|
1 # |
|
# This is to fix the CVE-2014-2653 security bug: before this change the ssh
# client skipped the SSHFP (VerifyHostKeyDNS) check entirely whenever the server
# presented a certificate host key, so a server could sidestep DNS host-key
# verification simply by offering a certificate. The bug fix code came from
# OpenSSH. When we upgrade OpenSSH to version 6.7 or later, we will remove
# this patch file.
|
5 # |
|
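--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1216,29 +1216,39 @@
 {
 	int flags = 0;
 	char *fp;
+	Key *plain = NULL;
 
 	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
 	debug("Server host key: %s %s", key_type(host_key), fp);
 	free(fp);
 
-	/* XXX certs are not yet supported for DNS */
-	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
-	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
-		if (flags & DNS_VERIFY_FOUND) {
-
-			if (options.verify_host_key_dns == 1 &&
-			    flags & DNS_VERIFY_MATCH &&
-			    flags & DNS_VERIFY_SECURE)
-				return 0;
-
-			if (flags & DNS_VERIFY_MATCH) {
-				matching_host_key_dns = 1;
-			} else {
-				warn_changed_key(host_key);
-				error("Update the SSHFP RR in DNS with the new "
-				    "host key to get rid of this message.");
+	if (options.verify_host_key_dns) {
+		/*
+		 * XXX certs are not yet supported for DNS, so downgrade
+		 * them and try the plain key.
+		 */
+		plain = key_from_private(host_key);
+		if (key_is_cert(plain))
+			key_drop_cert(plain);
+		if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
+			if (flags & DNS_VERIFY_FOUND) {
+				if (options.verify_host_key_dns == 1 &&
+				    flags & DNS_VERIFY_MATCH &&
+				    flags & DNS_VERIFY_SECURE) {
+					key_free(plain);
+					return 0;
+				}
+				if (flags & DNS_VERIFY_MATCH) {
+					matching_host_key_dns = 1;
+				} else {
+					warn_changed_key(plain);
+					error("Update the SSHFP RR in DNS "
+					    "with the new host key to get rid "
+					    "of this message.");
+				}
 			}
 		}
+		key_free(plain);
 	}
 
 	return check_host_key(host, hostaddr, options.port, host_key, RDRW,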
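Review bot: The early `return 0` in the `DNS_VERIFY_SECURE` branch now fires for certificate host keys as well, so with VerifyHostKeyDNS=yes a secure SSHFP match on the key embedded in the certificate ends verification before `check_host_key` ever sees the certificate — the CA signature, validity window and principals are not evaluated on that path. That matches the upstream OpenSSH 6.7 fix the header cites and is not a weakness by itself, since the server should still have to prove possession of that key in the key-exchange signature check elsewhere, but the XXX comment only says the cert is downgraded; I would add `* A secure SSHFP match on the downgraded key is accepted outright, so the certificate's own fields are never checked on that path.` beneath it so a later reader does not assume certificate validation still runs. One thing to confirm: `plain` is passed to `key_is_cert` without a NULL check, which is fine only if the local `key_from_private` never returns NULL (upstream fatal()s on unknown key types). The enclosing function starts before this hunk, so the caller's handling of the 0 return is not visible here.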