I've just thrown together a patch.  It compiles but is otherwise
entirely untested!  I'm interested in comments like `No, that's the
wrong fix: you should do mumble instead.'

diff --git a/sshconnect.c b/sshconnect.c
index 87c3770..dfe44e4 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1218,36 +1218,62 @@ fail:
        return -1;
 }
 
+static int
+check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key)
+{
+       int rc = -1;
+       int flags = 0;
+       Key *raw_key = NULL;
+
+       if (!options.verify_host_key_dns)
+               goto done;
+
+       /* XXX certs are not yet supported for DNS; try looking the raw key
+        * up in the DNS anyway.
+        */
+       if (key_is_cert(host_key)) {
+               raw_key = key_from_private(host_key);
+               if (key_drop_cert(raw_key))
+                       fatal("Couldn't drop certificate");
+               host_key = raw_key;
+       }
+
+       if (verify_host_key_dns(host, hostaddr, host_key, &flags))
+               goto done;
+
+       if (flags & DNS_VERIFY_FOUND) {
+
+               if (options.verify_host_key_dns == 1 &&
+                   flags & DNS_VERIFY_MATCH &&
+                   flags & DNS_VERIFY_SECURE) {
+                       rc = 0;
+               } else if (flags & DNS_VERIFY_MATCH) {
+                       matching_host_key_dns = 1;
+               } else {
+                       warn_changed_key(host_key);
+                       error("Update the SSHFP RR in DNS with the new "
+                             "host key to get rid of this message.");
+               }
+       }
+
+done:
+       if (raw_key)
+               key_free(raw_key);
+       return rc;
+}
+
 /* returns 0 if key verifies or -1 if key does NOT verify */
 int
 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
-       int flags = 0;
        char *fp;
 
        fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
        debug("Server host key: %s %s", key_type(host_key), fp);
        free(fp);
 
-       /* XXX certs are not yet supported for DNS */
-       if (!key_is_cert(host_key) && options.verify_host_key_dns &&
-           verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
-               if (flags & DNS_VERIFY_FOUND) {
-
-                       if (options.verify_host_key_dns == 1 &&
-                           flags & DNS_VERIFY_MATCH &&
-                           flags & DNS_VERIFY_SECURE)
-                               return 0;
-
-                       if (flags & DNS_VERIFY_MATCH) {
-                               matching_host_key_dns = 1;
-                       } else {
-                               warn_changed_key(host_key);
-                               error("Update the SSHFP RR in DNS with the new "
-                                   "host key to get rid of this message.");
-                       }
-               }
-       }
+       if (check_host_key_sshfp(host, hostaddr, host_key) == 0)
+               return 0;
 
        return check_host_key(host, hostaddr, options.port, host_key, RDRW,
            options.user_hostfiles, options.num_user_hostfiles,
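Review bot: check_host_key_sshfp's -1 return conflates three different outcomes — DNS verification disabled (L20), verify_host_key_dns() failing (L33), and a record that was found but did not match (L44) — and verify_host_key treats all of them identically by falling through to check_host_key(), so the new static function needs the same kind of contract comment that verify_host_key already carries. I would put above the definition at L13: `/* Returns 0 only when an SSHFP RR matched the (cert-stripped) host key, was flagged DNS_VERIFY_SECURE and options.verify_host_key_dns == 1; -1 otherwise, including "DNS not consulted" and "lookup failed", which are not verification failures and must fall through to check_host_key(). */`. Worth stating in that comment too: when a certificate host key is accepted via the rc = 0 path, only the inner key has been checked against DNS, and the certificate's CA signature, principals and validity do not appear to be examined anywhere on this path — the host is in effect trusted as if it had presented the raw key. The body of verify_host_key continues past the end of the hunk.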

-- [mdw]


