jreidthompson · jreidthompson · Oct 6, 2023 · Oct 8, 2023 · Oct 9, 2023 · Oct 9, 2023
diff --git a/meson.build b/meson.build
@@ -30,6 +30,10 @@ cc = meson.get_compiler('c')
 # OS-specific settings
 ####################################################################################################################################
 if host_machine.system() == 'linux'
+    # BSD_SOURCE can be removed when support for RHEL7 is dropped,
+    # DEFAULT_SOURCE can be removed when support for RHEL7 is dropped if we rewrite a few hstrerror calls to a generic error message
+    add_global_arguments('-D_DEFAULT_SOURCE', language : 'c')
+    add_global_arguments('-D_BSD_SOURCE', language : 'c')
     add_global_arguments('-D_POSIX_C_SOURCE=200809L', language : 'c')
 elif host_machine.system() == 'darwin'
     add_global_arguments('-D_DARWIN_C_SOURCE', language : 'c')
@@ -174,6 +178,13 @@ if lib_ssh2.found()
     configuration.set('HAVE_LIBSSH2', true, description: 'Is libssh2 present?')
 endif
 
+# Find optional libresolv library
+lib_resolv = cc.find_library('resolv', required: false)
+
+if lib_resolv.found()
+    configuration.set('HAVE_LIBRESOLV', true, description: 'Is libresolv present?')
+endif
+
 # Find optional zstd library
 lib_zstd = dependency('libzstd', version: '>=1.0', required: false)
 

diff --git a/src/build/config/config.yaml b/src/build/config/config.yaml
@@ -2460,6 +2460,14 @@ option:
     command: repo-type
     depend: repo-sftp-host
 
+  repo-sftp-verify-via-sshfp:
+    section: global
+    group: repo
+    type: boolean
+    default: false
+    command: repo-type
+    depend: repo-sftp-host
+
   repo-storage-verify-tls:
     section: global
     group: repo

diff --git a/src/build/configure.ac b/src/build/configure.ac
@@ -15,12 +15,17 @@ AC_PROG_CC
 AC_CANONICAL_HOST
 AC_SUBST(CFLAGS, "${CFLAGS} -std=c99")
 
+# BSD_SOURCE can be removed when support for RHEL7 is dropped
+# DEFAULT_SOURCE can be removed when support for RHEL7 is dropped if we rewrite a few hstrerror calls to a generic error message
+# ----------------------------------------------------------------------------------------------------------------------------------
 case $host_os in
     darwin*)
         AC_SUBST(CPPFLAGS, "${CPPFLAGS} -D_DARWIN_C_SOURCE")
         ;;
 
     linux*)
+        AC_SUBST(CPPFLAGS, "${CPPFLAGS} -D_DEFAULT_SOURCE")
+        AC_SUBST(CPPFLAGS, "${CPPFLAGS} -D_BSD_SOURCE")
         AC_SUBST(CPPFLAGS, "${CPPFLAGS} -D_POSIX_C_SOURCE=200809L")
         ;;
 esac
@@ -113,7 +118,7 @@ AC_CHECK_LIB(
     [AC_CHECK_HEADER(lz4frame.h, [AC_DEFINE(HAVE_LIBLZ4) AC_SUBST(LIBS, "${LIBS} -llz4")],
         [AC_MSG_ERROR([header file <lz4frame.h> is required])])])
 
-# Check optional libSSH2 library
+# Check optional libssh2 library
 # ----------------------------------------------------------------------------------------------------------------------------------
 AC_CHECK_LIB(
     [ssh2], [libssh2_init],
@@ -124,6 +129,14 @@ AC_CHECK_LIB(
     [AC_CHECK_HEADER(libssh2_sftp.h, [],
         [AC_MSG_ERROR([header file <libssh2_sftp.h> is required])])])
 
+# Check for optional resolv library if we have libssh2
+# ----------------------------------------------------------------------------------------------------------------------------------
+if test "x$ac_cv_lib_ssh2_libssh2_init" = "xyes"
+then
+    AC_CHECK_LIB([resolv], [ns_initparse], [], [])
+    AC_HEADER_RESOLV
+fi
+
 # Check optional zst library. Ignore any versions below 1.0.
 # ----------------------------------------------------------------------------------------------------------------------------------
 AC_CHECK_LIB(

diff --git a/src/build/help/help.xml b/src/build/help/help.xml
@@ -1059,6 +1059,17 @@
                         <example>path</example>
                     </config-key>
 
+                    <config-key id="repo-sftp-verify-via-sshfp" name="SFTP Verify Via SSHFP">
+                        <summary>SFTP verify via SSHFP.</summary>
+
+                        <text>
+                            <p>Perform fingerprint verification via SSHFP records. This assumes that DNS resolution is configured to resolve to a DNS server that has been properly configured for DNSSEC and that the path between the host and the DNS server is secure. The OS must support RES_TRUSTAD (ad flag) in order to verify via SSHFP. If any DNS provided fingerprints match, the host will be trusted. If the DNS response ad flag is not set, or no DNS fingerprints are provided, or no DNS fingerprints match the host fingerprint, warnings are logged and <backrest/> will failover to attempt to verify via normal methods.</p>
+                        </text>
+
+                        <default>n</default>
+                        <example>y</example>
+                    </config-key>
+
                     <config-key id="repo-sftp-host" name="SFTP Repository Host">
                         <summary>SFTP repository host.</summary>
 

diff --git a/src/config/config.auto.h b/src/config/config.auto.h
@@ -136,7 +136,7 @@ Option constants
 #define CFGOPT_TYPE                                                 "type"
 #define CFGOPT_VERBOSE                                              "verbose"
 
-#define CFG_OPTION_TOTAL                                            179
+#define CFG_OPTION_TOTAL                                            180
 
 /***********************************************************************************************************************************
 Option value constants
@@ -528,6 +528,7 @@ typedef enum
     cfgOptRepoSftpPrivateKeyFile,
     cfgOptRepoSftpPrivateKeyPassphrase,
     cfgOptRepoSftpPublicKeyFile,
+    cfgOptRepoSftpVerifyViaSshfp,
     cfgOptRepoStorageCaFile,
     cfgOptRepoStorageCaPath,
     cfgOptRepoStorageHost,

diff --git a/src/config/parse.auto.c.inc b/src/config/parse.auto.c.inc
@@ -8733,6 +8733,92 @@ static const ParseRuleOption parseRuleOption[CFG_OPTION_TOTAL] =
         ),                                                                                          // opt/repo-sftp-public-key-file
     ),                                                                                              // opt/repo-sftp-public-key-file
     // -----------------------------------------------------------------------------------------------------------------------------
+    PARSE_RULE_OPTION                                                                              // opt/repo-sftp-verify-via-sshfp
+    (                                                                                              // opt/repo-sftp-verify-via-sshfp
+        PARSE_RULE_OPTION_NAME("repo-sftp-verify-via-sshfp"),                                      // opt/repo-sftp-verify-via-sshfp
+        PARSE_RULE_OPTION_TYPE(cfgOptTypeBoolean),                                                 // opt/repo-sftp-verify-via-sshfp
+        PARSE_RULE_OPTION_NEGATE(true),                                                            // opt/repo-sftp-verify-via-sshfp
+        PARSE_RULE_OPTION_RESET(true),                                                             // opt/repo-sftp-verify-via-sshfp
+        PARSE_RULE_OPTION_REQUIRED(true),                                                          // opt/repo-sftp-verify-via-sshfp
+        PARSE_RULE_OPTION_SECTION(cfgSectionGlobal),                                               // opt/repo-sftp-verify-via-sshfp
+        PARSE_RULE_OPTION_GROUP_MEMBER(true),                                                      // opt/repo-sftp-verify-via-sshfp
+        PARSE_RULE_OPTION_GROUP_ID(cfgOptGrpRepo),                                                 // opt/repo-sftp-verify-via-sshfp
+                                                                                                   // opt/repo-sftp-verify-via-sshfp
+        PARSE_RULE_OPTION_COMMAND_ROLE_MAIN_VALID_LIST                                             // opt/repo-sftp-verify-via-sshfp
+        (                                                                                          // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdAnnotate)                                              // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdArchiveGet)                                            // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdArchivePush)                                           // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdBackup)                                                // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdCheck)                                                 // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdExpire)                                                // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdInfo)                                                  // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdManifest)                                              // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdRepoCreate)                                            // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdRepoGet)                                               // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdRepoLs)                                                // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdRepoPut)                                               // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdRepoRm)                                                // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdRestore)                                               // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdStanzaCreate)                                          // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdStanzaDelete)                                          // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdStanzaUpgrade)                                         // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdVerify)                                                // opt/repo-sftp-verify-via-sshfp
+        ),                                                                                         // opt/repo-sftp-verify-via-sshfp
+                                                                                                   // opt/repo-sftp-verify-via-sshfp
+        PARSE_RULE_OPTION_COMMAND_ROLE_ASYNC_VALID_LIST                                            // opt/repo-sftp-verify-via-sshfp
+        (                                                                                          // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdArchiveGet)                                            // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdArchivePush)                                           // opt/repo-sftp-verify-via-sshfp
+        ),                                                                                         // opt/repo-sftp-verify-via-sshfp
+                                                                                                   // opt/repo-sftp-verify-via-sshfp
+        PARSE_RULE_OPTION_COMMAND_ROLE_LOCAL_VALID_LIST                                            // opt/repo-sftp-verify-via-sshfp
+        (                                                                                          // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdArchiveGet)                                            // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdArchivePush)                                           // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdBackup)                                                // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdRestore)                                               // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdVerify)                                                // opt/repo-sftp-verify-via-sshfp
+        ),                                                                                         // opt/repo-sftp-verify-via-sshfp
+                                                                                                   // opt/repo-sftp-verify-via-sshfp
+        PARSE_RULE_OPTION_COMMAND_ROLE_REMOTE_VALID_LIST                                           // opt/repo-sftp-verify-via-sshfp
+        (                                                                                          // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdAnnotate)                                              // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdArchiveGet)                                            // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdArchivePush)                                           // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdCheck)                                                 // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdInfo)                                                  // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdManifest)                                              // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdRepoCreate)                                            // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdRepoGet)                                               // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdRepoLs)                                                // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdRepoPut)                                               // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdRepoRm)                                                // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdRestore)                                               // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdStanzaCreate)                                          // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdStanzaDelete)                                          // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdStanzaUpgrade)                                         // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTION_COMMAND(cfgCmdVerify)                                                // opt/repo-sftp-verify-via-sshfp
+        ),                                                                                         // opt/repo-sftp-verify-via-sshfp
+                                                                                                   // opt/repo-sftp-verify-via-sshfp
+        PARSE_RULE_OPTIONAL                                                                        // opt/repo-sftp-verify-via-sshfp
+        (                                                                                          // opt/repo-sftp-verify-via-sshfp
+            PARSE_RULE_OPTIONAL_GROUP                                                              // opt/repo-sftp-verify-via-sshfp
+            (                                                                                      // opt/repo-sftp-verify-via-sshfp
+                PARSE_RULE_OPTIONAL_DEPEND                                                         // opt/repo-sftp-verify-via-sshfp
+                (                                                                                  // opt/repo-sftp-verify-via-sshfp
+                    PARSE_RULE_VAL_OPT(cfgOptRepoType),                                            // opt/repo-sftp-verify-via-sshfp
+                    PARSE_RULE_VAL_STRID(parseRuleValStrIdSftp),                                   // opt/repo-sftp-verify-via-sshfp
+                ),                                                                                 // opt/repo-sftp-verify-via-sshfp
+                                                                                                   // opt/repo-sftp-verify-via-sshfp
+                PARSE_RULE_OPTIONAL_DEFAULT                                                        // opt/repo-sftp-verify-via-sshfp
+                (                                                                                  // opt/repo-sftp-verify-via-sshfp
+                    PARSE_RULE_VAL_BOOL_FALSE,                                                     // opt/repo-sftp-verify-via-sshfp
+                ),                                                                                 // opt/repo-sftp-verify-via-sshfp
+            ),                                                                                     // opt/repo-sftp-verify-via-sshfp
+        ),                                                                                         // opt/repo-sftp-verify-via-sshfp
+    ),                                                                                             // opt/repo-sftp-verify-via-sshfp
+    // -----------------------------------------------------------------------------------------------------------------------------
     PARSE_RULE_OPTION                                                                                    // opt/repo-storage-ca-file
     (                                                                                                    // opt/repo-storage-ca-file
         PARSE_RULE_OPTION_NAME("repo-storage-ca-file"),                                                  // opt/repo-storage-ca-file
@@ -10988,6 +11074,7 @@ static const uint8_t optionResolveOrder[] =
     cfgOptRepoSftpPrivateKeyFile,                                                                               // opt-resolve-order
     cfgOptRepoSftpPrivateKeyPassphrase,                                                                         // opt-resolve-order
     cfgOptRepoSftpPublicKeyFile,                                                                                // opt-resolve-order
+    cfgOptRepoSftpVerifyViaSshfp,                                                                               // opt-resolve-order
     cfgOptRepoStorageCaFile,                                                                                    // opt-resolve-order
     cfgOptRepoStorageCaPath,                                                                                    // opt-resolve-order
     cfgOptRepoStorageHost,                                                                                      // opt-resolve-order