Attached is a patch which uses libsres and libval from DNSSEC-Tools to perform DNSSEC validation locally.
-- Robert Story Senior Software Engineer SPARTA (dba Cobham Analytic Solutions)
diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rstory/.rcfiles/diff-ignore --new-file clean/wget-1.12/configure.ac wget-1.12/configure.ac
--- clean/wget-1.12/configure.ac 2009-09-22 12:39:49.000000000 -0400
+++ wget-1.12/configure.ac 2009-10-26 18:50:43.000000000 -0400
@@ -544,6 +544,36 @@ if test "X$iri" != "Xno"; then
fi
fi
+dnl
+dnl Check for dnssec validator library if configured
+dnl
+AC_ARG_WITH(dnssec-local-validation,
+ [ --with-dnssec-local-validation Enable local DNSSEC validation using libval (default=no)], want_dnssec=$withval, want_dnssec=no)
+if test "x$want_dnssec" = "xyes"; then
+ AC_CHECK_HEADERS(validator/validator.h)
+ if test "$ac_cv_header_validator_validator_h" != yes; then
+ AC_MSG_ERROR(Can't find validator.h (from dnssec-tools))
+ fi
+ AC_CHECK_LIB(ssl, SHA1_Init)
+ AC_CHECK_LIB(sres, query_send)
+ if test "$ac_cv_lib_sres_query_send" != yes; then
+ AC_MSG_ERROR(Can't find libsres (from dnssec-tools))
+ fi
+ AC_CHECK_LIB(val, p_val_status,[LIBS="$LIBS -lval"])
+ if test "x$ac_cv_lib_val_p_val_status" = "xno"; then
+ AC_CHECK_LIB(pthread, pthread_rwlock_init)
+ AC_CHECK_LIB(val-threads, p_val_status,
+ [LIBS="$LIBS -lval-threads -lpthread" LIBVAL_SUFFIX="-threads"],
+ AC_MSG_ERROR(Can't find libval or libval-threads (from dnssec-tools)))
+ fi
+ if test "x$ac_cv_lib_val_p_val_status" = "xyes" -o "x$ac_cv_lib_val_threads_p_val_status" = "xyes"; then
+ AC_DEFINE(DNSSEC_LOCAL_VALIDATION, 1,
+ [Define if you want local DNSSEC validation support])
+ fi
+ AC_MSG_NOTICE([support for dnssec validator compiled in])
+fi
+
+
dnl Needed by src/Makefile.am
AM_CONDITIONAL([IRI_IS_ENABLED], [test "X$iri" != "Xno"])
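Review bot: The result of `AC_CHECK_LIB(ssl, SHA1_Init)` is never examined, so a missing or unlinkable OpenSSL surfaces later as the misleading "Can't find libsres" error. `SHA1_Init` is a libcrypto symbol, and probing it through `-lssl` only works where libssl transitively pulls in libcrypto, which modern linkers with `--no-copy-dt-needed-entries` no longer do; check the library that actually defines it and fail explicitly, e.g. `AC_CHECK_LIB(crypto, SHA1_Init, , AC_MSG_ERROR(Can't find libcrypto (needed by libsres/libval)))`. The `AC_MSG_NOTICE` is reached only after every failure path has already called `AC_MSG_ERROR`, so the `if ... = "xyes" -o ...` guard around `AC_DEFINE` is redundant and could be dropped for clarity.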
diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rstory/.rcfiles/diff-ignore --new-file clean/wget-1.12/src/host.c wget-1.12/src/host.c
--- clean/wget-1.12/src/host.c 2009-09-21 23:00:05.000000000 -0400
+++ wget-1.12/src/host.c 2009-10-29 16:12:43.000000000 -0400
@@ -35,6 +35,11 @@ as that of the covered work. */
#include <string.h>
#include <assert.h>
+/* Support for dnssec validation */
+#ifdef DNSSEC_LOCAL_VALIDATION
+#include <validator/validator.h>
+#endif /* DNSSEC_LOCAL_VALIDATION */
+
#ifndef WINDOWS
# include <sys/types.h>
# include <sys/socket.h>
@@ -378,7 +383,19 @@ static void
getaddrinfo_with_timeout_callback (void *arg)
{
struct gaiwt_context *ctx = (struct gaiwt_context *)arg;
+#ifndef DNSSEC_LOCAL_VALIDATION
ctx->exit_code = getaddrinfo (ctx->node, ctx->service, ctx->hints, ctx->res);
+#else
+ int err = 0;
+ val_status_t vstatus;
+ err = val_getaddrinfo((val_context_t *)NULL, ctx->node,
+ ctx->service, ctx->hints, ctx->res, &vstatus);
+ if ((NULL != ctx->res) && (0 == val_istrusted(vstatus))) {
+ DEBUGP(("DNSSEC status: %s [%d]\n", p_val_error(vstatus), vstatus));
+ err = DNSSECAI_FAIL;
+ }
+ ctx->exit_code = err;
+#endif
}
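Review bot: The guard `NULL != ctx->res` tests the caller's out-pointer (the address of a local, never NULL here), not the answer, so `vstatus` is consulted even when `val_getaddrinfo` failed and may have left it unset; key the check on `err == 0` instead. When the answer is rejected, the addrinfo list libval already stored in `*ctx->res` is neither freed nor cleared, so the caller avoids it only because `err` is non-zero; release it with libval's own routine (`val_freeaddrinfo` in DNSSEC-Tools — confirm against the installed header) and null the slot before returning `DNSSECAI_FAIL`. Note also that `val_istrusted` accepts answers libval classes as trusted without a validated chain (e.g. provably insecure zones, per local policy), which is a reasonable default but worth a comment so it is not mistaken for `val_isvalidated`.
```c
  err = val_getaddrinfo ((val_context_t *) NULL, ctx->node,
                         ctx->service, ctx->hints, ctx->res, &vstatus);
  /* val_istrusted also accepts provably-insecure answers per libval policy;
     use val_isvalidated if only fully validated chains are acceptable.  */
  if (err == 0 && !val_istrusted (vstatus))
    {
      DEBUGP (("DNSSEC status: %s [%d]\n", p_val_error (vstatus), vstatus));
      /* Drop the untrusted answer so no caller can pick it up.  */
      val_freeaddrinfo (*ctx->res);
      *ctx->res = NULL;
      err = DNSSECAI_FAIL;
    }
  ctx->exit_code = err;
```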
/* Just like getaddrinfo, except it times out after TIMEOUT seconds.
@@ -776,9 +793,15 @@ lookup_host (const char *host, int flags
err = getaddrinfo_with_timeout (host, NULL, &hints, &res, timeout);
if (err != 0 || res == NULL)
{
- if (!silent)
+ if (!silent) {
+#ifndef DNSSEC_LOCAL_VALIDATION
logprintf (LOG_VERBOSE, _("failed: %s.\n"),
err != EAI_SYSTEM ? gai_strerror (err) : strerror (errno));
+#else
+ logprintf (LOG_VERBOSE, _("failed: %s.\n"),
+ err != EAI_SYSTEM ? dnssec_strerror (err) : strerror (errno));
+#endif
+ }
return NULL;
}
al = address_list_from_addrinfo (res);
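Review bot: A validation failure is reported only through `logprintf (LOG_VERBOSE, ...)` inside `if (!silent)`, so in a normal run a bogus or untrusted answer is indistinguishable from an ordinary lookup failure, which defeats the purpose of validating locally. Report `DNSSECAI_FAIL` at a level the user sees by default, e.g. `if (err == DNSSECAI_FAIL) logprintf (LOG_NOTQUIET, _("failed: %s.\n"), dnssec_strerror (err));` placed before the existing verbose branch. lookup_host begins and ends outside this hunk, so whether `silent` callers should also see it cannot be judged from here.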
@@ -904,3 +927,29 @@ host_cleanup (void)
host_name_addresses_map = NULL;
}
}
+
+#ifdef DNSSEC_LOCAL_VALIDATION
+/* DNSSEC additional proecudures
+
+ dnssec_strerror - looks for dnssec errors (currently there is
+ only one), passes back dnssec specific error
+ string or calls the system gai_strerror. */
+
+static const char* dnssecai_fail_string = "DNS resoloution not trusted";
+static const char* dnssecai_noerror_string = "No Error";
+
+const char *dnssec_strerror(int ecode)
+{
+ switch (ecode) {
+ case 0:
+ return (dnssecai_noerror_string);
+ case DNSSECAI_FAIL:
+ return (dnssecai_fail_string);
+ }
+ /* default response*/
+ return (gai_strerror(ecode));
+} /* denssec_strerror */
+
+
+/* End DNSSEC Additional procedures */
+#endif
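Review bot: The string returned for `DNSSECAI_FAIL` misspells "resolution" and, unlike the `_("failed: %s.\n")` it is interpolated into, is not marked for translation; returning `_("DNS resolution not trusted")` directly from the `case` fixes both and makes the two file-scope string pointers unnecessary. The comment block also has "proecudures" and the closing `/* denssec_strerror */` should name the function correctly. Stylistically the `switch` would read better with an explicit `default: return gai_strerror (ecode);` than a fall-out to the "default response" comment.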
diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rstory/.rcfiles/diff-ignore --new-file clean/wget-1.12/src/host.h wget-1.12/src/host.h
--- clean/wget-1.12/src/host.h 2009-09-04 12:31:54.000000000 -0400
+++ wget-1.12/src/host.h 2009-10-26 18:53:05.000000000 -0400
@@ -97,6 +97,11 @@ const char *print_address (const ip_addr
bool is_valid_ipv6_address (const char *, const char *);
#endif
+#ifdef DNSSEC_LOCAL_VALIDATION
+#define DNSSECAI_FAIL -600 /* sharing number space with netdb.h errors */
+const char *dnssec_strerror(int ecode);
+#endif
+
bool accept_domain (struct url *);
bool sufmatch (const char **, const char *);
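Review bot: The comment on `DNSSECAI_FAIL` says the value shares the netdb.h number space but not why -600 is safe there; it is presumably chosen to sit outside every EAI_* code on the supported platforms (glibc uses small negatives, other libcs small positives), and that reasoning belongs in the comment because a collision would make `dnssec_strerror` report the wrong cause for a failed lookup. Suggest `#define DNSSECAI_FAIL -600 /* outside the EAI_* range of every supported libc; must never collide with a netdb.h code */`.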
