* New upstream release (http://www.openssh.com/txt/release-6.1).

- Enable pre-auth sandboxing by default for new installs. - Allow "PermitOpen none" to refuse all port-forwarding requests (closes: #543683).
author: Colin Watson <cjwatson@debian.org> 2012-09-07 00:20:47 +0100
committer: Colin Watson <cjwatson@debian.org> 2012-09-07 00:20:47 +0100
commit: eab78da6a54225de06271d9c8da650f04a55ed88 (patch)
tree: aa258ca77515939f6d89317ff67fbcb0bca08b24 /dns.c
parent: a26f5de49df59322fde07f7be91b3e3969c9c238 (diff)
parent: c6a2c0334e45419875687d250aed9bea78480f2e (diff)
1 files changed, 69 insertions, 34 deletions
diff --git a/dns.c b/dns.c
index dfa4c1ed3..bbe7f5023 100644
--- a/dns.c
+++ b/dns.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.c,v 1.27 2010/08/31 11:54:45 djm Exp $ */
+/* $OpenBSD: dns.c,v 1.28 2012/05/23 03:28:28 djm Exp $ */
 /*
 * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -78,27 +78,46 @@ dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
    u_char **digest, u_int *digest_len, Key *key)
 {
        int success = 0;
+        enum fp_type fp_type = 0;
        switch (key->type) {
        case KEY_RSA:
                *algorithm = SSHFP_KEY_RSA;
+                if (!*digest_type)
+                        *digest_type = SSHFP_HASH_SHA1;
                break;
        case KEY_DSA:
                *algorithm = SSHFP_KEY_DSA;
+                if (!*digest_type)
+                        *digest_type = SSHFP_HASH_SHA1;
+                break;
+        case KEY_ECDSA:
+                *algorithm = SSHFP_KEY_ECDSA;
+                if (!*digest_type)
+                        *digest_type = SSHFP_HASH_SHA256;
                break;
-        /* XXX KEY_ECDSA */
        default:
                *algorithm = SSHFP_KEY_RESERVED; /* 0 */
+                *digest_type = SSHFP_HASH_RESERVED; /* 0 */
+        }
+        switch (*digest_type) {
+        case SSHFP_HASH_SHA1:
+                fp_type = SSH_FP_SHA1;
+                break;
+        case SSHFP_HASH_SHA256:
+                fp_type = SSH_FP_SHA256;
+                break;
+        default:
+                *digest_type = SSHFP_HASH_RESERVED; /* 0 */
        }
-        if (*algorithm) {
+        if (*algorithm && *digest_type) {
-                *digest_type = SSHFP_HASH_SHA1;
+                *digest = key_fingerprint_raw(key, fp_type, digest_len);
-                *digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len);
                if (*digest == NULL)
                        fatal("dns_read_key: null from key_fingerprint_raw()");
                success = 1;
        } else {
-                *digest_type = SSHFP_HASH_RESERVED;
                *digest = NULL;
                *digest_len = 0;
                success = 0;
@@ -181,7 +200,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
        struct rrsetinfo *fingerprints = NULL;
        u_int8_t hostkey_algorithm;
-        u_int8_t hostkey_digest_type;
+        u_int8_t hostkey_digest_type = SSHFP_HASH_RESERVED;
        u_char *hostkey_digest;
        u_int hostkey_digest_len;
@@ -228,7 +247,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
                    fingerprints->rri_nrdatas);
        }
-        /* Initialize host key parameters */
+        /* Initialize default host key parameters */
        if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type,
            &hostkey_digest, &hostkey_digest_len, hostkey)) {
                error("Error calculating host key fingerprint.");
@@ -252,16 +271,27 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
                        continue;
                }
+                if (hostkey_digest_type != dnskey_digest_type) {
+                        hostkey_digest_type = dnskey_digest_type;
+                        xfree(hostkey_digest);
+                        /* Initialize host key parameters */
+                        if (!dns_read_key(&hostkey_algorithm,
+                            &hostkey_digest_type, &hostkey_digest,
+                            &hostkey_digest_len, hostkey)) {
+                                error("Error calculating key fingerprint.");
+                                freerrset(fingerprints);
+                                return -1;
+                        }
+                }
                /* Check if the current key is the same as the given key */
                if (hostkey_algorithm == dnskey_algorithm &&
                    hostkey_digest_type == dnskey_digest_type) {
                        if (hostkey_digest_len == dnskey_digest_len &&
-                            memcmp(hostkey_digest, dnskey_digest,
+                            timingsafe_bcmp(hostkey_digest, dnskey_digest,
-                            hostkey_digest_len) == 0) {
+                            hostkey_digest_len) == 0)
                                *flags |= DNS_VERIFY_MATCH;
-                        }
                }
                xfree(dnskey_digest);
        }
@@ -287,31 +317,36 @@ int
 export_dns_rr(const char *hostname, Key *key, FILE *f, int generic)
 {
        u_int8_t rdata_pubkey_algorithm = 0;
-        u_int8_t rdata_digest_type = SSHFP_HASH_SHA1;
+        u_int8_t rdata_digest_type = SSHFP_HASH_RESERVED;
+        u_int8_t dtype;
        u_char *rdata_digest;
-        u_int rdata_digest_len;
+        u_int i, rdata_digest_len;
-        u_int i;
        int success = 0;
-        if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
+        for (dtype = SSHFP_HASH_SHA1; dtype < SSHFP_HASH_MAX; dtype++) {
-            &rdata_digest, &rdata_digest_len, key)) {
+                rdata_digest_type = dtype;
+                if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
-                if (generic)
+                    &rdata_digest, &rdata_digest_len, key)) {
-                        fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname,
+                        if (generic) {
-                            DNS_RDATATYPE_SSHFP, 2 + rdata_digest_len,
+                                fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ",
-                            rdata_pubkey_algorithm, rdata_digest_type);
+                                    hostname, DNS_RDATATYPE_SSHFP,
-                else
+                                    2 + rdata_digest_len,
-                        fprintf(f, "%s IN SSHFP %d %d ", hostname,
+                                    rdata_pubkey_algorithm, rdata_digest_type);
-                            rdata_pubkey_algorithm, rdata_digest_type);
+                        } else {
+                                fprintf(f, "%s IN SSHFP %d %d ", hostname,
+                                    rdata_pubkey_algorithm, rdata_digest_type);
+                        }
+                        for (i = 0; i < rdata_digest_len; i++)
+                                fprintf(f, "%02x", rdata_digest[i]);
+                        fprintf(f, "\n");
+                        xfree(rdata_digest); /* from key_fingerprint_raw() */
+                        success = 1;
+                }
+        }
-                for (i = 0; i < rdata_digest_len; i++)
+        /* No SSHFP record was generated at all */
-                        fprintf(f, "%02x", rdata_digest[i]);
+        if (success == 0) {
-                fprintf(f, "\n");
+                error("%s: unsupported algorithm and/or digest_type", __func__);
-                xfree(rdata_digest); /* from key_fingerprint_raw() */
-                success = 1;
-        } else {
-                error("export_dns_rr: unsupported algorithm");
        }
        return success;
author	Colin Watson <cjwatson@debian.org>	2012-09-07 00:20:47 +0100
committer	Colin Watson <cjwatson@debian.org>	2012-09-07 00:20:47 +0100
commit	eab78da6a54225de06271d9c8da650f04a55ed88 (patch)
tree	aa258ca77515939f6d89317ff67fbcb0bca08b24 /dns.c
parent	a26f5de49df59322fde07f7be91b3e3969c9c238 (diff)
parent	c6a2c0334e45419875687d250aed9bea78480f2e (diff)

diff --git a/dns.c b/dns.c index dfa4c1ed3..bbe7f5023 100644 --- a/dns.c +++ b/dns.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: dns.c,v 1.27 2010/08/31 11:54:45 djm Exp $ */	1	/* $OpenBSD: dns.c,v 1.28 2012/05/23 03:28:28 djm Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2003 Wesley Griffin. All rights reserved.	4	* Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -78,27 +78,46 @@ dns_read_key(u_int8_t algorithm, u_int8_t digest_type,
78	u_char *digest, u_int digest_len, Key *key)	78	u_char *digest, u_int digest_len, Key *key)
79	{	79	{
80	int success = 0;	80	int success = 0;
		81	enum fp_type fp_type = 0;
81		82
82	switch (key->type) {	83	switch (key->type) {
83	case KEY_RSA:	84	case KEY_RSA:
84	*algorithm = SSHFP_KEY_RSA;	85	*algorithm = SSHFP_KEY_RSA;
		86	if (!*digest_type)
		87	*digest_type = SSHFP_HASH_SHA1;
85	break;	88	break;
86	case KEY_DSA:	89	case KEY_DSA:
87	*algorithm = SSHFP_KEY_DSA;	90	*algorithm = SSHFP_KEY_DSA;
		91	if (!*digest_type)
		92	*digest_type = SSHFP_HASH_SHA1;
		93	break;
		94	case KEY_ECDSA:
		95	*algorithm = SSHFP_KEY_ECDSA;
		96	if (!*digest_type)
		97	*digest_type = SSHFP_HASH_SHA256;
88	break;	98	break;
89	/* XXX KEY_ECDSA */
90	default:	99	default:
91	algorithm = SSHFP_KEY_RESERVED; / 0 */	100	algorithm = SSHFP_KEY_RESERVED; / 0 */
		101	digest_type = SSHFP_HASH_RESERVED; / 0 */
		102	}
		103
		104	switch (*digest_type) {
		105	case SSHFP_HASH_SHA1:
		106	fp_type = SSH_FP_SHA1;
		107	break;
		108	case SSHFP_HASH_SHA256:
		109	fp_type = SSH_FP_SHA256;
		110	break;
		111	default:
		112	digest_type = SSHFP_HASH_RESERVED; / 0 */
92	}	113	}
93		114
94	if (*algorithm) {	115	if (algorithm && digest_type) {
95	*digest_type = SSHFP_HASH_SHA1;	116	*digest = key_fingerprint_raw(key, fp_type, digest_len);
96	*digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len);
97	if (*digest == NULL)	117	if (*digest == NULL)
98	fatal("dns_read_key: null from key_fingerprint_raw()");	118	fatal("dns_read_key: null from key_fingerprint_raw()");
99	success = 1;	119	success = 1;
100	} else {	120	} else {
101	*digest_type = SSHFP_HASH_RESERVED;
102	*digest = NULL;	121	*digest = NULL;
103	*digest_len = 0;	122	*digest_len = 0;
104	success = 0;	123	success = 0;
@@ -181,7 +200,7 @@ verify_host_key_dns(const char hostname, struct sockaddr address,
181	struct rrsetinfo *fingerprints = NULL;	200	struct rrsetinfo *fingerprints = NULL;
182		201
183	u_int8_t hostkey_algorithm;	202	u_int8_t hostkey_algorithm;
184	u_int8_t hostkey_digest_type;	203	u_int8_t hostkey_digest_type = SSHFP_HASH_RESERVED;
185	u_char *hostkey_digest;	204	u_char *hostkey_digest;
186	u_int hostkey_digest_len;	205	u_int hostkey_digest_len;
187		206
@@ -228,7 +247,7 @@ verify_host_key_dns(const char hostname, struct sockaddr address,
228	fingerprints->rri_nrdatas);	247	fingerprints->rri_nrdatas);
229	}	248	}
230		249
231	/* Initialize host key parameters */	250	/* Initialize default host key parameters */
232	if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type,	251	if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type,
233	&hostkey_digest, &hostkey_digest_len, hostkey)) {	252	&hostkey_digest, &hostkey_digest_len, hostkey)) {
234	error("Error calculating host key fingerprint.");	253	error("Error calculating host key fingerprint.");
@@ -252,16 +271,27 @@ verify_host_key_dns(const char hostname, struct sockaddr address,
252	continue;	271	continue;
253	}	272	}
254		273
		274	if (hostkey_digest_type != dnskey_digest_type) {
		275	hostkey_digest_type = dnskey_digest_type;
		276	xfree(hostkey_digest);
		277
		278	/* Initialize host key parameters */
		279	if (!dns_read_key(&hostkey_algorithm,
		280	&hostkey_digest_type, &hostkey_digest,
		281	&hostkey_digest_len, hostkey)) {
		282	error("Error calculating key fingerprint.");
		283	freerrset(fingerprints);
		284	return -1;
		285	}
		286	}
		287
255	/* Check if the current key is the same as the given key */	288	/* Check if the current key is the same as the given key */
256	if (hostkey_algorithm == dnskey_algorithm &&	289	if (hostkey_algorithm == dnskey_algorithm &&
257	hostkey_digest_type == dnskey_digest_type) {	290	hostkey_digest_type == dnskey_digest_type) {
258
259	if (hostkey_digest_len == dnskey_digest_len &&	291	if (hostkey_digest_len == dnskey_digest_len &&
260	memcmp(hostkey_digest, dnskey_digest,	292	timingsafe_bcmp(hostkey_digest, dnskey_digest,
261	hostkey_digest_len) == 0) {	293	hostkey_digest_len) == 0)
262
263	*flags \|= DNS_VERIFY_MATCH;	294	*flags \|= DNS_VERIFY_MATCH;
264	}
265	}	295	}
266	xfree(dnskey_digest);	296	xfree(dnskey_digest);
267	}	297	}
@@ -287,31 +317,36 @@ int
287	export_dns_rr(const char hostname, Key key, FILE *f, int generic)	317	export_dns_rr(const char hostname, Key key, FILE *f, int generic)
288	{	318	{
289	u_int8_t rdata_pubkey_algorithm = 0;	319	u_int8_t rdata_pubkey_algorithm = 0;
290	u_int8_t rdata_digest_type = SSHFP_HASH_SHA1;	320	u_int8_t rdata_digest_type = SSHFP_HASH_RESERVED;
		321	u_int8_t dtype;
291	u_char *rdata_digest;	322	u_char *rdata_digest;
292	u_int rdata_digest_len;	323	u_int i, rdata_digest_len;
293
294	u_int i;
295	int success = 0;	324	int success = 0;
296		325
297	if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,	326	for (dtype = SSHFP_HASH_SHA1; dtype < SSHFP_HASH_MAX; dtype++) {
298	&rdata_digest, &rdata_digest_len, key)) {	327	rdata_digest_type = dtype;
299		328	if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
300	if (generic)	329	&rdata_digest, &rdata_digest_len, key)) {
301	fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname,	330	if (generic) {
302	DNS_RDATATYPE_SSHFP, 2 + rdata_digest_len,	331	fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ",
303	rdata_pubkey_algorithm, rdata_digest_type);	332	hostname, DNS_RDATATYPE_SSHFP,
304	else	333	2 + rdata_digest_len,
305	fprintf(f, "%s IN SSHFP %d %d ", hostname,	334	rdata_pubkey_algorithm, rdata_digest_type);
306	rdata_pubkey_algorithm, rdata_digest_type);	335	} else {
		336	fprintf(f, "%s IN SSHFP %d %d ", hostname,
		337	rdata_pubkey_algorithm, rdata_digest_type);
		338	}
		339	for (i = 0; i < rdata_digest_len; i++)
		340	fprintf(f, "%02x", rdata_digest[i]);
		341	fprintf(f, "\n");
		342	xfree(rdata_digest); /* from key_fingerprint_raw() */
		343	success = 1;
		344	}
		345	}
307		346
308	for (i = 0; i < rdata_digest_len; i++)	347	/* No SSHFP record was generated at all */
309	fprintf(f, "%02x", rdata_digest[i]);	348	if (success == 0) {
310	fprintf(f, "\n");	349	error("%s: unsupported algorithm and/or digest_type", __func__);
311	xfree(rdata_digest); /* from key_fingerprint_raw() */
312	success = 1;
313	} else {
314	error("export_dns_rr: unsupported algorithm");
315	}	350	}
316		351
317	return success;	352	return success;