-/* $OpenBSD: dns.c,v 1.9 2003/11/21 11:57:03 djm Exp $ */
+/* $OpenBSD: dns.c,v 1.25 2008/06/12 00:03:49 dtucker Exp $ */
/*
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-
#include "includes.h"
-#include <openssl/bn.h>
-#ifdef LWRES
-#include <lwres/netdb.h>
-#include <dns/result.h>
-#else /* LWRES */
+#include <sys/types.h>
+#include <sys/socket.h>
+
#include <netdb.h>
-#endif /* LWRES */
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
#include "xmalloc.h"
#include "key.h"
#include "dns.h"
#include "log.h"
-#include "uuencode.h"
-
-extern char *__progname;
-RCSID("$OpenBSD: dns.c,v 1.9 2003/11/21 11:57:03 djm Exp $");
-#ifndef LWRES
static const char *errset_text[] = {
"success", /* 0 ERRSET_SUCCESS */
"out of memory", /* 1 ERRSET_NOMEMORY */
};
static const char *
-dns_result_totext(unsigned int error)
+dns_result_totext(unsigned int res)
{
- switch (error) {
+ switch (res) {
case ERRSET_SUCCESS:
return errset_text[ERRSET_SUCCESS];
case ERRSET_NOMEMORY:
return "unknown error";
}
}
-#endif /* LWRES */
-
/*
* Read SSHFP parameters from key buffer.
*algorithm = SSHFP_KEY_DSA;
break;
default:
- *algorithm = SSHFP_KEY_RESERVED;
+ *algorithm = SSHFP_KEY_RESERVED; /* 0 */
}
if (*algorithm) {
*digest_type = SSHFP_HASH_SHA1;
*digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len);
+ if (*digest == NULL)
+ fatal("dns_read_key: null from key_fingerprint_raw()");
success = 1;
} else {
*digest_type = SSHFP_HASH_RESERVED;
*digest = (u_char *) xmalloc(*digest_len);
memcpy(*digest, rdata + 2, *digest_len);
} else {
- *digest = NULL;
+ *digest = (u_char *)xstrdup("");
}
success = 1;
return success;
}
+/*
+ * Check if hostname is numerical.
+ * Returns -1 if hostname is numeric, 0 otherwise
+ */
+static int
+is_numeric_hostname(const char *hostname)
+{
+ struct addrinfo hints, *ai;
+
+ /*
+ * We shouldn't ever get a null host but if we do then log an error
+ * and return -1 which stops DNS key fingerprint processing.
+ */
+ if (hostname == NULL) {
+ error("is_numeric_hostname called with NULL hostname");
+ return -1;
+ }
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_socktype = SOCK_DGRAM;
+ hints.ai_flags = AI_NUMERICHOST;
+
+ if (getaddrinfo(hostname, NULL, &hints, &ai) == 0) {
+ freeaddrinfo(ai);
+ return -1;
+ }
+
+ return 0;
+}
/*
* Verify the given hostname, address and host key using DNS.
verify_host_key_dns(const char *hostname, struct sockaddr *address,
const Key *hostkey, int *flags)
{
- int counter;
+ u_int counter;
int result;
struct rrsetinfo *fingerprints = NULL;
*flags = 0;
- debug3("verify_hostkey_dns");
+ debug3("verify_host_key_dns");
if (hostkey == NULL)
fatal("No key to look up!");
+ if (is_numeric_hostname(hostname)) {
+ debug("skipped DNS lookup for numerical hostname");
+ return -1;
+ }
+
result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
DNS_RDATATYPE_SSHFP, 0, &fingerprints);
if (result) {
if (fingerprints->rri_nrdatas)
*flags |= DNS_VERIFY_FOUND;
- for (counter = 0 ; counter < fingerprints->rri_nrdatas ; counter++) {
+ for (counter = 0; counter < fingerprints->rri_nrdatas; counter++) {
/*
* Extract the key from the answer. Ignore any badly
* formatted fingerprints.
*flags |= DNS_VERIFY_MATCH;
}
}
+ xfree(dnskey_digest);
}
+ xfree(hostkey_digest); /* from key_fingerprint_raw() */
freerrset(fingerprints);
if (*flags & DNS_VERIFY_FOUND)
return 0;
}
-
/*
* Export the fingerprint of a key as a DNS resource record
*/
u_char *rdata_digest;
u_int rdata_digest_len;
- int i;
+ u_int i;
int success = 0;
if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
- &rdata_digest, &rdata_digest_len, key)) {
+ &rdata_digest, &rdata_digest_len, key)) {
if (generic)
fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname,
for (i = 0; i < rdata_digest_len; i++)
fprintf(f, "%02x", rdata_digest[i]);
fprintf(f, "\n");
+ xfree(rdata_digest); /* from key_fingerprint_raw() */
success = 1;
} else {
- error("dns_export_rr: unsupported algorithm");
+ error("export_dns_rr: unsupported algorithm");
}
return success;
andersk / openssh.git / blobdiff