|
Lines 208-213
verify_host_key_dns(const char *hostname, struct sockaddr *address,
|
| 208 |
u_char *dnskey_digest; |
208 |
u_char *dnskey_digest; |
| 209 |
u_int dnskey_digest_len; |
209 |
u_int dnskey_digest_len; |
| 210 |
|
210 |
|
|
|
211 |
u_int found_cnt[256]; |
| 212 |
u_int match_cnt[256]; |
| 213 |
memset(&found_cnt, 0, sizeof(found_cnt)); |
| 214 |
memset(&match_cnt, 0, sizeof(match_cnt)); |
| 215 |
|
| 211 |
*flags = 0; |
216 |
*flags = 0; |
| 212 |
|
217 |
|
| 213 |
debug3("verify_host_key_dns"); |
218 |
debug3("verify_host_key_dns"); |
|
Lines 259-264
verify_host_key_dns(const char *hostname, struct sockaddr *address,
|
| 259 |
continue; |
264 |
continue; |
| 260 |
} |
265 |
} |
| 261 |
|
266 |
|
|
|
267 |
found_cnt[dnskey_digest_type]++; |
| 268 |
|
| 262 |
if (hostkey_digest_type != dnskey_digest_type) { |
269 |
if (hostkey_digest_type != dnskey_digest_type) { |
| 263 |
hostkey_digest_type = dnskey_digest_type; |
270 |
hostkey_digest_type = dnskey_digest_type; |
| 264 |
xfree(hostkey_digest); |
271 |
xfree(hostkey_digest); |
|
Lines 279-285
verify_host_key_dns(const char *hostname, struct sockaddr *address,
|
| 279 |
if (hostkey_digest_len == dnskey_digest_len && |
286 |
if (hostkey_digest_len == dnskey_digest_len && |
| 280 |
timingsafe_bcmp(hostkey_digest, dnskey_digest, |
287 |
timingsafe_bcmp(hostkey_digest, dnskey_digest, |
| 281 |
hostkey_digest_len) == 0) |
288 |
hostkey_digest_len) == 0) |
| 282 |
*flags |= DNS_VERIFY_MATCH; |
289 |
match_cnt[dnskey_digest_type]++; |
| 283 |
} |
290 |
} |
| 284 |
xfree(dnskey_digest); |
291 |
xfree(dnskey_digest); |
| 285 |
} |
292 |
} |
|
Lines 287-298
verify_host_key_dns(const char *hostname, struct sockaddr *address,
|
| 287 |
xfree(hostkey_digest); /* from key_fingerprint_raw() */ |
294 |
xfree(hostkey_digest); /* from key_fingerprint_raw() */ |
| 288 |
freerrset(fingerprints); |
295 |
freerrset(fingerprints); |
| 289 |
|
296 |
|
| 290 |
if (*flags & DNS_VERIFY_FOUND) |
297 |
if (*flags & DNS_VERIFY_FOUND) { |
| 291 |
if (*flags & DNS_VERIFY_MATCH) |
298 |
debug("found %d SHA1 fingerprints and %d SHA256 fingerprints", |
| 292 |
debug("matching host key fingerprint found in DNS"); |
299 |
found_cnt[SSHFP_HASH_SHA1], found_cnt[SSHFP_HASH_SHA256]); |
|
|
300 |
debug("matched %d SHA1 fingerprints and %d SHA256 fingerprints", |
| 301 |
match_cnt[SSHFP_HASH_SHA1], match_cnt[SSHFP_HASH_SHA256]); |
| 302 |
if (found_cnt[SSHFP_HASH_SHA256] > 0) |
| 303 |
if (match_cnt[SSHFP_HASH_SHA256] > 0) { |
| 304 |
debug("matching SHA256 host key fingerprint found in DNS"); |
| 305 |
*flags |= DNS_VERIFY_MATCH; |
| 306 |
} else |
| 307 |
debug("no matching SHA256 host key fingerprint found in DNS"); |
| 293 |
else |
308 |
else |
| 294 |
debug("mismatching host key fingerprint found in DNS"); |
309 |
if (match_cnt[SSHFP_HASH_SHA1] > 0 && hostkey_algorithm < SSHFP_KEY_ECDSA ) { |
| 295 |
else |
310 |
debug("matching SHA1 host key fingerprint found in DNS"); |
|
|
311 |
*flags |= DNS_VERIFY_MATCH; |
| 312 |
} else |
| 313 |
debug("no matching SHA1 host key fingerprint found in DNS"); |
| 314 |
} else |
| 296 |
debug("no host key fingerprint found in DNS"); |
315 |
debug("no host key fingerprint found in DNS"); |
| 297 |
|
316 |
|
| 298 |
return 0; |
317 |
return 0; |
| 299 |
- |
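Review bot: The decision block at new lines 302–314 relies on dangling-else binding — the `else` at 308 pairs with `if (found_cnt[SSHFP_HASH_SHA256] > 0)` only because the unbraced inner `if` at 303 happens to carry its own `else`, so a later edit to either branch silently reassigns which `if` the outer `else` belongs to; brace the outer branches and flatten the second one into `else if`, as below. The `%d` conversions at 298 and 300 are given `u_int` counters and should be `%u`. Separately, `found_cnt[dnskey_digest_type]++` at 267 appears to run before the key-algorithm comparison (which I infer sits in the unchanged stretch after 271), so a SHA256 SSHFP record published for a different key algorithm makes the SHA1 match for the actual host key at 309 ineligible — a false reject rather than a false accept, but worth either counting per algorithm or documenting as intended with `/* any SHA256 record in the zone disables SHA1 fallback, regardless of key type */`. Both counters are indexed by `dnskey_digest_type` with no range check, which is only safe if that variable is a single byte; the hunk does not show its type.
```c
	if (*flags & DNS_VERIFY_FOUND) {
		debug("found %u SHA1 fingerprints and %u SHA256 fingerprints",
		    found_cnt[SSHFP_HASH_SHA1], found_cnt[SSHFP_HASH_SHA256]);
		debug("matched %u SHA1 fingerprints and %u SHA256 fingerprints",
		    match_cnt[SSHFP_HASH_SHA1], match_cnt[SSHFP_HASH_SHA256]);
		if (found_cnt[SSHFP_HASH_SHA256] > 0) {
			if (match_cnt[SSHFP_HASH_SHA256] > 0) {
				debug("matching SHA256 host key fingerprint found in DNS");
				*flags |= DNS_VERIFY_MATCH;
			} else {
				debug("no matching SHA256 host key fingerprint found in DNS");
			}
		} else if (match_cnt[SSHFP_HASH_SHA1] > 0 &&
		    hostkey_algorithm < SSHFP_KEY_ECDSA) {
			debug("matching SHA1 host key fingerprint found in DNS");
			*flags |= DNS_VERIFY_MATCH;
		} else {
			debug("no matching SHA1 host key fingerprint found in DNS");
		}
	/* … unchanged: "no host key fingerprint found in DNS" branch and return … */
```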
|
|