want "
1207
			strlcat(msg, "\nAre you sure you want "
1067
			    "to continue connecting (yes/no)? ", sizeof(msg));
1208
			    "to continue connecting (yes/no)? ", sizeof(msg));
1068
			if (!confirm(msg))
1209
			if (!confirm(msg))
1069
				goto fail;
1210
				goto fail;
1211
#ifdef DNSSEC_LOCAL_VALIDATION
1212
                    }
1213
#endif
1070
		} else {
1214
		} else {
1071
			logit("%s", msg);
1215
			logit("%s", msg);
1072
		}
1216
		}
Lines 1118-1129 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) Link Here
1118
	/* XXX certs are not yet supported for DNS */
1262
	/* XXX certs are not yet supported for DNS */
1119
	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
1263
	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
1120
	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
1264
	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
1265
1266
#ifdef DNSSEC_LOCAL_VALIDATION
1267
		/*
1268
		 * local validation can result in a non-secure, but trusted
1269
		 * response. For example, in a corporate network the authoritative
1270
		 * server for internal DNS may be on the internal network, behind
1271
		 * a firewall. Local validation policy can be configured to trust
1272
		 * these results without using DNSSEC to validate them.
1273
		 */
1274
		if (!(flags & DNS_VERIFY_TRUSTED)) {
1275
			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1276
			error("@  WARNING: UNTRUSTED DNS RESOLUTION FOR HOST KEY!       @");
1277
			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1278
		}
1279
                if (flags & DNS_VERIFY_SECURE)
1280
                    validated_host_key_dns = 1;
1281
#endif
1282
1121
		if (flags & DNS_VERIFY_FOUND) {
1283
		if (flags & DNS_VERIFY_FOUND) {
1122
1284
1123
			if (options.verify_host_key_dns == 1 &&
1285
			if (options.verify_host_key_dns == 1 &&
1124
			    flags & DNS_VERIFY_MATCH &&
1286
			    flags & DNS_VERIFY_MATCH &&
1125
			    flags & DNS_VERIFY_SECURE)
1287
			    flags & DNS_VERIFY_SECURE)
1288
#ifndef DNSSEC_LOCAL_VALIDATION
1126
				return 0;
1289
				return 0;
1290
#else
1291
                        {
1292
                            if (flags & DNS_VERIFY_MATCH)
1293
				matching_host_key_dns = 1;
1294
                            if (options.autoanswer_validated_keys)
1295
                                return check_host_key(host, hostaddr, options.port,
1296
                                                      host_key, RDRW,
1297
                                                      options.user_hostfile,
1298
                                                      options.system_hostfile);
1299
                            else
1300
				return 0;
1301
                        }
1302
#endif
1127
1303
1128
			if (flags & DNS_VERIFY_MATCH) {
1304
			if (flags & DNS_VERIFY_MATCH) {
1129
				matching_host_key_dns = 1;
1305
				matching_host_key_dns = 1;
Lines 1240-1248 warn_changed_key(Key *host_key) Link Here
1240
	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1416
	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1241
	error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");
1417
	error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");
1242
	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1418
	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1419
#ifdef DNSSEC_LOCAL_VALIDATION
1420
        if (matching_host_key_dns && validated_host_key_dns) {
1421
            error("Howerver, a matching host key, validated by DNSSEC, was found.");
1422
        }
1423
        else {
1424
#endif
1243
	error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
1425
	error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
1244
	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
1426
	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
1245
	error("It is also possible that a host key has just been changed.");
1427
	error("It is also possible that a host key has just been changed.");
1428
#ifdef DNSSEC_LOCAL_VALIDATION
1429
        }
1430
#endif
1246
	error("The fingerprint for the %s key sent by the remote host is\n%s.",
1431
	error("The fingerprint for the %s key sent by the remote host is\n%s.",
1247
	    key_type(host_key), fp);
1432
	    key_type(host_key), fp);
1248
	error("Please contact your system administrator.");
1433
	error("Please contact your system administrator.");
