

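--- a/dns.c
+++ b/dns.c
@@ -294,17 +294,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 		free(dnskey_digest);
 	}
 
-	free(hostkey_digest); /* from sshkey_fingerprint_raw() */
-	freerrset(fingerprints);
-
 	if (*flags & DNS_VERIFY_FOUND)
 		if (*flags & DNS_VERIFY_MATCH)
 			debug("matching host key fingerprint found in DNS");
+		else if (counter == fingerprints->rri_nrdatas)
+			*flags |= DNS_VERIFY_MISSING;
 		else
 			debug("mismatching host key fingerprint found in DNS");
 	else
 		debug("no host key fingerprint found in DNS");
 
+	free(hostkey_digest); /* from sshkey_fingerprint_raw() */
+	freerrset(fingerprints);
+
 	return 0;
 }
 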
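Review bot: The new `else if (counter == fingerprints->rri_nrdatas)` branch only separates "missing" from "mismatching" if the loop above leaves `counter` below `rri_nrdatas` once a record with the host key's algorithm and digest type has been seen; if that loop still runs to completion, the condition is always true after it and every non-matching lookup is reported as DNS_VERIFY_MISSING rather than as a mismatch. The loop body starts outside this hunk (only its closing `free(dnskey_digest); }` is visible), so please confirm it now `break`s on the first same-algorithm record. Unlike the two neighbouring branches the MISSING branch emits no diagnostic; adding `debug("no fingerprint for this host key type found in DNS");` next to the flag assignment keeps the three outcomes distinguishable in verbose output. Moving `free(hostkey_digest)`/`freerrset(fingerprints)` below the `if` is needed because `fingerprints` is now dereferenced there, so that part is right.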
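--- a/dns.h
+++ b/dns.h
@@ -49,6 +49,7 @@ enum sshfp_hashes {
 #define DNS_VERIFY_FOUND	0x00000001
 #define DNS_VERIFY_MATCH	0x00000002
 #define DNS_VERIFY_SECURE	0x00000004
+#define DNS_VERIFY_MISSING	0x00000008
 
 int	verify_host_key_dns(const char *, struct sockaddr *,
     struct sshkey *, int *);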
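Review bot: DNS_VERIFY_MISSING is added without any comment, and its name alone does not say what is missing; from the dns.c hunk it appears to be set only when DNS_VERIFY_FOUND is set and no record matched, so it qualifies a mismatch rather than standing on its own. A short comment beside the define, e.g. `/* SSHFP RRs exist but none matched this key; see verify_host_key_dns() */`, would make that dependency visible to callers that test the flag.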
(-)a/sshconnect.c (-6 / +31 lines)
Lines 83-88 extern uid_t original_effective_uid; Link Here
83
83
84
static int show_other_keys(struct hostkeys *, Key *);
84
static int show_other_keys(struct hostkeys *, Key *);
85
static void warn_changed_key(Key *);
85
static void warn_changed_key(Key *);
86
static void warn_missing_key(Key *);
86
87
87
/* Expand a proxy command */
88
/* Expand a proxy command */
88
static char *
89
static char *
Lines 1299-1308 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) Link Here
1299
				if (flags & DNS_VERIFY_MATCH) {
1300
				if (flags & DNS_VERIFY_MATCH) {
1300
					matching_host_key_dns = 1;
1301
					matching_host_key_dns = 1;
1301
				} else {
1302
				} else {
1302
					warn_changed_key(plain);
1303
					if (flags & DNS_VERIFY_MISSING) {
1303
					error("Update the SSHFP RR in DNS "
1304
						warn_missing_key(plain);
1304
					    "with the new host key to get rid "
1305
						error("Add this host key to "
1305
					    "of this message.");
1306
						    "the SSHFP RR in DNS to get rid "
1307
						    "of this message.");
1308
					} else {
1309
						warn_changed_key(plain);
1310
						error("Update the SSHFP RR in DNS "
1311
						    "with the new host key to get rid "
1312
						    "of this message.");
1313
					}
1306
				}
1314
				}
1307
			}
1315
			}
1308
		}
1316
		}
Lines 1449-1454 warn_changed_key(Key *host_key) Link Here
1449
	free(fp);
1457
	free(fp);
1450
}
1458
}
1451
1459
1460
static void
1461
warn_missing_key(Key *host_key)
1462
{
1463
	char *fp;
1464
1465
	fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
1466
	    SSH_FP_DEFAULT);
1467
	if (fp == NULL)
1468
		fatal("%s: sshkey_fingerprint fail", __func__);
1469
1470
	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1471
	error("@    WARNING: REMOTE HOST IDENTIFICATION IS MISSING       @");
1472
	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1473
	error("The fingerprint for the %s key sent by the remote host is\n%s.",
1474
	    key_type(host_key), fp);
1475
	error("Please contact your system administrator.");
1476
1477
	free(fp);
1478
}
1452
/*
1479
/*
1453
 * Execute a local command
1480
 * Execute a local command
1454
 */
1481
 */
1455
- 
1456
missing.
1482
missing.
1457
--
1458
sshconnect.c | 10 ++++++++++
1483
sshconnect.c | 10 ++++++++++
1459
1 file changed, 10 insertions(+)
1484
1 file changed, 10 insertions(+)
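Review bot: warn_missing_key() (new lines 1460-1478) repeats the sshkey_fingerprint() call, the fatal() check and the free(fp) of warn_changed_key() directly above it; only the banner line and the closing advice differ, so a shared static helper taking the banner text would stop the two warnings from drifting apart. The banner `REMOTE HOST IDENTIFICATION IS MISSING` is also misleading: the host did identify itself, it is the SSHFP record for this key type that is absent, so wording such as `WARNING: NO SSHFP RECORD FOR THIS HOST KEY TYPE IN DNS` tells the user what they can actually act on. The `if (flags & DNS_VERIFY_MISSING)` branch in verify_host_key sits inside a function whose start and end are outside this hunk, and it is presumably reached only when some SSHFP record was found; a one-line comment there, e.g. `/* SSHFP RRs exist, but none for this key's algorithm */`, would record that. The tail of the third hunk (`- `, `missing.`, `--` and a diffstat) is a mail signature and diffstat parsed as hunk content, which suggests the attachment is two patches concatenated and should be re-exported as separate files.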
(-)a/sshconnect.c (-1 / +10 lines)
Lines 931-936 check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, Link Here
931
			free(ra);
931
			free(ra);
932
			free(fp);
932
			free(fp);
933
		}
933
		}
934
		if (options.verify_host_key_dns &&
935
		    options.strict_host_key_checking &&
936
		    !matching_host_key_dns) {
937
			snprintf(msg, sizeof(msg),
938
			    "Are you sure you want to continue connecting "
939
			    "(yes/no)? ");
940
			if (!confirm(msg))
941
				goto fail;
942
			msg[0] = '\0';
943
		}
934
		hostkey_trusted = 1;
944
		hostkey_trusted = 1;
935
		break;
945
		break;
936
	case HOST_NEW:
946
	case HOST_NEW:
937
- 
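Review bot: The new confirm() prompt in check_host_key asks `Are you sure you want to continue connecting (yes/no)?` without saying why: the known_hosts entry matched, so the user gets no hint that the question concerns an SSHFP fingerprint that did not match or was not found, and is likely to answer yes by reflex. Put the reason into the prompt, e.g. `"Host key matched known_hosts but could not be verified via SSHFP in DNS. Are you sure you want to continue connecting (yes/no)? "`. `!matching_host_key_dns` is also true when no SSHFP record exists at all or the lookup failed, so with VerifyHostKeyDNS and StrictHostKeyChecking set every previously trusted host without DNS records now prompts, and in BatchMode (where confirm() presumably declines) fails outright; if that is intended it belongs in the StrictHostKeyChecking documentation. If `strict_host_key_checking` also encodes an "ask" value, the truthiness test treats it like "yes"; comparing against the explicit value would be clearer. The `- ` line at old 937 is outside the hunk's declared 931-936 range and looks like a misparsed mail signature rather than a real deletion.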
