1 files changed, 21 insertions, 19 deletions
diff --git a/sshconnect.c b/sshconnect.c
index bf8c23d73..5972e2ba9 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -13,7 +13,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.152 2003/11/10 16:23:41 jakob Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.153 2003/11/12 16:39:58 jakob Exp $");
 #include <openssl/bn.h>
@@ -38,7 +38,7 @@ RCSID("$OpenBSD: sshconnect.c,v 1.152 2003/11/10 16:23:41 jakob Exp $");
 char *client_version_string = NULL;
 char *server_version_string = NULL;
-int verified_host_key_dns = 0;
+int matching_host_key_dns = 0;
 /* import */
 extern Options options;
@@ -728,7 +728,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
                        fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
                        msg2[0] = '\0';
                        if (options.verify_host_key_dns) {
-                                if (verified_host_key_dns)
+                                if (matching_host_key_dns)
                                        snprintf(msg2, sizeof(msg2),
                                            "Matching host key fingerprint"
                                            " found in DNS.\n");
@@ -892,23 +892,25 @@ int
 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
        struct stat st;
+        int flags = 0;
-        if (options.verify_host_key_dns) {
+        if (options.verify_host_key_dns &&
-                switch(verify_host_key_dns(host, hostaddr, host_key)) {
+            verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
-                case DNS_VERIFY_OK:
-#ifdef DNSSEC
+                if (flags & DNS_VERIFY_FOUND) {
-                        return 0;
-#else
+                        if (options.verify_host_key_dns == 1 &&
-                        verified_host_key_dns = 1;
+                            flags & DNS_VERIFY_MATCH &&
-                        break;
+                            flags & DNS_VERIFY_SECURE)
-#endif
+                                return 0;
-                case DNS_VERIFY_FAILED:
-                        return -1;
+                        if (flags & DNS_VERIFY_MATCH) {
-                case DNS_VERIFY_ERROR:
+                                matching_host_key_dns = 1;
-                        break;
+                        } else {
-                default:
+                                warn_changed_key(host_key);
-                        debug3("bad return value from verify_host_key_dns");
+                                error("Update the SSHFP RR in DNS with the new "
-                        break;
+                                    "host key to get rid of this message.");
+                        }
                }
        }

diff --git a/sshconnect.c b/sshconnect.c index bf8c23d73..5972e2ba9 100644 --- a/sshconnect.c +++ b/sshconnect.c
@@ -13,7 +13,7 @@
13	*/	13	*/
14		14
15	#include "includes.h"	15	#include "includes.h"
16	RCSID("$OpenBSD: sshconnect.c,v 1.152 2003/11/10 16:23:41 jakob Exp $");	16	RCSID("$OpenBSD: sshconnect.c,v 1.153 2003/11/12 16:39:58 jakob Exp $");
17		17
18	#include <openssl/bn.h>	18	#include <openssl/bn.h>
19		19
@@ -38,7 +38,7 @@ RCSID("$OpenBSD: sshconnect.c,v 1.152 2003/11/10 16:23:41 jakob Exp $");
38	char *client_version_string = NULL;	38	char *client_version_string = NULL;
39	char *server_version_string = NULL;	39	char *server_version_string = NULL;
40		40
41	int verified_host_key_dns = 0;	41	int matching_host_key_dns = 0;
42		42
43	/* import */	43	/* import */
44	extern Options options;	44	extern Options options;
@@ -728,7 +728,7 @@ check_host_key(char host, struct sockaddr hostaddr, Key *host_key,
728	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);	728	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
729	msg2[0] = '\0';	729	msg2[0] = '\0';
730	if (options.verify_host_key_dns) {	730	if (options.verify_host_key_dns) {
731	if (verified_host_key_dns)	731	if (matching_host_key_dns)
732	snprintf(msg2, sizeof(msg2),	732	snprintf(msg2, sizeof(msg2),
733	"Matching host key fingerprint"	733	"Matching host key fingerprint"
734	" found in DNS.\n");	734	" found in DNS.\n");
@@ -892,23 +892,25 @@ int
892	verify_host_key(char host, struct sockaddr hostaddr, Key *host_key)	892	verify_host_key(char host, struct sockaddr hostaddr, Key *host_key)
893	{	893	{
894	struct stat st;	894	struct stat st;
		895	int flags = 0;
895		896
896	if (options.verify_host_key_dns) {	897	if (options.verify_host_key_dns &&
897	switch(verify_host_key_dns(host, hostaddr, host_key)) {	898	verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
898	case DNS_VERIFY_OK:	899
899	#ifdef DNSSEC	900	if (flags & DNS_VERIFY_FOUND) {
900	return 0;	901
901	#else	902	if (options.verify_host_key_dns == 1 &&
902	verified_host_key_dns = 1;	903	flags & DNS_VERIFY_MATCH &&
903	break;	904	flags & DNS_VERIFY_SECURE)
904	#endif	905	return 0;
905	case DNS_VERIFY_FAILED:	906
906	return -1;	907	if (flags & DNS_VERIFY_MATCH) {
907	case DNS_VERIFY_ERROR:	908	matching_host_key_dns = 1;
908	break;	909	} else {
909	default:	910	warn_changed_key(host_key);
910	debug3("bad return value from verify_host_key_dns");	911	error("Update the SSHFP RR in DNS with the new "
911	break;	912	"host key to get rid of this message.");
		913	}
912	}	914	}
913	}	915	}
914		916