version 1.12, 2005/06/17 02:44:32 |
version 1.12.2.2, 2006/10/06 03:19:32 |
|
|
/* $OpenBSD$ */ |
/* $OpenBSD$ */ |
|
|
/* |
/* |
* Copyright (c) 2003 Wesley Griffin. All rights reserved. |
* Copyright (c) 2003 Wesley Griffin. All rights reserved. |
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
*/ |
*/ |
|
|
|
#include <sys/types.h> |
|
#include <sys/socket.h> |
|
|
#include "includes.h" |
|
|
|
#include <openssl/bn.h> |
|
#ifdef LWRES |
|
#include <lwres/netdb.h> |
|
#include <dns/result.h> |
|
#else /* LWRES */ |
|
#include <netdb.h> |
#include <netdb.h> |
#endif /* LWRES */ |
#include <stdio.h> |
|
#include <string.h> |
|
|
#include "xmalloc.h" |
#include "xmalloc.h" |
#include "key.h" |
#include "key.h" |
#include "dns.h" |
#include "dns.h" |
#include "log.h" |
#include "log.h" |
#include "uuencode.h" |
|
|
|
extern char *__progname; |
|
RCSID("$OpenBSD$"); |
|
|
|
#ifndef LWRES |
|
static const char *errset_text[] = { |
static const char *errset_text[] = { |
"success", /* 0 ERRSET_SUCCESS */ |
"success", /* 0 ERRSET_SUCCESS */ |
"out of memory", /* 1 ERRSET_NOMEMORY */ |
"out of memory", /* 1 ERRSET_NOMEMORY */ |
|
|
return "unknown error"; |
return "unknown error"; |
} |
} |
} |
} |
#endif /* LWRES */ |
|
|
|
|
|
/* |
/* |
* Read SSHFP parameters from key buffer. |
* Read SSHFP parameters from key buffer. |
*/ |
*/ |
|
|
*algorithm = SSHFP_KEY_DSA; |
*algorithm = SSHFP_KEY_DSA; |
break; |
break; |
default: |
default: |
*algorithm = SSHFP_KEY_RESERVED; |
*algorithm = SSHFP_KEY_RESERVED; /* 0 */ |
} |
} |
|
|
if (*algorithm) { |
if (*algorithm) { |
*digest_type = SSHFP_HASH_SHA1; |
*digest_type = SSHFP_HASH_SHA1; |
*digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len); |
*digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len); |
|
if (*digest == NULL) |
|
fatal("dns_read_key: null from key_fingerprint_raw()"); |
success = 1; |
success = 1; |
} else { |
} else { |
*digest_type = SSHFP_HASH_RESERVED; |
*digest_type = SSHFP_HASH_RESERVED; |
|
|
*digest = (u_char *) xmalloc(*digest_len); |
*digest = (u_char *) xmalloc(*digest_len); |
memcpy(*digest, rdata + 2, *digest_len); |
memcpy(*digest, rdata + 2, *digest_len); |
} else { |
} else { |
*digest = NULL; |
*digest = (u_char *)xstrdup(""); |
} |
} |
|
|
success = 1; |
success = 1; |
|
|
|
|
*flags = 0; |
*flags = 0; |
|
|
debug3("verify_hostkey_dns"); |
debug3("verify_host_key_dns"); |
if (hostkey == NULL) |
if (hostkey == NULL) |
fatal("No key to look up!"); |
fatal("No key to look up!"); |
|
|
|
|
if (fingerprints->rri_nrdatas) |
if (fingerprints->rri_nrdatas) |
*flags |= DNS_VERIFY_FOUND; |
*flags |= DNS_VERIFY_FOUND; |
|
|
for (counter = 0 ; counter < fingerprints->rri_nrdatas ; counter++) { |
for (counter = 0; counter < fingerprints->rri_nrdatas; counter++) { |
/* |
/* |
* Extract the key from the answer. Ignore any badly |
* Extract the key from the answer. Ignore any badly |
* formatted fingerprints. |
* formatted fingerprints. |
|
|
*flags |= DNS_VERIFY_MATCH; |
*flags |= DNS_VERIFY_MATCH; |
} |
} |
} |
} |
|
xfree(dnskey_digest); |
} |
} |
|
|
|
xfree(hostkey_digest); /* from key_fingerprint_raw() */ |
freerrset(fingerprints); |
freerrset(fingerprints); |
|
|
if (*flags & DNS_VERIFY_FOUND) |
if (*flags & DNS_VERIFY_FOUND) |
|
|
return 0; |
return 0; |
} |
} |
|
|
|
|
/* |
/* |
* Export the fingerprint of a key as a DNS resource record |
* Export the fingerprint of a key as a DNS resource record |
*/ |
*/ |
|
|
int success = 0; |
int success = 0; |
|
|
if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type, |
if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type, |
&rdata_digest, &rdata_digest_len, key)) { |
&rdata_digest, &rdata_digest_len, key)) { |
|
|
if (generic) |
if (generic) |
fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname, |
fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname, |
|
|
for (i = 0; i < rdata_digest_len; i++) |
for (i = 0; i < rdata_digest_len; i++) |
fprintf(f, "%02x", rdata_digest[i]); |
fprintf(f, "%02x", rdata_digest[i]); |
fprintf(f, "\n"); |
fprintf(f, "\n"); |
|
xfree(rdata_digest); /* from key_fingerprint_raw() */ |
success = 1; |
success = 1; |
} else { |
} else { |
error("dns_export_rr: unsupported algorithm"); |
error("export_dns_rr: unsupported algorithm"); |
} |
} |
|
|
return success; |
return success; |
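Review bot: The unconditional `xfree(dnskey_digest)` added inside the loop in verify_host_key_dns only works because the empty-digest branch of dns_read_rdata now hands back `xstrdup("")` instead of NULL, and that coupling is invisible at either site; the `xstrdup("")` line deserves a comment such as `/* never NULL: the caller frees the digest unconditionally, and xfree() does not accept NULL */`. The lines between the "Ignore any badly formatted fingerprints" comment and the DNS_VERIFY_MATCH assignment are not shown, so I could not confirm that the bad-fingerprint path skips the free; the visible dns_read_rdata lines put both allocation branches ahead of the same `success = 1`, so a failed parse should leave dnskey_digest unassigned, which means that path must continue to the next iteration before reaching the xfree rather than fall through to it. The same pairing applies to the new `xfree(hostkey_digest)` after the loop, whose pointer dns_read_key now guarantees non-NULL via the added fatal() check, and to `xfree(rdata_digest)` in dns_export_rr; a one-line ownership note on dns_read_key's digest parameter ("heap-allocated, caller frees") would make all three frees self-explanatory.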