| version 1.6.4.1, 2003/09/16 20:50:43 |
version 1.6.4.2, 2004/03/04 18:18:15 |
|
|
| |
|
| #include "includes.h" |
#include "includes.h" |
| |
|
| #ifdef DNS |
|
| #include <openssl/bn.h> |
#include <openssl/bn.h> |
| #ifdef LWRES |
#ifdef LWRES |
| #include <lwres/netdb.h> |
#include <lwres/netdb.h> |
|
|
| */ |
*/ |
| static int |
static int |
| dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type, |
dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type, |
| u_char **digest, u_int *digest_len, Key *key) |
u_char **digest, u_int *digest_len, const Key *key) |
| { |
{ |
| int success = 0; |
int success = 0; |
| |
|
|
|
| |
|
| /* |
/* |
| * Verify the given hostname, address and host key using DNS. |
* Verify the given hostname, address and host key using DNS. |
| * Returns 0 if key verifies or -1 if key does NOT verify |
* Returns 0 if lookup succeeds, -1 otherwise |
| */ |
*/ |
| int |
int |
| verify_host_key_dns(const char *hostname, struct sockaddr *address, |
verify_host_key_dns(const char *hostname, struct sockaddr *address, |
| Key *hostkey) |
const Key *hostkey, int *flags) |
| { |
{ |
| int counter; |
int counter; |
| int result; |
int result; |
| struct rrsetinfo *fingerprints = NULL; |
struct rrsetinfo *fingerprints = NULL; |
| int failures = 0; |
|
| |
|
| u_int8_t hostkey_algorithm; |
u_int8_t hostkey_algorithm; |
| u_int8_t hostkey_digest_type; |
u_int8_t hostkey_digest_type; |
|
|
| u_char *dnskey_digest; |
u_char *dnskey_digest; |
| u_int dnskey_digest_len; |
u_int dnskey_digest_len; |
| |
|
| |
*flags = 0; |
| |
|
| debug3("verify_hostkey_dns"); |
debug3("verify_hostkey_dns"); |
| if (hostkey == NULL) |
if (hostkey == NULL) |
|
|
| DNS_RDATATYPE_SSHFP, 0, &fingerprints); |
DNS_RDATATYPE_SSHFP, 0, &fingerprints); |
| if (result) { |
if (result) { |
| verbose("DNS lookup error: %s", dns_result_totext(result)); |
verbose("DNS lookup error: %s", dns_result_totext(result)); |
| return DNS_VERIFY_ERROR; |
return -1; |
| } |
} |
| |
|
| #ifdef DNSSEC |
if (fingerprints->rri_flags & RRSET_VALIDATED) { |
| /* Only accept validated answers */ |
*flags |= DNS_VERIFY_SECURE; |
| if (!fingerprints->rri_flags & RRSET_VALIDATED) { |
debug("found %d secure fingerprints in DNS", |
| error("Ignored unvalidated fingerprint from DNS."); |
fingerprints->rri_nrdatas); |
| freerrset(fingerprints); |
} else { |
| return DNS_VERIFY_ERROR; |
debug("found %d insecure fingerprints in DNS", |
| |
fingerprints->rri_nrdatas); |
| } |
} |
| #endif |
|
| |
|
| debug("found %d fingerprints in DNS", fingerprints->rri_nrdatas); |
|
| |
|
| /* Initialize host key parameters */ |
/* Initialize host key parameters */ |
| if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type, |
if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type, |
| &hostkey_digest, &hostkey_digest_len, hostkey)) { |
&hostkey_digest, &hostkey_digest_len, hostkey)) { |
| error("Error calculating host key fingerprint."); |
error("Error calculating host key fingerprint."); |
| freerrset(fingerprints); |
freerrset(fingerprints); |
| return DNS_VERIFY_ERROR; |
return -1; |
| } |
} |
| |
|
| |
if (fingerprints->rri_nrdatas) |
| |
*flags |= DNS_VERIFY_FOUND; |
| |
|
| for (counter = 0 ; counter < fingerprints->rri_nrdatas ; counter++) { |
for (counter = 0 ; counter < fingerprints->rri_nrdatas ; counter++) { |
| /* |
/* |
| * Extract the key from the answer. Ignore any badly |
* Extract the key from the answer. Ignore any badly |
|
|
| memcmp(hostkey_digest, dnskey_digest, |
memcmp(hostkey_digest, dnskey_digest, |
| hostkey_digest_len) == 0) { |
hostkey_digest_len) == 0) { |
| |
|
| /* Matching algoritm and digest. */ |
*flags |= DNS_VERIFY_MATCH; |
| freerrset(fingerprints); |
|
| debug("matching host key fingerprint found in DNS"); |
|
| return DNS_VERIFY_OK; |
|
| } else { |
|
| /* Correct algorithm but bad digest */ |
|
| debug("verify_hostkey_dns: failed"); |
|
| failures++; |
|
| } |
} |
| } |
} |
| } |
} |
| |
|
| freerrset(fingerprints); |
freerrset(fingerprints); |
| |
|
| if (failures) { |
if (*flags & DNS_VERIFY_FOUND) |
| error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); |
if (*flags & DNS_VERIFY_MATCH) |
| error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); |
debug("matching host key fingerprint found in DNS"); |
| error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); |
else |
| error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"); |
debug("mismatching host key fingerprint found in DNS"); |
| error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); |
else |
| error("It is also possible that the %s host key has just been changed.", |
debug("no host key fingerprint found in DNS"); |
| key_type(hostkey)); |
|
| error("Please contact your system administrator."); |
|
| return DNS_VERIFY_FAILED; |
|
| } |
|
| |
|
| debug("fingerprints found in DNS, but none of them matched"); |
return 0; |
| |
|
| return DNS_VERIFY_ERROR; |
|
| } |
} |
| |
|
| |
|
|
|
| * Export the fingerprint of a key as a DNS resource record |
* Export the fingerprint of a key as a DNS resource record |
| */ |
*/ |
| int |
int |
| export_dns_rr(const char *hostname, Key *key, FILE *f, int generic) |
export_dns_rr(const char *hostname, const Key *key, FILE *f, int generic) |
| { |
{ |
| u_int8_t rdata_pubkey_algorithm = 0; |
u_int8_t rdata_pubkey_algorithm = 0; |
| u_int8_t rdata_digest_type = SSHFP_HASH_SHA1; |
u_int8_t rdata_digest_type = SSHFP_HASH_SHA1; |
|
|
| |
|
| return success; |
return success; |
| } |
} |
| |
|
| #endif /* DNS */ |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to dns.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh