diff options
| author | Colin Watson <cjwatson@debian.org> | 2016-02-29 12:15:15 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2016-02-29 12:15:15 +0000 |
| commit | c52a95cc4754e6630c96fe65ae0c65eb41d2c590 (patch) | |
| tree | 793395934013923b7b2426382c0676edcd4be3d4 /sshconnect.c | |
| parent | eeff4de96f5d7365750dc56912c2c62b5c28db6b (diff) | |
| parent | 72b061d4ba0f909501c595d709ea76e06b01e5c9 (diff) | |
Import openssh_7.2p1.orig.tar.gz
Diffstat (limited to 'sshconnect.c')
| -rw-r--r-- | sshconnect.c | 75 |
1 files changed, 65 insertions, 10 deletions
diff --git a/sshconnect.c b/sshconnect.c index 17fbe39b0..356ec79f0 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshconnect.c,v 1.263 2015/08/20 22:32:42 deraadt Exp $ */ | 1 | /* $OpenBSD: sshconnect.c,v 1.271 2016/01/14 22:56:56 markus Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -59,12 +59,12 @@ | |||
| 59 | #include "readconf.h" | 59 | #include "readconf.h" |
| 60 | #include "atomicio.h" | 60 | #include "atomicio.h" |
| 61 | #include "dns.h" | 61 | #include "dns.h" |
| 62 | #include "roaming.h" | ||
| 63 | #include "monitor_fdpass.h" | 62 | #include "monitor_fdpass.h" |
| 64 | #include "ssh2.h" | 63 | #include "ssh2.h" |
| 65 | #include "version.h" | 64 | #include "version.h" |
| 66 | #include "authfile.h" | 65 | #include "authfile.h" |
| 67 | #include "ssherr.h" | 66 | #include "ssherr.h" |
| 67 | #include "authfd.h" | ||
| 68 | 68 | ||
| 69 | char *client_version_string = NULL; | 69 | char *client_version_string = NULL; |
| 70 | char *server_version_string = NULL; | 70 | char *server_version_string = NULL; |
| @@ -167,6 +167,7 @@ ssh_proxy_fdpass_connect(const char *host, u_short port, | |||
| 167 | 167 | ||
| 168 | if ((sock = mm_receive_fd(sp[1])) == -1) | 168 | if ((sock = mm_receive_fd(sp[1])) == -1) |
| 169 | fatal("proxy dialer did not pass back a connection"); | 169 | fatal("proxy dialer did not pass back a connection"); |
| 170 | close(sp[1]); | ||
| 170 | 171 | ||
| 171 | while (waitpid(pid, NULL, 0) == -1) | 172 | while (waitpid(pid, NULL, 0) == -1) |
| 172 | if (errno != EINTR) | 173 | if (errno != EINTR) |
| @@ -432,7 +433,9 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop, | |||
| 432 | char ntop[NI_MAXHOST], strport[NI_MAXSERV]; | 433 | char ntop[NI_MAXHOST], strport[NI_MAXSERV]; |
| 433 | struct addrinfo *ai; | 434 | struct addrinfo *ai; |
| 434 | 435 | ||
| 435 | debug2("ssh_connect: needpriv %d", needpriv); | 436 | debug2("%s: needpriv %d", __func__, needpriv); |
| 437 | memset(ntop, 0, sizeof(ntop)); | ||
| 438 | memset(strport, 0, sizeof(strport)); | ||
| 436 | 439 | ||
| 437 | for (attempt = 0; attempt < connection_attempts; attempt++) { | 440 | for (attempt = 0; attempt < connection_attempts; attempt++) { |
| 438 | if (attempt > 0) { | 441 | if (attempt > 0) { |
| @@ -451,7 +454,7 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop, | |||
| 451 | if (getnameinfo(ai->ai_addr, ai->ai_addrlen, | 454 | if (getnameinfo(ai->ai_addr, ai->ai_addrlen, |
| 452 | ntop, sizeof(ntop), strport, sizeof(strport), | 455 | ntop, sizeof(ntop), strport, sizeof(strport), |
| 453 | NI_NUMERICHOST|NI_NUMERICSERV) != 0) { | 456 | NI_NUMERICHOST|NI_NUMERICSERV) != 0) { |
| 454 | error("ssh_connect: getnameinfo failed"); | 457 | error("%s: getnameinfo failed", __func__); |
| 455 | continue; | 458 | continue; |
| 456 | } | 459 | } |
| 457 | debug("Connecting to %.200s [%.100s] port %s.", | 460 | debug("Connecting to %.200s [%.100s] port %s.", |
| @@ -529,7 +532,7 @@ send_client_banner(int connection_out, int minor1) | |||
| 529 | xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", | 532 | xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", |
| 530 | PROTOCOL_MAJOR_1, minor1, SSH_VERSION); | 533 | PROTOCOL_MAJOR_1, minor1, SSH_VERSION); |
| 531 | } | 534 | } |
| 532 | if (roaming_atomicio(vwrite, connection_out, client_version_string, | 535 | if (atomicio(vwrite, connection_out, client_version_string, |
| 533 | strlen(client_version_string)) != strlen(client_version_string)) | 536 | strlen(client_version_string)) != strlen(client_version_string)) |
| 534 | fatal("write: %.100s", strerror(errno)); | 537 | fatal("write: %.100s", strerror(errno)); |
| 535 | chop(client_version_string); | 538 | chop(client_version_string); |
| @@ -589,7 +592,7 @@ ssh_exchange_identification(int timeout_ms) | |||
| 589 | } | 592 | } |
| 590 | } | 593 | } |
| 591 | 594 | ||
| 592 | len = roaming_atomicio(read, connection_in, &buf[i], 1); | 595 | len = atomicio(read, connection_in, &buf[i], 1); |
| 593 | 596 | ||
| 594 | if (len != 1 && errno == EPIPE) | 597 | if (len != 1 && errno == EPIPE) |
| 595 | fatal("ssh_exchange_identification: " | 598 | fatal("ssh_exchange_identification: " |
| @@ -925,7 +928,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | |||
| 925 | options.fingerprint_hash, SSH_FP_RANDOMART); | 928 | options.fingerprint_hash, SSH_FP_RANDOMART); |
| 926 | if (fp == NULL || ra == NULL) | 929 | if (fp == NULL || ra == NULL) |
| 927 | fatal("%s: sshkey_fingerprint fail", __func__); | 930 | fatal("%s: sshkey_fingerprint fail", __func__); |
| 928 | logit("Host key fingerprint is %s\n%s\n", fp, ra); | 931 | logit("Host key fingerprint is %s\n%s", fp, ra); |
| 929 | free(ra); | 932 | free(ra); |
| 930 | free(fp); | 933 | free(fp); |
| 931 | } | 934 | } |
| @@ -1236,8 +1239,9 @@ fail: | |||
| 1236 | int | 1239 | int |
| 1237 | verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) | 1240 | verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) |
| 1238 | { | 1241 | { |
| 1242 | u_int i; | ||
| 1239 | int r = -1, flags = 0; | 1243 | int r = -1, flags = 0; |
| 1240 | char *fp = NULL; | 1244 | char valid[64], *fp = NULL, *cafp = NULL; |
| 1241 | struct sshkey *plain = NULL; | 1245 | struct sshkey *plain = NULL; |
| 1242 | 1246 | ||
| 1243 | if ((fp = sshkey_fingerprint(host_key, | 1247 | if ((fp = sshkey_fingerprint(host_key, |
| @@ -1247,8 +1251,31 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) | |||
| 1247 | goto out; | 1251 | goto out; |
| 1248 | } | 1252 | } |
| 1249 | 1253 | ||
| 1250 | debug("Server host key: %s %s", | 1254 | if (sshkey_is_cert(host_key)) { |
| 1251 | compat20 ? sshkey_ssh_name(host_key) : sshkey_type(host_key), fp); | 1255 | if ((cafp = sshkey_fingerprint(host_key->cert->signature_key, |
| 1256 | options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) { | ||
| 1257 | error("%s: fingerprint CA key: %s", | ||
| 1258 | __func__, ssh_err(r)); | ||
| 1259 | r = -1; | ||
| 1260 | goto out; | ||
| 1261 | } | ||
| 1262 | sshkey_format_cert_validity(host_key->cert, | ||
| 1263 | valid, sizeof(valid)); | ||
| 1264 | debug("Server host certificate: %s %s, serial %llu " | ||
| 1265 | "ID \"%s\" CA %s %s valid %s", | ||
| 1266 | sshkey_ssh_name(host_key), fp, | ||
| 1267 | (unsigned long long)host_key->cert->serial, | ||
| 1268 | host_key->cert->key_id, | ||
| 1269 | sshkey_ssh_name(host_key->cert->signature_key), cafp, | ||
| 1270 | valid); | ||
| 1271 | for (i = 0; i < host_key->cert->nprincipals; i++) { | ||
| 1272 | debug2("Server host certificate hostname: %s", | ||
| 1273 | host_key->cert->principals[i]); | ||
| 1274 | } | ||
| 1275 | } else { | ||
| 1276 | debug("Server host key: %s %s", compat20 ? | ||
| 1277 | sshkey_ssh_name(host_key) : sshkey_type(host_key), fp); | ||
| 1278 | } | ||
| 1252 | 1279 | ||
| 1253 | if (sshkey_equal(previous_host_key, host_key)) { | 1280 | if (sshkey_equal(previous_host_key, host_key)) { |
| 1254 | debug2("%s: server host key %s %s matches cached key", | 1281 | debug2("%s: server host key %s %s matches cached key", |
| @@ -1313,6 +1340,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) | |||
| 1313 | out: | 1340 | out: |
| 1314 | sshkey_free(plain); | 1341 | sshkey_free(plain); |
| 1315 | free(fp); | 1342 | free(fp); |
| 1343 | free(cafp); | ||
| 1316 | if (r == 0 && host_key != NULL) { | 1344 | if (r == 0 && host_key != NULL) { |
| 1317 | key_free(previous_host_key); | 1345 | key_free(previous_host_key); |
| 1318 | previous_host_key = key_from_private(host_key); | 1346 | previous_host_key = key_from_private(host_key); |
| @@ -1487,3 +1515,30 @@ ssh_local_cmd(const char *args) | |||
| 1487 | 1515 | ||
| 1488 | return (WEXITSTATUS(status)); | 1516 | return (WEXITSTATUS(status)); |
| 1489 | } | 1517 | } |
| 1518 | |||
| 1519 | void | ||
| 1520 | maybe_add_key_to_agent(char *authfile, Key *private, char *comment, | ||
| 1521 | char *passphrase) | ||
| 1522 | { | ||
| 1523 | int auth_sock = -1, r; | ||
| 1524 | |||
| 1525 | if (options.add_keys_to_agent == 0) | ||
| 1526 | return; | ||
| 1527 | |||
| 1528 | if ((r = ssh_get_authentication_socket(&auth_sock)) != 0) { | ||
| 1529 | debug3("no authentication agent, not adding key"); | ||
| 1530 | return; | ||
| 1531 | } | ||
| 1532 | |||
| 1533 | if (options.add_keys_to_agent == 2 && | ||
| 1534 | !ask_permission("Add key %s (%s) to agent?", authfile, comment)) { | ||
| 1535 | debug3("user denied adding this key"); | ||
| 1536 | return; | ||
| 1537 | } | ||
| 1538 | |||
| 1539 | if ((r = ssh_add_identity_constrained(auth_sock, private, comment, 0, | ||
| 1540 | (options.add_keys_to_agent == 3))) == 0) | ||
| 1541 | debug("identity added to agent: %s", authfile); | ||
| 1542 | else | ||
| 1543 | debug("could not add identity to agent: %s (%d)", authfile, r); | ||
| 1544 | } | ||