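diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 3c5e3b7..737a16f 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -5,11 +5,13 @@ piddir=@piddir@
 srcdir=@srcdir@
 top_srcdir=@top_srcdir@
 
+PATHS= -DSSHDIR=\"$(sysconfdir)\"
+
 VPATH=@srcdir@
 CC=@CC@
 LD=@LD@
 CFLAGS=@CFLAGS@
-CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
+CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
 AR=@AR@
 RANLIB=@RANLIB@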
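Review bot: `PATHS= -DSSHDIR=\"$(sysconfdir)\"` depends on `sysconfdir` being assigned earlier in this Makefile.in, which the hunk does not show; the header's `piddir=@piddir@` suggests the autoconf directory variables sit just above, but if `sysconfdir=@sysconfdir@` is not among them SSHDIR silently expands to `""` and the new compat code ends up probing `/trusted-key.key`. A one-line comment above the assignment, such as `# keep in step with the top-level Makefile's SSHDIR so the compat library reads the same config dir`, would record why the define is repeated here rather than inherited (it presumably mirrors the top-level PATHS).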
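diff --git a/openbsd-compat/getrrsetbyname-ldns.c b/openbsd-compat/getrrsetbyname-ldns.c
index 4647b62..a388cbb 100644
--- a/openbsd-compat/getrrsetbyname-ldns.c
+++ b/openbsd-compat/getrrsetbyname-ldns.c
@@ -49,6 +49,7 @@
 
 #include <stdlib.h>
 #include <string.h>
+#include <sys/stat.h>
 
 #include <ldns/ldns.h>
 
@@ -59,6 +60,50 @@
 #define malloc(x) (xmalloc(x))
 #define calloc(x, y) (xcalloc((x),(y)))
 
+#ifdef __APPLE__
+
+#include "pathnames.h"
+
+/**
+ * Adding trust anchor directly is only necessary on OSX as
+ * configd will overwrite /etc/resolv.conf when the network
+ * configuration changes (eg new DNS from DHCP), so the ldns
+ * "anchor" keyword for the trusted-key in that file is lost.
+ */
+static void _add_ldns_trust_key(ldns_resolver *ldns_res,
+    const char *filename)
+{
+	ldns_rr *new_rr;
+	struct stat sbuf;
+
+	/* check if file exists (avoid error in ldns_read_anchor_file) */
+	debug2("ldns: attempt to load trust anchor from file %s", filename);
+	if(stat(filename, &sbuf) != 0) {
+		debug2("ldns: file not found");
+		return;
+	}
+
+	/* read the RR from the file */
+	if((new_rr = ldns_read_anchor_file(filename))) {
+		/* check if RR already in resolver's anchors */
+		ldns_rr_list *cur_anchors =
+		    ldns_resolver_dnssec_anchors(ldns_res);
+		if(ldns_rr_list_contains_rr(cur_anchors, new_rr)) {
+			debug2("ldns: anchor already in trust chain");
+		}
+		else {
+			if(ldns_resolver_push_dnssec_anchor(ldns_res, new_rr)
+			    == LDNS_STATUS_OK)
+				debug2("ldns: new anchor added to trust chain");
+			else
+				debug2("ldns: failed to add anchor to trust chain (invalid type?)");
+		}
+	}
+	ldns_rr_free(new_rr);
+}
+
+#endif
+
 int
 getrrsetbyname(const char *hostname, unsigned int rdclass,
     unsigned int rdtype, unsigned int flags,
@@ -152,6 +197,13 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
 	} else { /* AD is not set, try autonomous validation */
 		ldns_rr_list * trusted_keys = ldns_rr_list_new();
 
+#ifdef __APPLE__
+		/* look for the trusted-key.key in both global and
+		   ssh-specific locations */
+		_add_ldns_trust_key(ldns_res, ETCDIR "/trusted-key.key");
+		_add_ldns_trust_key(ldns_res, SSHDIR "/trusted-key.key");
+#endif
+
 		debug2("ldns: trying to validate RRset");
 		/* Get eventual sigs */
 		rrsigs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_RRSIG,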
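Review bot: In the `@@ -59,6 +60,50 @@` hunk the anchor file becomes a DNSSEC validation root for every later lookup on the strength of `stat()` succeeding alone, so whoever can write `/etc/trusted-key.key` or `SSHDIR/trusted-key.key` controls what the resolver trusts; since `sbuf` is already filled, refuse anything that is not a regular file owned by root (or the invoking user) or that is group/world writable before calling `ldns_read_anchor_file`, in the spirit of the ownership checks OpenSSH applies to its other key files (the sketch below also needs `<errno.h>` and `<unistd.h>`). The `debug2("ldns: file not found")` branch fires for every stat failure including EACCES, so logging `strerror(errno)` would tell the cases apart. `_add_ldns_trust_key` is a file-scope identifier beginning with an underscore, which C reserves for the implementation; `add_ldns_trust_key` (with the two callers in the last hunk updated) avoids that. The unconditional `ldns_rr_free(new_rr)` after a successful push is only correct if `ldns_resolver_push_dnssec_anchor` keeps its own copy, which the ldns implementation appears to do by cloning the RR; a comment such as `/* the resolver clones the RR, so our copy is always ours to free */` would spare the next reader the lookup. `getrrsetbyname`, which receives the two new calls in the last hunk, starts and ends outside this diff.
```c
	debug2("ldns: attempt to load trust anchor from file %s", filename);
	if (stat(filename, &sbuf) != 0) {
		debug2("ldns: cannot stat %s: %s", filename, strerror(errno));
		return;
	}
	/* a trust anchor is security-critical: accept only a regular file
	 * owned by root or by us that group/other cannot write to */
	if (!S_ISREG(sbuf.st_mode) ||
	    (sbuf.st_uid != 0 && sbuf.st_uid != getuid()) ||
	    (sbuf.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
		debug2("ldns: bad ownership or modes for %s, ignoring", filename);
		return;
	}
	/* … unchanged: ldns_read_anchor_file, duplicate check, push, free … */
```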