
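--- a/dns.c
+++ b/dns.c
@@ -291,17 +291,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 		free(dnskey_digest);
 	}
 
-	free(hostkey_digest); /* from sshkey_fingerprint_raw() */
-	freerrset(fingerprints);
-
-	if (*flags & DNS_VERIFY_FOUND)
+	if (*flags & DNS_VERIFY_FOUND) {
 		if (*flags & DNS_VERIFY_MATCH)
 			debug("matching host key fingerprint found in DNS");
+		else if (counter == fingerprints->rri_nrdatas)
+			*flags |= DNS_VERIFY_MISSING;
 		else
 			debug("mismatching host key fingerprint found in DNS");
-	else
+	} else
 		debug("no host key fingerprint found in DNS");
 
+	free(hostkey_digest); /* from sshkey_fingerprint_raw() */
+	freerrset(fingerprints);
+
 	return 0;
 }
 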
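Review bot: The new `else if (counter == fingerprints->rri_nrdatas)` branch in verify_host_key_dns cannot distinguish a missing record from a mismatching one: `counter` is the index of the loop over the rrset (the loop itself starts above the hunk), and if that loop runs to completion without a `break`, the condition is true in every non-matching case, so `DNS_VERIFY_MISSING` is set whenever no digest matched and the `mismatching host key fingerprint found in DNS` branch becomes unreachable. That matters because the sshconnect.c side of this patch turns MISSING into a softer warning than a changed key, so a genuine SSHFP mismatch — the man-in-the-middle signal this lookup exists to raise — would be reported as merely missing. A reliable signal is a flag set inside the loop when a record with the host key's algorithm and digest type was actually compared, with `*flags |= DNS_VERIFY_MISSING` only when no such record was seen, plus a comment on the branch stating that contract, e.g. `/* SSHFP RRs exist, but none for this key's algorithm/digest type */`. The MISSING branch also emits no debug() line unlike its siblings; `debug("no SSHFP record for this host key type found in DNS");` would keep the trace consistent. verify_host_key_dns begins outside the hunk.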
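--- a/dns.h
+++ b/dns.h
@@ -49,6 +49,7 @@ enum sshfp_hashes {
 #define DNS_VERIFY_FOUND	0x00000001
 #define DNS_VERIFY_MATCH	0x00000002
 #define DNS_VERIFY_SECURE	0x00000004
+#define DNS_VERIFY_MISSING	0x00000008
 
 int	verify_host_key_dns(const char *, struct sockaddr *,
     struct sshkey *, int *);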
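Review bot: `DNS_VERIFY_MISSING` is added to the flag set with no comment saying when verify_host_key_dns sets it, and its meaning ("SSHFP records exist but none covers this key" versus "nothing matched") is exactly the distinction callers use to choose between a changed-key and a missing-key warning. A trailing comment such as `/* SSHFP RRs exist but none for this key's algorithm/digest type */` would pin that contract, and should be checked against the condition dns.c actually uses to set it. The surrounding #define run is fully visible, but the header continues outside the hunk.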
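--- a/sshconnect.c
+++ b/sshconnect.c
@@ -71,6 +71,7 @@ extern uid_t original_effective_uid;
 
 static int show_other_keys(struct hostkeys *, struct sshkey *);
 static void warn_changed_key(struct sshkey *);
+static void warn_missing_key(struct sshkey *);
 
 /* Expand a proxy command */
 static char *
@@ -836,6 +837,16 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
 			free(ra);
 			free(fp);
 		}
+		if (options.verify_host_key_dns &&
+		    options.strict_host_key_checking &&
+		    !matching_host_key_dns) {
+			snprintf(msg, sizeof(msg),
+			    "Are you sure you want to continue connecting "
+			    "(yes/no)? ");
+			if (!confirm(msg))
+				goto fail;
+			msg[0] = '\0';
+		}
 		hostkey_trusted = 1;
 		break;
 	case HOST_NEW:
@@ -1231,10 +1242,17 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key)
 				if (flags & DNS_VERIFY_MATCH) {
 					matching_host_key_dns = 1;
 				} else {
-					warn_changed_key(plain);
-					error("Update the SSHFP RR in DNS "
-					    "with the new host key to get rid "
-					    "of this message.");
+					if (flags & DNS_VERIFY_MISSING) {
+						warn_missing_key(plain);
+						error("Add this host key to "
+						    "the SSHFP RR in DNS to get rid "
+						    "of this message.");
+					} else {
+						warn_changed_key(plain);
+						error("Update the SSHFP RR in DNS "
+						    "with the new host key to get rid "
+						    "of this message.");
+					}
 				}
 			}
 		}
@@ -1366,12 +1384,31 @@ warn_changed_key(struct sshkey *host_key)
 	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
 	error("It is also possible that a host key has just been changed.");
 	error("The fingerprint for the %s key sent by the remote host is\n%s.",
-	    key_type(host_key), fp);
+	    sshkey_type(host_key), fp);
 	error("Please contact your system administrator.");
 
 	free(fp);
 }
 
+static void
+warn_missing_key(struct sshkey *host_key)
+{
+	char *fp;
+
+	fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
+	    SSH_FP_DEFAULT);
+	if (fp == NULL)
+		fatal("%s: sshkey_fingerprint fail", __func__);
+
+	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+	error("@    WARNING: REMOTE HOST IDENTIFICATION IS MISSING       @");
+	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+	error("The fingerprint for the %s key sent by the remote host is\n%s.",
+	    sshkey_type(host_key), fp);
+	error("Please contact your system administrator.");
+
+	free(fp);
+}
 /*
  * Execute a local command
  */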
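Review bot: The new prompt in check_host_key's HOST_OK case (the Lines 836-841 hunk) is gated on `!matching_host_key_dns`, and as far as the verify_host_key hunk shows that variable is set only when DNS_VERIFY_MATCH is present, so a host whose key is already in known_hosts but has no usable SSHFP record at all is now asked "Are you sure you want to continue connecting" under StrictHostKeyChecking=yes — the setting users choose precisely to avoid interactive prompts — and with BatchMode, if confirm() declines as the other prompts in this function presumably do (confirm() is outside the hunk), the connection simply fails. If the intent is to act only when DNS actively disagrees with known_hosts, gate on a positive mismatch signal rather than the absence of a match, e.g. set a sibling flag in verify_host_key's `else` branch when DNS_VERIFY_FOUND is set without DNS_VERIFY_MATCH and test `options.verify_host_key_dns && options.strict_host_key_checking && mismatching_host_key_dns` here, with a comment such as `/* known_hosts and SSHFP disagree: ask before trusting the cached key */`. Separately, the new warn_missing_key banner `REMOTE HOST IDENTIFICATION IS MISSING` is misleading — the host key was received and matched; it is the SSHFP record that is absent — so something like `NO SSHFP RECORD IN DNS MATCHES THE REMOTE HOST KEY` would tell the user what to fix, and a blank line is missing between warn_missing_key's closing brace and the following comment block. check_host_key and verify_host_key both start and end outside their hunks.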
