components/openssh/patches/021-CVE-2014-2653.patch
branchs11-update
changeset 3946 b1e0e68de63b
3942:dd80f8602a0d 3946:b1e0e68de63b
       
     1 #
       
     2 # This is to fix the CVE-2014-2653 security bug.  The bug fix code came from
       
     3 # OpenSSH. When we upgrade OpenSSH to version 6.7 or later, we will remove
       
     4 # this patch file.
       
     5 #
       
     6 --- orig/sshconnect.c	Mon Jun 16 10:31:17 2014
       
     7 +++ new/sshconnect.c	Mon Jun 16 10:44:16 2014
       
     8 @@ -1216,29 +1216,39 @@
       
     9  {
       
    10  	int flags = 0;
       
    11  	char *fp;
       
    12 +        Key *plain = NULL;
       
    13  
       
    14  	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
       
    15  	debug("Server host key: %s %s", key_type(host_key), fp);
       
    16  	free(fp);
       
    17  
       
    18 -	/* XXX certs are not yet supported for DNS */
       
    19 -	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
       
    20 -	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
       
    21 -		if (flags & DNS_VERIFY_FOUND) {
       
    22 -
       
    23 -			if (options.verify_host_key_dns == 1 &&
       
    24 -			    flags & DNS_VERIFY_MATCH &&
       
    25 -			    flags & DNS_VERIFY_SECURE)
       
    26 -				return 0;
       
    27 -
       
    28 -			if (flags & DNS_VERIFY_MATCH) {
       
    29 -				matching_host_key_dns = 1;
       
    30 -			} else {
       
    31 -				warn_changed_key(host_key);
       
    32 -				error("Update the SSHFP RR in DNS with the new "
       
    33 -				    "host key to get rid of this message.");
       
    34 +	if (options.verify_host_key_dns) {
       
    35 +		/*
       
    36 +		 * XXX certs are not yet supported for DNS, so downgrade
       
    37 +		 * them and try the plain key.
       
    38 +		 */
       
    39 +		plain = key_from_private(host_key);
       
    40 +		if (key_is_cert(plain))
       
    41 +			key_drop_cert(plain);
       
    42 +		if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
       
    43 +			if (flags & DNS_VERIFY_FOUND) {
       
    44 +				if (options.verify_host_key_dns == 1 &&
       
    45 +				    flags & DNS_VERIFY_MATCH &&
       
    46 +				    flags & DNS_VERIFY_SECURE) {
       
    47 +					key_free(plain);
       
    48 +					return 0;
       
    49 +				}
       
    50 +				if (flags & DNS_VERIFY_MATCH) {
       
    51 +					matching_host_key_dns = 1;
       
    52 +				} else {
       
    53 +					warn_changed_key(plain);
       
    54 +					error("Update the SSHFP RR in DNS "
       
    55 +					    "with the new host key to get rid "
       
    56 +					    "of this message.");
       
    57 +				}
       
    58  			}
       
    59  		}
       
    60 +		key_free(plain);
       
    61  	}
       
    62  
       
    63  	return check_host_key(host, hostaddr, options.port, host_key, RDRW,
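Review bot: The added declaration `Key *plain = NULL;` at patch line 12 is indented with eight spaces while the neighbouring lines of sshconnect.c (`int flags = 0;` on line 10, `char *fp;` on line 11) are indented with a tab, so the patched function now mixes indentation styles; the line should use a leading tab like the rest of the block. The enclosing function's signature sits above the hunk and its closing brace below it, so only the DNS-verification portion is visible here. Within that portion the new code downgrades a certificate host key to its plain key for the SSHFP lookup and frees `plain` on both the early-return path (line 47) and the fall-through path (line 60), which is consistent with the upstream fix the header comment says the code was taken from. It would be worth adding to the patch's header comment that, with `VerifyHostKeyDNS yes`, a secure matching SSHFP record now accepts a certificate-bearing host key on the strength of its plain key alone (lines 44–48 return before `check_host_key` runs), exactly as it already did for plain keys, since that is the behavioural change an auditor of this patch set will want spelled out.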