authordjm@openbsd.org <djm@openbsd.org>2017-09-01 05:53:56 +0000
committerDamien Miller <djm@mindrot.org>2017-09-04 09:38:57 +1000
commitb828605d51f57851316d7ba402b4ae06cf37c55d (patch)
treecec2c9c32c860e87c7a643aea1abd6c587dcd5de /dns.c
parent8042bad97e2789a50e8f742c3bcd665ebf0add32 (diff)
downloadopenssh-git-b828605d51f57851316d7ba402b4ae06cf37c55d.tar.gz
upstream commit
identify the case where SSHFP records are missing but other DNS RR types are present and display a more useful error message for this case; patch by Thordur Bjornsson; bz#2501; ok dtucker@ Upstream-ID: 8f7a5a8344f684823d8317a9708b63e75be2c244
Diffstat (limited to 'dns.c')
-rw-r--r--dns.c14
1 files changed, 8 insertions, 6 deletions
diff --git a/dns.c b/dns.c
index e813afea..9152e864 100644
--- a/dns.c
+++ b/dns.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.c,v 1.35 2015/08/20 22:32:42 deraadt Exp $ */
+/* $OpenBSD: dns.c,v 1.36 2017/09/01 05:53:56 djm Exp $ */
/*
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -294,17 +294,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
free(dnskey_digest);
}
- free(hostkey_digest); /* from sshkey_fingerprint_raw() */
- freerrset(fingerprints);
-
- if (*flags & DNS_VERIFY_FOUND)
+ if (*flags & DNS_VERIFY_FOUND) {
if (*flags & DNS_VERIFY_MATCH)
debug("matching host key fingerprint found in DNS");
+ else if (counter == fingerprints->rri_nrdatas)
+ *flags |= DNS_VERIFY_MISSING;
else
debug("mismatching host key fingerprint found in DNS");
- else
+ } else
debug("no host key fingerprint found in DNS");
+ free(hostkey_digest); /* from sshkey_fingerprint_raw() */
+ freerrset(fingerprints);
+
return 0;
}
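Review bot: The new `else if (counter == fingerprints->rri_nrdatas)` test separates "missing" from "mismatching" using the loop index alone, and the loop that advances `counter` lies outside this hunk. If that loop always walks every record without breaking early, the test holds whenever no match was found, so a real SSHFP mismatch would be flagged `DNS_VERIFY_MISSING` and the `mismatching host key fingerprint found in DNS` branch would never run; a mismatch is the result a user most needs to see reported as such. Consider deciding on an explicit count kept in the loop (a hypothetical `ncompared`, incremented when a record's algorithm and digest type equal the host key's) and testing `else if (ncompared == 0)`. The missing-records branch is also the only one that logs nothing; a line such as `debug("no SSHFP record for this host key type found in DNS");` would keep the debug trace complete.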