Blame SOURCES/openssh-6.6p1-CVE-2014-2653.patch

017ff1
diff --git a/ChangeLog b/ChangeLog
017ff1
index 38de846..1603a07 100644
017ff1
--- a/ChangeLog
017ff1
+++ b/ChangeLog
017ff1
@@ -1,3 +1,14 @@
017ff1
+20140420
017ff1
+   - djm@cvs.openbsd.org 2014/04/01 03:34:10
017ff1
+     [sshconnect.c]
017ff1
+     When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
017ff1
+     certificate keys to plain keys and attempt SSHFP resolution.
017ff1
+     
017ff1
+     Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
017ff1
+     dialog by offering only certificate keys.
017ff1
+     
017ff1
+     Reported by mcv21 AT cam.ac.uk
017ff1
+
017ff1
 20140313
017ff1
  - (djm) Release OpenSSH 6.6
017ff1
 
017ff1
diff --git a/sshconnect.c b/sshconnect.c
017ff1
index 394cca8..e636f33 100644
017ff1
--- a/sshconnect.c
017ff1
+++ b/sshconnect.c
017ff1
@@ -1219,30 +1219,40 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
017ff1
 {
017ff1
 	int flags = 0;
017ff1
 	char *fp;
017ff1
+	Key *plain = NULL;
017ff1
 
017ff1
 	fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
017ff1
 	debug("Server host key: %s %s%s", key_type(host_key),
017ff1
 	    key_fingerprint_prefix(), fp);
017ff1
 	free(fp);
017ff1
 
017ff1
-	/* XXX certs are not yet supported for DNS */
017ff1
-	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
017ff1
-	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
017ff1
-		if (flags & DNS_VERIFY_FOUND) {
017ff1
-
017ff1
-			if (options.verify_host_key_dns == 1 &&
017ff1
-			    flags & DNS_VERIFY_MATCH &&
017ff1
-			    flags & DNS_VERIFY_SECURE)
017ff1
-				return 0;
017ff1
-
017ff1
-			if (flags & DNS_VERIFY_MATCH) {
017ff1
-				matching_host_key_dns = 1;
017ff1
-			} else {
017ff1
-				warn_changed_key(host_key);
017ff1
-				error("Update the SSHFP RR in DNS with the new "
017ff1
-				    "host key to get rid of this message.");
017ff1
+	if (options.verify_host_key_dns) {
017ff1
+		/*
017ff1
+		 * XXX certs are not yet supported for DNS, so downgrade
017ff1
+		 * them and try the plain key.
017ff1
+		 */
017ff1
+		plain = key_from_private(host_key);
017ff1
+		if (key_is_cert(plain))
017ff1
+			key_drop_cert(plain);
017ff1
+		if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
017ff1
+			if (flags & DNS_VERIFY_FOUND) {
017ff1
+				if (options.verify_host_key_dns == 1 &&
017ff1
+				    flags & DNS_VERIFY_MATCH &&
017ff1
+				    flags & DNS_VERIFY_SECURE) {
017ff1
+					key_free(plain);
017ff1
+					return 0;
017ff1
+				}
017ff1
+				if (flags & DNS_VERIFY_MATCH) {
017ff1
+					matching_host_key_dns = 1;
017ff1
+				} else {
017ff1
+					warn_changed_key(plain);
017ff1
+					error("Update the SSHFP RR in DNS "
017ff1
+					    "with the new host key to get rid "
017ff1
+					    "of this message.");
017ff1
+				}
017ff1
 			}
017ff1
 		}
017ff1
+		key_free(plain);
017ff1
 	}
017ff1
 
017ff1
 	return check_host_key(host, hostaddr, options.port, host_key, RDRW,