
diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/configure.in ../ncftp-3.2.0/configure.in
--- /usr/local/src/clean/ncftp-3.2.0/configure.in	2006-08-05 17:47:58.000000000 -0400
+++ ../ncftp-3.2.0/configure.in	2007-05-01 18:57:45.000000000 -0400
@@ -79,6 +79,33 @@ dnl if test "$nc_cv_readline" = yes ; th
 dnl 	wi_LIB_READLINE
 dnl fi
 
+dnl
+dnl DNSSEC
+dnl
+# Check whether user wants DNSSEC local validation support
+AC_ARG_WITH(dnssec-local-validation,
+        [  --with-dnssec-local-validation Enable local DNSSEC validation using libval (no)], want_dnssec=$enableval, want_dnssec=no)
+if ! test "x-$want_dnssec" = "x-no" ; then
+    AC_CHECK_HEADERS(validator/validator.h)
+    if test "$ac_cv_header_validator_validator_h" != yes; then
+        AC_MSG_ERROR(Can't find validator.h)
+    fi
+    AC_CHECK_LIB(ssl, SHA1_Init,,AC_MSG_ERROR([Can't find SSL library]))
+    AC_CHECK_LIB(sres, query_send,,AC_MSG_ERROR([Can't find libsres]))
+    AC_CHECK_LIB(val, p_val_status,
+                 LIBS="$LIBS -lval"
+                 have_val_res_query=yes,
+                 [ AC_CHECK_LIB(pthread, pthread_rwlock_init)
+		   AC_CHECK_LIB(val-threads, p_val_status,
+                   have_val_res_query=yes
+                   LIBS="-lval-threads $LIBS"
+                   LIBVAL_SUFFIX="-threads",
+                   AC_MSG_ERROR(Can't find libval or libval-threads))
+                 ])
+    AC_DEFINE(DNSSEC_LOCAL_VALIDATION, 1,
+              [Define if you want local DNSSEC validation support])
+fi
+
 
 
 dnl ---------------------------------------------------------------------------
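Review bot: `AC_ARG_WITH` exports the option value as `$withval`, not `$enableval`, so `want_dnssec=$enableval` on the `AC_ARG_WITH` line leaves `want_dnssec` empty whenever the option is given, and the `! test "x-$want_dnssec" = "x-no"` test then enables DNSSEC even for `--without-dnssec-local-validation`; change it to `want_dnssec=$withval`. The new rsconfig file added later in this patch passes `--with-local-dnssec-validation`, which does not match the option name declared here, so that build script would quietly produce a non-DNSSEC binary. Consider also quoting the error strings the way the ssl/sres checks already do, e.g. `AC_MSG_ERROR([Can't find validator.h])`, so the apostrophe is not exposed to m4 unquoted.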
diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/libncftp/ftp.c ../ncftp-3.2.0/libncftp/ftp.c
--- /usr/local/src/clean/ncftp-3.2.0/libncftp/ftp.c	2005-01-01 16:27:07.000000000 -0500
+++ ../ncftp-3.2.0/libncftp/ftp.c	2007-05-02 12:59:26.000000000 -0400
@@ -119,7 +119,7 @@ OpenControlConnection(const FTPCIPtr cip
 	volatile int sock2fd = -1;
 	ResponsePtr rp = NULL;
 	char **volatile curaddr;
-	int hpok;
+	int hpok, hprc;
 	struct hostent hp;
 	char *volatile fhost;
 	unsigned int fport;
@@ -159,11 +159,19 @@ OpenControlConnection(const FTPCIPtr cip
 
 	cip->servCtlAddr.sin_port = (unsigned short) fport;
 
-	if (GetHostEntry(&hp, fhost, &ip_address, cip->buf, cip->bufSize) != 0) {
+	hprc = GetHostEntry(&hp, fhost, &ip_address, cip->buf, cip->bufSize);
+	if (hprc != 0) {
 		hpok = 0;
 		/* Okay, no Host entry, but maybe we have a numeric address
 		 * in ip_address we can try.
 		 */
+#ifdef DNSSEC_LOCAL_VALIDATION
+		if (hprc == -2) {
+			FTPLogError(cip, kDontPerror, "%s: untrusted DNS response.\n", fhost);
+			cip->errNo = kErrHostUnknown;
+			return (kErrHostUnknown);
+		}
+#endif
 		if (ip_address.s_addr == INADDR_NONE) {
 			FTPLogError(cip, kDontPerror, "%s: unknown host.\n", fhost);
 			cip->errNo = kErrHostUnknown;
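Review bot: The new `hprc == -2` branch runs before the numeric-address fallback, so if the user supplied a dotted-quad and only its reverse lookup fails validation (GetHostEntry's address branch in DNSUtil.c now returns -2 there), the connection is refused even though no forward resolution was needed; the original code fell through to the numeric address in `ip_address`. If the branch of GetHostEntry that is outside this hunk still stores the literal address in `ip_address` on failure, the guard should be `if ((hprc == -2) && (ip_address.s_addr == INADDR_NONE)) {`. Either way, the mapping of an untrusted answer onto `kErrHostUnknown` deserves a comment such as `/* -2: answer failed local DNSSEC validation; reported as kErrHostUnknown to avoid a new error code */` so library callers know `errNo` cannot distinguish the two. OpenControlConnection continues outside the hunk.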
diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/libncftp/syshdrs.h ../ncftp-3.2.0/libncftp/syshdrs.h
--- /usr/local/src/clean/ncftp-3.2.0/libncftp/syshdrs.h	2006-07-31 14:14:28.000000000 -0400
+++ ../ncftp-3.2.0/libncftp/syshdrs.h	2007-04-26 12:10:50.000000000 -0400
@@ -348,4 +348,8 @@ extern ssize_t nsendmsg(int, const struc
 #include "util.h"
 #include "ftp.h"
 
+#ifdef DNSSEC_LOCAL_VALIDATION
+#include <validator/validator.h>
+#endif
+
 /* eof */
Binary files /usr/local/src/clean/ncftp-3.2.0/libncftp/syshdrs.h.gch and ../ncftp-3.2.0/libncftp/syshdrs.h.gch differ
diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/ncftp/cmds.c ../ncftp-3.2.0/ncftp/cmds.c
--- /usr/local/src/clean/ncftp-3.2.0/ncftp/cmds.c	2006-08-02 18:32:04.000000000 -0400
+++ ../ncftp-3.2.0/ncftp/cmds.c	2007-05-01 19:44:53.000000000 -0400
@@ -2218,7 +2218,7 @@ LookupCmd(const int argc, char **const a
 	const char *host;
 	char **cpp;
 	struct in_addr ip_address;
-	int shortMode, optrc;
+	int shortMode, optrc, dnsrc;
 	char ipStr[16];
 	GetoptInfo opt;
 
@@ -2241,11 +2241,17 @@ LookupCmd(const int argc, char **const a
 
 	for (i=opt.ind; i<argc; i++) {
 		hpok = 0;
-		if (GetHostEntry(&hp, (host = argv[i]), &ip_address, gConn.buf, gConn.bufSize) == 0)
+		dnsrc = GetHostEntry(&hp, (host = argv[i]), &ip_address, gConn.buf, gConn.bufSize);
+		if (dnsrc == 0)
 			hpok = 1;
 		if ((i > opt.ind) && (shortMode == 0))
 			Trace(-1, "\n");
 		if (hpok == 0) {
+#ifndef DNSSEC_LOCAL_VALIDATION
+                        if (dnsrc == -2)
+			    Trace(-1, "DNS response for site %s is untrused.\n", host);
+			else
+#endif
 			Trace(-1, "Unable to get information about site %s.\n", host);
 		} else if (shortMode) {
 			MyInetAddr(ipStr, sizeof(ipStr), hp.h_addr_list, 0);
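Review bot: The preprocessor guard around the new `dnsrc == -2` test is inverted: `#ifndef DNSSEC_LOCAL_VALIDATION` compiles the "untrusted" message only into builds that cannot produce -2 (GetHostEntry normalizes every failure to -1 there), so a DNSSEC build never prints it. It should read `#ifdef DNSSEC_LOCAL_VALIDATION`, and the message has a typo: `Trace(-1, "DNS response for site %s is untrusted.\n", host);`. The added lines also use space indentation where the surrounding file uses tabs. LookupCmd continues outside the hunk.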
@@ -2518,6 +2524,13 @@ DoOpen(void)
 		OpenMsg("Resolving %s...", ohost);
 		if ((gLoadedBm != 0) && (gBm.lastIP[0] != '\0')) {
 			result = MyGetHostByName(ipstr, sizeof(ipstr), ohost, 3);
+#ifndef DNSSEC_LOCAL_VALIDATION
+                        /*
+                         * I think this code is using a previous answer if DNS
+                         * fails. So, the question is: should we do the same
+                         * thing if the result is -2 (untrusted result)?
+                         */
+#endif
 			if (result < 0) {
 				(void) STRNCPY(ipstr, gBm.lastIP);
 				result = 0;
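Review bot: The existing `if (result < 0)` fallback right after the new comment still copies `gBm.lastIP` for a -2 result, so for a bookmarked host an answer that failed validation is silently replaced by a cached address and the "Untrusted DNS response" message added in the next hunk of DoOpen is unreachable; the comment asks exactly this question but the code does not answer it. Decide explicitly: `if (result == -1)` keeps the cached-IP fallback for ordinary lookup failures while letting an untrusted answer reach the error path, and the comment should then state that choice rather than the question. The `#ifndef DNSSEC_LOCAL_VALIDATION` wrapping that comment only hides it from the DNSSEC build and looks like it was meant to be `#ifdef`, or no guard at all. DoOpen continues outside the hunk.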
@@ -2529,7 +2542,18 @@ DoOpen(void)
 		}
 		if (result < 0) {
 			(void) printf("\n");
+#ifndef DNSSEC_LOCAL_VALIDATION
 			(void) printf("Unknown host \"%s\".\n", ohost);
+#else
+                        /*
+                         * It would be nice to print a little more information,
+                         * but that would mean an API change to MyGetHostByName.
+                         */
+			(void) printf("%s host \"%s\".\n",
+                                      (result == -2) ?
+                                      "Untrusted DNS response for" : "Unknown",
+                                      ohost);
+#endif
 			return (-1);
 		}
 		(void) STRNCPY(gConn.host, ipstr);
diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/ncftp/syshdrs.h ../ncftp-3.2.0/ncftp/syshdrs.h
--- /usr/local/src/clean/ncftp-3.2.0/ncftp/syshdrs.h	2004-01-06 16:41:11.000000000 -0500
+++ ../ncftp-3.2.0/ncftp/syshdrs.h	2007-04-26 12:10:42.000000000 -0400
@@ -280,3 +280,8 @@
 #include <Strn.h>			/* Library header. */
 #include <sio.h>			/* Library header. */
 #include <ncftp.h>			/* Library header. */
+
+#ifdef DNSSEC_LOCAL_VALIDATION
+#include <validator/validator.h>
+#endif
+
diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/ncftp/util.c ../ncftp-3.2.0/ncftp/util.c
--- /usr/local/src/clean/ncftp-3.2.0/ncftp/util.c	2006-08-02 18:31:38.000000000 -0400
+++ ../ncftp-3.2.0/ncftp/util.c	2007-05-02 12:52:47.000000000 -0400
@@ -688,6 +688,9 @@ MyGetHostByName(char *const volatile dst
 #ifdef HAVE_INET_ATON
 	struct in_addr ina;
 #endif
+#ifdef DNSSEC_LOCAL_VALIDATION
+        val_status_t val_status;
+#endif
 
 #ifdef HAVE_INET_ATON
 	if (inet_aton(hn, &ina) != 0) {
@@ -726,12 +729,26 @@ MyGetHostByName(char *const volatile dst
 		osigalrm = NcSignal(SIGALRM, CancelGetHostByName);
 		if (t > 0)
 			(void) alarm((unsigned int) t);
+#ifndef DNSSEC_LOCAL_VALIDATION
 		hp = gethostbyname(hn);
+#else
+                hp = val_gethostbyname(NULL, hn, &val_status);
+#endif
 		if (t > 0)
 			(void) alarm(0);
 		(void) NcSignal(SIGPIPE, osigpipe);
 		(void) NcSignal(SIGINT, osigint);
 		(void) NcSignal(SIGALRM, osigalrm);
+#ifdef DNSSEC_LOCAL_VALIDATION
+                /*
+                 * It would be nice to pass a little more information back,
+                 * but that would mean an API change to MyGetHostByName.
+                 */
+                if ((hp != NULL) && ! val_istrusted(val_status)) {
+                    *dst = '\0';
+                    return (-2);
+                }
+#endif
 		if (hp != NULL) {
 			InetNtoA(dst, ((struct in_addr **) hp->h_addr_list)[0], dsize);
 			return (0);
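Review bot: The trust test `! val_istrusted(val_status)` should be documented, because `val_istrusted()` also accepts answers that local policy trusts without a validation chain, whereas `val_isvalidated()` is the stricter "a DNSSEC chain was verified" check; whichever is intended, a comment on the `if` such as `/* trusted per local policy, not necessarily validated; see val_isvalidated() for the stricter test */` makes the -2 contract clear to callers. The comment above it says what cannot be passed back but not what -2 means; `/* -2: a response was received but failed local DNSSEC validation; dst is emptied */` would state the contract. Passing a NULL validator context to `val_gethostbyname` presumably makes libval build a default context on every call, which is fine for a single interactive lookup but worth a note if this path is hit repeatedly. MyGetHostByName continues outside the hunk.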
diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/rsconfig ../ncftp-3.2.0/rsconfig
--- /usr/local/src/clean/ncftp-3.2.0/rsconfig	1969-12-31 19:00:00.000000000 -0500
+++ ../ncftp-3.2.0/rsconfig	2007-05-01 17:37:18.000000000 -0400
@@ -0,0 +1 @@
+CFLAGS="-g -O0" ./configure --cache=$HOME/config.cache --with-local-dnssec-validation --disable-shared
diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/sh_util/syshdrs.h ../ncftp-3.2.0/sh_util/syshdrs.h
--- /usr/local/src/clean/ncftp-3.2.0/sh_util/syshdrs.h	2002-03-27 05:37:56.000000000 -0500
+++ ../ncftp-3.2.0/sh_util/syshdrs.h	2007-04-26 12:11:06.000000000 -0400
@@ -283,3 +283,8 @@
 #include <Strn.h>			/* Library header. */
 #include <sio.h>			/* Library header. */
 #include <ncftp.h>			/* Library header. */
+
+#ifdef DNSSEC_LOCAL_VALIDATION
+#include <validator/validator.h>
+#endif
+
diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/sio/DNSUtil.c ../ncftp-3.2.0/sio/DNSUtil.c
--- /usr/local/src/clean/ncftp-3.2.0/sio/DNSUtil.c	2005-03-24 20:20:00.000000000 -0500
+++ ../ncftp-3.2.0/sio/DNSUtil.c	2007-05-02 12:54:54.000000000 -0400
@@ -24,7 +24,31 @@ extern int getdomainname(char *name, get
 int
 GetHostByName(struct hostent *const hp, const char *const name, char *const hpbuf, size_t hpbufsize)
 {
-#if defined(HAVE_GETHOSTBYNAME_R) && (defined(SOLARIS) || defined(IRIX) || defined(BSDOS))
+#if defined(DNSSEC_LOCAL_VALIDATION)
+	char *usehpbuf;
+	struct hostent *h;
+	int my_h_errno, rc;
+        val_status_t val_status;
+
+	usehpbuf = hpbuf;
+	forever {
+		errno = 0;
+		my_h_errno = 0;
+		h = NULL;
+		memset(usehpbuf, 0, hpbufsize);
+		rc = val_gethostbyname2_r(NULL, name, AF_INET, hp, usehpbuf,
+                                          hpbufsize, &h, &my_h_errno,
+                                          &val_status);
+		if ((rc == 0) && (h != NULL)) {
+                    if (!val_istrusted(val_status))
+			return (-2);
+                    return (0);
+                }
+		if ((rc == 0) && (my_h_errno != 0))
+			errno = ENOENT;
+		break;
+	}
+#elif defined(HAVE_GETHOSTBYNAME_R) && (defined(SOLARIS) || defined(IRIX) || defined(BSDOS))
 	struct hostent *h;
 	int h_errno_unused = 0;
 	memset(hpbuf, 0, hpbufsize);
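Review bot: The `forever { ... break; }` wrapper around the `val_gethostbyname2_r` call executes exactly once, since every path ends in `return` or the unconditional `break`; it reads like a retry loop copied from elsewhere, so either drop it or add the ERANGE retry it suggests. When `rc != 0` the code falls out of the `#if` branch without touching `errno`, while the `rc == 0 && h == NULL` path sets `ENOENT`; whatever the common tail outside the hunk returns, the two failure paths should leave `errno` in the same state. The matching `DNSSEC_LOCAL_VALIDATION` branch added to GetHostByAddr in the next hunk does not set `errno` at all on the not-found path, so the two functions now disagree. GetHostByName continues outside the hunk.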
@@ -110,7 +134,21 @@ GetHostByName(struct hostent *const hp, 
 int
 GetHostByAddr(struct hostent *const hp, void *addr, int asize, int atype, char *const hpbuf, size_t hpbufsize)
 {
-#if defined(HAVE_GETHOSTBYADDR_R) && (defined(SOLARIS) || defined(IRIX) || defined(BSDOS))
+#if defined(DNSSEC_LOCAL_VALIDATION)
+	struct hostent *h;
+	int h_errno_unused = 0, rc;
+	val_status_t val_status;
+
+	memset(hpbuf, 0, hpbufsize);
+	rc = val_gethostbyaddr_r(NULL, addr, asize, atype,
+                                 hp, hpbuf, hpbufsize, &h, &h_errno_unused,
+                                 &val_status);
+	if ((rc == 0) && (h != NULL)) {
+		if (!val_istrusted(val_status))
+			return (-2);
+		return (0);
+	}
+#elif defined(HAVE_GETHOSTBYADDR_R) && (defined(SOLARIS) || defined(IRIX) || defined(BSDOS))
 	struct hostent *h;
 	int h_errno_unused = 0;
 	memset(hpbuf, 0, hpbufsize);
@@ -177,7 +215,7 @@ int
 GetHostEntry(struct hostent *const hp, const char *const host, struct in_addr *const ip_address, char *const hpbuf, size_t hpbufsize)
 {
 	struct in_addr ip;
-	int rc = -1;
+	int rc;
 	
 	/* See if the host was given in the dotted IP format, like "36.44.0.2."
 	 * If it was, inet_addr will convert that to a 32-bit binary value;
@@ -185,7 +223,8 @@ GetHostEntry(struct hostent *const hp, c
 	 */
 	ip.s_addr = inet_addr(host);
 	if (ip.s_addr != INADDR_NONE) {
-		if (GetHostByAddr(hp, (char *) &ip, (int) sizeof(ip), AF_INET, hpbuf, hpbufsize) == 0) {
+		rc = GetHostByAddr(hp, (char *) &ip, (int) sizeof(ip), AF_INET, hpbuf, hpbufsize);
+		if (rc == 0) {
 			rc = 0;
 			if (ip_address != NULL)
 				(void) memcpy(&ip_address->s_addr, hp->h_addr_list[0], (size_t) hp->h_length);
@@ -196,12 +235,19 @@ GetHostEntry(struct hostent *const hp, c
 		/* No IP address, so it must be a hostname, like ftp.wustl.edu. */
 		if (ip_address != NULL)
 			ip_address->s_addr = INADDR_NONE;
-		if (GetHostByName(hp, host, hpbuf, hpbufsize) == 0) {
-			rc = 0;
+		rc = GetHostByName(hp, host, hpbuf, hpbufsize);
+		if (rc == 0) {
 			if (ip_address != NULL)
 				(void) memcpy(&ip_address->s_addr, hp->h_addr_list[0], (size_t) hp->h_length);
 		}
 	}
+#if defined(DNSSEC_LOCAL_VALIDATION)
+	if ((rc < 0) && (rc != -2))
+		rc = -1;
+#else
+	if ((rc < 0) && (rc != -1))
+		rc = -1;
+#endif
 	return (rc);
 }	/* GetHostEntry */
 
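Review bot: GetHostEntry now has three return values but nothing says so; a comment above the `#if defined(DNSSEC_LOCAL_VALIDATION)` normalization such as `/* 0 = resolved, -1 = not found, -2 = answer failed local DNSSEC validation (DNSSEC builds only) */` would document the contract every caller in this patch depends on. The `#else` branch, `if ((rc < 0) && (rc != -1)) rc = -1;`, simply maps every negative to -1 and could be written that way. The `rc = 0;` inside `if (rc == 0)` in the previous hunk is now redundant, and with `int rc;` no longer initialised any future branch that skips both lookups would return garbage.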
diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/sio/StrAddr.c ../ncftp-3.2.0/sio/StrAddr.c
--- /usr/local/src/clean/ncftp-3.2.0/sio/StrAddr.c	2002-10-12 17:07:16.000000000 -0400
+++ ../ncftp-3.2.0/sio/StrAddr.c	2007-05-02 12:54:17.000000000 -0400
@@ -265,8 +265,16 @@ AddrStrToAddr(const char * const s, stru
 		sa->sin_family = AF_INET;
 		sa->sin_addr.s_addr = ipnum;
 	} else {
+#ifdef DNSSEC_LOCAL_VALIDATION
+		val_status_t val_status;
+		errno = 0;
+		hp = val_gethostbyname(NULL,hostcp,&val_status);
+		if ((hp != NULL) && (!val_istrusted(val_status)))
+			hp = NULL;
+#else
 		errno = 0;
 		hp = gethostbyname(hostcp);
+#endif
 		if (hp == NULL) {
 			if (errno == 0)
 				errno = ENOENT;
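Review bot: Setting `hp = NULL` for an untrusted answer means the existing `if (errno == 0) errno = ENOENT;` below reports a validation failure as "no such host", so callers and logs cannot tell tampering from a missing name; if no better errno fits, a comment on the `hp = NULL;` line such as `/* untrusted DNSSEC status: treat as unresolvable */` should record that this is deliberate. The same pattern in AddrToAddrStr in the next hunk is a sensible choice, since an untrusted PTR result simply falls back to the numeric address, but it too would benefit from a one-line comment. AddrStrToAddr continues outside the hunk.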
@@ -297,7 +305,14 @@ AddrToAddrStr(char *const dst, size_t ds
 		InetNtoA(addrName, &saddrp->sin_addr, sizeof(addrName));
 		addrNamePtr = addrName;
 	} else {
+#ifdef DNSSEC_LOCAL_VALIDATION
+		val_status_t val_status;
+		hp = val_gethostbyaddr(NULL, (const char*)&saddrp->sin_addr, sizeof(struct in_addr), AF_INET, &val_status);
+		if ((hp != NULL) && (!val_istrusted(val_status)))
+			hp = NULL;
+#else
 		hp = gethostbyaddr((gethost_addrptr_t) &saddrp->sin_addr, sizeof(struct in_addr), AF_INET);
+#endif
 		if ((hp != NULL) && (hp->h_name != NULL) && (hp->h_name[0] != '\0')) {
 			addrNamePtr = hp->h_name;
 		} else {
diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/sio/syshdrs.h ../ncftp-3.2.0/sio/syshdrs.h
--- /usr/local/src/clean/ncftp-3.2.0/sio/syshdrs.h	2005-03-24 20:13:56.000000000 -0500
+++ ../ncftp-3.2.0/sio/syshdrs.h	2007-04-26 12:09:40.000000000 -0400
@@ -212,4 +212,8 @@ extern ssize_t nsendmsg(int, const struc
 #	endif
 #endif	/* SOCKS */
 
+#ifdef DNSSEC_LOCAL_VALIDATION
+#include <validator/validator.h>
+#endif
+
 /* eof */
Binary files /usr/local/src/clean/ncftp-3.2.0/sio/syshdrs.h.gch and ../ncftp-3.2.0/sio/syshdrs.h.gch differ
diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/Strn/syshdrs.h ../ncftp-3.2.0/Strn/syshdrs.h
--- /usr/local/src/clean/ncftp-3.2.0/Strn/syshdrs.h	2004-01-07 01:07:05.000000000 -0500
+++ ../ncftp-3.2.0/Strn/syshdrs.h	2007-04-26 12:10:52.000000000 -0400
@@ -57,4 +57,8 @@
 extern char *strdup(const char *const src);
 #endif
 
+#ifdef DNSSEC_LOCAL_VALIDATION
+#include <validator/validator.h>
+#endif
+
 /* eof */
diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/vis/syshdrs.h ../ncftp-3.2.0/vis/syshdrs.h
--- /usr/local/src/clean/ncftp-3.2.0/vis/syshdrs.h	2004-01-07 01:07:37.000000000 -0500
+++ ../ncftp-3.2.0/vis/syshdrs.h	2007-04-26 12:10:45.000000000 -0400
@@ -348,3 +348,8 @@
 #include <Strn.h>			/* Library header. */
 #include <sio.h>			/* Because ../ncftp/util.c needs it. */
 #include <ncftp.h>			/* Mostly for utility routines it has. */
+
+#ifdef DNSSEC_LOCAL_VALIDATION
+#include <validator/validator.h>
+#endif
+