prevent a server from skipping SSHFP lookup (#1081338)

CVE-2014-2653
This commit is contained in:
Petr Lautrbach 2014-05-14 18:04:10 +02:00
parent 9a031d2641
commit d271e02296
2 changed files with 84 additions and 0 deletions

View File

@ -0,0 +1,80 @@
diff --git a/ChangeLog b/ChangeLog
index 29d70ec..a0fb67e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+20140420
+ - djm@cvs.openbsd.org 2014/04/01 03:34:10
+ [sshconnect.c]
+ When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
+ certificate keys to plain keys and attempt SSHFP resolution.
+
+ Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
+ dialog by offering only certificate keys.
+
+ Reported by mcv21 AT cam.ac.uk
+
20131010
- dtucker@cvs.openbsd.org 2013/10/08 11:42:13
[dh.c dh.h]
diff --git a/sshconnect.c b/sshconnect.c
index ddc167e..4d8c718 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1136,30 +1136,40 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
{
int flags = 0;
char *fp;
+ Key *plain = NULL;
fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
debug("Server host key: %s %s%s", key_type(host_key),
key_fingerprint_prefix(), fp);
free(fp);
- /* XXX certs are not yet supported for DNS */
- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
- if (flags & DNS_VERIFY_FOUND) {
-
- if (options.verify_host_key_dns == 1 &&
- flags & DNS_VERIFY_MATCH &&
- flags & DNS_VERIFY_SECURE)
- return 0;
-
- if (flags & DNS_VERIFY_MATCH) {
- matching_host_key_dns = 1;
- } else {
- warn_changed_key(host_key);
- error("Update the SSHFP RR in DNS with the new "
- "host key to get rid of this message.");
+ if (options.verify_host_key_dns) {
+ /*
+ * XXX certs are not yet supported for DNS, so downgrade
+ * them and try the plain key.
+ */
+ plain = key_from_private(host_key);
+ if (key_is_cert(plain))
+ key_drop_cert(plain);
+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
+ if (flags & DNS_VERIFY_FOUND) {
+ if (options.verify_host_key_dns == 1 &&
+ flags & DNS_VERIFY_MATCH &&
+ flags & DNS_VERIFY_SECURE) {
+ key_free(plain);
+ return 0;
+ }
+ if (flags & DNS_VERIFY_MATCH) {
+ matching_host_key_dns = 1;
+ } else {
+ warn_changed_key(plain);
+ error("Update the SSHFP RR in DNS "
+ "with the new host key to get rid "
+ "of this message.");
+ }
}
}
+ key_free(plain);
}
return check_host_key(host, hostaddr, options.port, host_key, RDRW,

View File

@ -190,6 +190,9 @@ Patch905: openssh-6.4p1-legacy-ssh-copy-id.patch
Patch906: openssh-6.4p1-fromto-remote.patch
# Try CLOCK_BOOTTIME with fallback (#1091992)
Patch907: openssh-6.4p1-CLOCK_BOOTTIME.patch
# Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
# dialog by offering only certificate keys. (#1081338)
Patch908: openssh-6.4p1-CVE-2014-2653.patch
License: BSD
@ -416,6 +419,7 @@ popd
%patch905 -p1 -b .legacy-ssh-copy-id
%patch906 -p1 -b .fromto-remote
%patch907 -p1 -b .CLOCK_BOOTTIME
%patch908 -p1 -b .CVE-2014-2653
%if 0
# Nothing here yet