version 1.3, 2003/05/14 22:56:51 |
version 1.4, 2003/05/14 23:29:22 |
|
|
{ |
{ |
int counter; |
int counter; |
int result; |
int result; |
struct rrsetinfo *keys = NULL; |
struct rrsetinfo *fingerprints = NULL; |
int failures = 0; |
int failures = 0; |
|
|
u_int8_t hostkey_algorithm; |
u_int8_t hostkey_algorithm; |
|
|
fatal("No key to look up!"); |
fatal("No key to look up!"); |
|
|
result = getrrsetbyname(hostname, DNS_RDATACLASS_IN, |
result = getrrsetbyname(hostname, DNS_RDATACLASS_IN, |
DNS_RDATATYPE_SSHFP, 0, &keys); |
DNS_RDATATYPE_SSHFP, 0, &fingerprints); |
if (result) { |
if (result) { |
verbose("DNS lookup error: %s", dns_result_totext(result)); |
verbose("DNS lookup error: %s", dns_result_totext(result)); |
return DNS_VERIFY_ERROR; |
return DNS_VERIFY_ERROR; |
|
|
|
|
#ifdef DNSSEC |
#ifdef DNSSEC |
/* Only accept validated answers */ |
/* Only accept validated answers */ |
if (!keys->rri_flags & RRSET_VALIDATED) { |
if (!fingerprints->rri_flags & RRSET_VALIDATED) { |
error("Ignored unvalidated fingerprint from DNS."); |
error("Ignored unvalidated fingerprint from DNS."); |
return DNS_VERIFY_ERROR; |
return DNS_VERIFY_ERROR; |
} |
} |
#endif |
#endif |
|
|
debug("found %d fingerprints in DNS", keys->rri_nrdatas); |
debug("found %d fingerprints in DNS", fingerprints->rri_nrdatas); |
|
|
/* Initialize host key parameters */ |
/* Initialize host key parameters */ |
if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type, |
if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type, |
|
|
return DNS_VERIFY_ERROR; |
return DNS_VERIFY_ERROR; |
} |
} |
|
|
for (counter = 0 ; counter < keys->rri_nrdatas ; counter++) { |
for (counter = 0 ; counter < fingerprints->rri_nrdatas ; counter++) { |
/* |
/* |
* Extract the key from the answer. Ignore any badly |
* Extract the key from the answer. Ignore any badly |
* formatted keys. |
* formatted fingerprints. |
*/ |
*/ |
if (!dns_read_rdata(&dnskey_algorithm, &dnskey_digest_type, |
if (!dns_read_rdata(&dnskey_algorithm, &dnskey_digest_type, |
&dnskey_digest, &dnskey_digest_len, |
&dnskey_digest, &dnskey_digest_len, |
keys->rri_rdatas[counter].rdi_data, |
fingerprints->rri_rdatas[counter].rdi_data, |
keys->rri_rdatas[counter].rdi_length)) { |
fingerprints->rri_rdatas[counter].rdi_length)) { |
verbose("Error parsing fingerprint from DNS."); |
verbose("Error parsing fingerprint from DNS."); |
continue; |
continue; |
} |
} |
|
|
hostkey_digest_len) == 0) { |
hostkey_digest_len) == 0) { |
|
|
/* Matching algoritm and digest. */ |
/* Matching algoritm and digest. */ |
freerrset(keys); |
freerrset(fingerprints); |
#ifdef DNSSEC |
#ifdef DNSSEC |
debug("matching host key fingerprint found in DNS"); |
debug("matching host key fingerprint found in DNS"); |
return DNS_VERIFY_OK; |
return DNS_VERIFY_OK; |
|
|
} |
} |
} |
} |
|
|
freerrset(keys); |
freerrset(fingerprints); |
|
|
if (failures) { |
if (failures) { |
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); |
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); |