From 37876e913a069036501086a247ed2ea430cea206 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 15 May 2003 10:19:46 +1000 Subject: - jakob@cvs.openbsd.org 2003/05/14 18:16:20 [key.c key.h readconf.c readconf.h ssh_config.5 sshconnect.c] [dns.c dns.h README.dns ssh-keygen.1 ssh-keygen.c] add experimental support for verifying hos keys using DNS as described in draft-ietf-secsh-dns-xx.txt. more information in README.dns. ok markus@ and henning@ --- dns.c | 293 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 293 insertions(+) create mode 100644 dns.c (limited to 'dns.c') diff --git a/dns.c b/dns.c new file mode 100644 index 000000000..9b7a0e7a0 --- /dev/null +++ b/dns.c @@ -0,0 +1,293 @@ +/* $OpenBSD: dns.c,v 1.4 2003/05/14 23:29:22 jakob Exp $ */ + +/* + * Copyright (c) 2003 Wesley Griffin. All rights reserved. + * Copyright (c) 2003 Jakob Schlyter. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + + +#include "includes.h" + +#ifdef DNS +#include +#ifdef LWRES +#include +#include +#else /* LWRES */ +#include +#endif /* LWRES */ + +#include "xmalloc.h" +#include "key.h" +#include "dns.h" +#include "log.h" +#include "uuencode.h" + +extern char *__progname; +RCSID("$OpenBSD: dns.c,v 1.4 2003/05/14 23:29:22 jakob Exp $"); + +#ifndef LWRES +static const char *errset_text[] = { + "success", /* 0 ERRSET_SUCCESS */ + "out of memory", /* 1 ERRSET_NOMEMORY */ + "general failure", /* 2 ERRSET_FAIL */ + "invalid parameter", /* 3 ERRSET_INVAL */ + "name does not exist", /* 4 ERRSET_NONAME */ + "data does not exist", /* 5 ERRSET_NODATA */ +}; + +static const char * +dns_result_totext(unsigned int error) +{ + switch (error) { + case ERRSET_SUCCESS: + return errset_text[ERRSET_SUCCESS]; + case ERRSET_NOMEMORY: + return errset_text[ERRSET_NOMEMORY]; + case ERRSET_FAIL: + return errset_text[ERRSET_FAIL]; + case ERRSET_INVAL: + return errset_text[ERRSET_INVAL]; + case ERRSET_NONAME: + return errset_text[ERRSET_NONAME]; + case ERRSET_NODATA: + return errset_text[ERRSET_NODATA]; + default: + return "unknown error"; + } +} +#endif /* LWRES */ + + +/* + * Read SSHFP parameters from key buffer. + */ +static int +dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type, + u_char **digest, u_int *digest_len, Key *key) +{ + int success = 0; + + switch (key->type) { + case KEY_RSA: + *algorithm = SSHFP_KEY_RSA; + break; + case KEY_DSA: + *algorithm = SSHFP_KEY_DSA; + break; + default: + *algorithm = SSHFP_KEY_RESERVED; + } + + if (*algorithm) { + *digest_type = SSHFP_HASH_SHA1; + *digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len); + success = 1; + } else { + *digest_type = SSHFP_HASH_RESERVED; + *digest = NULL; + *digest_len = 0; + success = 0; + } + + return success; +} + +/* + * Read SSHFP parameters from rdata buffer. + */ +static int +dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type, + u_char **digest, u_int *digest_len, u_char *rdata, int rdata_len) +{ + int success = 0; + + *algorithm = SSHFP_KEY_RESERVED; + *digest_type = SSHFP_HASH_RESERVED; + + if (rdata_len >= 2) { + *algorithm = rdata[0]; + *digest_type = rdata[1]; + *digest_len = rdata_len - 2; + + if (*digest_len > 0) { + *digest = (u_char *) xmalloc(*digest_len); + memcpy(*digest, rdata + 2, *digest_len); + } else { + *digest = NULL; + } + + success = 1; + } + + return success; +} + + +/* + * Verify the given hostname, address and host key using DNS. + * Returns 0 if key verifies or -1 if key does NOT verify + */ +int +verify_host_key_dns(const char *hostname, struct sockaddr *address, + Key *hostkey) +{ + int counter; + int result; + struct rrsetinfo *fingerprints = NULL; + int failures = 0; + + u_int8_t hostkey_algorithm; + u_int8_t hostkey_digest_type; + u_char *hostkey_digest; + u_int hostkey_digest_len; + + u_int8_t dnskey_algorithm; + u_int8_t dnskey_digest_type; + u_char *dnskey_digest; + u_int dnskey_digest_len; + + + debug3("verify_hostkey_dns"); + if (hostkey == NULL) + fatal("No key to look up!"); + + result = getrrsetbyname(hostname, DNS_RDATACLASS_IN, + DNS_RDATATYPE_SSHFP, 0, &fingerprints); + if (result) { + verbose("DNS lookup error: %s", dns_result_totext(result)); + return DNS_VERIFY_ERROR; + } + +#ifdef DNSSEC + /* Only accept validated answers */ + if (!fingerprints->rri_flags & RRSET_VALIDATED) { + error("Ignored unvalidated fingerprint from DNS."); + return DNS_VERIFY_ERROR; + } +#endif + + debug("found %d fingerprints in DNS", fingerprints->rri_nrdatas); + + /* Initialize host key parameters */ + if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type, + &hostkey_digest, &hostkey_digest_len, hostkey)) { + error("Error calculating host key fingerprint."); + return DNS_VERIFY_ERROR; + } + + for (counter = 0 ; counter < fingerprints->rri_nrdatas ; counter++) { + /* + * Extract the key from the answer. Ignore any badly + * formatted fingerprints. + */ + if (!dns_read_rdata(&dnskey_algorithm, &dnskey_digest_type, + &dnskey_digest, &dnskey_digest_len, + fingerprints->rri_rdatas[counter].rdi_data, + fingerprints->rri_rdatas[counter].rdi_length)) { + verbose("Error parsing fingerprint from DNS."); + continue; + } + + /* Check if the current key is the same as the given key */ + if (hostkey_algorithm == dnskey_algorithm && + hostkey_digest_type == dnskey_digest_type) { + + if (hostkey_digest_len == dnskey_digest_len && + memcmp(hostkey_digest, dnskey_digest, + hostkey_digest_len) == 0) { + + /* Matching algoritm and digest. */ + freerrset(fingerprints); +#ifdef DNSSEC + debug("matching host key fingerprint found in DNS"); + return DNS_VERIFY_OK; +#else + logit("Matching host key fingerprint found in DNS."); + return DNS_VERIFY_ERROR; +#endif + } else { + /* Correct algorithm but bad digest */ + debug("verify_hostkey_dns: failed"); + failures++; + } + } + } + + freerrset(fingerprints); + + if (failures) { + error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); + error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); + error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); + error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"); + error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); + error("It is also possible that the %s host key has just been changed.", + key_type(hostkey)); + error("Please contact your system administrator."); + return DNS_VERIFY_FAILED; + } + + debug("fingerprints found in DNS, but none of them matched"); + + return DNS_VERIFY_ERROR; +} + + +/* + * Export the fingerprint of a key as a DNS resource record + */ +int +export_dns_rr(const char *hostname, Key *key, FILE *f, int generic) +{ + u_int8_t rdata_pubkey_algorithm = 0; + u_int8_t rdata_digest_type = SSHFP_HASH_SHA1; + u_char *rdata_digest; + u_int rdata_digest_len; + + int i; + int success = 0; + + if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type, + &rdata_digest, &rdata_digest_len, key)) { + + if (generic) + fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname, + DNS_RDATATYPE_SSHFP, 2 + rdata_digest_len, + rdata_pubkey_algorithm, rdata_digest_type); + else + fprintf(f, "%s IN SSHFP %d %d ", hostname, + rdata_pubkey_algorithm, rdata_digest_type); + + for (i = 0; i < rdata_digest_len; i++) + fprintf(f, "%02x", rdata_digest[i]); + fprintf(f, "\n"); + success = 1; + } else { + error("dns_export_rr: unsupported algorithm"); + } + + return success; +} + +#endif /* DNS */ -- cgit v1.2.3 From b0622653baa8e4136e116945fdd1c393ab0eaba3 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 15 May 2003 13:27:28 +1000 Subject: - jakob@cvs.openbsd.org 2003/05/15 02:27:15 [dns.c] add missing freerrset --- ChangeLog | 5 ++++- dns.c | 6 ++++-- 2 files changed, 8 insertions(+), 3 deletions(-) (limited to 'dns.c') diff --git a/ChangeLog b/ChangeLog index 32de30915..5243876e8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,9 @@ - jakob@cvs.openbsd.org 2003/05/15 01:48:10 [readconf.c readconf.h servconf.c servconf.h] always parse kerberos options. ok djm@ markus@ + - jakob@cvs.openbsd.org 2003/05/15 02:27:15 + [dns.c] + add missing freerrset - (djm) Always parse UsePAM - (djm) Configure glue for DNS support (code doesn't work in portable yet) - (djm) Import getrrsetbyname() function from OpenBSD libc (for DNS support) @@ -1499,4 +1502,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2709 2003/05/15 03:23:36 djm Exp $ +$Id: ChangeLog,v 1.2710 2003/05/15 03:27:28 djm Exp $ diff --git a/dns.c b/dns.c index 9b7a0e7a0..14ca13a48 100644 --- a/dns.c +++ b/dns.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dns.c,v 1.4 2003/05/14 23:29:22 jakob Exp $ */ +/* $OpenBSD: dns.c,v 1.5 2003/05/15 02:27:15 jakob Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -44,7 +44,7 @@ #include "uuencode.h" extern char *__progname; -RCSID("$OpenBSD: dns.c,v 1.4 2003/05/14 23:29:22 jakob Exp $"); +RCSID("$OpenBSD: dns.c,v 1.5 2003/05/15 02:27:15 jakob Exp $"); #ifndef LWRES static const char *errset_text[] = { @@ -183,6 +183,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, /* Only accept validated answers */ if (!fingerprints->rri_flags & RRSET_VALIDATED) { error("Ignored unvalidated fingerprint from DNS."); + freerrset(fingerprints); return DNS_VERIFY_ERROR; } #endif @@ -193,6 +194,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type, &hostkey_digest, &hostkey_digest_len, hostkey)) { error("Error calculating host key fingerprint."); + freerrset(fingerprints); return DNS_VERIFY_ERROR; } -- cgit v1.2.3 From 0e1b937f1362866765c09c11d3f4066f108ff910 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 11 Jun 2003 22:05:45 +1000 Subject: - jakob@cvs.openbsd.org 2003/06/11 10:18:47 [dns.c] sync with check_host_key() change --- ChangeLog | 5 ++++- dns.c | 9 ++------- 2 files changed, 6 insertions(+), 8 deletions(-) (limited to 'dns.c') diff --git a/ChangeLog b/ChangeLog index c8b182e45..fab1da44b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,9 @@ - jakob@cvs.openbsd.org 2003/06/11 10:16:16 [sshconnect.c] clean up check_host_key() and improve SSHFP feedback. ok markus@ + - jakob@cvs.openbsd.org 2003/06/11 10:18:47 + [dns.c] + sync with check_host_key() change 20030609 @@ -499,4 +502,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2795 2003/06/11 12:05:25 djm Exp $ +$Id: ChangeLog,v 1.2796 2003/06/11 12:05:45 djm Exp $ diff --git a/dns.c b/dns.c index 14ca13a48..90ab5601a 100644 --- a/dns.c +++ b/dns.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dns.c,v 1.5 2003/05/15 02:27:15 jakob Exp $ */ +/* $OpenBSD: dns.c,v 1.6 2003/06/11 10:18:47 jakob Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -44,7 +44,7 @@ #include "uuencode.h" extern char *__progname; -RCSID("$OpenBSD: dns.c,v 1.5 2003/05/15 02:27:15 jakob Exp $"); +RCSID("$OpenBSD: dns.c,v 1.6 2003/06/11 10:18:47 jakob Exp $"); #ifndef LWRES static const char *errset_text[] = { @@ -221,13 +221,8 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, /* Matching algoritm and digest. */ freerrset(fingerprints); -#ifdef DNSSEC debug("matching host key fingerprint found in DNS"); return DNS_VERIFY_OK; -#else - logit("Matching host key fingerprint found in DNS."); - return DNS_VERIFY_ERROR; -#endif } else { /* Correct algorithm but bad digest */ debug("verify_hostkey_dns: failed"); -- cgit v1.2.3