Diffstat (limited to 'sshconnect.c')
-rw-r--r-- | sshconnect.c | 31 |
1 files changed, 25 insertions, 6 deletions
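--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.246 2014/02/06 22:21:01 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.251 2014/07/15 15:54:14 millert Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -54,9 +54,9 @@
 #include "sshconnect.h"
 #include "hostfile.h"
 #include "log.h"
+#include "misc.h"
 #include "readconf.h"
 #include "atomicio.h"
-#include "misc.h"
 #include "dns.h"
 #include "roaming.h"
 #include "monitor_fdpass.h"
@@ -65,6 +65,7 @@
 
 char *client_version_string = NULL;
 char *server_version_string = NULL;
+Key *previous_host_key = NULL;
 
 static int matching_host_key_dns = 0;
 
@@ -709,7 +710,7 @@ check_host_cert(const char *host, const Key *host_key)
 error("%s", reason);
 return 0;
 }
-if (buffer_len(&host_key->cert->critical) != 0) {
+if (buffer_len(host_key->cert->critical) != 0) {
 error("Certificate for %s contains unsupported "
 "critical options(s)", host);
 return 0;
@@ -1222,7 +1223,7 @@ fail:
 int
 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
-int flags = 0;
+int r = -1, flags = 0;
 char *fp;
 Key *plain = NULL;
 
@@ -1230,6 +1231,11 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 debug("Server host key: %s %s", key_type(host_key), fp);
 free(fp);
 
+if (key_equal(previous_host_key, host_key)) {
+debug("%s: server host key matches cached key", __func__);
+return 0;
+}
+
 if (options.verify_host_key_dns) {
 /*
 * XXX certs are not yet supported for DNS, so downgrade
@@ -1244,7 +1250,8 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 flags & DNS_VERIFY_MATCH &&
 flags & DNS_VERIFY_SECURE) {
 key_free(plain);
-return 0;
+r = 0;
+goto done;
 }
 if (flags & DNS_VERIFY_MATCH) {
 matching_host_key_dns = 1;
@@ -1259,9 +1266,17 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 key_free(plain);
 }
 
-return check_host_key(host, hostaddr, options.port, host_key, RDRW,
+r = check_host_key(host, hostaddr, options.port, host_key, RDRW,
 options.user_hostfiles, options.num_user_hostfiles,
 options.system_hostfiles, options.num_system_hostfiles);
+
+done:
+if (r == 0 && host_key != NULL) {
+key_free(previous_host_key);
+previous_host_key = key_from_private(host_key);
+}
+
+return r;
 }
 
 /*
@@ -1297,8 +1312,12 @@ ssh_login(Sensitive *sensitive, const char *orighost,
 ssh_kex2(host, hostaddr, port);
 ssh_userauth2(local_user, server_user, host, sensitive);
 } else {
+#ifdef WITH_SSH1
 ssh_kex(host, hostaddr);
 ssh_userauth1(local_user, server_user, host, sensitive);
+#else
+fatal("ssh1 is not unsupported");
+#endif
 }
 free(local_user);
 }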
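Review bot: The cached-key early return added at the top of verify_host_key (hunk @@ -1230) accepts the server key on the basis of `key_equal(previous_host_key, host_key)` alone, before the SSHFP and known_hosts checks, and `previous_host_key` is a process-global that is not tied to the `host`/`hostaddr` the key was originally verified against; that is sound only if every call in this process is for the same peer, which the code does not state. A comment on the new global would make the contract explicit, e.g. `/* Host key accepted earlier in this connection; lets rekeying/roaming skip re-verification. Only valid while host/hostaddr are unchanged. */`. The first call presumably relies on key_equal() treating a NULL `previous_host_key` as not-equal — worth confirming, since a NULL-dereference there would be fatal before any host-key check runs. Separately, the `host_key != NULL` test at `done:` is dead, because host_key was already dereferenced by key_type() above, and the new fatal() message in the ssh_login hunk is a double negative: `fatal("ssh1 is not supported");`. verify_host_key's body spans several hunks, so parts of it are outside this view.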