

(-)a/sshconnect.c (-10 / +18 lines)
Lines 1133-1138 fail: Link Here
1133
int
1133
int
1134
verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
1134
verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
1135
{
1135
{
1136
	Key *raw_key = host_key;
1136
	int flags = 0;
1137
	int flags = 0;
1137
	char *fp;
1138
	char *fp;
1138
1139
Lines 1140-1162 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) Link Here
1140
	debug("Server host key: %s %s", key_type(host_key), fp);
1141
	debug("Server host key: %s %s", key_type(host_key), fp);
1141
	free(fp);
1142
	free(fp);
1142
1143
1143
	/* XXX certs are not yet supported for DNS */
1144
	/* certs are not yet supported for DNS - check instead for key FP */
1144
	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
1145
	if (options.verify_host_key_dns && key_is_cert(host_key)) {
1145
	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
1146
		raw_key = key_from_private(host_key);
1147
		if (key_drop_cert(raw_key) != 0)
1148
			fatal("Couldn't drop certificate");
1149
	}
1150
	if (options.verify_host_key_dns &&
1151
	    verify_host_key_dns(host, hostaddr, raw_key, &flags) == 0) {
1146
		if (flags & DNS_VERIFY_FOUND) {
1152
		if (flags & DNS_VERIFY_FOUND) {
1147
1153
1148
			if (options.verify_host_key_dns == 1 &&
1149
			    flags & DNS_VERIFY_MATCH &&
1150
			    flags & DNS_VERIFY_SECURE)
1151
				return 0;
1152
1153
			if (flags & DNS_VERIFY_MATCH) {
1154
			if (flags & DNS_VERIFY_MATCH) {
1154
				matching_host_key_dns = 1;
1155
				matching_host_key_dns = 1;
1155
			} else {
1156
			} else {
1156
				warn_changed_key(host_key);
1157
				warn_changed_key(raw_key);
1157
				error("Update the SSHFP RR in DNS with the new "
1158
				error("Update the SSHFP RR in DNS with the new "
1158
				    "host key to get rid of this message.");
1159
				    "host key to get rid of this message.");
1159
			}
1160
			}
1161
1162
			if (raw_key != host_key)
1163
				key_free(raw_key);
1164
1165
			if (options.verify_host_key_dns == 1 &&
1166
			    flags & DNS_VERIFY_MATCH &&
1167
			    flags & DNS_VERIFY_SECURE)
1168
				return 0;
1160
		}
1169
		}
1161
	}
1170
	}
1162
1171
1163
- 
