diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/configure.in ../ncftp-3.2.0/configure.in --- /usr/local/src/clean/ncftp-3.2.0/configure.in 2006-08-05 17:47:58.000000000 -0400 +++ ../ncftp-3.2.0/configure.in 2007-05-01 18:57:45.000000000 -0400 @@ -79,6 +79,33 @@ dnl if test "$nc_cv_readline" = yes ; th dnl wi_LIB_READLINE dnl fi +dnl +dnl DNSSEC +dnl +# Check whether user wants DNSSEC local validation support +AC_ARG_WITH(dnssec-local-validation, + [ --with-dnssec-local-validation Enable local DNSSEC validation using libval (no)], want_dnssec=$enableval, want_dnssec=no) +if ! test "x-$want_dnssec" = "x-no" ; then + AC_CHECK_HEADERS(validator/validator.h) + if test "$ac_cv_header_validator_validator_h" != yes; then + AC_MSG_ERROR(Can't find validator.h) + fi + AC_CHECK_LIB(ssl, SHA1_Init,,AC_MSG_ERROR([Can't find SSL library])) + AC_CHECK_LIB(sres, query_send,,AC_MSG_ERROR([Can't find libsres])) + AC_CHECK_LIB(val, p_val_status, + LIBS="$LIBS -lval" + have_val_res_query=yes, + [ AC_CHECK_LIB(pthread, pthread_rwlock_init) + AC_CHECK_LIB(val-threads, p_val_status, + have_val_res_query=yes + LIBS="-lval-threads $LIBS" + LIBVAL_SUFFIX="-threads", + AC_MSG_ERROR(Can't find libval or libval-threads)) + ]) + AC_DEFINE(DNSSEC_LOCAL_VALIDATION, 1, + [Define if you want local DNSSEC validation support]) +fi + dnl --------------------------------------------------------------------------- diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/libncftp/ftp.c ../ncftp-3.2.0/libncftp/ftp.c --- /usr/local/src/clean/ncftp-3.2.0/libncftp/ftp.c 2005-01-01 16:27:07.000000000 -0500 +++ ../ncftp-3.2.0/libncftp/ftp.c 2007-05-02 12:59:26.000000000 -0400 
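Review bot: `want_dnssec=$enableval` in the new AC_ARG_WITH reads a variable that AC_ARG_WITH does not set — the user's value arrives in `$withval` — so `want_dnssec` is empty whenever the option is given, and the `test "x-$want_dnssec" = "x-no"` guard then enables validation even for `--with-dnssec-local-validation=no`; change it to `want_dnssec=$withval`. The rsconfig script added later in this diff passes `--with-local-dnssec-validation`, which is not the name registered here, so that build would quietly end up without validation (an unrecognised --with option is not an error for an autoconf-generated configure). The `AC_CHECK_LIB(ssl, SHA1_Init, ...)` probe asks libssl for a libcrypto symbol and only succeeds where -lssl pulls libcrypto in implicitly; probing `crypto` for `SHA1_Init` would be the robust form.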
@@ -119,7 +119,7 @@ OpenControlConnection(const FTPCIPtr cip volatile int sock2fd = -1; ResponsePtr rp = NULL; char **volatile curaddr; - int hpok; + int hpok, hprc; struct hostent hp; char *volatile fhost; unsigned int fport; @@ -159,11 +159,19 @@ OpenControlConnection(const FTPCIPtr cip cip->servCtlAddr.sin_port = (unsigned short) fport; - if (GetHostEntry(&hp, fhost, &ip_address, cip->buf, cip->bufSize) != 0) { + hprc = GetHostEntry(&hp, fhost, &ip_address, cip->buf, cip->bufSize); + if (hprc != 0) { hpok = 0; /* Okay, no Host entry, but maybe we have a numeric address * in ip_address we can try. */ +#ifdef DNSSEC_LOCAL_VALIDATION + if (hprc == -2) { + FTPLogError(cip, kDontPerror, "%s: untrusted DNS response.\n", fhost); + cip->errNo = kErrHostUnknown; + return (kErrHostUnknown); + } +#endif if (ip_address.s_addr == INADDR_NONE) { FTPLogError(cip, kDontPerror, "%s: unknown host.\n", fhost); cip->errNo = kErrHostUnknown; diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/libncftp/syshdrs.h ../ncftp-3.2.0/libncftp/syshdrs.h --- /usr/local/src/clean/ncftp-3.2.0/libncftp/syshdrs.h 2006-07-31 14:14:28.000000000 -0400 +++ ../ncftp-3.2.0/libncftp/syshdrs.h 2007-04-26 12:10:50.000000000 -0400 @@ -348,4 +348,8 @@ extern ssize_t nsendmsg(int, const struc #include "util.h" #include "ftp.h" +#ifdef DNSSEC_LOCAL_VALIDATION +#include <validator/validator.h> +#endif + /* eof */ Binary files /usr/local/src/clean/ncftp-3.2.0/libncftp/syshdrs.h.gch and ../ncftp-3.2.0/libncftp/syshdrs.h.gch differ diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/ncftp/cmds.c ../ncftp-3.2.0/ncftp/cmds.c --- /usr/local/src/clean/ncftp-3.2.0/ncftp/cmds.c 2006-08-02 18:32:04.000000000 -0400 +++ ../ncftp-3.2.0/ncftp/cmds.c 2007-05-01 19:44:53.000000000 -0400 
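Review bot: The new `if (hprc == -2)` early return also triggers when `fhost` is a numeric address whose reverse (PTR) lookup failed validation, because GetHostEntry in sio/DNSUtil.c (later in this diff) propagates -2 from GetHostByAddr as well; the PTR answer only populates `hp` and plays no part in choosing the address to connect to, so a bogus PTR record would now prevent connecting to an explicitly given IP. If that is not intended, reject only when no literal address is available: `if ((hprc == -2) && (ip_address.s_addr == INADDR_NONE)) {`. Whether `ip_address` is still filled on the numeric path when the reverse lookup fails is decided outside this hunk (the existing "maybe we have a numeric address" comment suggests it is), so confirm that first. OpenControlConnection continues beyond the hunk.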
@@ -2218,7 +2218,7 @@ LookupCmd(const int argc, char **const a const char *host; char **cpp; struct in_addr ip_address; - int shortMode, optrc; + int shortMode, optrc, dnsrc; char ipStr[16]; GetoptInfo opt; @@ -2241,11 +2241,17 @@ LookupCmd(const int argc, char **const a for (i=opt.ind; i<argc; i++) { hpok = 0; - if (GetHostEntry(&hp, (host = argv[i]), &ip_address, gConn.buf, gConn.bufSize) == 0) + dnsrc = GetHostEntry(&hp, (host = argv[i]), &ip_address, gConn.buf, gConn.bufSize); + if (dnsrc == 0) hpok = 1; if ((i > opt.ind) && (shortMode == 0)) Trace(-1, "\n"); if (hpok == 0) { +#ifndef DNSSEC_LOCAL_VALIDATION + if (dnsrc == -2) + Trace(-1, "DNS response for site %s is untrused.\n", host); + else +#endif Trace(-1, "Unable to get information about site %s.\n", host); } else if (shortMode) { MyInetAddr(ipStr, sizeof(ipStr), hp.h_addr_list, 0); @@ -2518,6 +2524,13 @@ DoOpen(void) OpenMsg("Resolving %s...", ohost); if ((gLoadedBm != 0) && (gBm.lastIP[0] != '\0')) { result = MyGetHostByName(ipstr, sizeof(ipstr), ohost, 3); +#ifndef DNSSEC_LOCAL_VALIDATION + /* + * I think this code is using a previous answer if DNS + * fails. So, the question is: should we do the same + * thing if the result is -2 (untrusted result)? + */ +#endif if (result < 0) { (void) STRNCPY(ipstr, gBm.lastIP); result = 0; 
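Review bot: The `#ifndef DNSSEC_LOCAL_VALIDATION` guard around the `dnsrc == -2` test in LookupCmd is inverted: -2 is only ever produced when DNSSEC_LOCAL_VALIDATION is defined (see GetHostByName/GetHostEntry later in this diff), so a build with validation compiled in prints the generic "Unable to get information" line for an untrusted answer, while the untrusted message is compiled only into builds that can never reach it. Change the guard to `#ifdef DNSSEC_LOCAL_VALIDATION` and fix the typo in the message, `Trace(-1, "DNS response for site %s is untrusted.\n", host);`. The `#ifndef` around the comment block in the DoOpen hunk below has the same inversion, though it is harmless there because it encloses only a comment.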
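Review bot: On the bookmark path, `MyGetHostByName` returning -2 (an answer that failed DNSSEC validation, added in ncftp/util.c in this diff) satisfies `result < 0` and is silently replaced by `gBm.lastIP` with `result = 0`, so a validation failure becomes indistinguishable from a transient resolver error and the user is never told the name did not validate. Reusing the last-known address may be acceptable, but it should be visible: e.g. `if (result == -2) OpenMsg("Untrusted DNS response for %s; using last known address...", ohost);` before the fallback, or treat -2 as fatal so the "Untrusted DNS response" message in the next hunk is reached. The question left in the added comment is exactly this and should be settled rather than committed; its `#ifndef DNSSEC_LOCAL_VALIDATION` guard is also inverted, since the comment only matters when validation is compiled in.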
@@ -2529,7 +2542,18 @@ DoOpen(void) } if (result < 0) { (void) printf("\n"); +#ifndef DNSSEC_LOCAL_VALIDATION (void) printf("Unknown host \"%s\".\n", ohost); +#else + /* + * It would be nice to print a little more information, + * but that would mean an API change to MyGetHostByName. + */ + (void) printf("%s host \"%s\".\n", + (result == -2) ? + "Untrusted DNS response for" : "Unknown", + ohost); +#endif return (-1); } (void) STRNCPY(gConn.host, ipstr); diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/ncftp/syshdrs.h ../ncftp-3.2.0/ncftp/syshdrs.h --- /usr/local/src/clean/ncftp-3.2.0/ncftp/syshdrs.h 2004-01-06 16:41:11.000000000 -0500 +++ ../ncftp-3.2.0/ncftp/syshdrs.h 2007-04-26 12:10:42.000000000 -0400 @@ -280,3 +280,8 @@ #include <Strn.h> /* Library header. */ #include <sio.h> /* Library header. */ #include <ncftp.h> /* Library header. */ + +#ifdef DNSSEC_LOCAL_VALIDATION +#include <validator/validator.h> +#endif + diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/ncftp/util.c ../ncftp-3.2.0/ncftp/util.c --- /usr/local/src/clean/ncftp-3.2.0/ncftp/util.c 2006-08-02 18:31:38.000000000 -0400 +++ ../ncftp-3.2.0/ncftp/util.c 2007-05-02 12:52:47.000000000 -0400 @@ -688,6 +688,9 @@ MyGetHostByName(char *const volatile dst #ifdef HAVE_INET_ATON struct in_addr ina; #endif +#ifdef DNSSEC_LOCAL_VALIDATION + val_status_t val_status; +#endif #ifdef HAVE_INET_ATON if (inet_aton(hn, &ina) != 0) { 
@@ -726,12 +729,26 @@ MyGetHostByName(char *const volatile dst
 osigalrm = NcSignal(SIGALRM, CancelGetHostByName);
 if (t > 0)
 (void) alarm((unsigned int) t);
+#ifndef DNSSEC_LOCAL_VALIDATION
 hp = gethostbyname(hn);
+#else
+ hp = val_gethostbyname(NULL, hn, &val_status);
+#endif
 if (t > 0)
 (void) alarm(0);
 (void) NcSignal(SIGPIPE, osigpipe);
 (void) NcSignal(SIGINT, osigint);
 (void) NcSignal(SIGALRM, osigalrm);
+#ifdef DNSSEC_LOCAL_VALIDATION
+ /*
+ * It would be nice to pass a little more information back,
+ * but that would mean an API change to MyGetHostByName.
+ */
+ if ((hp != NULL) && ! val_istrusted(val_status)) {
+ *dst = '\0';
+ return (-2);
+ }
+#endif
 if (hp != NULL) {
 InetNtoA(dst, ((struct in_addr **) hp->h_addr_list)[0], dsize);
 return (0);
diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/rsconfig ../ncftp-3.2.0/rsconfig
--- /usr/local/src/clean/ncftp-3.2.0/rsconfig 1969-12-31 19:00:00.000000000 -0500
+++ ../ncftp-3.2.0/rsconfig 2007-05-01 17:37:18.000000000 -0400
@@ -0,0 +1 @@
+CFLAGS="-g -O0" ./configure --cache=$HOME/config.cache --with-local-dnssec-validation --disable-shared
diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/sh_util/syshdrs.h ../ncftp-3.2.0/sh_util/syshdrs.h
--- /usr/local/src/clean/ncftp-3.2.0/sh_util/syshdrs.h 2002-03-27 05:37:56.000000000 -0500
+++ ../ncftp-3.2.0/sh_util/syshdrs.h 2007-04-26 12:11:06.000000000 -0400
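Review bot: The new `return (-2)` gives MyGetHostByName a third outcome that DoOpen in ncftp/cmds.c (this diff) now switches on, yet nothing states the contract — the added comment only says the API could carry more information; document it on the function header (outside the hunk) along the lines of "returns 0 with dst filled in, the existing failure value when the name cannot be resolved, or -2 under DNSSEC_LOCAL_VALIDATION when an answer arrived but did not validate, in which case dst is set to the empty string". Two smaller points: the lookup runs under the SIGALRM cancellation installed with CancelGetHostByName (outside the hunk), and if that handler longjmps out of val_gethostbyname mid-query it may leave libval's internal state or allocations behind, which is worth checking against the library's documentation; and placing the new code in the `#else` of `#ifndef DNSSEC_LOCAL_VALIDATION` reads backwards compared with the `#ifdef`-first branches in sio/DNSUtil.c — `#ifdef DNSSEC_LOCAL_VALIDATION` / `hp = val_gethostbyname(NULL, hn, &val_status);` / `#else` / `hp = gethostbyname(hn);` / `#endif`.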
@@ -283,3 +283,8 @@
 #include <Strn.h> /* Library header. */
 #include <sio.h> /* Library header. */
 #include <ncftp.h> /* Library header. */
+
+#ifdef DNSSEC_LOCAL_VALIDATION
+#include <validator/validator.h>
+#endif
+
diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/sio/DNSUtil.c ../ncftp-3.2.0/sio/DNSUtil.c
--- /usr/local/src/clean/ncftp-3.2.0/sio/DNSUtil.c 2005-03-24 20:20:00.000000000 -0500
+++ ../ncftp-3.2.0/sio/DNSUtil.c 2007-05-02 12:54:54.000000000 -0400
@@ -24,7 +24,31 @@ extern int getdomainname(char *name, get
 int
 GetHostByName(struct hostent *const hp, const char *const name, char *const hpbuf, size_t hpbufsize)
 {
-#if defined(HAVE_GETHOSTBYNAME_R) && (defined(SOLARIS) || defined(IRIX) || defined(BSDOS))
+#if defined(DNSSEC_LOCAL_VALIDATION)
+ char *usehpbuf;
+ struct hostent *h;
+ int my_h_errno, rc;
+ val_status_t val_status;
+
+ usehpbuf = hpbuf;
+ forever {
+ errno = 0;
+ my_h_errno = 0;
+ h = NULL;
+ memset(usehpbuf, 0, hpbufsize);
+ rc = val_gethostbyname2_r(NULL, name, AF_INET, hp, usehpbuf,
+ hpbufsize, &h, &my_h_errno,
+ &val_status);
+ if ((rc == 0) && (h != NULL)) {
+ if (!val_istrusted(val_status))
+ return (-2);
+ return (0);
+ }
+ if ((rc == 0) && (my_h_errno != 0))
+ errno = ENOENT;
+ break;
+ }
+#elif defined(HAVE_GETHOSTBYNAME_R) && (defined(SOLARIS) || defined(IRIX) || defined(BSDOS))
 struct hostent *h;
 int h_errno_unused = 0;
 memset(hpbuf, 0, hpbufsize);
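Review bot: The `forever { ... }` loop in the new DNSSEC_LOCAL_VALIDATION branch of GetHostByName runs exactly once — every path either returns or hits the unconditional `break;` — so it is either leftover scaffolding or a missing ERANGE retry like the one the buffer-growing gethostbyname_r branches of this function may perform (outside the hunk; I cannot see them). Either drop the loop and the `usehpbuf` alias, or add the retry it implies. On the untrusted path `hp` and `hpbuf` have already been filled with the unvalidated answer before `return (-2)`; every caller in this diff tests `rc == 0` before touching `hp`, so this is safe today, but a `memset(hp, 0, sizeof(*hp));` ahead of that return (and in GetHostByAddr in the next hunk) keeps a caller that ignores the return code from consuming unvalidated data. When `rc != 0` the branch falls out of the `#if` with errno still 0 — only the `rc == 0 && my_h_errno != 0` case sets ENOENT — so unless the common tail after `#endif` normalises errno, a caller that reports `strerror(errno)` prints "Success" for a failed lookup. GetHostByName continues outside the hunk.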
@@ -110,7 +134,21 @@ GetHostByName(struct hostent *const hp, int GetHostByAddr(struct hostent *const hp, void *addr, int asize, int atype, char *const hpbuf, size_t hpbufsize) { -#if defined(HAVE_GETHOSTBYADDR_R) && (defined(SOLARIS) || defined(IRIX) || defined(BSDOS)) +#if defined(DNSSEC_LOCAL_VALIDATION) + struct hostent *h; + int h_errno_unused = 0, rc; + val_status_t val_status; + + memset(hpbuf, 0, hpbufsize); + rc = val_gethostbyaddr_r(NULL, addr, asize, atype, + hp, hpbuf, hpbufsize, &h, &h_errno_unused, + &val_status); + if ((rc == 0) && (h != NULL)) { + if (!val_istrusted(val_status)) + return (-2); + return (0); + } +#elif defined(HAVE_GETHOSTBYADDR_R) && (defined(SOLARIS) || defined(IRIX) || defined(BSDOS)) struct hostent *h; int h_errno_unused = 0; memset(hpbuf, 0, hpbufsize); @@ -177,7 +215,7 @@ int GetHostEntry(struct hostent *const hp, const char *const host, struct in_addr *const ip_address, char *const hpbuf, size_t hpbufsize) { struct in_addr ip; - int rc = -1; + int rc; /* See if the host was given in the dotted IP format, like "36.44.0.2." * If it was, inet_addr will convert that to a 32-bit binary value; @@ -185,7 +223,8 @@ GetHostEntry(struct hostent *const hp, c */ ip.s_addr = inet_addr(host); if (ip.s_addr != INADDR_NONE) { - if (GetHostByAddr(hp, (char *) &ip, (int) sizeof(ip), AF_INET, hpbuf, hpbufsize) == 0) { + rc = GetHostByAddr(hp, (char *) &ip, (int) sizeof(ip), AF_INET, hpbuf, hpbufsize); + if (rc == 0) { rc = 0; if (ip_address != NULL) (void) memcpy(&ip_address->s_addr, hp->h_addr_list[0], (size_t) hp->h_length); 
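Review bot: Hunk -177 drops the `= -1` initializer from `int rc;`, so GetHostEntry now relies on every path assigning `rc` before `return (rc)`; the two lookup branches visible in this diff do, but the code between the hunks is not shown, and any path that skips both lookups would return an indeterminate value — keeping `int rc = -1;` costs nothing and preserves the old failure default. In hunk -185 the `rc = 0;` inside `if (rc == 0) {` is now redundant and can go, as the hostname branch in the next hunk already does. GetHostByAddr (hunk -110) populates `hp` before its `return (-2)`, the same point raised on GetHostByName in the previous hunk.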
@@ -196,12 +235,19 @@ GetHostEntry(struct hostent *const hp, c /* No IP address, so it must be a hostname, like ftp.wustl.edu. */ if (ip_address != NULL) ip_address->s_addr = INADDR_NONE; - if (GetHostByName(hp, host, hpbuf, hpbufsize) == 0) { - rc = 0; + rc = GetHostByName(hp, host, hpbuf, hpbufsize); + if (rc == 0) { if (ip_address != NULL) (void) memcpy(&ip_address->s_addr, hp->h_addr_list[0], (size_t) hp->h_length); } } +#if defined(DNSSEC_LOCAL_VALIDATION) + if ((rc < 0) && (rc != -2)) + rc = -1; +#else + if ((rc < 0) && (rc != -1)) + rc = -1; +#endif return (rc); } /* GetHostEntry */ diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/sio/StrAddr.c ../ncftp-3.2.0/sio/StrAddr.c --- /usr/local/src/clean/ncftp-3.2.0/sio/StrAddr.c 2002-10-12 17:07:16.000000000 -0400 +++ ../ncftp-3.2.0/sio/StrAddr.c 2007-05-02 12:54:17.000000000 -0400 @@ -265,8 +265,16 @@ AddrStrToAddr(const char * const s, stru sa->sin_family = AF_INET; sa->sin_addr.s_addr = ipnum; } else { +#ifdef DNSSEC_LOCAL_VALIDATION + val_status_t val_status; + errno = 0; + hp = val_gethostbyname(NULL,hostcp,&val_status); + if ((hp != NULL) && (!val_istrusted(val_status))) + hp = NULL; +#else errno = 0; hp = gethostbyname(hostcp); +#endif if (hp == NULL) { if (errno == 0) errno = ENOENT; 
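Review bot: GetHostEntry now has a three-valued result (0, -1, and -2 under DNSSEC_LOCAL_VALIDATION) that every caller in this diff switches on, but nothing documents it; add a comment above the function (outside the hunk) such as `/* Returns 0 on success, -1 if the lookup failed, or -2 (DNSSEC_LOCAL_VALIDATION only) if an answer arrived but did not validate; hp is only valid when 0 is returned. */`. The `#else` normalisation `if ((rc < 0) && (rc != -1)) rc = -1;` is just `if (rc < 0) rc = -1;` and reads more clearly written that way, leaving the `#if` branch as the only special case.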
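Review bot: In AddrStrToAddr an untrusted answer is folded into `hp = NULL` and, because errno was cleared just before the call, reported to the caller as `ENOENT` — the same error as a nonexistent name — so neither the caller nor the user can tell a validation failure from a typo, unlike the -2 path the rest of this diff adds to GetHostByName and MyGetHostByName. If the function's errno contract cannot change, at least mark the choice on the `hp = NULL;` line, e.g. `hp = NULL; /* answer failed DNSSEC validation: treated as unresolvable */`, so the conflation is deliberate rather than accidental. This assumes val_gethostbyname leaves errno at 0 on an answer that was received but did not validate, which I cannot confirm from here.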
@@ -297,7 +305,14 @@ AddrToAddrStr(char *const dst, size_t ds InetNtoA(addrName, &saddrp->sin_addr, sizeof(addrName)); addrNamePtr = addrName; } else { +#ifdef DNSSEC_LOCAL_VALIDATION + val_status_t val_status; + hp = val_gethostbyaddr(NULL, (const char*)&saddrp->sin_addr, sizeof(struct in_addr), AF_INET, &val_status); + if ((hp != NULL) && (!val_istrusted(val_status))) + hp = NULL; +#else hp = gethostbyaddr((gethost_addrptr_t) &saddrp->sin_addr, sizeof(struct in_addr), AF_INET); +#endif if ((hp != NULL) && (hp->h_name != NULL) && (hp->h_name[0] != '\0')) { addrNamePtr = hp->h_name; } else { diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/sio/syshdrs.h ../ncftp-3.2.0/sio/syshdrs.h --- /usr/local/src/clean/ncftp-3.2.0/sio/syshdrs.h 2005-03-24 20:13:56.000000000 -0500 +++ ../ncftp-3.2.0/sio/syshdrs.h 2007-04-26 12:09:40.000000000 -0400 @@ -212,4 +212,8 @@ extern ssize_t nsendmsg(int, const struc # endif #endif /* SOCKS */ +#ifdef DNSSEC_LOCAL_VALIDATION +#include <validator/validator.h> +#endif + /* eof */ Binary files /usr/local/src/clean/ncftp-3.2.0/sio/syshdrs.h.gch and ../ncftp-3.2.0/sio/syshdrs.h.gch differ diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/Strn/syshdrs.h ../ncftp-3.2.0/Strn/syshdrs.h --- /usr/local/src/clean/ncftp-3.2.0/Strn/syshdrs.h 2004-01-07 01:07:05.000000000 -0500 +++ ../ncftp-3.2.0/Strn/syshdrs.h 2007-04-26 12:10:52.000000000 -0400 
@@ -57,4 +57,8 @@ extern char *strdup(const char *const src); #endif +#ifdef DNSSEC_LOCAL_VALIDATION +#include <validator/validator.h> +#endif + /* eof */ diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rks/.rcfiles/diff-ignore --new-file /usr/local/src/clean/ncftp-3.2.0/vis/syshdrs.h ../ncftp-3.2.0/vis/syshdrs.h --- /usr/local/src/clean/ncftp-3.2.0/vis/syshdrs.h 2004-01-07 01:07:37.000000000 -0500 +++ ../ncftp-3.2.0/vis/syshdrs.h 2007-04-26 12:10:45.000000000 -0400 @@ -348,3 +348,8 @@ #include <Strn.h> /* Library header. */ #include <sio.h> /* Because ../ncftp/util.c needs it. */ #include <ncftp.h> /* Mostly for utility routines it has. */ + +#ifdef DNSSEC_LOCAL_VALIDATION +#include <validator/validator.h> +#endif +