authorMatthew Vernon <mcv21@cam.ac.uk>2014-03-26 15:40:41 +0000
committerMatthew Vernon <mcv21@cam.ac.uk>2014-03-26 15:51:46 +0000
commit0789c0d760ff7a61156a5d567e9f8b9f8195ff6e (patch)
treeddb6377e86eb122c15c9fdcb67bed56c23cf028f /debian/patches/sshfp_with_server_cert_upstr
parentc0c05f0952597c4c821c6cc658f029f5bfd6c68c (diff)
parent63d5fa28e16d96db6bac2dbe3fcecb65328f8966 (diff)
merge patched into master
Diffstat (limited to 'debian/patches/sshfp_with_server_cert_upstr')
-rw-r--r--debian/patches/sshfp_with_server_cert_upstr83
1 files changed, 83 insertions, 0 deletions
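diff --git a/debian/patches/sshfp_with_server_cert_upstr b/debian/patches/sshfp_with_server_cert_upstr
new file mode 100644
index 000000000..dd642d2a3
--- /dev/null
+++ b/debian/patches/sshfp_with_server_cert_upstr
@@ -0,0 +1,83 @@
+From 63d5fa28e16d96db6bac2dbe3fcecb65328f8966 Mon Sep 17 00:00:00 2001
+From: Matthew Vernon <mcv21@cam.ac.uk>
+Date: Wed, 26 Mar 2014 15:32:23 +0000
+Subject: Attempt SSHFP lookup even if server presents a certificate
+
+If an ssh server presents a certificate to the client, then the client
+does not check the DNS for SSHFP records. This means that a malicious
+server can essentially disable DNS-host-key-checking, which means the
+client will fall back to asking the user (who will just say "yes" to
+the fingerprint, sadly).
+
+This patch is by Damien Miller (of openssh upstream). It's simpler
+than the patch by Mark Wooding which I applied yesterday; a copy is
+taken of the proffered key/cert, the key extracted from the cert (if
+necessary), and then the DNS consulted.
+
+Signed-off-by: Matthew Vernon <matthew@debian.org>
+Bug-Debian: http://bugs.debian.org/742513
+Patch-Name: sshfp_with_server_cert_upstr
+---
+ sshconnect.c | 42 ++++++++++++++++++++++++++----------------
+ 1 file changed, 26 insertions(+), 16 deletions(-)
+
+diff --git a/sshconnect.c b/sshconnect.c
+index 87c3770..324f5e0 100644
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -1224,29 +1224,39 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
+ {
+ int flags = 0;
+ char *fp;
++ Key *plain = NULL;
+
+ fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ debug("Server host key: %s %s", key_type(host_key), fp);
+ free(fp);
+
+- /* XXX certs are not yet supported for DNS */
+- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
+- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+- if (flags & DNS_VERIFY_FOUND) {
+-
+- if (options.verify_host_key_dns == 1 &&
+- flags & DNS_VERIFY_MATCH &&
+- flags & DNS_VERIFY_SECURE)
+- return 0;
+-
+- if (flags & DNS_VERIFY_MATCH) {
+- matching_host_key_dns = 1;
+- } else {
+- warn_changed_key(host_key);
+- error("Update the SSHFP RR in DNS with the new "
+- "host key to get rid of this message.");
++ if (options.verify_host_key_dns) {
++ /*
++ * XXX certs are not yet supported for DNS, so downgrade
++ * them and try the plain key.
++ */
++ plain = key_from_private(host_key);
++ if (key_is_cert(plain))
++ key_drop_cert(plain);
++ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
++ if (flags & DNS_VERIFY_FOUND) {
++ if (options.verify_host_key_dns == 1 &&
++ flags & DNS_VERIFY_MATCH &&
++ flags & DNS_VERIFY_SECURE) {
++ key_free(plain);
++ return 0;
++ }
++ if (flags & DNS_VERIFY_MATCH) {
++ matching_host_key_dns = 1;
++ } else {
++ warn_changed_key(plain);
++ error("Update the SSHFP RR in DNS "
++ "with the new host key to get rid "
++ "of this message.");
++ }
+ }
+ }
++ key_free(plain);
+ }
+
+ return check_host_key(host, hostaddr, options.port, host_key, RDRW,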
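Review bot: The early `return 0` in the `options.verify_host_key_dns == 1` branch of the sshconnect.c hunk is now reachable for certificate-bearing host keys too, because the SSHFP lookup runs on the cert-stripped copy `plain`. On that path `check_host_key()` is never called, so whatever validation it applies to the certificate on `host_key` appears to be skipped once a DNSSEC-validated SSHFP record matches the underlying key. If that is the intended trust decision, state it at the return, e.g. `/* secure SSHFP match on the plain key: accepted without check_host_key(), so a cert on host_key is not validated here */`. The result of `key_from_private(host_key)` is also handed to `key_is_cert()` without a NULL check, which is safe only if that helper cannot return NULL (not visible in this hunk). verify_host_key's body continues past the end of the hunk.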