2 files changed, 23 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index 7db817c09..03c6b95e3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,7 +6,10 @@
     makes it easier to verify that chacha_encrypt_bytes() is only called once
     per chacha_ivsetup() call.
     ok djm@
+   - djm@cvs.openbsd.org 2014/07/03 22:23:46
+     [sshconnect.c]
+     when rekeying, skip file/DNS lookup if it is the same as the key sent
+     during initial key exchange. bz#2154 patch from Iain Morgan; ok markus@
 20140703
 - (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto
diff --git a/sshconnect.c b/sshconnect.c
index 590dfe0f7..799c8d00c 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.249 2014/06/24 01:13:21 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.250 2014/07/03 22:23:46 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -65,6 +65,7 @@
 char *client_version_string = NULL;
 char *server_version_string = NULL;
+Key *previous_host_key = NULL;
 static int matching_host_key_dns = 0;
@@ -1217,7 +1218,7 @@ fail:
 int
 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
-        int flags = 0;
+        int r = -1, flags = 0;
        char *fp;
        Key *plain = NULL;
@@ -1225,6 +1226,11 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
        debug("Server host key: %s %s", key_type(host_key), fp);
        free(fp);
+        if (key_equal(previous_host_key, host_key)) {
+                debug("%s: server host key matches cached key", __func__);
+                return 0;
+        }
        if (options.verify_host_key_dns) {
                /*
                 * XXX certs are not yet supported for DNS, so downgrade
@@ -1239,7 +1245,8 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
                                    flags & DNS_VERIFY_MATCH &&
                                    flags & DNS_VERIFY_SECURE) {
                                        key_free(plain);
-                                        return 0;
+                                        r = 0;
+                                        goto done;
                                }
                                if (flags & DNS_VERIFY_MATCH) {
                                        matching_host_key_dns = 1;
@@ -1254,9 +1261,17 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
                key_free(plain);
        }
-        return check_host_key(host, hostaddr, options.port, host_key, RDRW,
+        r = check_host_key(host, hostaddr, options.port, host_key, RDRW,
            options.user_hostfiles, options.num_user_hostfiles,
            options.system_hostfiles, options.num_system_hostfiles);
+done:
+        if (r == 0 && host_key != NULL) {
+                key_free(previous_host_key);
+                previous_host_key = key_from_private(host_key);
+        }
+        return r;
 }
 /*

diff --git a/ChangeLog b/ChangeLog index 7db817c09..03c6b95e3 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -6,7 +6,10 @@
6	makes it easier to verify that chacha_encrypt_bytes() is only called once	6	makes it easier to verify that chacha_encrypt_bytes() is only called once
7	per chacha_ivsetup() call.	7	per chacha_ivsetup() call.
8	ok djm@	8	ok djm@
9		9	- djm@cvs.openbsd.org 2014/07/03 22:23:46
		10	[sshconnect.c]
		11	when rekeying, skip file/DNS lookup if it is the same as the key sent
		12	during initial key exchange. bz#2154 patch from Iain Morgan; ok markus@
10		13
11	20140703	14	20140703
12	- (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto	15	- (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto


diff --git a/sshconnect.c b/sshconnect.c index 590dfe0f7..799c8d00c 100644 --- a/sshconnect.c +++ b/sshconnect.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: sshconnect.c,v 1.249 2014/06/24 01:13:21 djm Exp $ */	1	/* $OpenBSD: sshconnect.c,v 1.250 2014/07/03 22:23:46 djm Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -65,6 +65,7 @@
65		65
66	char *client_version_string = NULL;	66	char *client_version_string = NULL;
67	char *server_version_string = NULL;	67	char *server_version_string = NULL;
		68	Key *previous_host_key = NULL;
68		69
69	static int matching_host_key_dns = 0;	70	static int matching_host_key_dns = 0;
70		71
@@ -1217,7 +1218,7 @@ fail:
1217	int	1218	int
1218	verify_host_key(char host, struct sockaddr hostaddr, Key *host_key)	1219	verify_host_key(char host, struct sockaddr hostaddr, Key *host_key)
1219	{	1220	{
1220	int flags = 0;	1221	int r = -1, flags = 0;
1221	char *fp;	1222	char *fp;
1222	Key *plain = NULL;	1223	Key *plain = NULL;
1223		1224
@@ -1225,6 +1226,11 @@ verify_host_key(char host, struct sockaddr hostaddr, Key *host_key)
1225	debug("Server host key: %s %s", key_type(host_key), fp);	1226	debug("Server host key: %s %s", key_type(host_key), fp);
1226	free(fp);	1227	free(fp);
1227		1228
		1229	if (key_equal(previous_host_key, host_key)) {
		1230	debug("%s: server host key matches cached key", __func__);
		1231	return 0;
		1232	}
		1233
1228	if (options.verify_host_key_dns) {	1234	if (options.verify_host_key_dns) {
1229	/*	1235	/*
1230	* XXX certs are not yet supported for DNS, so downgrade	1236	* XXX certs are not yet supported for DNS, so downgrade
@@ -1239,7 +1245,8 @@ verify_host_key(char host, struct sockaddr hostaddr, Key *host_key)
1239	flags & DNS_VERIFY_MATCH &&	1245	flags & DNS_VERIFY_MATCH &&
1240	flags & DNS_VERIFY_SECURE) {	1246	flags & DNS_VERIFY_SECURE) {
1241	key_free(plain);	1247	key_free(plain);
1242	return 0;	1248	r = 0;
		1249	goto done;
1243	}	1250	}
1244	if (flags & DNS_VERIFY_MATCH) {	1251	if (flags & DNS_VERIFY_MATCH) {
1245	matching_host_key_dns = 1;	1252	matching_host_key_dns = 1;
@@ -1254,9 +1261,17 @@ verify_host_key(char host, struct sockaddr hostaddr, Key *host_key)
1254	key_free(plain);	1261	key_free(plain);
1255	}	1262	}
1256		1263
1257	return check_host_key(host, hostaddr, options.port, host_key, RDRW,	1264	r = check_host_key(host, hostaddr, options.port, host_key, RDRW,
1258	options.user_hostfiles, options.num_user_hostfiles,	1265	options.user_hostfiles, options.num_user_hostfiles,
1259	options.system_hostfiles, options.num_system_hostfiles);	1266	options.system_hostfiles, options.num_system_hostfiles);
		1267
		1268	done:
		1269	if (r == 0 && host_key != NULL) {
		1270	key_free(previous_host_key);
		1271	previous_host_key = key_from_private(host_key);
		1272	}
		1273
		1274	return r;
1260	}	1275	}
1261		1276
1262	/*	1277	/*