Diffstat (limited to 'sshconnect.c')
-rw-r--r-- | sshconnect.c | 40 |
1 files changed, 21 insertions, 19 deletions
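--- a/sshconnect.c
+++ b/sshconnect.c
@@ -13,7 +13,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.152 2003/11/10 16:23:41 jakob Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.153 2003/11/12 16:39:58 jakob Exp $");
 
 #include <openssl/bn.h>
 
@@ -38,7 +38,7 @@ RCSID("$OpenBSD: sshconnect.c,v 1.152 2003/11/10 16:23:41 jakob Exp $");
 char *client_version_string = NULL;
 char *server_version_string = NULL;
 
-int verified_host_key_dns = 0;
+int matching_host_key_dns = 0;
 
 /* import */
 extern Options options;
@@ -728,7 +728,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
 fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
 msg2[0] = '\0';
 if (options.verify_host_key_dns) {
-if (verified_host_key_dns)
+if (matching_host_key_dns)
 snprintf(msg2, sizeof(msg2),
 "Matching host key fingerprint"
 " found in DNS.\n");
@@ -892,23 +892,25 @@ int
 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
 struct stat st;
+int flags = 0;
 
-if (options.verify_host_key_dns) {
-switch(verify_host_key_dns(host, hostaddr, host_key)) {
-case DNS_VERIFY_OK:
-#ifdef DNSSEC
-return 0;
-#else
-verified_host_key_dns = 1;
-break;
-#endif
-case DNS_VERIFY_FAILED:
-return -1;
-case DNS_VERIFY_ERROR:
-break;
-default:
-debug3("bad return value from verify_host_key_dns");
-break;
+if (options.verify_host_key_dns &&
+verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+
+if (flags & DNS_VERIFY_FOUND) {
+
+if (options.verify_host_key_dns == 1 &&
+flags & DNS_VERIFY_MATCH &&
+flags & DNS_VERIFY_SECURE)
+return 0;
+
+if (flags & DNS_VERIFY_MATCH) {
+matching_host_key_dns = 1;
+} else {
+warn_changed_key(host_key);
+error("Update the SSHFP RR in DNS with the new "
+"host key to get rid of this message.");
+}
 }
 }
 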
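Review bot: The `return 0` on the secure-match path skips the rest of verify_host_key, and with it the known_hosts check, purely on the strength of a DNSSEC-validated SSHFP record, but nothing in the hunk says that this is intentional or why `options.verify_host_key_dns == 1` is the gate; a comment such as `/* Secure (DNSSEC-validated) SSHFP match: treat DNS as authoritative and skip the known_hosts lookup. */` would record the decision. The non-secure match only sets `matching_host_key_dns`, which feeds the "Matching host key fingerprint found in DNS" text shown by check_host_key in the earlier hunk; since that record was not validated, the message carries no authentication weight, and `/* Unvalidated DNS match: informational only, known_hosts still decides. */` would make that explicit for the next reader. Parenthesizing the bit tests, `(flags & DNS_VERIFY_MATCH) && (flags & DNS_VERIFY_SECURE)`, would also read more clearly than mixing `&` and `&&` unbracketed. verify_host_key's body continues past the end of the hunk.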