merge patched into master

author: Matthew Vernon <mcv21@cam.ac.uk> 2014-03-26 15:40:41 +0000
committer: Matthew Vernon <mcv21@cam.ac.uk> 2014-03-26 15:51:46 +0000
commit: 0789c0d760ff7a61156a5d567e9f8b9f8195ff6e (patch)
tree: ddb6377e86eb122c15c9fdcb67bed56c23cf028f /debian/patches/sshfp_with_server_cert_upstr
parent: c0c05f0952597c4c821c6cc658f029f5bfd6c68c (diff)
parent: 63d5fa28e16d96db6bac2dbe3fcecb65328f8966 (diff)
1 files changed, 83 insertions, 0 deletions
diff --git a/debian/patches/sshfp_with_server_cert_upstr b/debian/patches/sshfp_with_server_cert_upstr
new file mode 100644
index 000000000..dd642d2a3
--- /dev/null
+++ b/debian/patches/sshfp_with_server_cert_upstr
@@ -0,0 +1,83 @@
+From 63d5fa28e16d96db6bac2dbe3fcecb65328f8966 Mon Sep 17 00:00:00 2001
+From: Matthew Vernon <mcv21@cam.ac.uk>
+Date: Wed, 26 Mar 2014 15:32:23 +0000
+Subject: Attempt SSHFP lookup even if server presents a certificate
+If an ssh server presents a certificate to the client, then the client
+does not check the DNS for SSHFP records. This means that a malicious
+server can essentially disable DNS-host-key-checking, which means the
+client will fall back to asking the user (who will just say "yes" to
+the fingerprint, sadly).
+This patch is by Damien Miller (of openssh upstream). It's simpler
+than the patch by Mark Wooding which I applied yesterday; a copy is
+taken of the proffered key/cert, the key extracted from the cert (if
+necessary), and then the DNS consulted.
+Signed-off-by: Matthew Vernon <matthew@debian.org>
+Bug-Debian: http://bugs.debian.org/742513
+Patch-Name: sshfp_with_server_cert_upstr
+---
+ sshconnect.c |   42 ++++++++++++++++++++++++++----------------
+ 1 file changed, 26 insertions(+), 16 deletions(-)
+diff --git a/sshconnect.c b/sshconnect.c
+index 87c3770..324f5e0 100644
+--- a/sshconnect.c
+++ b/sshconnect.c
+@@ -1224,29 +1224,39 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
+ {
+        int flags = 0;
+        char *fp;
+       Key *plain = NULL;
+ 
+        fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+        debug("Server host key: %s %s", key_type(host_key), fp);
+        free(fp);
+ 
+-       /* XXX certs are not yet supported for DNS */
+-       if (!key_is_cert(host_key) && options.verify_host_key_dns &&
+-           verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+-               if (flags & DNS_VERIFY_FOUND) {
+-
+-                       if (options.verify_host_key_dns == 1 &&
+-                           flags & DNS_VERIFY_MATCH &&
+-                           flags & DNS_VERIFY_SECURE)
+-                               return 0;
+-
+-                       if (flags & DNS_VERIFY_MATCH) {
+-                               matching_host_key_dns = 1;
+-                       } else {
+-                               warn_changed_key(host_key);
+-                               error("Update the SSHFP RR in DNS with the new "
+-                                   "host key to get rid of this message.");
+       if (options.verify_host_key_dns) {
+               /*
+                * XXX certs are not yet supported for DNS, so downgrade
+                * them and try the plain key.
+                */
+               plain = key_from_private(host_key);
+               if (key_is_cert(plain))
+                       key_drop_cert(plain);
+               if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
+                       if (flags & DNS_VERIFY_FOUND) {
+                               if (options.verify_host_key_dns == 1 &&
+                                   flags & DNS_VERIFY_MATCH &&
+                                   flags & DNS_VERIFY_SECURE) {
+                                       key_free(plain);
+                                       return 0;
+                               }
+                               if (flags & DNS_VERIFY_MATCH) {
+                                       matching_host_key_dns = 1;
+                               } else {
+                                       warn_changed_key(plain);
+                                       error("Update the SSHFP RR in DNS "
+                                           "with the new host key to get rid "
+                                           "of this message.");
+                               }
+                        }
+                }
+               key_free(plain);
+        }
+ 
+        return check_host_key(host, hostaddr, options.port, host_key, RDRW,
author	Matthew Vernon <mcv21@cam.ac.uk>	2014-03-26 15:40:41 +0000
committer	Matthew Vernon <mcv21@cam.ac.uk>	2014-03-26 15:51:46 +0000
commit	0789c0d760ff7a61156a5d567e9f8b9f8195ff6e (patch)
tree	ddb6377e86eb122c15c9fdcb67bed56c23cf028f /debian/patches/sshfp_with_server_cert_upstr
parent	c0c05f0952597c4c821c6cc658f029f5bfd6c68c (diff)
parent	63d5fa28e16d96db6bac2dbe3fcecb65328f8966 (diff)

diff --git a/debian/patches/sshfp_with_server_cert_upstr b/debian/patches/sshfp_with_server_cert_upstr new file mode 100644 index 000000000..dd642d2a3 --- /dev/null +++ b/debian/patches/sshfp_with_server_cert_upstr
@@ -0,0 +1,83 @@
	1	From 63d5fa28e16d96db6bac2dbe3fcecb65328f8966 Mon Sep 17 00:00:00 2001
	2	From: Matthew Vernon <mcv21@cam.ac.uk>
	3	Date: Wed, 26 Mar 2014 15:32:23 +0000
	4	Subject: Attempt SSHFP lookup even if server presents a certificate
	5
	6	If an ssh server presents a certificate to the client, then the client
	7	does not check the DNS for SSHFP records. This means that a malicious
	8	server can essentially disable DNS-host-key-checking, which means the
	9	client will fall back to asking the user (who will just say "yes" to
	10	the fingerprint, sadly).
	11
	12	This patch is by Damien Miller (of openssh upstream). It's simpler
	13	than the patch by Mark Wooding which I applied yesterday; a copy is
	14	taken of the proffered key/cert, the key extracted from the cert (if
	15	necessary), and then the DNS consulted.
	16
	17	Signed-off-by: Matthew Vernon <matthew@debian.org>
	18	Bug-Debian: http://bugs.debian.org/742513
	19	Patch-Name: sshfp_with_server_cert_upstr
	20	---
	21	sshconnect.c \| 42 ++++++++++++++++++++++++++----------------
	22	1 file changed, 26 insertions(+), 16 deletions(-)
	23
	24	diff --git a/sshconnect.c b/sshconnect.c
	25	index 87c3770..324f5e0 100644
	26	--- a/sshconnect.c
	27	+++ b/sshconnect.c
	28	@@ -1224,29 +1224,39 @@ verify_host_key(char host, struct sockaddr hostaddr, Key *host_key)
	29	{
	30	int flags = 0;
	31	char *fp;
	32	+ Key *plain = NULL;
	33
	34	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
	35	debug("Server host key: %s %s", key_type(host_key), fp);
	36	free(fp);
	37
	38	- /* XXX certs are not yet supported for DNS */
	39	- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
	40	- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
	41	- if (flags & DNS_VERIFY_FOUND) {
	42	-
	43	- if (options.verify_host_key_dns == 1 &&
	44	- flags & DNS_VERIFY_MATCH &&
	45	- flags & DNS_VERIFY_SECURE)
	46	- return 0;
	47	-
	48	- if (flags & DNS_VERIFY_MATCH) {
	49	- matching_host_key_dns = 1;
	50	- } else {
	51	- warn_changed_key(host_key);
	52	- error("Update the SSHFP RR in DNS with the new "
	53	- "host key to get rid of this message.");
	54	+ if (options.verify_host_key_dns) {
	55	+ /*
	56	+ * XXX certs are not yet supported for DNS, so downgrade
	57	+ * them and try the plain key.
	58	+ */
	59	+ plain = key_from_private(host_key);
	60	+ if (key_is_cert(plain))
	61	+ key_drop_cert(plain);
	62	+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
	63	+ if (flags & DNS_VERIFY_FOUND) {
	64	+ if (options.verify_host_key_dns == 1 &&
	65	+ flags & DNS_VERIFY_MATCH &&
	66	+ flags & DNS_VERIFY_SECURE) {
	67	+ key_free(plain);
	68	+ return 0;
	69	+ }
	70	+ if (flags & DNS_VERIFY_MATCH) {
	71	+ matching_host_key_dns = 1;
	72	+ } else {
	73	+ warn_changed_key(plain);
	74	+ error("Update the SSHFP RR in DNS "
	75	+ "with the new host key to get rid "
	76	+ "of this message.");
	77	+ }
	78	}
	79	}
	80	+ key_free(plain);
	81	}
	82
	83	return check_host_key(host, hostaddr, options.port, host_key, RDRW,