1 files changed, 83 insertions, 0 deletions
diff --git a/debian/patches/sshfp_with_server_cert_upstr b/debian/patches/sshfp_with_server_cert_upstr
new file mode 100644
index 000000000..b453081c5
--- /dev/null
+++ b/debian/patches/sshfp_with_server_cert_upstr
@@ -0,0 +1,83 @@
+From 08a63152deb5deda168aaef870bdb9f56425acb3 Mon Sep 17 00:00:00 2001
+From: Matthew Vernon <mcv21@cam.ac.uk>
+Date: Wed, 26 Mar 2014 15:32:23 +0000
+Subject: Attempt SSHFP lookup even if server presents a certificate
+If an ssh server presents a certificate to the client, then the client
+does not check the DNS for SSHFP records. This means that a malicious
+server can essentially disable DNS-host-key-checking, which means the
+client will fall back to asking the user (who will just say "yes" to
+the fingerprint, sadly).
+This patch is by Damien Miller (of openssh upstream). It's simpler
+than the patch by Mark Wooding which I applied yesterday; a copy is
+taken of the proffered key/cert, the key extracted from the cert (if
+necessary), and then the DNS consulted.
+Signed-off-by: Matthew Vernon <matthew@debian.org>
+Bug-Debian: http://bugs.debian.org/742513
+Patch-Name: sshfp_with_server_cert_upstr
+---
+ sshconnect.c | 42 ++++++++++++++++++++++++++----------------
+ 1 file changed, 26 insertions(+), 16 deletions(-)
+diff --git a/sshconnect.c b/sshconnect.c
+index 87c3770..324f5e0 100644
+--- a/sshconnect.c
+++ b/sshconnect.c
+@@ -1224,29 +1224,39 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
+ {
+        int flags = 0;
+        char *fp;
+       Key *plain = NULL;
+ 
+        fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+        debug("Server host key: %s %s", key_type(host_key), fp);
+        free(fp);
+ 
+-       /* XXX certs are not yet supported for DNS */
+-       if (!key_is_cert(host_key) && options.verify_host_key_dns &&
+-           verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+-               if (flags & DNS_VERIFY_FOUND) {
+-
+-                       if (options.verify_host_key_dns == 1 &&
+-                           flags & DNS_VERIFY_MATCH &&
+-                           flags & DNS_VERIFY_SECURE)
+-                               return 0;
+-
+-                       if (flags & DNS_VERIFY_MATCH) {
+-                               matching_host_key_dns = 1;
+-                       } else {
+-                               warn_changed_key(host_key);
+-                               error("Update the SSHFP RR in DNS with the new "
+-                                   "host key to get rid of this message.");
+       if (options.verify_host_key_dns) {
+               /*
+                * XXX certs are not yet supported for DNS, so downgrade
+                * them and try the plain key.
+                */
+               plain = key_from_private(host_key);
+               if (key_is_cert(plain))
+                       key_drop_cert(plain);
+               if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
+                       if (flags & DNS_VERIFY_FOUND) {
+                               if (options.verify_host_key_dns == 1 &&
+                                   flags & DNS_VERIFY_MATCH &&
+                                   flags & DNS_VERIFY_SECURE) {
+                                       key_free(plain);
+                                       return 0;
+                               }
+                               if (flags & DNS_VERIFY_MATCH) {
+                                       matching_host_key_dns = 1;
+                               } else {
+                                       warn_changed_key(plain);
+                                       error("Update the SSHFP RR in DNS "
+                                           "with the new host key to get rid "
+                                           "of this message.");
+                               }
+                        }
+                }
+               key_free(plain);
+        }
+ 
+        return check_host_key(host, hostaddr, options.port, host_key, RDRW,

diff --git a/debian/patches/sshfp_with_server_cert_upstr b/debian/patches/sshfp_with_server_cert_upstr new file mode 100644 index 000000000..b453081c5 --- /dev/null +++ b/debian/patches/sshfp_with_server_cert_upstr
@@ -0,0 +1,83 @@
	1	From 08a63152deb5deda168aaef870bdb9f56425acb3 Mon Sep 17 00:00:00 2001
	2	From: Matthew Vernon <mcv21@cam.ac.uk>
	3	Date: Wed, 26 Mar 2014 15:32:23 +0000
	4	Subject: Attempt SSHFP lookup even if server presents a certificate
	5
	6	If an ssh server presents a certificate to the client, then the client
	7	does not check the DNS for SSHFP records. This means that a malicious
	8	server can essentially disable DNS-host-key-checking, which means the
	9	client will fall back to asking the user (who will just say "yes" to
	10	the fingerprint, sadly).
	11
	12	This patch is by Damien Miller (of openssh upstream). It's simpler
	13	than the patch by Mark Wooding which I applied yesterday; a copy is
	14	taken of the proffered key/cert, the key extracted from the cert (if
	15	necessary), and then the DNS consulted.
	16
	17	Signed-off-by: Matthew Vernon <matthew@debian.org>
	18	Bug-Debian: http://bugs.debian.org/742513
	19	Patch-Name: sshfp_with_server_cert_upstr
	20	---
	21	sshconnect.c \| 42 ++++++++++++++++++++++++++----------------
	22	1 file changed, 26 insertions(+), 16 deletions(-)
	23
	24	diff --git a/sshconnect.c b/sshconnect.c
	25	index 87c3770..324f5e0 100644
	26	--- a/sshconnect.c
	27	+++ b/sshconnect.c
	28	@@ -1224,29 +1224,39 @@ verify_host_key(char host, struct sockaddr hostaddr, Key *host_key)
	29	{
	30	int flags = 0;
	31	char *fp;
	32	+ Key *plain = NULL;
	33
	34	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
	35	debug("Server host key: %s %s", key_type(host_key), fp);
	36	free(fp);
	37
	38	- /* XXX certs are not yet supported for DNS */
	39	- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
	40	- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
	41	- if (flags & DNS_VERIFY_FOUND) {
	42	-
	43	- if (options.verify_host_key_dns == 1 &&
	44	- flags & DNS_VERIFY_MATCH &&
	45	- flags & DNS_VERIFY_SECURE)
	46	- return 0;
	47	-
	48	- if (flags & DNS_VERIFY_MATCH) {
	49	- matching_host_key_dns = 1;
	50	- } else {
	51	- warn_changed_key(host_key);
	52	- error("Update the SSHFP RR in DNS with the new "
	53	- "host key to get rid of this message.");
	54	+ if (options.verify_host_key_dns) {
	55	+ /*
	56	+ * XXX certs are not yet supported for DNS, so downgrade
	57	+ * them and try the plain key.
	58	+ */
	59	+ plain = key_from_private(host_key);
	60	+ if (key_is_cert(plain))
	61	+ key_drop_cert(plain);
	62	+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
	63	+ if (flags & DNS_VERIFY_FOUND) {
	64	+ if (options.verify_host_key_dns == 1 &&
	65	+ flags & DNS_VERIFY_MATCH &&
	66	+ flags & DNS_VERIFY_SECURE) {
	67	+ key_free(plain);
	68	+ return 0;
	69	+ }
	70	+ if (flags & DNS_VERIFY_MATCH) {
	71	+ matching_host_key_dns = 1;
	72	+ } else {
	73	+ warn_changed_key(plain);
	74	+ error("Update the SSHFP RR in DNS "
	75	+ "with the new host key to get rid "
	76	+ "of this message.");
	77	+ }
	78	}
	79	}
	80	+ key_free(plain);
	81	}
	82
	83	return check_host_key(host, hostaddr, options.port, host_key, RDRW,