1 files changed, 26 insertions, 16 deletions
diff --git a/sshconnect.c b/sshconnect.c
index 87c3770c0..324f5e0a3 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1224,29 +1224,39 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
        int flags = 0;
        char *fp;
+        Key *plain = NULL;
        fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
        debug("Server host key: %s %s", key_type(host_key), fp);
        free(fp);
-        /* XXX certs are not yet supported for DNS */
+        if (options.verify_host_key_dns) {
-        if (!key_is_cert(host_key) && options.verify_host_key_dns &&
+                /*
-            verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+                 * XXX certs are not yet supported for DNS, so downgrade
-                if (flags & DNS_VERIFY_FOUND) {
+                 * them and try the plain key.
+                 */
-                        if (options.verify_host_key_dns == 1 &&
+                plain = key_from_private(host_key);
-                            flags & DNS_VERIFY_MATCH &&
+                if (key_is_cert(plain))
-                            flags & DNS_VERIFY_SECURE)
+                        key_drop_cert(plain);
-                                return 0;
+                if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
+                        if (flags & DNS_VERIFY_FOUND) {
-                        if (flags & DNS_VERIFY_MATCH) {
+                                if (options.verify_host_key_dns == 1 &&
-                                matching_host_key_dns = 1;
+                                    flags & DNS_VERIFY_MATCH &&
-                        } else {
+                                    flags & DNS_VERIFY_SECURE) {
-                                warn_changed_key(host_key);
+                                        key_free(plain);
-                                error("Update the SSHFP RR in DNS with the new "
+                                        return 0;
-                                    "host key to get rid of this message.");
+                                }
+                                if (flags & DNS_VERIFY_MATCH) {
+                                        matching_host_key_dns = 1;
+                                } else {
+                                        warn_changed_key(plain);
+                                        error("Update the SSHFP RR in DNS "
+                                            "with the new host key to get rid "
+                                            "of this message.");
+                                }
                        }
                }
+                key_free(plain);
        }
        return check_host_key(host, hostaddr, options.port, host_key, RDRW,

diff --git a/sshconnect.c b/sshconnect.c index 87c3770c0..324f5e0a3 100644 --- a/sshconnect.c +++ b/sshconnect.c
@@ -1224,29 +1224,39 @@ verify_host_key(char host, struct sockaddr hostaddr, Key *host_key)
1224	{	1224	{
1225	int flags = 0;	1225	int flags = 0;
1226	char *fp;	1226	char *fp;
		1227	Key *plain = NULL;
1227		1228
1228	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);	1229	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
1229	debug("Server host key: %s %s", key_type(host_key), fp);	1230	debug("Server host key: %s %s", key_type(host_key), fp);
1230	free(fp);	1231	free(fp);
1231		1232
1232	/* XXX certs are not yet supported for DNS */	1233	if (options.verify_host_key_dns) {
1233	if (!key_is_cert(host_key) && options.verify_host_key_dns &&	1234	/*
1234	verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {	1235	* XXX certs are not yet supported for DNS, so downgrade
1235	if (flags & DNS_VERIFY_FOUND) {	1236	* them and try the plain key.
1236		1237	*/
1237	if (options.verify_host_key_dns == 1 &&	1238	plain = key_from_private(host_key);
1238	flags & DNS_VERIFY_MATCH &&	1239	if (key_is_cert(plain))
1239	flags & DNS_VERIFY_SECURE)	1240	key_drop_cert(plain);
1240	return 0;	1241	if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
1241		1242	if (flags & DNS_VERIFY_FOUND) {
1242	if (flags & DNS_VERIFY_MATCH) {	1243	if (options.verify_host_key_dns == 1 &&
1243	matching_host_key_dns = 1;	1244	flags & DNS_VERIFY_MATCH &&
1244	} else {	1245	flags & DNS_VERIFY_SECURE) {
1245	warn_changed_key(host_key);	1246	key_free(plain);
1246	error("Update the SSHFP RR in DNS with the new "	1247	return 0;
1247	"host key to get rid of this message.");	1248	}
		1249	if (flags & DNS_VERIFY_MATCH) {
		1250	matching_host_key_dns = 1;
		1251	} else {
		1252	warn_changed_key(plain);
		1253	error("Update the SSHFP RR in DNS "
		1254	"with the new host key to get rid "
		1255	"of this message.");
		1256	}
1248	}	1257	}
1249	}	1258	}
		1259	key_free(plain);
1250	}	1260	}
1251		1261
1252	return check_host_key(host, hostaddr, options.port, host_key, RDRW,	1262	return check_host_key(host, hostaddr, options.port, host_key, RDRW,