diff options
Diffstat (limited to 'sshconnect.c')
| -rw-r--r-- | sshconnect.c | 31 |
1 files changed, 25 insertions, 6 deletions
diff --git a/sshconnect.c b/sshconnect.c index 324f5e0a3..563405ecb 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshconnect.c,v 1.246 2014/02/06 22:21:01 djm Exp $ */ | 1 | /* $OpenBSD: sshconnect.c,v 1.251 2014/07/15 15:54:14 millert Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -54,9 +54,9 @@ | |||
| 54 | #include "sshconnect.h" | 54 | #include "sshconnect.h" |
| 55 | #include "hostfile.h" | 55 | #include "hostfile.h" |
| 56 | #include "log.h" | 56 | #include "log.h" |
| 57 | #include "misc.h" | ||
| 57 | #include "readconf.h" | 58 | #include "readconf.h" |
| 58 | #include "atomicio.h" | 59 | #include "atomicio.h" |
| 59 | #include "misc.h" | ||
| 60 | #include "dns.h" | 60 | #include "dns.h" |
| 61 | #include "roaming.h" | 61 | #include "roaming.h" |
| 62 | #include "monitor_fdpass.h" | 62 | #include "monitor_fdpass.h" |
| @@ -65,6 +65,7 @@ | |||
| 65 | 65 | ||
| 66 | char *client_version_string = NULL; | 66 | char *client_version_string = NULL; |
| 67 | char *server_version_string = NULL; | 67 | char *server_version_string = NULL; |
| 68 | Key *previous_host_key = NULL; | ||
| 68 | 69 | ||
| 69 | static int matching_host_key_dns = 0; | 70 | static int matching_host_key_dns = 0; |
| 70 | 71 | ||
| @@ -709,7 +710,7 @@ check_host_cert(const char *host, const Key *host_key) | |||
| 709 | error("%s", reason); | 710 | error("%s", reason); |
| 710 | return 0; | 711 | return 0; |
| 711 | } | 712 | } |
| 712 | if (buffer_len(&host_key->cert->critical) != 0) { | 713 | if (buffer_len(host_key->cert->critical) != 0) { |
| 713 | error("Certificate for %s contains unsupported " | 714 | error("Certificate for %s contains unsupported " |
| 714 | "critical options(s)", host); | 715 | "critical options(s)", host); |
| 715 | return 0; | 716 | return 0; |
| @@ -1222,7 +1223,7 @@ fail: | |||
| 1222 | int | 1223 | int |
| 1223 | verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) | 1224 | verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) |
| 1224 | { | 1225 | { |
| 1225 | int flags = 0; | 1226 | int r = -1, flags = 0; |
| 1226 | char *fp; | 1227 | char *fp; |
| 1227 | Key *plain = NULL; | 1228 | Key *plain = NULL; |
| 1228 | 1229 | ||
| @@ -1230,6 +1231,11 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) | |||
| 1230 | debug("Server host key: %s %s", key_type(host_key), fp); | 1231 | debug("Server host key: %s %s", key_type(host_key), fp); |
| 1231 | free(fp); | 1232 | free(fp); |
| 1232 | 1233 | ||
| 1234 | if (key_equal(previous_host_key, host_key)) { | ||
| 1235 | debug("%s: server host key matches cached key", __func__); | ||
| 1236 | return 0; | ||
| 1237 | } | ||
| 1238 | |||
| 1233 | if (options.verify_host_key_dns) { | 1239 | if (options.verify_host_key_dns) { |
| 1234 | /* | 1240 | /* |
| 1235 | * XXX certs are not yet supported for DNS, so downgrade | 1241 | * XXX certs are not yet supported for DNS, so downgrade |
| @@ -1244,7 +1250,8 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) | |||
| 1244 | flags & DNS_VERIFY_MATCH && | 1250 | flags & DNS_VERIFY_MATCH && |
| 1245 | flags & DNS_VERIFY_SECURE) { | 1251 | flags & DNS_VERIFY_SECURE) { |
| 1246 | key_free(plain); | 1252 | key_free(plain); |
| 1247 | return 0; | 1253 | r = 0; |
| 1254 | goto done; | ||
| 1248 | } | 1255 | } |
| 1249 | if (flags & DNS_VERIFY_MATCH) { | 1256 | if (flags & DNS_VERIFY_MATCH) { |
| 1250 | matching_host_key_dns = 1; | 1257 | matching_host_key_dns = 1; |
| @@ -1259,9 +1266,17 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) | |||
| 1259 | key_free(plain); | 1266 | key_free(plain); |
| 1260 | } | 1267 | } |
| 1261 | 1268 | ||
| 1262 | return check_host_key(host, hostaddr, options.port, host_key, RDRW, | 1269 | r = check_host_key(host, hostaddr, options.port, host_key, RDRW, |
| 1263 | options.user_hostfiles, options.num_user_hostfiles, | 1270 | options.user_hostfiles, options.num_user_hostfiles, |
| 1264 | options.system_hostfiles, options.num_system_hostfiles); | 1271 | options.system_hostfiles, options.num_system_hostfiles); |
| 1272 | |||
| 1273 | done: | ||
| 1274 | if (r == 0 && host_key != NULL) { | ||
| 1275 | key_free(previous_host_key); | ||
| 1276 | previous_host_key = key_from_private(host_key); | ||
| 1277 | } | ||
| 1278 | |||
| 1279 | return r; | ||
| 1265 | } | 1280 | } |
| 1266 | 1281 | ||
| 1267 | /* | 1282 | /* |
| @@ -1297,8 +1312,12 @@ ssh_login(Sensitive *sensitive, const char *orighost, | |||
| 1297 | ssh_kex2(host, hostaddr, port); | 1312 | ssh_kex2(host, hostaddr, port); |
| 1298 | ssh_userauth2(local_user, server_user, host, sensitive); | 1313 | ssh_userauth2(local_user, server_user, host, sensitive); |
| 1299 | } else { | 1314 | } else { |
| 1315 | #ifdef WITH_SSH1 | ||
| 1300 | ssh_kex(host, hostaddr); | 1316 | ssh_kex(host, hostaddr); |
| 1301 | ssh_userauth1(local_user, server_user, host, sensitive); | 1317 | ssh_userauth1(local_user, server_user, host, sensitive); |
| 1318 | #else | ||
| 1319 | fatal("ssh1 is not unsupported"); | ||
| 1320 | #endif | ||
| 1302 | } | 1321 | } |
| 1303 | free(local_user); | 1322 | free(local_user); |
| 1304 | } | 1323 | } |