Bugzilla – Attachment 2746 Details for Bug 2119: SSHFP with DNSSEC – no trust anchors given, validation always fails
Description: Patch to add ldns trust anchor from file on OSX
Filename: patch-add-ldns-anchor.diff
MIME Type: text/plain
Creator: scott-mindrot
Created: 2015-11-05 07:57:07 AEDT
Size: 2.79 KB
Flags: patch, obsolete
>diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in >index 3c5e3b7..737a16f 100644 >--- a/openbsd-compat/Makefile.in >+++ b/openbsd-compat/Makefile.in >@@ -5,11 +5,13 @@ piddir=@piddir@ > srcdir=@srcdir@ > top_srcdir=@top_srcdir@ > >+PATHS= -DSSHDIR=\"$(sysconfdir)\" >+ > VPATH=@srcdir@ > CC=@CC@ > LD=@LD@ > CFLAGS=@CFLAGS@ >-CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@ >+CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ $(PATHS) @DEFS@ > LIBS=@LIBS@ > AR=@AR@ > RANLIB=@RANLIB@ >diff --git a/openbsd-compat/getrrsetbyname-ldns.c b/openbsd-compat/getrrsetbyname-ldns.c >index 4647b62..a388cbb 100644 >--- a/openbsd-compat/getrrsetbyname-ldns.c >+++ b/openbsd-compat/getrrsetbyname-ldns.c >@@ -49,6 +49,7 @@ > > #include <stdlib.h> > #include <string.h> >+#include <sys/stat.h> > > #include <ldns/ldns.h> 
> >@@ -59,6 +60,50 @@ > #define malloc(x) (xmalloc(x)) > #define calloc(x, y) (xcalloc((x),(y))) > >+#ifdef __APPLE__ >+ >+#include "pathnames.h" >+ >+/** >+ * Adding trust anchor directly is only necessary on OSX as >+ * configd will overwrite /etc/resolv.conf when the network >+ * configuration changes (eg new DNS from DHCP), so the ldns >+ * "anchor" keyword for the trusted-key in that file is lost. >+ */ >+static void _add_ldns_trust_key(ldns_resolver *ldns_res, >+ const char *filename) >+{ >+ ldns_rr *new_rr; >+ struct stat sbuf; >+ >+ /* check if file exists (avoid error in ldns_read_anchor_file) */ >+ debug2("ldns: attempt to load trust anchor from file %s", filename); >+ if(stat(filename, &sbuf) != 0) { >+ debug2("ldns: file not found"); >+ return; >+ } >+ >+ /* read the RR from the file */ >+ if((new_rr = ldns_read_anchor_file(filename))) { >+ /* check if RR already in resolver's anchors */ >+ ldns_rr_list *cur_anchors = >+ ldns_resolver_dnssec_anchors(ldns_res); >+ if(ldns_rr_list_contains_rr(cur_anchors, new_rr)) { >+ debug2("ldns: anchor already in trust chain"); >+ } >+ else { >+ if(ldns_resolver_push_dnssec_anchor(ldns_res, new_rr) >+ == LDNS_STATUS_OK) >+ debug2("ldns: new anchor added to trust chain"); >+ else >+ debug2("ldns: failed to add anchor to trust chain (invalid type?)"); >+ } >+ } >+ ldns_rr_free(new_rr); >+} >+ >+#endif >+ > int > getrrsetbyname(const char *hostname, unsigned int rdclass, > unsigned int rdtype, unsigned int flags, 
>@@ -152,6 +197,13 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, > } else { /* AD is not set, try autonomous validation */ > ldns_rr_list * trusted_keys = ldns_rr_list_new(); > >+#ifdef __APPLE__ >+ /* look for the trusted-key.key in both global and >+ ssh-specific locations */ >+ _add_ldns_trust_key(ldns_res, ETCDIR "/trusted-key.key"); >+ _add_ldns_trust_key(ldns_res, SSHDIR "/trusted-key.key"); >+#endif >+ > debug2("ldns: trying to validate RRset"); > /* Get eventual sigs */ > rrsigs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_RRSIG,
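Review bot: the `PATHS= -DSSHDIR=\"$(sysconfdir)\"` line added to openbsd-compat/Makefile.in relies on `sysconfdir` being set in this Makefile, and the hunk's context shows only piddir, srcdir and top_srcdir being taken from configure; if sysconfdir is not defined above the hunk, SSHDIR expands to the empty string and the second lookup in getrrsetbyname() silently becomes "/trusted-key.key". Either confirm that `sysconfdir=@sysconfdir@` is already present at the top of this file or add it next to `piddir=@piddir@`, and say so in the patch description, since a silently wrong path here means the ssh-specific anchor file is never read.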
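Review bot: in _add_ldns_trust_key() the stat() result is used only to test existence, so a trusted-key.key that is not owned by root or is group- or world-writable is accepted as a DNSSEC trust anchor; whoever can write that file can supply a DNSKEY or DS under which a forged SSHFP record validates, which is exactly what SSHFP validation is meant to prevent. Since sbuf is already filled in, reject the file before calling ldns_read_anchor_file() unless it is a regular file owned by root and not writable by group or others, for example

	if (!S_ISREG(sbuf.st_mode) || sbuf.st_uid != 0 || (sbuf.st_mode & 022) != 0) {
		error("ldns: bad ownership or modes for trust anchor %s", filename);
		return;
	}

Two smaller points in the same function: when the file exists but ldns_read_anchor_file() returns NULL (unparsable contents) nothing is logged, so add a debug2() in an else branch rather than falling straight through to ldns_rr_free(); and the function comment should state what the file is expected to contain (the single DNSKEY or DS record that ldns_read_anchor_file() reads, which is also why the "(invalid type?)" branch can be hit), so that users know how to produce one.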
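Review bot: the two anchor-file loads in getrrsetbyname() are compiled only under #ifdef __APPLE__, but nothing in _add_ldns_trust_key() is OS X specific, and the loss of the resolv.conf `anchor` keyword described in its comment happens on any system where a DHCP client or resolvconf regenerates /etc/resolv.conf, so the #ifdef should be dropped (or replaced by a configure-time option) rather than keyed on the platform. The patch also makes ssh read two new files, ETCDIR "/trusted-key.key" and SSHDIR "/trusted-key.key", without documenting them; add both to the FILES section of ssh(1) with a sentence on the expected contents and on the ownership and permissions the file must have.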