summaryrefslogtreecommitdiffstats
path: root/crypto/openssh/sshconnect.c
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/openssh/sshconnect.c')
-rw-r--r--crypto/openssh/sshconnect.c31
1 files changed, 25 insertions, 6 deletions
diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c
index 3384de6..88ea7be 100644
--- a/crypto/openssh/sshconnect.c
+++ b/crypto/openssh/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.246 2014/02/06 22:21:01 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.251 2014/07/15 15:54:14 millert Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -56,9 +56,9 @@ __RCSID("$FreeBSD$");
#include "sshconnect.h"
#include "hostfile.h"
#include "log.h"
+#include "misc.h"
#include "readconf.h"
#include "atomicio.h"
-#include "misc.h"
#include "dns.h"
#include "roaming.h"
#include "monitor_fdpass.h"
@@ -67,6 +67,7 @@ __RCSID("$FreeBSD$");
char *client_version_string = NULL;
char *server_version_string = NULL;
+Key *previous_host_key = NULL;
static int matching_host_key_dns = 0;
@@ -710,7 +711,7 @@ check_host_cert(const char *host, const Key *host_key)
error("%s", reason);
return 0;
}
- if (buffer_len(&host_key->cert->critical) != 0) {
+ if (buffer_len(host_key->cert->critical) != 0) {
error("Certificate for %s contains unsupported "
"critical options(s)", host);
return 0;
@@ -1218,7 +1219,7 @@ fail:
int
verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
{
- int flags = 0;
+ int r = -1, flags = 0;
char *fp;
Key *plain = NULL;
@@ -1226,6 +1227,11 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
debug("Server host key: %s %s", key_type(host_key), fp);
free(fp);
+ if (key_equal(previous_host_key, host_key)) {
+ debug("%s: server host key matches cached key", __func__);
+ return 0;
+ }
+
if (options.verify_host_key_dns) {
/*
* XXX certs are not yet supported for DNS, so downgrade
@@ -1240,7 +1246,8 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
flags & DNS_VERIFY_MATCH &&
flags & DNS_VERIFY_SECURE) {
key_free(plain);
- return 0;
+ r = 0;
+ goto done;
}
if (flags & DNS_VERIFY_MATCH) {
matching_host_key_dns = 1;
@@ -1255,9 +1262,17 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
key_free(plain);
}
- return check_host_key(host, hostaddr, options.port, host_key, RDRW,
+ r = check_host_key(host, hostaddr, options.port, host_key, RDRW,
options.user_hostfiles, options.num_user_hostfiles,
options.system_hostfiles, options.num_system_hostfiles);
+
+done:
+ if (r == 0 && host_key != NULL) {
+ key_free(previous_host_key);
+ previous_host_key = key_from_private(host_key);
+ }
+
+ return r;
}
/*
@@ -1293,8 +1308,12 @@ ssh_login(Sensitive *sensitive, const char *orighost,
ssh_kex2(host, hostaddr, port);
ssh_userauth2(local_user, server_user, host, sensitive);
} else {
+#ifdef WITH_SSH1
ssh_kex(host, hostaddr);
ssh_userauth1(local_user, server_user, host, sensitive);
+#else
+ fatal("ssh1 is not unsupported");
+#endif
}
free(local_user);
}
OpenPOWER on IntegriCloud