svn commit: r466577 - in head/security/openssh-portable: . files

Craig Leres leres at freebsd.org
Thu Apr 12 04:28:02 UTC 2018


On 04/06/18 18:12, Craig Leres wrote:
> This version breaks sshfp support

I poked at this and the issue is that a block of code that canonicalizes 
the host supplied on the command teleported from main() to 
ssh_session2(). What the VerifyHostKeyDNS yes path now encounters is 
that the non-canonical version of the hostname is used for the SSHFP 
lookup. The base problem is that files/patch-ssh.c has not been updated 
recently and somehow manages to be applied to the wrong part of ssh.c.

Attached is an updated patch-ssh.c

		Craig
--- ssh.c.orig	2018-04-02 05:38:28 UTC
+++ ssh.c
@@ -1281,6 +1281,23 @@ main(int ac, char **av)
 	ssh_digest_free(md);
 	conn_hash_hex = tohex(conn_hash, ssh_digest_bytes(SSH_DIGEST_SHA1));
 
+	/* Find canonic host name. */
+	if (strchr(host, '.') == 0) {
+		struct addrinfo hints;
+		struct addrinfo *ai = NULL;
+		int errgai;
+		memset(&hints, 0, sizeof(hints));
+		hints.ai_family = options.address_family;
+		hints.ai_flags = AI_CANONNAME;
+		hints.ai_socktype = SOCK_STREAM;
+		errgai = getaddrinfo(host, NULL, &hints, &ai);
+		if (errgai == 0) {
+			if (ai->ai_canonname != NULL)
+				host = xstrdup(ai->ai_canonname);
+			freeaddrinfo(ai);
+		}
+	}
+
 	/*
 	 * Expand tokens in arguments. NB. LocalCommand is expanded later,
 	 * after port-forwarding is set up, so it may pick up any local
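Review bot: a getaddrinfo() failure is silently swallowed here, so when the lookup fails the non-canonical name is carried forward into the SSHFP lookup, which is exactly the symptom this message is fixing; consider at least `debug("canonical lookup for %s failed: %s", host, gai_strerror(errgai));` in an else branch so the VerifyHostKeyDNS path can be diagnosed. Two smaller points in the same block: `strchr(host, '.') == 0` compares a pointer to 0 while the next test uses `!= NULL`, so pick one form; and `host = xstrdup(ai->ai_canonname);` overwrites the previous `host` pointer without freeing it. Also worth noting for readers that `ai_canonname` is whatever the resolver returns, so the name used for the SSHFP query is only as trustworthy as that (DNSSEC-validated) resolver answer.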
