summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog5
-rw-r--r--sshconnect.c23
2 files changed, 23 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index 7db817c09..03c6b95e3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,7 +6,10 @@
6 makes it easier to verify that chacha_encrypt_bytes() is only called once 6 makes it easier to verify that chacha_encrypt_bytes() is only called once
7 per chacha_ivsetup() call. 7 per chacha_ivsetup() call.
8 ok djm@ 8 ok djm@
9 9 - djm@cvs.openbsd.org 2014/07/03 22:23:46
10 [sshconnect.c]
11 when rekeying, skip file/DNS lookup if it is the same as the key sent
12 during initial key exchange. bz#2154 patch from Iain Morgan; ok markus@
10 13
1120140703 1420140703
12 - (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto 15 - (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto
diff --git a/sshconnect.c b/sshconnect.c
index 590dfe0f7..799c8d00c 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshconnect.c,v 1.249 2014/06/24 01:13:21 djm Exp $ */ 1/* $OpenBSD: sshconnect.c,v 1.250 2014/07/03 22:23:46 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -65,6 +65,7 @@
65 65
66char *client_version_string = NULL; 66char *client_version_string = NULL;
67char *server_version_string = NULL; 67char *server_version_string = NULL;
68Key *previous_host_key = NULL;
68 69
69static int matching_host_key_dns = 0; 70static int matching_host_key_dns = 0;
70 71
@@ -1217,7 +1218,7 @@ fail:
1217int 1218int
1218verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) 1219verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
1219{ 1220{
1220 int flags = 0; 1221 int r = -1, flags = 0;
1221 char *fp; 1222 char *fp;
1222 Key *plain = NULL; 1223 Key *plain = NULL;
1223 1224
@@ -1225,6 +1226,11 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
1225 debug("Server host key: %s %s", key_type(host_key), fp); 1226 debug("Server host key: %s %s", key_type(host_key), fp);
1226 free(fp); 1227 free(fp);
1227 1228
1229 if (key_equal(previous_host_key, host_key)) {
1230 debug("%s: server host key matches cached key", __func__);
1231 return 0;
1232 }
1233
1228 if (options.verify_host_key_dns) { 1234 if (options.verify_host_key_dns) {
1229 /* 1235 /*
1230 * XXX certs are not yet supported for DNS, so downgrade 1236 * XXX certs are not yet supported for DNS, so downgrade
@@ -1239,7 +1245,8 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
1239 flags & DNS_VERIFY_MATCH && 1245 flags & DNS_VERIFY_MATCH &&
1240 flags & DNS_VERIFY_SECURE) { 1246 flags & DNS_VERIFY_SECURE) {
1241 key_free(plain); 1247 key_free(plain);
1242 return 0; 1248 r = 0;
1249 goto done;
1243 } 1250 }
1244 if (flags & DNS_VERIFY_MATCH) { 1251 if (flags & DNS_VERIFY_MATCH) {
1245 matching_host_key_dns = 1; 1252 matching_host_key_dns = 1;
@@ -1254,9 +1261,17 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
1254 key_free(plain); 1261 key_free(plain);
1255 } 1262 }
1256 1263
1257 return check_host_key(host, hostaddr, options.port, host_key, RDRW, 1264 r = check_host_key(host, hostaddr, options.port, host_key, RDRW,
1258 options.user_hostfiles, options.num_user_hostfiles, 1265 options.user_hostfiles, options.num_user_hostfiles,
1259 options.system_hostfiles, options.num_system_hostfiles); 1266 options.system_hostfiles, options.num_system_hostfiles);
1267
1268done:
1269 if (r == 0 && host_key != NULL) {
1270 key_free(previous_host_key);
1271 previous_host_key = key_from_private(host_key);
1272 }
1273
1274 return r;
1260} 1275}
1261 1276
1262/* 1277/*