author | Colin Watson <cjwatson@debian.org> | 2014-10-07 12:13:50 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2014-10-07 12:13:50 +0100 |
commit | 487bdb3a5ef6075887b830ccb8a0b14f6da78e93 (patch) | |
tree | a2cff6fec1e6c4b4153a170a3e172cfe6bfdec46 /sshconnect.c | |
parent | 796ba4fd011b5d0d9d78d592ba2f30fc9d5ed2e7 (diff) | |
parent | 28453d58058a4d60c3ebe7d7f0c31a510cbf6158 (diff) |
Import openssh_6.7p1.orig.tar.gz
Diffstat (limited to 'sshconnect.c')
-rw-r--r-- | sshconnect.c | 69 |
1 files changed, 49 insertions, 20 deletions
diff --git a/sshconnect.c b/sshconnect.c index 573d7a8e8..ac09eae67 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshconnect.c,v 1.246 2014/02/06 22:21:01 djm Exp $ */ | 1 | /* $OpenBSD: sshconnect.c,v 1.251 2014/07/15 15:54:14 millert Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -54,9 +54,9 @@ | |||
54 | #include "sshconnect.h" | 54 | #include "sshconnect.h" |
55 | #include "hostfile.h" | 55 | #include "hostfile.h" |
56 | #include "log.h" | 56 | #include "log.h" |
57 | #include "misc.h" | ||
57 | #include "readconf.h" | 58 | #include "readconf.h" |
58 | #include "atomicio.h" | 59 | #include "atomicio.h" |
59 | #include "misc.h" | ||
60 | #include "dns.h" | 60 | #include "dns.h" |
61 | #include "roaming.h" | 61 | #include "roaming.h" |
62 | #include "monitor_fdpass.h" | 62 | #include "monitor_fdpass.h" |
@@ -65,6 +65,7 @@ | |||
65 | 65 | ||
66 | char *client_version_string = NULL; | 66 | char *client_version_string = NULL; |
67 | char *server_version_string = NULL; | 67 | char *server_version_string = NULL; |
68 | Key *previous_host_key = NULL; | ||
68 | 69 | ||
69 | static int matching_host_key_dns = 0; | 70 | static int matching_host_key_dns = 0; |
70 | 71 | ||
@@ -709,7 +710,7 @@ check_host_cert(const char *host, const Key *host_key) | |||
709 | error("%s", reason); | 710 | error("%s", reason); |
710 | return 0; | 711 | return 0; |
711 | } | 712 | } |
712 | if (buffer_len(&host_key->cert->critical) != 0) { | 713 | if (buffer_len(host_key->cert->critical) != 0) { |
713 | error("Certificate for %s contains unsupported " | 714 | error("Certificate for %s contains unsupported " |
714 | "critical options(s)", host); | 715 | "critical options(s)", host); |
715 | return 0; | 716 | return 0; |
@@ -1217,36 +1218,60 @@ fail: | |||
1217 | int | 1218 | int |
1218 | verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) | 1219 | verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) |
1219 | { | 1220 | { |
1220 | int flags = 0; | 1221 | int r = -1, flags = 0; |
1221 | char *fp; | 1222 | char *fp; |
1223 | Key *plain = NULL; | ||
1222 | 1224 | ||
1223 | fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); | 1225 | fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); |
1224 | debug("Server host key: %s %s", key_type(host_key), fp); | 1226 | debug("Server host key: %s %s", key_type(host_key), fp); |
1225 | free(fp); | 1227 | free(fp); |
1226 | 1228 | ||
1227 | /* XXX certs are not yet supported for DNS */ | 1229 | if (key_equal(previous_host_key, host_key)) { |
1228 | if (!key_is_cert(host_key) && options.verify_host_key_dns && | 1230 | debug("%s: server host key matches cached key", __func__); |
1229 | verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) { | 1231 | return 0; |
1230 | if (flags & DNS_VERIFY_FOUND) { | 1232 | } |
1231 | |||
1232 | if (options.verify_host_key_dns == 1 && | ||
1233 | flags & DNS_VERIFY_MATCH && | ||
1234 | flags & DNS_VERIFY_SECURE) | ||
1235 | return 0; | ||
1236 | 1233 | ||
1237 | if (flags & DNS_VERIFY_MATCH) { | 1234 | if (options.verify_host_key_dns) { |
1238 | matching_host_key_dns = 1; | 1235 | /* |
1239 | } else { | 1236 | * XXX certs are not yet supported for DNS, so downgrade |
1240 | warn_changed_key(host_key); | 1237 | * them and try the plain key. |
1241 | error("Update the SSHFP RR in DNS with the new " | 1238 | */ |
1242 | "host key to get rid of this message."); | 1239 | plain = key_from_private(host_key); |
1240 | if (key_is_cert(plain)) | ||
1241 | key_drop_cert(plain); | ||
1242 | if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) { | ||
1243 | if (flags & DNS_VERIFY_FOUND) { | ||
1244 | if (options.verify_host_key_dns == 1 && | ||
1245 | flags & DNS_VERIFY_MATCH && | ||
1246 | flags & DNS_VERIFY_SECURE) { | ||
1247 | key_free(plain); | ||
1248 | r = 0; | ||
1249 | goto done; | ||
1250 | } | ||
1251 | if (flags & DNS_VERIFY_MATCH) { | ||
1252 | matching_host_key_dns = 1; | ||
1253 | } else { | ||
1254 | warn_changed_key(plain); | ||
1255 | error("Update the SSHFP RR in DNS " | ||
1256 | "with the new host key to get rid " | ||
1257 | "of this message."); | ||
1258 | } | ||
1243 | } | 1259 | } |
1244 | } | 1260 | } |
1261 | key_free(plain); | ||
1245 | } | 1262 | } |
1246 | 1263 | ||
1247 | return check_host_key(host, hostaddr, options.port, host_key, RDRW, | 1264 | r = check_host_key(host, hostaddr, options.port, host_key, RDRW, |
1248 | options.user_hostfiles, options.num_user_hostfiles, | 1265 | options.user_hostfiles, options.num_user_hostfiles, |
1249 | options.system_hostfiles, options.num_system_hostfiles); | 1266 | options.system_hostfiles, options.num_system_hostfiles); |
1267 | |||
1268 | done: | ||
1269 | if (r == 0 && host_key != NULL) { | ||
1270 | key_free(previous_host_key); | ||
1271 | previous_host_key = key_from_private(host_key); | ||
1272 | } | ||
1273 | |||
1274 | return r; | ||
1250 | } | 1275 | } |
1251 | 1276 | ||
1252 | /* | 1277 | /* |
@@ -1282,8 +1307,12 @@ ssh_login(Sensitive *sensitive, const char *orighost, | |||
1282 | ssh_kex2(host, hostaddr, port); | 1307 | ssh_kex2(host, hostaddr, port); |
1283 | ssh_userauth2(local_user, server_user, host, sensitive); | 1308 | ssh_userauth2(local_user, server_user, host, sensitive); |
1284 | } else { | 1309 | } else { |
1310 | #ifdef WITH_SSH1 | ||
1285 | ssh_kex(host, hostaddr); | 1311 | ssh_kex(host, hostaddr); |
1286 | ssh_userauth1(local_user, server_user, host, sensitive); | 1312 | ssh_userauth1(local_user, server_user, host, sensitive); |
1313 | #else | ||
1314 | fatal("ssh1 is not unsupported"); | ||
1315 | #endif | ||
1287 | } | 1316 | } |
1288 | free(local_user); | 1317 | free(local_user); |
1289 | } | 1318 | } |
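Review bot: The new `fatal()` call in the `#else` branch of ssh_login reads `"ssh1 is not unsupported"`, a double negative that says the opposite of what it means; change it to `fatal("ssh1 is not supported");`. In the verify_host_key hunk, the new early `return 0` when `key_equal(previous_host_key, host_key)` holds skips both the DNS lookup and check_host_key for any key accepted earlier in this process, and nothing in the hunk documents that; I'd add above the new `previous_host_key` global: `/* Host key accepted by the last successful verify_host_key(); a later call presenting the same key returns 0 without re-checking DNS or known_hosts. */` (presumably this exists for rekeying — confirm). The `host_key != NULL` guard at `done:` also looks unreachable, since `key_fingerprint(host_key, ...)`, `key_equal()` and `key_from_private(host_key)` have already been given the pointer by then; either drop the guard or move a NULL check ahead of the fingerprint call so the function has one consistent contract. ssh_login's body starts outside the hunk.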