
(-)a/dns.c (-39 / +26 lines)
Lines 75-80 dns_result_totext(unsigned int res) Link Here
75
75
76
/*
76
/*
77
 * Read SSHFP parameters from key buffer.
77
 * Read SSHFP parameters from key buffer.
78
 * Caller must free digest which is allocated by sshkey_fingerprint_raw().
78
 */
79
 */
79
static int
80
static int
80
dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
81
dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
Lines 86-117 dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type, Link Here
86
	switch (key->type) {
87
	switch (key->type) {
87
	case KEY_RSA:
88
	case KEY_RSA:
88
		*algorithm = SSHFP_KEY_RSA;
89
		*algorithm = SSHFP_KEY_RSA;
89
		if (!*digest_type)
90
			*digest_type = SSHFP_HASH_SHA1;
91
		break;
90
		break;
92
	case KEY_DSA:
91
	case KEY_DSA:
93
		*algorithm = SSHFP_KEY_DSA;
92
		*algorithm = SSHFP_KEY_DSA;
94
		if (!*digest_type)
95
			*digest_type = SSHFP_HASH_SHA1;
96
		break;
93
		break;
97
	case KEY_ECDSA:
94
	case KEY_ECDSA:
98
		*algorithm = SSHFP_KEY_ECDSA;
95
		*algorithm = SSHFP_KEY_ECDSA;
99
		if (!*digest_type)
100
			*digest_type = SSHFP_HASH_SHA256;
101
		break;
96
		break;
102
	case KEY_ED25519:
97
	case KEY_ED25519:
103
		*algorithm = SSHFP_KEY_ED25519;
98
		*algorithm = SSHFP_KEY_ED25519;
104
		if (!*digest_type)
105
			*digest_type = SSHFP_HASH_SHA256;
106
		break;
99
		break;
107
	case KEY_XMSS:
100
	case KEY_XMSS:
108
		*algorithm = SSHFP_KEY_XMSS;
101
		*algorithm = SSHFP_KEY_XMSS;
109
		if (!*digest_type)
110
			*digest_type = SSHFP_HASH_SHA256;
111
		break;
102
		break;
112
	default:
103
	default:
113
		*algorithm = SSHFP_KEY_RESERVED; /* 0 */
104
		*algorithm = SSHFP_KEY_RESERVED; /* 0 */
114
		*digest_type = SSHFP_HASH_RESERVED; /* 0 */
115
	}
105
	}
116
106
117
	switch (*digest_type) {
107
	switch (*digest_type) {
Lines 133-139 dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type, Link Here
133
	} else {
123
	} else {
134
		*digest = NULL;
124
		*digest = NULL;
135
		*digest_len = 0;
125
		*digest_len = 0;
136
		success = 0;
137
	}
126
	}
138
127
139
	return success;
128
	return success;
Lines 212-218 verify_host_key_dns(const char *hostname, struct sockaddr *address, Link Here
212
	struct rrsetinfo *fingerprints = NULL;
201
	struct rrsetinfo *fingerprints = NULL;
213
202
214
	u_int8_t hostkey_algorithm;
203
	u_int8_t hostkey_algorithm;
215
	u_int8_t hostkey_digest_type = SSHFP_HASH_RESERVED;
216
	u_char *hostkey_digest;
204
	u_char *hostkey_digest;
217
	size_t hostkey_digest_len;
205
	size_t hostkey_digest_len;
218
206
Lines 248-261 verify_host_key_dns(const char *hostname, struct sockaddr *address, Link Here
248
		    fingerprints->rri_nrdatas);
236
		    fingerprints->rri_nrdatas);
249
	}
237
	}
250
238
251
	/* Initialize default host key parameters */
252
	if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type,
253
	    &hostkey_digest, &hostkey_digest_len, hostkey)) {
254
		error("Error calculating host key fingerprint.");
255
		freerrset(fingerprints);
256
		return -1;
257
	}
258
259
	if (fingerprints->rri_nrdatas)
239
	if (fingerprints->rri_nrdatas)
260
		*flags |= DNS_VERIFY_FOUND;
240
		*flags |= DNS_VERIFY_FOUND;
261
241
Lines 271-305 verify_host_key_dns(const char *hostname, struct sockaddr *address, Link Here
271
			verbose("Error parsing fingerprint from DNS.");
251
			verbose("Error parsing fingerprint from DNS.");
272
			continue;
252
			continue;
273
		}
253
		}
274
254
		debug3_f("checking SSHFP type %d fptype %d", dnskey_algorithm,
275
		if (hostkey_digest_type != dnskey_digest_type) {
255
		    dnskey_digest_type);
276
			hostkey_digest_type = dnskey_digest_type;
256
277
			free(hostkey_digest);
257
		/* Calculate host key fingerprint. */
278
258
		if (!dns_read_key(&hostkey_algorithm, &dnskey_digest_type,
279
			/* Initialize host key parameters */
259
		    &hostkey_digest, &hostkey_digest_len, hostkey)) {
280
			if (!dns_read_key(&hostkey_algorithm,
260
			error("Error calculating key fingerprint.");
281
			    &hostkey_digest_type, &hostkey_digest,
261
			freerrset(fingerprints);
282
			    &hostkey_digest_len, hostkey)) {
262
			return -1;
283
				error("Error calculating key fingerprint.");
284
				freerrset(fingerprints);
285
				return -1;
286
			}
287
		}
263
		}
288
264
289
		/* Check if the current key is the same as the given key */
265
		/* Check if the current key is the same as the given key */
290
		if (hostkey_algorithm == dnskey_algorithm &&
266
		if (hostkey_algorithm == dnskey_algorithm &&
291
		    hostkey_digest_type == dnskey_digest_type) {
267
		    hostkey_digest_len == dnskey_digest_len) {
292
			if (hostkey_digest_len == dnskey_digest_len &&
268
		       if (timingsafe_bcmp(hostkey_digest, dnskey_digest,
293
			    timingsafe_bcmp(hostkey_digest, dnskey_digest,
269
			    hostkey_digest_len) == 0) {
294
			    hostkey_digest_len) == 0)
270
				debug_f("matched SSHFP type %d fptype %d",
271
				    dnskey_algorithm, dnskey_digest_type);
295
				*flags |= DNS_VERIFY_MATCH;
272
				*flags |= DNS_VERIFY_MATCH;
273
				
274
			} else {
275
				debug_f("failed SSHFP type %d fptype %d",
276
				    dnskey_algorithm, dnskey_digest_type);
277
				*flags |= DNS_VERIFY_FAILED;
278
			}
296
		}
279
		}
297
		free(dnskey_digest);
280
		free(dnskey_digest);
281
		free(hostkey_digest); /* from sshkey_fingerprint_raw() */
298
	}
282
	}
299
283
300
	free(hostkey_digest); /* from sshkey_fingerprint_raw() */
301
	freerrset(fingerprints);
284
	freerrset(fingerprints);
302
285
286
	/* If any fingerprint failed to validate, return failure. */
287
	if (*flags & DNS_VERIFY_FAILED)
288
		*flags &= ~DNS_VERIFY_MATCH;
289
303
	if (*flags & DNS_VERIFY_FOUND)
290
	if (*flags & DNS_VERIFY_FOUND)
304
		if (*flags & DNS_VERIFY_MATCH)
291
		if (*flags & DNS_VERIFY_MATCH)
305
			debug("matching host key fingerprint found in DNS");
292
			debug("matching host key fingerprint found in DNS");
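Review bot: The in-loop `dns_read_key()` failure path returns -1 after `freerrset(fingerprints)` but never releases `dnskey_digest`, which the loop otherwise frees only at its bottom, so each such early return leaks the record's digest; add `free(dnskey_digest);` before `freerrset(fingerprints);` on that path. If `dns_read_key()` rejects fptype values it cannot hash (its digest_type switch lies outside this hunk), that same path means one unrecognised SSHFP record aborts the whole verification with `error()` instead of being skipped like a parse error is a few lines above, which deserves either a `continue` or a comment stating that it is intended. The new comparison only counts a record as matched or failed when `hostkey_digest_len == dnskey_digest_len`, so a same-algorithm record with a wrong digest length is silently ignored rather than setting `DNS_VERIFY_FAILED`; moving the length test inside the algorithm check so a length mismatch also sets `DNS_VERIFY_FAILED` would make the new "any mismatch clears the match" rule consistent. Stylistically, the `if (timingsafe_bcmp(` line is indented with spaces unlike the surrounding tab-indented code, and there is a whitespace-only line after `*flags |= DNS_VERIFY_MATCH;`. `verify_host_key_dns()` begins before and ends after these hunks.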
(-)a/dns.h (+1 lines)
Lines 50-55 enum sshfp_hashes { Link Here
50
#define DNS_VERIFY_FOUND	0x00000001
50
#define DNS_VERIFY_FOUND	0x00000001
51
#define DNS_VERIFY_MATCH	0x00000002
51
#define DNS_VERIFY_MATCH	0x00000002
52
#define DNS_VERIFY_SECURE	0x00000004
52
#define DNS_VERIFY_SECURE	0x00000004
53
#define DNS_VERIFY_FAILED	0x00000008
53
54
54
int	verify_host_key_dns(const char *, struct sockaddr *,
55
int	verify_host_key_dns(const char *, struct sockaddr *,
55
    struct sshkey *, int *);
56
    struct sshkey *, int *);
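Review bot: The new `DNS_VERIFY_FAILED` flag is added without any comment, unlike the caller-facing meaning it now carries; a one-line comment such as `/* set when an SSHFP record for the host key's algorithm did not match; clears DNS_VERIFY_MATCH */` next to the define would tell callers of `verify_host_key_dns()` how to interpret it alongside `DNS_VERIFY_MATCH`.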
