[Ttssh2-commit] [4559] SSHFP 検証の結果を Security Warning ダイアログに表示するようにした。メッセージは暫定。

svnno****@sourc***** svnno****@sourc*****
2011年 8月 1日 (月) 16:21:58 JST


Revision: 4559
          http://sourceforge.jp/projects/ttssh2/svn/view?view=rev&revision=4559
Author:   doda
Date:     2011-08-01 16:21:58 +0900 (Mon, 01 Aug 2011)

Log Message:
-----------
SSHFP 検証の結果を Security Warning ダイアログに表示するようにした。メッセージは暫定。

Modified Paths:
--------------
    trunk/ttssh2/ttxssh/hosts.c
    trunk/ttssh2/ttxssh/resource.h
    trunk/ttssh2/ttxssh/ttxssh.h
    trunk/ttssh2/ttxssh/ttxssh.rc


-------------- next part --------------
Modified: trunk/ttssh2/ttxssh/hosts.c
===================================================================
--- trunk/ttssh2/ttxssh/hosts.c	2011-07-31 15:20:40 UTC (rev 4558)
+++ trunk/ttssh2/ttxssh/hosts.c	2011-08-01 07:21:58 UTC (rev 4559)
@@ -53,6 +53,23 @@
 
 #include <windns.h>
 
+#define DNS_TYPE_SSHFP	44
+typedef struct {
+	BYTE Algorithm;
+	BYTE DigestType;
+	BYTE Digest[1];
+} DNS_SSHFP_DATA, *PDNS_SSHFP_DATA;
+enum verifydns_result {
+	DNS_VERIFY_NONE,
+	DNS_VERIFY_NOTFOUND,
+	DNS_VERIFY_MATCH,
+	DNS_VERIFY_MISMATCH,
+	DNS_VERIFY_DIFFERENTTYPE,
+	DNS_VERIFY_AUTH_MATCH,
+	DNS_VERIFY_AUTH_MISMATCH,
+	DNS_VERIFY_AUTH_DIFFERENTTYPE
+};
+
 static HFONT DlgHostsAddFont;
 static HFONT DlgHostsReplaceFont;
 
@@ -1309,6 +1326,43 @@
 		UTIL_get_lang_msg("BTN_DISCONNECT", pvar, uimsg);
 		SetDlgItemText(dlg, IDCANCEL, pvar->ts->UIMsg);
 
+		switch (pvar->dns_key_check) {
+		case DNS_VERIFY_NOTFOUND:
+			UTIL_get_lang_msg("DLG_HOSTKEY_SSHFP_NOTFOUND", pvar, "SSHFP RR not found.");
+			SetDlgItemText(dlg, IDC_HOSTSSHFPCHECK, pvar->ts->UIMsg);
+			break;
+		case DNS_VERIFY_MATCH:
+		case DNS_VERIFY_AUTH_MATCH:
+			UTIL_get_lang_msg("DLG_HOSTKEY_SSHFP_MATCH", pvar, "SSHFP RR found and match.");
+			SetDlgItemText(dlg, IDC_HOSTSSHFPCHECK, pvar->ts->UIMsg);
+			break;
+		case DNS_VERIFY_MISMATCH:
+		case DNS_VERIFY_AUTH_MISMATCH:
+			UTIL_get_lang_msg("DLG_HOSTKEY_SSHFP_MISMATCH", pvar, "SSHFP RR found but not match.");
+			SetDlgItemText(dlg, IDC_HOSTSSHFPCHECK, pvar->ts->UIMsg);
+			break;
+		case DNS_VERIFY_DIFFERENTTYPE:
+		case DNS_VERIFY_AUTH_DIFFERENTTYPE:
+			UTIL_get_lang_msg("DLG_HOSTKEY_SSHFP_DIFFTYPE", pvar, "SSHFP RR found but different type.");
+			SetDlgItemText(dlg, IDC_HOSTSSHFPCHECK, pvar->ts->UIMsg);
+			break;
+		}
+
+		switch (pvar->dns_key_check) {
+		case DNS_VERIFY_MATCH:
+		case DNS_VERIFY_MISMATCH:
+		case DNS_VERIFY_DIFFERENTTYPE:
+			UTIL_get_lang_msg("DLG_HOSTKEY_DNSSEC_NG", pvar, "SSHFP RR is *not* authenticated by DNSSEC.");
+			SetDlgItemText(dlg, IDC_HOSTSSHFPDNSSEC, pvar->ts->UIMsg);
+			break;
+		case DNS_VERIFY_AUTH_MATCH:
+		case DNS_VERIFY_AUTH_MISMATCH:
+		case DNS_VERIFY_AUTH_DIFFERENTTYPE:
+			UTIL_get_lang_msg("DLG_HOSTKEY_DNSSEC_OK", pvar, "SSHFP RR is authenticated by DNSSEC.");
+			SetDlgItemText(dlg, IDC_HOSTSSHFPDNSSEC, pvar->ts->UIMsg);
+			break;
+		}
+
 		init_hosts_dlg(pvar, dlg);
 
 		font = (HFONT)SendMessage(dlg, WM_GETFONT, 0, 0);
@@ -1416,6 +1470,43 @@
 		UTIL_get_lang_msg("BTN_DISCONNECT", pvar, uimsg);
 		SetDlgItemText(dlg, IDCANCEL, pvar->ts->UIMsg);
 
+		switch (pvar->dns_key_check) {
+		case DNS_VERIFY_NOTFOUND:
+			UTIL_get_lang_msg("DLG_HOSTKEY_SSHFP_NOTFOUND", pvar, "SSHFP RR not found.");
+			SetDlgItemText(dlg, IDC_HOSTSSHFPCHECK, pvar->ts->UIMsg);
+			break;
+		case DNS_VERIFY_MATCH:
+		case DNS_VERIFY_AUTH_MATCH:
+			UTIL_get_lang_msg("DLG_HOSTKEY_SSHFP_MATCH", pvar, "SSHFP RR found and match.");
+			SetDlgItemText(dlg, IDC_HOSTSSHFPCHECK, pvar->ts->UIMsg);
+			break;
+		case DNS_VERIFY_MISMATCH:
+		case DNS_VERIFY_AUTH_MISMATCH:
+			UTIL_get_lang_msg("DLG_HOSTKEY_SSHFP_MISMATCH", pvar, "SSHFP RR found but not match.");
+			SetDlgItemText(dlg, IDC_HOSTSSHFPCHECK, pvar->ts->UIMsg);
+			break;
+		case DNS_VERIFY_DIFFERENTTYPE:
+		case DNS_VERIFY_AUTH_DIFFERENTTYPE:
+			UTIL_get_lang_msg("DLG_HOSTKEY_SSHFP_DIFFTYPE", pvar, "SSHFP RR found but different type.");
+			SetDlgItemText(dlg, IDC_HOSTSSHFPCHECK, pvar->ts->UIMsg);
+			break;
+		}
+
+		switch (pvar->dns_key_check) {
+		case DNS_VERIFY_MATCH:
+		case DNS_VERIFY_MISMATCH:
+		case DNS_VERIFY_DIFFERENTTYPE:
+			UTIL_get_lang_msg("DLG_HOSTKEY_DNSSEC_NG", pvar, "SSHFP RR is *not* authenticated by DNSSEC.");
+			SetDlgItemText(dlg, IDC_HOSTSSHFPDNSSEC, pvar->ts->UIMsg);
+			break;
+		case DNS_VERIFY_AUTH_MATCH:
+		case DNS_VERIFY_AUTH_MISMATCH:
+		case DNS_VERIFY_AUTH_DIFFERENTTYPE:
+			UTIL_get_lang_msg("DLG_HOSTKEY_DNSSEC_OK", pvar, "SSHFP RR is authenticated by DNSSEC.");
+			SetDlgItemText(dlg, IDC_HOSTSSHFPDNSSEC, pvar->ts->UIMsg);
+			break;
+		}
+
 		init_hosts_dlg(pvar, dlg);
 
 		font = (HFONT)SendMessage(dlg, WM_GETFONT, 0, 0);
@@ -1521,6 +1612,43 @@
 		UTIL_get_lang_msg("BTN_DISCONNECT", pvar, uimsg);
 		SetDlgItemText(dlg, IDCANCEL, pvar->ts->UIMsg);
 
+		switch (pvar->dns_key_check) {
+		case DNS_VERIFY_NOTFOUND:
+			UTIL_get_lang_msg("DLG_HOSTKEY_SSHFP_NOTFOUND", pvar, "SSHFP RR not found.");
+			SetDlgItemText(dlg, IDC_HOSTSSHFPCHECK, pvar->ts->UIMsg);
+			break;
+		case DNS_VERIFY_MATCH:
+		case DNS_VERIFY_AUTH_MATCH:
+			UTIL_get_lang_msg("DLG_HOSTKEY_SSHFP_MATCH", pvar, "SSHFP RR found and match.");
+			SetDlgItemText(dlg, IDC_HOSTSSHFPCHECK, pvar->ts->UIMsg);
+			break;
+		case DNS_VERIFY_MISMATCH:
+		case DNS_VERIFY_AUTH_MISMATCH:
+			UTIL_get_lang_msg("DLG_HOSTKEY_SSHFP_MISMATCH", pvar, "SSHFP RR found but not match.");
+			SetDlgItemText(dlg, IDC_HOSTSSHFPCHECK, pvar->ts->UIMsg);
+			break;
+		case DNS_VERIFY_DIFFERENTTYPE:
+		case DNS_VERIFY_AUTH_DIFFERENTTYPE:
+			UTIL_get_lang_msg("DLG_HOSTKEY_SSHFP_DIFFTYPE", pvar, "SSHFP RR found but different type.");
+			SetDlgItemText(dlg, IDC_HOSTSSHFPCHECK, pvar->ts->UIMsg);
+			break;
+		}
+
+		switch (pvar->dns_key_check) {
+		case DNS_VERIFY_MATCH:
+		case DNS_VERIFY_MISMATCH:
+		case DNS_VERIFY_DIFFERENTTYPE:
+			UTIL_get_lang_msg("DLG_HOSTKEY_DNSSEC_NG", pvar, "SSHFP RR is *not* authenticated by DNSSEC.");
+			SetDlgItemText(dlg, IDC_HOSTSSHFPDNSSEC, pvar->ts->UIMsg);
+			break;
+		case DNS_VERIFY_AUTH_MATCH:
+		case DNS_VERIFY_AUTH_MISMATCH:
+		case DNS_VERIFY_AUTH_DIFFERENTTYPE:
+			UTIL_get_lang_msg("DLG_HOSTKEY_DNSSEC_OK", pvar, "SSHFP RR is authenticated by DNSSEC.");
+			SetDlgItemText(dlg, IDC_HOSTSSHFPDNSSEC, pvar->ts->UIMsg);
+			break;
+		}
+
 		init_hosts_dlg(pvar, dlg);
 
 		font = (HFONT)SendMessage(dlg, WM_GETFONT, 0, 0);
@@ -1641,22 +1769,6 @@
 	return 0;
 }
 
-#define DNS_TYPE_SSHFP	44
-typedef struct {
-	BYTE Algorithm;
-	BYTE DigestType;
-	BYTE Digest[1];
-} DNS_SSHFP_DATA, *PDNS_SSHFP_DATA;
-enum verifydns_result {
-	DNS_VERIFY_NONE,
-	DNS_VERIFY_MATCH,
-	DNS_VERIFY_MISMATCH,
-	DNS_VERIFY_DIFFERENTTYPE,
-	DNS_VERIFY_AUTH_MATCH,
-	DNS_VERIFY_AUTH_MISMATCH,
-	DNS_VERIFY_AUTH_DIFFERENTTYPE
-};
-
 int verify_hostkey_dns(char FAR *hostname, Key *key)
 {
 	DNS_STATUS status;
@@ -1664,7 +1776,7 @@
 	PDNS_SSHFP_DATA t;
 	int hostkey_alg, hostkey_dtype, hostkey_dlen;
 	BYTE *hostkey_digest;
-	int found = DNS_VERIFY_NONE;
+	int found = DNS_VERIFY_NOTFOUND;
 
 	switch (key->type) {
 	case KEY_RSA:
@@ -1728,8 +1840,10 @@
 //
 BOOL HOSTS_check_host_key(PTInstVar pvar, char FAR * hostname, unsigned short tcpport, Key *key)
 {
-	int found_different_key = 0, found_different_type_key = 0, dns_sshfp_check = 0;
+	int found_different_key = 0, found_different_type_key = 0;
 
+	pvar->dns_key_check = DNS_VERIFY_NONE;
+
 	// ‚·‚Å‚É known_hosts ƒtƒ@ƒCƒ‹‚©‚çƒzƒXƒgŒöŠJŒ®‚ð“ǂݍž‚ñ‚Å‚¢‚é‚È‚çA‚»‚ê‚Æ”äŠr‚·‚éB
 	if (pvar->hosts_state.prefetched_hostname != NULL
 	 && _stricmp(pvar->hosts_state.prefetched_hostname, hostname) == 0
@@ -1806,7 +1920,7 @@
 	}
 
 	if (pvar->settings.VerifyHostKeyDNS && !is_numeric_hostname(hostname)) {
-		dns_sshfp_check = verify_hostkey_dns(hostname, key);
+		pvar->dns_key_check = verify_hostkey_dns(hostname, key);
 	}
 
 	// known_hostsƒ_ƒCƒAƒƒO‚Í“¯Šú“I‚É•\Ž¦‚³‚¹A‚±‚ÌŽž“_‚É‚¨‚¢‚ㆁ[ƒU‚ÉŠm”F

Modified: trunk/ttssh2/ttxssh/resource.h
===================================================================
--- trunk/ttssh2/ttxssh/resource.h	2011-07-31 15:20:40 UTC (rev 4558)
+++ trunk/ttssh2/ttxssh/resource.h	2011-08-01 07:21:58 UTC (rev 4559)
@@ -178,6 +178,8 @@
 #define IDC_KEYGEN_PROGRESS_LABEL       1107
 #define IDC_PROGBAR                     1108
 #define IDC_PROGTIME                    1109
+#define IDC_HOSTSSHFPCHECK              1110
+#define IDC_HOSTSSHFPDNSSEC             1111
 #define IDC_SSHUSEPASSWORD              1201
 #define IDC_SSHUSERSA                   1202
 #define IDC_SSHFWDREMOTETOLOCAL         1202

Modified: trunk/ttssh2/ttxssh/ttxssh.h
===================================================================
--- trunk/ttssh2/ttxssh/ttxssh.h	2011-07-31 15:20:40 UTC (rev 4558)
+++ trunk/ttssh2/ttxssh/ttxssh.h	2011-08-01 07:21:58 UTC (rev 4559)
@@ -273,6 +273,8 @@
 	BOOL nocheck_known_hosts;
 
 	EC_KEY *ecdh_client_key;
+
+	int dns_key_check;
 } TInstVar;
 
 #define LOG_LEVEL_FATAL      5

Modified: trunk/ttssh2/ttxssh/ttxssh.rc
===================================================================
--- trunk/ttssh2/ttxssh/ttxssh.rc	2011-07-31 15:20:40 UTC (rev 4558)
+++ trunk/ttssh2/ttxssh/ttxssh.rc	2011-08-01 07:21:58 UTC (rev 4559)
@@ -184,36 +184,40 @@
     PUSHBUTTON      "Cancel",IDCANCEL,118,252,50,14
 END
 
-IDD_SSHUNKNOWNHOST DIALOGEX 0, 0, 215, 242
+IDD_SSHUNKNOWNHOST DIALOGEX 0, 0, 215, 266
 STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU
 CAPTION "SECURITY WARNING"
 FONT 8, "Tahoma", 0, 0, 0x0
 BEGIN
     LTEXT           "There is no entry for the server ""#####################################"" in your list of known hosts. The machine you have contacted may be a hostile machine pretending to be the server.",IDC_HOSTWARNING,15,7,184,41
     LTEXT           "If you choose to add this machine to the known hosts list and continue, then you will not receive this warning again.",IDC_HOSTWARNING2,15,48,184,26
-    LTEXT           "The server's host key fingerprint is:",IDC_HOSTFINGERPRINT,15,75,176,8
-    EDITTEXT        IDC_FINGER_PRINT,15,86,179,12,ES_AUTOHSCROLL | ES_READONLY
-    EDITTEXT        IDC_FP_RANDOMART,14,105,181,97,ES_MULTILINE | ES_AUTOHSCROLL | ES_READONLY | WS_VSCROLL
+    LTEXT           "",IDC_HOSTSSHFPCHECK,15,72,184,16
+    LTEXT           "",IDC_HOSTSSHFPDNSSEC,15,88,184,8
+    LTEXT           "The server's host key fingerprint is:",IDC_HOSTFINGERPRINT,15,99,176,8
+    EDITTEXT        IDC_FINGER_PRINT,15,110,179,12,ES_AUTOHSCROLL | ES_READONLY
+    EDITTEXT        IDC_FP_RANDOMART,14,129,181,97,ES_MULTILINE | ES_AUTOHSCROLL | ES_READONLY | WS_VSCROLL
     CONTROL         "&Add this machine and its key to the known hosts list",IDC_ADDTOKNOWNHOSTS,
-                    "Button",BS_AUTOCHECKBOX | WS_GROUP | WS_TABSTOP,19,207,181,13
-    DEFPUSHBUTTON   "&Continue",IDC_CONTINUE,50,222,50,14,WS_GROUP
-    PUSHBUTTON      "&Disconnect",IDCANCEL,115,222,50,14,WS_GROUP
+                    "Button",BS_AUTOCHECKBOX | WS_GROUP | WS_TABSTOP,19,231,181,13
+    DEFPUSHBUTTON   "&Continue",IDC_CONTINUE,50,246,50,14,WS_GROUP
+    PUSHBUTTON      "&Disconnect",IDCANCEL,115,246,50,14,WS_GROUP
 END
 
-IDD_SSHDIFFERENTKEY DIALOGEX 0, 0, 215, 242
+IDD_SSHDIFFERENTKEY DIALOGEX 0, 0, 215, 266
 STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU
 CAPTION "SECURITY WARNING"
 FONT 8, "Tahoma", 0, 0, 0x0
 BEGIN
     LTEXT           "Your known hosts list has an entry for the server ""####################################"", but the machine you have contacted has presented a DIFFERENT KEY to the one in your known hosts list. A hostile machine may be pretending to be the server.",IDC_HOSTWARNING,15,7,184,43
     LTEXT           "If you choose to add this new key to the known hosts list and continue, then you will not receive this warning again.",IDC_HOSTWARNING2,15,48,184,24
-    LTEXT           "The server's host key fingerprint is:",IDC_HOSTFINGERPRINT,15,75,176,8
-    EDITTEXT        IDC_FINGER_PRINT,15,86,179,12,ES_AUTOHSCROLL | ES_READONLY
-    EDITTEXT        IDC_FP_RANDOMART,14,105,181,97,ES_MULTILINE | ES_AUTOHSCROLL | ES_READONLY | WS_VSCROLL
+    LTEXT           "",IDC_HOSTSSHFPCHECK,15,72,184,16
+    LTEXT           "",IDC_HOSTSSHFPDNSSEC,15,88,184,8
+    LTEXT           "The server's host key fingerprint is:",IDC_HOSTFINGERPRINT,15,99,176,8
+    EDITTEXT        IDC_FINGER_PRINT,15,110,179,12,ES_AUTOHSCROLL | ES_READONLY
+    EDITTEXT        IDC_FP_RANDOMART,14,129,181,97,ES_MULTILINE | ES_AUTOHSCROLL | ES_READONLY | WS_VSCROLL
     CONTROL         "&Replace the exist key with this new key",IDC_ADDTOKNOWNHOSTS,
-                    "Button",BS_AUTOCHECKBOX | WS_GROUP | WS_TABSTOP,34,207,153,13
-    PUSHBUTTON      "&Continue",IDC_CONTINUE,50,222,50,14,WS_GROUP
-    DEFPUSHBUTTON   "&Disconnect",IDCANCEL,115,222,50,14,WS_GROUP
+                    "Button",BS_AUTOCHECKBOX | WS_GROUP | WS_TABSTOP,34,231,153,13
+    PUSHBUTTON      "&Continue",IDC_CONTINUE,50,246,50,14,WS_GROUP
+    DEFPUSHBUTTON   "&Disconnect",IDCANCEL,115,246,50,14,WS_GROUP
 END
 
 IDD_SSHAUTHSETUP DIALOGEX 0, 0, 309, 228
@@ -383,20 +387,22 @@
     EDITTEXT        IDC_CONFIRM_PASSWD,67,56,99,14,ES_PASSWORD | ES_AUTOHSCROLL
 END
 
-IDD_SSHDIFFERENTTYPEKEY DIALOGEX 0, 0, 215, 242
+IDD_SSHDIFFERENTTYPEKEY DIALOGEX 0, 0, 215, 266
 STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU
 CAPTION "SECURITY WARNING"
 FONT 8, "Tahoma", 0, 0, 0x0
 BEGIN
     LTEXT           "Your known hosts list has an entry for the server ""####################################"", but the machine you have contacted has presented a DIFFERENT TYPE KEY to the one in your known hosts list. A hostile machine may be pretending to be the server.",IDC_HOSTWARNING,15,7,184,43
     LTEXT           "If you choose to add this new key to the known hosts list and continue, then you will not receive this warning again.",IDC_HOSTWARNING2,15,48,184,24
-    LTEXT           "The server's host key fingerprint is:",IDC_HOSTFINGERPRINT,15,75,176,8
-    EDITTEXT        IDC_FINGER_PRINT,15,86,179,12,ES_AUTOHSCROLL | ES_READONLY
-    EDITTEXT        IDC_FP_RANDOMART,14,105,181,97,ES_MULTILINE | ES_AUTOHSCROLL | ES_READONLY | WS_VSCROLL
+    LTEXT           "",IDC_HOSTSSHFPCHECK,15,72,184,16
+    LTEXT           "",IDC_HOSTSSHFPDNSSEC,15,88,184,8
+    LTEXT           "The server's host key fingerprint is:",IDC_HOSTFINGERPRINT,15,99,176,8
+    EDITTEXT        IDC_FINGER_PRINT,15,110,179,12,ES_AUTOHSCROLL | ES_READONLY
+    EDITTEXT        IDC_FP_RANDOMART,14,129,181,97,ES_MULTILINE | ES_AUTOHSCROLL | ES_READONLY | WS_VSCROLL
     CONTROL         "&Add this machine and its key to the known hosts list",IDC_ADDTOKNOWNHOSTS,
-                    "Button",BS_AUTOCHECKBOX | WS_GROUP | WS_TABSTOP,19,207,181,13
-    DEFPUSHBUTTON   "&Continue",IDC_CONTINUE,50,222,50,14,WS_GROUP
-    PUSHBUTTON      "&Disconnect",IDCANCEL,115,222,50,14,WS_GROUP
+                    "Button",BS_AUTOCHECKBOX | WS_GROUP | WS_TABSTOP,19,231,181,13
+    DEFPUSHBUTTON   "&Continue",IDC_CONTINUE,50,246,50,14,WS_GROUP
+    PUSHBUTTON      "&Disconnect",IDCANCEL,115,246,50,14,WS_GROUP
 END
 
 



Ttssh2-commit メーリングリストの案内