Bugzilla – Attachment 2403 Details for Bug 2040: Downgrade attack vulnerability when checking SSHFP records
[patch] Handle future digest types correctly
Description: Handle future digest types correctly
Filename: 0002-Support-for-future-SSHFP-digest-algorithms.patch
MIME Type: text/plain
Creator: Ondrej Caletka
Created: 2014-01-28 23:08:25 AEDT
Size: 2.19 KB
Flags: patch, obsolete
>From caafe296bdf4093d224adf3413dd17f59d2b45dc Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Ond=C5=99ej=20Caletka?= <ondrej@caletka.cz> >Date: Tue, 28 Jan 2014 12:30:51 +0100 >Subject: [PATCH 2/5] Support for future SSHFP digest algorithms. > >When a SSHFP record is found in DNS, which has digest type other than >SHA1 or SHA256, whole SSHFP matching is aborted. This patch fixes it. >--- > dns.c | 21 +++++++-------------- > 1 file changed, 7 insertions(+), 14 deletions(-) > >diff --git a/dns.c b/dns.c >index 0c2e9b2..817dfa9 100644 >--- a/dns.c >+++ b/dns.c >@@ -200,7 +200,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, > > u_int8_t hostkey_algorithm; > u_int8_t hostkey_digest_type = SSHFP_HASH_RESERVED; >- u_char *hostkey_digest; >+ u_char *hostkey_digest = NULL; > u_int hostkey_digest_len; > > u_int8_t dnskey_algorithm; >@@ -240,14 +240,6 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, > fingerprints->rri_nrdatas); > } > >- /* Initialize default host key parameters */ >- if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type, >- &hostkey_digest, &hostkey_digest_len, hostkey)) { >- error("Error calculating host key fingerprint."); >- freerrset(fingerprints); >- return -1; >- } >- > if (fingerprints->rri_nrdatas) > *flags |= DNS_VERIFY_FOUND; > >@@ -266,15 +258,15 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, > > if (hostkey_digest_type != dnskey_digest_type) { > hostkey_digest_type = dnskey_digest_type; >- free(hostkey_digest); >+ if (hostkey_digest) >+ free(hostkey_digest); > > /* Initialize host key parameters */ > if (!dns_read_key(&hostkey_algorithm, > &hostkey_digest_type, &hostkey_digest, > &hostkey_digest_len, hostkey)) { >- error("Error calculating key fingerprint."); >- freerrset(fingerprints); >- return -1; >+ debug("Error calculating key fingerprint."); >+ continue; > } > } 
> >@@ -292,7 +284,8 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, > free(dnskey_digest); > } > >- free(hostkey_digest); /* from key_fingerprint_raw() */ >+ if (hostkey_digest) >+ free(hostkey_digest); /* from key_fingerprint_raw() */ > freerrset(fingerprints); > > if (*flags & DNS_VERIFY_FOUND) { >-- >1.8.3.2 >
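Review bot: dropping the up-front dns_read_key() call in the @@ -240 hunk also drops the only hard error ("Error calculating host key fingerprint.") for a host key that dns_read_key() cannot fingerprint at all; after this patch such a key falls through to the loop, where each per-record failure is only a debug() message, and the caller receives DNS_VERIFY_FOUND without DNS_VERIFY_MATCH, exactly as it would for a genuine mismatch. That is probably the behaviour you want for unknown digest types, but the commit message only talks about digest types, so document the wider change there and check that the reporting behind `if (*flags & DNS_VERIFY_FOUND) {` at the end of the function still gives the user a sensible message for a key that could not be fingerprinted in any supported way.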
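Review bot: the new `continue;` in the @@ -266 hunk skips the `free(dnskey_digest);` at the bottom of the loop body, so every SSHFP record whose digest type dns_read_key() rejects now leaks the digest that dns_read_rdata() allocated for it; free it first (`free(dnskey_digest); continue;`) or restructure so the per-record free is reached on every path. On the same lines, hostkey_digest_type has already been overwritten with the unsupported dnskey_digest_type before the failed call; unless dns_read_key() is guaranteed to reset it on failure, the next record carrying the same type will not re-enter the `!=` branch and will be compared against whatever hostkey_digest now holds, so reset `hostkey_digest_type = SSHFP_HASH_RESERVED;` on the skip path rather than relying on the callee. Finally, demoting the message to debug() hides that records were ignored while the parse failure just above uses verbose(); use the same level and name the type, e.g. `verbose("Unsupported SSHFP digest type %d, skipping.", dnskey_digest_type);`, so a user can tell an ignored record from a missing one.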
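Review bot: the `if (hostkey_digest)` guard added around the final `free(hostkey_digest);` in the @@ -292 hunk (and the matching guard added inside the loop in the @@ -266 hunk) is unnecessary: free(NULL) is a no-op by definition, the pointer is now initialized to NULL in the @@ -200 hunk, and the neighbouring `free(dnskey_digest);` in the same function stays unconditional. Keep the original line with its `/* from key_fingerprint_raw() */` comment so the diff carries only the intended logic change.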
Attachments on bug 2040: 2183 | 2184 | 2188 | 2211 | 2402 | 2403
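The behaviour the patch description asks for (an SSHFP record with a digest type the client cannot compute is skipped, while the rest of the RRset is still checked, and the caller still learns whether records were found and whether any matched) is shown below as an added, self-contained example. It is not code from this attachment or from OpenSSH: `struct hostkey` with precomputed fingerprints, `ct_bcmp`, `sshfp_verify`, `sshfp_stats` and the `demo_*` helpers are assumptions made for the example, and the fingerprint bytes are constructed filler rather than real digests (a real client derives them from the key, as OpenSSH does with key_fingerprint_raw()). Unlike the patched loop, it also counts the skipped records so the caller can report them rather than silently treating "unknown type" as "no record".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 4255 SSHFP algorithm / digest type numbers used by the demo. */
#define SSHFP_KEY_ED25519 4
#define SSHFP_HASH_SHA1   1
#define SSHFP_HASH_SHA256 2

/* Result flags, named after the DNS_VERIFY_* flags in the patch. */
#define DNS_VERIFY_FOUND 0x01
#define DNS_VERIFY_MATCH 0x02

/* Assumed model of the local host key: SSHFP algorithm number plus the
 * fingerprints a real client would derive from the key itself. */
struct hostkey {
	uint8_t algorithm;
	uint8_t sha1[20];
	uint8_t sha256[32];
};

/* One SSHFP RDATA as handed back by the resolver. */
struct sshfp_rr {
	const uint8_t *data;
	size_t len;
};

/* Why records were skipped, so the caller can report it instead of hiding it. */
struct sshfp_stats {
	unsigned malformed;    /* RDATA shorter than the 2-byte header */
	unsigned unknown_type; /* digest type this client cannot compute */
};

/* Local fingerprint for a digest type, or NULL when the type is unknown. */
static const uint8_t *
hostkey_fingerprint(const struct hostkey *k, uint8_t fptype, size_t *len)
{
	switch (fptype) {
	case SSHFP_HASH_SHA1:   *len = sizeof(k->sha1);   return k->sha1;
	case SSHFP_HASH_SHA256: *len = sizeof(k->sha256); return k->sha256;
	default:                *len = 0;                 return NULL;
	}
}

/* Constant-time compare, 0 on equal, same contract as timingsafe_bcmp(). */
static int
ct_bcmp(const uint8_t *a, const uint8_t *b, size_t n)
{
	uint8_t diff = 0;
	for (size_t i = 0; i < n; i++)
		diff |= a[i] ^ b[i];
	return diff != 0;
}

/* Walk the SSHFP RRset. FOUND: the RRset is non-empty. MATCH: at least one
 * well-formed record with a computable digest type equals the key. Unknown
 * digest types and truncated records are counted and skipped, never fatal,
 * so a newer algorithm in the zone cannot abort the whole check. */
int
sshfp_verify(const struct hostkey *key, const struct sshfp_rr *rrs, size_t nrrs,
    struct sshfp_stats *stats)
{
	int flags = 0;

	memset(stats, 0, sizeof(*stats));
	if (nrrs > 0)
		flags |= DNS_VERIFY_FOUND;

	for (size_t i = 0; i < nrrs; i++) {
		/* Wire format: algorithm(1) | digest type(1) | fingerprint(n). */
		if (rrs[i].len < 2) {
			stats->malformed++;
			continue;
		}
		uint8_t alg = rrs[i].data[0], fptype = rrs[i].data[1];
		const uint8_t *fp = rrs[i].data + 2;
		size_t fplen = rrs[i].len - 2, locallen;
		const uint8_t *local = hostkey_fingerprint(key, fptype, &locallen);

		if (local == NULL) {
			stats->unknown_type++;
			continue;
		}
		if (alg == key->algorithm && fplen == locallen &&
		    ct_bcmp(local, fp, fplen) == 0)
			flags |= DNS_VERIFY_MATCH;
	}
	return flags;
}

/* Constructed demo key: filler bytes stand in for real digests. */
void
demo_key(struct hostkey *k)
{
	k->algorithm = SSHFP_KEY_ED25519;
	memset(k->sha1, 0x11, sizeof(k->sha1));
	memset(k->sha256, 0x22, sizeof(k->sha256));
}

/* Constructed RRset: digest type 3 (unknown here), a truncated record, a
 * SHA-1 record for some other key and, if with_match, a SHA-256 record for
 * the demo key. Returns the DNS_VERIFY_* flags and fills the skip counters. */
int
demo_scenario(int with_match, struct sshfp_stats *st)
{
	struct hostkey k;
	uint8_t future[34] = { SSHFP_KEY_ED25519, 3 };
	uint8_t truncated[1] = { SSHFP_KEY_ED25519 };
	uint8_t wrong[22] = { SSHFP_KEY_ED25519, SSHFP_HASH_SHA1 };
	uint8_t good[34] = { SSHFP_KEY_ED25519, SSHFP_HASH_SHA256 };
	struct sshfp_rr rrs[] = {
		{ future, sizeof(future) }, { truncated, sizeof(truncated) },
		{ wrong, sizeof(wrong) }, { good, sizeof(good) },
	};

	demo_key(&k);
	memset(future + 2, 0x33, 32);
	memset(wrong + 2, 0x44, 20);
	memset(good + 2, 0x22, 32);
	return sshfp_verify(&k, rrs, with_match ? 4 : 3, st);
}

int
main(void)
{
	struct sshfp_stats st;
	int flags = demo_scenario(1, &st);

	printf("flags=%#x found=%d match=%d unknown=%u malformed=%u\n", flags,
	    !!(flags & DNS_VERIFY_FOUND), !!(flags & DNS_VERIFY_MATCH),
	    st.unknown_type, st.malformed);
	return 0;
}
```

With the matching record present the result is FOUND and MATCH with one unknown-type and one malformed record counted; with only the unknown, truncated and non-matching records the result is FOUND without MATCH, which a caller must treat as a mismatch (or at least report), not as "no SSHFP record", since that distinction is what keeps an unrecognised digest type from turning into a silent fallback.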