components/openssh/patches/021-CVE-2014-2653.patch
author Tomas Kuthan <tomas.kuthan@oracle.com>
Fri, 16 Jan 2015 13:13:26 -0800
changeset 3642 41b777a03942
parent 2215 b580479fe1e7
permissions -rw-r--r--
20370803 OpenSSH patch number collision
#
# This is to fix the CVE-2014-2653 security bug.  The bug fix code came from
# OpenSSH. When we upgrade OpenSSH to version 6.7 or later, we will remove
# this patch file.
#
--- orig/sshconnect.c	Mon Jun 16 10:31:17 2014
     7
+++ new/sshconnect.c	Mon Jun 16 10:44:16 2014
     8
@@ -1216,29 +1216,39 @@
     9
 {
    10
 	int flags = 0;
    11
 	char *fp;
    12
+        Key *plain = NULL;
    13
 
    14
 	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
    15
 	debug("Server host key: %s %s", key_type(host_key), fp);
    16
 	free(fp);
    17
 
    18
-	/* XXX certs are not yet supported for DNS */
    19
-	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
    20
-	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
    21
-		if (flags & DNS_VERIFY_FOUND) {
    22
-
    23
-			if (options.verify_host_key_dns == 1 &&
    24
-			    flags & DNS_VERIFY_MATCH &&
    25
-			    flags & DNS_VERIFY_SECURE)
    26
-				return 0;
    27
-
    28
-			if (flags & DNS_VERIFY_MATCH) {
    29
-				matching_host_key_dns = 1;
    30
-			} else {
    31
-				warn_changed_key(host_key);
    32
-				error("Update the SSHFP RR in DNS with the new "
    33
-				    "host key to get rid of this message.");
    34
+	if (options.verify_host_key_dns) {
    35
+		/*
    36
+		 * XXX certs are not yet supported for DNS, so downgrade
    37
+		 * them and try the plain key.
    38
+		 */
    39
+		plain = key_from_private(host_key);
    40
+		if (key_is_cert(plain))
    41
+			key_drop_cert(plain);
    42
+		if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
    43
+			if (flags & DNS_VERIFY_FOUND) {
    44
+				if (options.verify_host_key_dns == 1 &&
    45
+				    flags & DNS_VERIFY_MATCH &&
    46
+				    flags & DNS_VERIFY_SECURE) {
    47
+					key_free(plain);
    48
+					return 0;
    49
+				}
    50
+				if (flags & DNS_VERIFY_MATCH) {
    51
+					matching_host_key_dns = 1;
    52
+				} else {
    53
+					warn_changed_key(plain);
    54
+					error("Update the SSHFP RR in DNS "
    55
+					    "with the new host key to get rid "
    56
+					    "of this message.");
    57
+				}
    58
 			}
    59
 		}
    60
+		key_free(plain);
    61
 	}
    62
 
    63
 	return check_host_key(host, hostaddr, options.port, host_key, RDRW,
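Review bot: The added declaration on the new side, `Key *plain = NULL;`, is indented with eight spaces while the adjacent declarations `int flags = 0;` and `char *fp;` in this hunk are tab-indented, so the backport leaves one mixed-indentation line; change it to the tab-indented form `	Key *plain = NULL;`. The rest of the new block frees `plain` both on the early `return 0` path and after the DNS check falls through, so the downgraded copy of the host key does not leak on either path as far as the hunk shows. That early `return 0` — taken when `options.verify_host_key_dns == 1` and the SSHFP record is found, matching and `DNS_VERIFY_SECURE` — returns before the `check_host_key` call on the last line, which is behaviour the old side already had rather than something this patch introduces, but a comment above it such as `/* DNSSEC-validated SSHFP match: the known_hosts check below is skipped */` would make that trust decision visible to the next reader. The enclosing function's signature lies above the hunk, and the `return check_host_key(...)` statement on the hunk's last line continues past it.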