diff options
| -rw-r--r-- | sshconnect.c | 32 |
1 files changed, 28 insertions, 4 deletions
diff --git a/sshconnect.c b/sshconnect.c index 19d393f7b..1507934d8 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshconnect.c,v 1.266 2015/11/15 22:26:49 jcs Exp $ */ | 1 | /* $OpenBSD: sshconnect.c,v 1.267 2015/11/19 01:09:38 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -1237,8 +1237,9 @@ fail: | |||
| 1237 | int | 1237 | int |
| 1238 | verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) | 1238 | verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) |
| 1239 | { | 1239 | { |
| 1240 | u_int i; | ||
| 1240 | int r = -1, flags = 0; | 1241 | int r = -1, flags = 0; |
| 1241 | char *fp = NULL; | 1242 | char valid[64], *fp = NULL, *cafp = NULL; |
| 1242 | struct sshkey *plain = NULL; | 1243 | struct sshkey *plain = NULL; |
| 1243 | 1244 | ||
| 1244 | if ((fp = sshkey_fingerprint(host_key, | 1245 | if ((fp = sshkey_fingerprint(host_key, |
| @@ -1248,8 +1249,30 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) | |||
| 1248 | goto out; | 1249 | goto out; |
| 1249 | } | 1250 | } |
| 1250 | 1251 | ||
| 1251 | debug("Server host key: %s %s", | 1252 | if (sshkey_is_cert(host_key)) { |
| 1252 | compat20 ? sshkey_ssh_name(host_key) : sshkey_type(host_key), fp); | 1253 | if ((cafp = sshkey_fingerprint(host_key->cert->signature_key, |
| 1254 | options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) { | ||
| 1255 | error("%s: fingerprint CA key: %s", | ||
| 1256 | __func__, ssh_err(r)); | ||
| 1257 | r = -1; | ||
| 1258 | goto out; | ||
| 1259 | } | ||
| 1260 | sshkey_format_cert_validity(host_key->cert, | ||
| 1261 | valid, sizeof(valid)); | ||
| 1262 | debug("Server host certificate: %s %s, serial %llu " | ||
| 1263 | "ID \"%s\" CA %s %s valid %s", | ||
| 1264 | sshkey_ssh_name(host_key), fp, | ||
| 1265 | host_key->cert->serial, host_key->cert->key_id, | ||
| 1266 | sshkey_ssh_name(host_key->cert->signature_key), cafp, | ||
| 1267 | valid); | ||
| 1268 | for (i = 0; i < host_key->cert->nprincipals; i++) { | ||
| 1269 | debug2("Server host certificate hostname: %s", | ||
| 1270 | host_key->cert->principals[i]); | ||
| 1271 | } | ||
| 1272 | } else { | ||
| 1273 | debug("Server host key: %s %s", compat20 ? | ||
| 1274 | sshkey_ssh_name(host_key) : sshkey_type(host_key), fp); | ||
| 1275 | } | ||
| 1253 | 1276 | ||
| 1254 | if (sshkey_equal(previous_host_key, host_key)) { | 1277 | if (sshkey_equal(previous_host_key, host_key)) { |
| 1255 | debug2("%s: server host key %s %s matches cached key", | 1278 | debug2("%s: server host key %s %s matches cached key", |
| @@ -1314,6 +1337,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) | |||
| 1314 | out: | 1337 | out: |
| 1315 | sshkey_free(plain); | 1338 | sshkey_free(plain); |
| 1316 | free(fp); | 1339 | free(fp); |
| 1340 | free(cafp); | ||
| 1317 | if (r == 0 && host_key != NULL) { | 1341 | if (r == 0 && host_key != NULL) { |
| 1318 | key_free(previous_host_key); | 1342 | key_free(previous_host_key); |
| 1319 | previous_host_key = key_from_private(host_key); | 1343 | previous_host_key = key_from_private(host_key); |