
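--- a/sshconnect.c
+++ b/sshconnect.c
@@ -65,6 +65,7 @@
 
 char *client_version_string = NULL;
 char *server_version_string = NULL;
+Key *previous_host_key = NULL;
 
 static int matching_host_key_dns = 0;
 
@@ -1222,12 +1223,18 @@
 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
 	int flags = 0;
+	int result;
 	char *fp;
 
 	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
 	debug("Server host key: %s %s", key_type(host_key), fp);
 	free(fp);
 
+	if (key_equal(previous_host_key, host_key)) {
+		debug("Server host key matches cached key");
+		return 0;
+	}
+
 	/* XXX certs are not yet supported for DNS */
 	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
 	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
@@ -1235,8 +1242,10 @@
 
 			if (options.verify_host_key_dns == 1 &&
 			    flags & DNS_VERIFY_MATCH &&
-			    flags & DNS_VERIFY_SECURE)
-				return 0;
+			    flags & DNS_VERIFY_SECURE) {
+				result = 0;
+				goto done;
+			}
 
 			if (flags & DNS_VERIFY_MATCH) {
 				matching_host_key_dns = 1;
@@ -1248,9 +1257,15 @@
 		}
 	}
 
-	return check_host_key(host, hostaddr, options.port, host_key, RDRW,
+	result = check_host_key(host, hostaddr, options.port, host_key, RDRW,
 	    options.user_hostfiles, options.num_user_hostfiles,
 	    options.system_hostfiles, options.num_system_hostfiles);
+
+done:
+	if (result == 0 && previous_host_key == NULL)
+		previous_host_key = key_from_private(host_key);
+
+	return result;
 }
 
 /*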
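Review bot: The cache at `done:` is only filled while `previous_host_key` is still NULL, so once the first successful verification in this process has been recorded, a later call that succeeds with a different key (for instance a changed key the user accepts through check_host_key during a rekey) is never cached and is re-checked on every subsequent rekey. Replacing the cached key on every success keeps the shortcut effective and drops the old copy: `if (result == 0) { key_free(previous_host_key); previous_host_key = key_from_private(host_key); }`. The early return near the top of verify_host_key is only sound because `previous_host_key` is written exclusively on the `result == 0` path, and that invariant deserves a comment on the declaration in the first hunk, e.g. `/* Host key that already passed verify_host_key() in this connection; set only after a successful check, so the cached-key shortcut grants no trust that was not established by check_host_key() or DNS. */`. The first call compares against a NULL `previous_host_key`, which relies on `key_equal()` tolerating a NULL argument — worth confirming against key.c. Parts of the function body between the hunks are not shown.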
