- djm@cvs.openbsd.org 2014/04/01 03:34:10

[sshconnect.c] When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any certificate keys to plain keys and attempt SSHFP resolution. Prevents a server from skipping SSHFP lookup and forcing a new-hostkey dialog by offering only certificate keys. Reported by mcv21 AT cam.ac.uk
2024-12-29 13:42:07 +00:00 · 2014-04-20 13:23:43 +10:00 · 2014-04-20 13:23:43 +10:00 · 7d6a9fb660
commit 7d6a9fb660
parent fcd62c0b66
2 changed files with 36 additions and 17 deletions
--- a/9
+++ b/9
@ -73,6 +73,15 @@
     [ssh-keysign.c]
     include fingerprint of key not found
     use arc4random_buf() instead of loop+arc4random()
+   - djm@cvs.openbsd.org 2014/04/01 03:34:10
+     [sshconnect.c]
+     When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
+     certificate keys to plain keys and attempt SSHFP resolution.
+     
+     Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
+     dialog by offering only certificate keys.
+     
+     Reported by mcv21 AT cam.ac.uk

 20140401
 - (djm) On platforms that support it, use prctl() to prevent sftp-server
--- a/sshconnect.c
+++ b/sshconnect.c
@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.246 2014/02/06 22:21:01 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.247 2014/04/01 03:34:10 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1219,29 +1219,39 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
 	int flags = 0;
 	char *fp;
+	Key *plain = NULL;

 	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
 	debug("Server host key: %s %s", key_type(host_key), fp);
 	free(fp);

-	/* XXX certs are not yet supported for DNS */
-	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
-	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
-		if (flags & DNS_VERIFY_FOUND) {
-
-			if (options.verify_host_key_dns == 1 &&
-			    flags & DNS_VERIFY_MATCH &&
-			    flags & DNS_VERIFY_SECURE)
-				return 0;
-
-			if (flags & DNS_VERIFY_MATCH) {
-				matching_host_key_dns = 1;
-			} else {
-				warn_changed_key(host_key);
-				error("Update the SSHFP RR in DNS with the new "
-				    "host key to get rid of this message.");
+	if (options.verify_host_key_dns) {
+		/*
+		 * XXX certs are not yet supported for DNS, so downgrade
+		 * them and try the plain key.
+		 */
+		plain = key_from_private(host_key);
+		if (key_is_cert(plain))
+			key_drop_cert(plain);
+		if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
+			if (flags & DNS_VERIFY_FOUND) {
+				if (options.verify_host_key_dns == 1 &&
+				    flags & DNS_VERIFY_MATCH &&
+				    flags & DNS_VERIFY_SECURE) {
+					key_free(plain);
+					return 0;
+				}
+				if (flags & DNS_VERIFY_MATCH) {
+					matching_host_key_dns = 1;
+				} else {
+					warn_changed_key(plain);
+					error("Update the SSHFP RR in DNS "
+					    "with the new host key to get rid "
+					    "of this message.");
+				}
 			}
 		}
+		key_free(plain);
 	}

 	return check_host_key(host, hostaddr, options.port, host_key, RDRW,