diff options
-rw-r--r-- | sshconnect.c | 67 |
1 files changed, 47 insertions, 20 deletions
diff --git a/sshconnect.c b/sshconnect.c index 87c3770c0..b8510d201 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
@@ -1218,36 +1218,63 @@ fail: | |||
1218 | return -1; | 1218 | return -1; |
1219 | } | 1219 | } |
1220 | 1220 | ||
1221 | static int | ||
1222 | check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key) | ||
1223 | { | ||
1224 | int rc = -1; | ||
1225 | int flags = 0; | ||
1226 | Key *raw_key = NULL; | ||
1227 | |||
1228 | if (!options.verify_host_key_dns) | ||
1229 | goto done; | ||
1230 | |||
1231 | /* XXX certs are not yet supported for DNS; try looking the raw key | ||
1232 | * up in the DNS anyway. | ||
1233 | */ | ||
1234 | if (key_is_cert(host_key)) { | ||
1235 | debug2("Extracting key from cert for SSHFP lookup"); | ||
1236 | raw_key = key_from_private(host_key); | ||
1237 | if (key_drop_cert(raw_key)) | ||
1238 | fatal("Couldn't drop certificate"); | ||
1239 | host_key = raw_key; | ||
1240 | } | ||
1241 | |||
1242 | if (verify_host_key_dns(host, hostaddr, host_key, &flags)) | ||
1243 | goto done; | ||
1244 | |||
1245 | if (flags & DNS_VERIFY_FOUND) { | ||
1246 | |||
1247 | if (options.verify_host_key_dns == 1 && | ||
1248 | flags & DNS_VERIFY_MATCH && | ||
1249 | flags & DNS_VERIFY_SECURE) { | ||
1250 | rc = 0; | ||
1251 | } else if (flags & DNS_VERIFY_MATCH) { | ||
1252 | matching_host_key_dns = 1; | ||
1253 | } else { | ||
1254 | warn_changed_key(host_key); | ||
1255 | error("Update the SSHFP RR in DNS with the new " | ||
1256 | "host key to get rid of this message."); | ||
1257 | } | ||
1258 | } | ||
1259 | |||
1260 | done: | ||
1261 | if (raw_key) | ||
1262 | key_free(raw_key); | ||
1263 | return rc; | ||
1264 | } | ||
1265 | |||
1221 | /* returns 0 if key verifies or -1 if key does NOT verify */ | 1266 | /* returns 0 if key verifies or -1 if key does NOT verify */ |
1222 | int | 1267 | int |
1223 | verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) | 1268 | verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) |
1224 | { | 1269 | { |
1225 | int flags = 0; | ||
1226 | char *fp; | 1270 | char *fp; |
1227 | 1271 | ||
1228 | fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); | 1272 | fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); |
1229 | debug("Server host key: %s %s", key_type(host_key), fp); | 1273 | debug("Server host key: %s %s", key_type(host_key), fp); |
1230 | free(fp); | 1274 | free(fp); |
1231 | 1275 | ||
1232 | /* XXX certs are not yet supported for DNS */ | 1276 | if (check_host_key_sshfp(host, hostaddr, host_key) == 0) |
1233 | if (!key_is_cert(host_key) && options.verify_host_key_dns && | 1277 | return 0; |
1234 | verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) { | ||
1235 | if (flags & DNS_VERIFY_FOUND) { | ||
1236 | |||
1237 | if (options.verify_host_key_dns == 1 && | ||
1238 | flags & DNS_VERIFY_MATCH && | ||
1239 | flags & DNS_VERIFY_SECURE) | ||
1240 | return 0; | ||
1241 | |||
1242 | if (flags & DNS_VERIFY_MATCH) { | ||
1243 | matching_host_key_dns = 1; | ||
1244 | } else { | ||
1245 | warn_changed_key(host_key); | ||
1246 | error("Update the SSHFP RR in DNS with the new " | ||
1247 | "host key to get rid of this message."); | ||
1248 | } | ||
1249 | } | ||
1250 | } | ||
1251 | 1278 | ||
1252 | return check_host_key(host, hostaddr, options.port, host_key, RDRW, | 1279 | return check_host_key(host, hostaddr, options.port, host_key, RDRW, |
1253 | options.user_hostfiles, options.num_user_hostfiles, | 1280 | options.user_hostfiles, options.num_user_hostfiles, |