Diffstat (limited to 'sshconnect.c')
-rw-r--r-- | sshconnect.c | 72 |
1 files changed, 35 insertions, 37 deletions
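diff --git a/sshconnect.c b/sshconnect.c
index 910548fac..d64c0e2c0 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -8,15 +8,19 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.57 2000/03/16 20:56:14 markus Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.58 2000/03/23 22:15:33 markus Exp $");
 
 #ifdef HAVE_OPENSSL
-#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
 #include <openssl/md5.h>
+#include <openssl/bn.h>
 #endif
 #ifdef HAVE_SSL
-#include <ssl/bn.h>
+#include <ssl/rsa.h>
+#include <ssl/dsa.h>
 #include <ssl/md5.h>
+#include <ssl/bn.h>
 #endif
 
 #include "xmalloc.h"
@@ -29,7 +33,8 @@ RCSID("$OpenBSD: sshconnect.c,v 1.57 2000/03/16 20:56:14 markus Exp $");
 #include "uidswap.h"
 #include "compat.h"
 #include "readconf.h"
-#include "fingerprint.h"
+#include "key.h"
+#include "hostfile.h"
 
 /* Session id for the current session. */
 unsigned char session_id[16];
@@ -1073,9 +1078,9 @@ read_yes_or_no(const char *prompt, int defval)
 */
 
 void
-check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key)
+check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
-RSA *file_key;
+Key *file_key;
 char *ip = NULL;
 char hostline[1000], *hostp;
 HostStatus host_status;
@@ -1129,47 +1134,34 @@ check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key)
 * Store the host key from the known host file in here so that we can
 * compare it with the key for the IP address.
 */
-file_key = RSA_new();
-file_key->n = BN_new();
-file_key->e = BN_new();
+file_key = key_new(host_key->type);
 
 /*
 * Check if the host key is present in the user\'s list of known
 * hosts or in the systemwide list.
 */
-host_status = check_host_in_hostfile(options.user_hostfile, host,
-host_key->e, host_key->n,
-file_key->e, file_key->n);
+host_status = check_host_in_hostfile(options.user_hostfile, host, host_key, file_key);
 if (host_status == HOST_NEW)
-host_status = check_host_in_hostfile(options.system_hostfile, host,
-host_key->e, host_key->n,
-file_key->e, file_key->n);
+host_status = check_host_in_hostfile(options.system_hostfile, host, host_key, file_key);
 /*
 * Also perform check for the ip address, skip the check if we are
 * localhost or the hostname was an ip address to begin with
 */
 if (options.check_host_ip && !local && strcmp(host, ip)) {
-RSA *ip_key = RSA_new();
-ip_key->n = BN_new();
-ip_key->e = BN_new();
-ip_status = check_host_in_hostfile(options.user_hostfile, ip,
-host_key->e, host_key->n,
-ip_key->e, ip_key->n);
+Key *ip_key = key_new(host_key->type);
+ip_status = check_host_in_hostfile(options.user_hostfile, ip, host_key, ip_key);
 
 if (ip_status == HOST_NEW)
-ip_status = check_host_in_hostfile(options.system_hostfile, ip,
-host_key->e, host_key->n,
-ip_key->e, ip_key->n);
+ip_status = check_host_in_hostfile(options.system_hostfile, ip, host_key, ip_key);
 if (host_status == HOST_CHANGED &&
-(ip_status != HOST_CHANGED ||
-(BN_cmp(ip_key->e, file_key->e) || BN_cmp(ip_key->n, file_key->n))))
+(ip_status != HOST_CHANGED || !key_equal(ip_key, file_key)))
 host_ip_differ = 1;
 
-RSA_free(ip_key);
+key_free(ip_key);
 } else
 ip_status = host_status;
 
-RSA_free(file_key);
+key_free(file_key);
 
 switch (host_status) {
 case HOST_OK:
@@ -1177,8 +1169,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key)
 debug("Host '%.200s' is known and matches the host key.", host);
 if (options.check_host_ip) {
 if (ip_status == HOST_NEW) {
-if (!add_host_to_hostfile(options.user_hostfile, ip,
-host_key->e, host_key->n))
+if (!add_host_to_hostfile(options.user_hostfile, ip, host_key))
 log("Failed to add the host key for IP address '%.30s' to the list of known hosts (%.30s).",
 ip, options.user_hostfile);
 else
@@ -1198,12 +1189,12 @@ check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key)
 } else if (options.strict_host_key_checking == 2) {
 /* The default */
 char prompt[1024];
-char *fp = fingerprint(host_key->e, host_key->n);
+char *fp = key_fingerprint(host_key);
 snprintf(prompt, sizeof(prompt),
 "The authenticity of host '%.200s' can't be established.\n"
-"Key fingerprint is %d %s.\n"
+"Key fingerprint is %s.\n"
 "Are you sure you want to continue connecting (yes/no)? ",
-host, BN_num_bits(host_key->n), fp);
+host, fp);
 if (!read_yes_or_no(prompt, -1))
 fatal("Aborted by user!\n");
 }
@@ -1214,8 +1205,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key)
 hostp = host;
 
 /* If not in strict mode, add the key automatically to the local known_hosts file. */
-if (!add_host_to_hostfile(options.user_hostfile, hostp,
-host_key->e, host_key->n))
+if (!add_host_to_hostfile(options.user_hostfile, hostp, host_key))
 log("Failed to add the host to the list of known hosts (%.500s).",
 options.user_hostfile);
 else
@@ -1283,6 +1273,14 @@ check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key)
 if (options.check_host_ip)
 xfree(ip);
 }
+void
+check_rsa_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key)
+{
+Key k;
+k.type = KEY_RSA;
+k.rsa = host_key;
+check_host_key(host, hostaddr, &k);
+}
 
 /*
 * SSH1 key exchange
@@ -1358,7 +1356,7 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
 8 + 4 + sum_len + 0 + 4 + 0 + 0 + 4 + 4 + 4,
 SSH_SMSG_PUBLIC_KEY);
 
-check_host_key(host, hostaddr, host_key);
+check_rsa_host_key(host, hostaddr, host_key);
 
 client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN;
 
@@ -1617,7 +1615,6 @@ ssh_userauth(int host_key_valid, RSA *own_host_key,
 fatal("Permission denied.");
 /* NOTREACHED */
 }
-
 /*
 * Starts a dialog with the server, and authenticates the current user on the
 * server. This does not need any extra privileges. The basic connection
@@ -1648,6 +1645,7 @@ ssh_login(int host_key_valid, RSA *own_host_key, const char *orighost,
 ssh_kex(host, hostaddr);
 if (supported_authentications == 0)
 fatal("supported_authentications == 0.");
+
 /* authenticate user */
 ssh_userauth(host_key_valid, own_host_key, original_real_uid, host);
 }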
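Review bot: The new `check_rsa_host_key` (added lines 1276-1283 in the `@@ -1283,6 +1273,14 @@` hunk) initialises only `type` and `rsa` of the stack `Key k`, so every other member — at least `dsa`, given the new dsa.h includes — is indeterminate when `&k` is passed to `check_host_key`. Callees that dispatch on `type` will not touch those members, but any routine that inspects or frees them unconditionally would read uninitialised memory; zero the struct first, `memset(&k, 0, sizeof k);`, before the two assignments. Separately, the strict-host-key-checking prompt hunk drops `BN_num_bits(host_key->n)` from the message; unless `key_fingerprint` already embeds the key type and size (not visible here), the user now has less to cross-check when deciding whether to trust a previously unseen host.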