-rw-r--r--sshconnect.c32
1 files changed, 28 insertions, 4 deletions
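diff --git a/sshconnect.c b/sshconnect.c
index 19d393f7b..1507934d8 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.266 2015/11/15 22:26:49 jcs Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.267 2015/11/19 01:09:38 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1237,8 +1237,9 @@ fail:
 int
 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
+	u_int i;
 	int r = -1, flags = 0;
-	char *fp = NULL;
+	char valid[64], *fp = NULL, *cafp = NULL;
 	struct sshkey *plain = NULL;
 
 	if ((fp = sshkey_fingerprint(host_key,
@@ -1248,8 +1249,30 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 		goto out;
 	}
 
-	debug("Server host key: %s %s",
-	    compat20 ? sshkey_ssh_name(host_key) : sshkey_type(host_key), fp);
+	if (sshkey_is_cert(host_key)) {
+		if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
+		    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
+			error("%s: fingerprint CA key: %s",
+			    __func__, ssh_err(r));
+			r = -1;
+			goto out;
+		}
+		sshkey_format_cert_validity(host_key->cert,
+		    valid, sizeof(valid));
+		debug("Server host certificate: %s %s, serial %llu "
+		    "ID \"%s\" CA %s %s valid %s",
+		    sshkey_ssh_name(host_key), fp,
+		    host_key->cert->serial, host_key->cert->key_id,
+		    sshkey_ssh_name(host_key->cert->signature_key), cafp,
+		    valid);
+		for (i = 0; i < host_key->cert->nprincipals; i++) {
+			debug2("Server host certificate hostname: %s",
+			    host_key->cert->principals[i]);
+		}
+	} else {
+		debug("Server host key: %s %s", compat20 ?
+		    sshkey_ssh_name(host_key) : sshkey_type(host_key), fp);
+	}
 
 	if (sshkey_equal(previous_host_key, host_key)) {
 		debug2("%s: server host key %s %s matches cached key",
@@ -1314,6 +1337,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 out:
 	sshkey_free(plain);
 	free(fp);
+	free(cafp);
 	if (r == 0 && host_key != NULL) {
 		key_free(previous_host_key);
 		previous_host_key = key_from_private(host_key);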
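Review bot: The `%llu` conversion in the new "Server host certificate" debug() call of the third hunk is fed `host_key->cert->serial` with no cast; that field is declared as a u_int64_t in sshkey.h (outside this hunk), which on LP64 targets is `unsigned long` rather than the `unsigned long long` the specifier requires, so this is a format/argument mismatch that -Wformat reports and the standard leaves undefined. The cast this tree uses elsewhere for certificate serials fixes it: `(unsigned long long)host_key->cert->serial, host_key->cert->key_id,`. Separately, the CA-fingerprint failure branch logs `ssh_err(r)` although r is still the `-1` it was initialised to in the second hunk and nothing on the success path of the first sshkey_fingerprint() call visibly assigns it, so the message reports a placeholder rather than the cause; this appears to mirror the existing host-key fingerprint branch just above the hunk, so either fix both or drop the error string, `error("%s: fingerprint CA key failed", __func__);`. verify_host_key starts in the second hunk and continues past the last one.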