Diffstat (limited to 'sshconnect.c')
-rw-r--r--sshconnect.c31
1 files changed, 25 insertions, 6 deletions
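--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.246 2014/02/06 22:21:01 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.251 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -54,9 +54,9 @@
 #include "sshconnect.h"
 #include "hostfile.h"
 #include "log.h"
+#include "misc.h"
 #include "readconf.h"
 #include "atomicio.h"
-#include "misc.h"
 #include "dns.h"
 #include "roaming.h"
 #include "monitor_fdpass.h"
@@ -65,6 +65,7 @@
 
 char *client_version_string = NULL;
 char *server_version_string = NULL;
+Key *previous_host_key = NULL;
 
 static int matching_host_key_dns = 0;
 
@@ -709,7 +710,7 @@ check_host_cert(const char *host, const Key *host_key)
  error("%s", reason);
  return 0;
  }
- if (buffer_len(&host_key->cert->critical) != 0) {
+ if (buffer_len(host_key->cert->critical) != 0) {
  error("Certificate for %s contains unsupported "
  "critical options(s)", host);
  return 0;
@@ -1222,7 +1223,7 @@ fail:
 int
 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
- int flags = 0;
+ int r = -1, flags = 0;
  char *fp;
  Key *plain = NULL;
 
@@ -1230,6 +1231,11 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
  debug("Server host key: %s %s", key_type(host_key), fp);
  free(fp);
 
+ if (key_equal(previous_host_key, host_key)) {
+ debug("%s: server host key matches cached key", __func__);
+ return 0;
+ }
+
  if (options.verify_host_key_dns) {
  /*
  * XXX certs are not yet supported for DNS, so downgrade
@@ -1244,7 +1250,8 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
  flags & DNS_VERIFY_MATCH &&
  flags & DNS_VERIFY_SECURE) {
  key_free(plain);
- return 0;
+ r = 0;
+ goto done;
  }
  if (flags & DNS_VERIFY_MATCH) {
  matching_host_key_dns = 1;
@@ -1259,9 +1266,17 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
  key_free(plain);
  }
 
- return check_host_key(host, hostaddr, options.port, host_key, RDRW,
+ r = check_host_key(host, hostaddr, options.port, host_key, RDRW,
  options.user_hostfiles, options.num_user_hostfiles,
  options.system_hostfiles, options.num_system_hostfiles);
+
+done:
+ if (r == 0 && host_key != NULL) {
+ key_free(previous_host_key);
+ previous_host_key = key_from_private(host_key);
+ }
+
+ return r;
 }
 
 /*
@@ -1297,8 +1312,12 @@ ssh_login(Sensitive *sensitive, const char *orighost,
  ssh_kex2(host, hostaddr, port);
  ssh_userauth2(local_user, server_user, host, sensitive);
  } else {
+#ifdef WITH_SSH1
  ssh_kex(host, hostaddr);
  ssh_userauth1(local_user, server_user, host, sensitive);
+#else
+ fatal("ssh1 is not unsupported");
+#endif
  }
  free(local_user);
 }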
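Review bot: The fatal message added in the `#else` branch of ssh_login reads `"ssh1 is not unsupported"`, a double negative that states the opposite of what is meant; it should be `fatal("ssh1 is not supported");`. ssh_login begins before this hunk. In the verify_host_key hunks the new file-scope `previous_host_key` carries no comment explaining that a later call presenting an identical key returns 0 before the DNS and known_hosts checks run; a line such as `/* Host key accepted by the last successful verify_host_key(); a later call presenting the same key skips the DNS and known_hosts checks. */` at its declaration would make that trust decision visible to the next reader. The cache-hit path returns directly instead of going through `done:`, which is consistent since the cached key is already the one presented, but a one-line comment saying so at the `return 0;` would save a reader from wondering whether the cache update was missed.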