

(-)a/sshconnect.c (-10 / +18 lines)
Lines 1108-1113 fail: Link Here
1108
int
1108
int
1109
verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
1109
verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
1110
{
1110
{
1111
	Key *raw_key = host_key;
1111
	int flags = 0;
1112
	int flags = 0;
1112
	char *fp;
1113
	char *fp;
1113
1114
Lines 1115-1137 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) Link Here
1115
	debug("Server host key: %s %s", key_type(host_key), fp);
1116
	debug("Server host key: %s %s", key_type(host_key), fp);
1116
	xfree(fp);
1117
	xfree(fp);
1117
1118
1118
	/* XXX certs are not yet supported for DNS */
1119
	/* certs are not yet supported for DNS - check instead for key FP */
1119
	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
1120
	if (options.verify_host_key_dns && key_is_cert(host_key)) {
1120
	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
1121
		raw_key = key_from_private(host_key);
1122
		if (key_drop_cert(raw_key) != 0)
1123
			fatal("Couldn't drop certificate");
1124
	}
1125
	if (options.verify_host_key_dns &&
1126
	    verify_host_key_dns(host, hostaddr, raw_key, &flags) == 0) {
1121
		if (flags & DNS_VERIFY_FOUND) {
1127
		if (flags & DNS_VERIFY_FOUND) {
1122
1128
1123
			if (options.verify_host_key_dns == 1 &&
1124
			    flags & DNS_VERIFY_MATCH &&
1125
			    flags & DNS_VERIFY_SECURE)
1126
				return 0;
1127
1128
			if (flags & DNS_VERIFY_MATCH) {
1129
			if (flags & DNS_VERIFY_MATCH) {
1129
				matching_host_key_dns = 1;
1130
				matching_host_key_dns = 1;
1130
			} else {
1131
			} else {
1131
				warn_changed_key(host_key);
1132
				warn_changed_key(raw_key);
1132
				error("Update the SSHFP RR in DNS with the new "
1133
				error("Update the SSHFP RR in DNS with the new "
1133
				    "host key to get rid of this message.");
1134
				    "host key to get rid of this message.");
1134
			}
1135
			}
1136
1137
			if (raw_key != host_key)
1138
				key_free(raw_key);
1139
1140
			if (options.verify_host_key_dns == 1 &&
1141
			    flags & DNS_VERIFY_MATCH &&
1142
			    flags & DNS_VERIFY_SECURE)
1143
				return 0;
1135
		}
1144
		}
1136
	}
1145
	}
1137
1146
1138
- 
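Review bot: The copy made by `key_from_private(host_key)` at new line 1121 is only released inside the `if (flags & DNS_VERIFY_FOUND)` block (new lines 1137-1138), so on every other path — `verify_host_key_dns()` returning non-zero, or a lookup that succeeds without `DNS_VERIFY_FOUND` — `raw_key` leaks, and the early `return 0` at new line 1143 is the only reason the free has to sit that deep. Hoisting the free out of the nested blocks and deferring the return through a local flag closes the leak on all paths without changing which conditions accept the key. One further thing worth a comment in the hunk: that `return 0` now also fires for certificate host keys whose underlying key matches a secure SSHFP record, which presumably skips whatever certificate checking follows in the rest of `verify_host_key()` (the function continues outside this hunk); a line such as `/* NOTE: a secure SSHFP match on the raw key returns here before any certificate checks below */` would make that trade-off explicit for the next reader.
```c
	Key *raw_key = host_key;
	int flags = 0;
	int dns_ok = 0;	/* set when a secure, matching SSHFP record alone should accept the key */
	char *fp;

	/* … unchanged: fingerprint debug output … */

	/* certs are not yet supported for DNS - check instead for key FP */
	if (options.verify_host_key_dns && key_is_cert(host_key)) {
		raw_key = key_from_private(host_key);
		if (key_drop_cert(raw_key) != 0)
			fatal("Couldn't drop certificate");
	}
	if (options.verify_host_key_dns &&
	    verify_host_key_dns(host, hostaddr, raw_key, &flags) == 0) {
		if (flags & DNS_VERIFY_FOUND) {
			if (flags & DNS_VERIFY_MATCH) {
				matching_host_key_dns = 1;
			} else {
				warn_changed_key(raw_key);
				error("Update the SSHFP RR in DNS with the new "
				    "host key to get rid of this message.");
			}
			if (options.verify_host_key_dns == 1 &&
			    flags & DNS_VERIFY_MATCH &&
			    flags & DNS_VERIFY_SECURE)
				dns_ok = 1;
		}
	}
	/* raw_key is a private copy only when host_key was a cert; free it on every path */
	if (raw_key != host_key)
		key_free(raw_key);
	if (dns_ok)
		return 0;
```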
