diff options
Diffstat (limited to 'crypto/openssh/sshconnect.c')
-rw-r--r-- | crypto/openssh/sshconnect.c | 31 |
1 files changed, 25 insertions, 6 deletions
diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c index 3384de6..88ea7be 100644 --- a/crypto/openssh/sshconnect.c +++ b/crypto/openssh/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.246 2014/02/06 22:21:01 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.251 2014/07/15 15:54:14 millert Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -56,9 +56,9 @@ __RCSID("$FreeBSD$"); #include "sshconnect.h" #include "hostfile.h" #include "log.h" +#include "misc.h" #include "readconf.h" #include "atomicio.h" -#include "misc.h" #include "dns.h" #include "roaming.h" #include "monitor_fdpass.h" @@ -67,6 +67,7 @@ __RCSID("$FreeBSD$"); char *client_version_string = NULL; char *server_version_string = NULL; +Key *previous_host_key = NULL; static int matching_host_key_dns = 0; @@ -710,7 +711,7 @@ check_host_cert(const char *host, const Key *host_key) error("%s", reason); return 0; } - if (buffer_len(&host_key->cert->critical) != 0) { + if (buffer_len(host_key->cert->critical) != 0) { error("Certificate for %s contains unsupported " "critical options(s)", host); return 0; @@ -1218,7 +1219,7 @@ fail: int verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) { - int flags = 0; + int r = -1, flags = 0; char *fp; Key *plain = NULL; @@ -1226,6 +1227,11 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) debug("Server host key: %s %s", key_type(host_key), fp); free(fp); + if (key_equal(previous_host_key, host_key)) { + debug("%s: server host key matches cached key", __func__); + return 0; + } + if (options.verify_host_key_dns) { /* * XXX certs are not yet supported for DNS, so downgrade @@ -1240,7 +1246,8 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) flags & DNS_VERIFY_MATCH && flags & DNS_VERIFY_SECURE) { key_free(plain); - return 0; + r = 0; + goto done; } if (flags & DNS_VERIFY_MATCH) { matching_host_key_dns = 1; @@ -1255,9 +1262,17 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) key_free(plain); } - return check_host_key(host, hostaddr, options.port, host_key, RDRW, + r = check_host_key(host, hostaddr, options.port, host_key, RDRW, options.user_hostfiles, options.num_user_hostfiles, options.system_hostfiles, options.num_system_hostfiles); + +done: + if (r == 0 && host_key != NULL) { + key_free(previous_host_key); + previous_host_key = key_from_private(host_key); + } + + return r; } /* @@ -1293,8 +1308,12 @@ ssh_login(Sensitive *sensitive, const char *orighost, ssh_kex2(host, hostaddr, port); ssh_userauth2(local_user, server_user, host, sensitive); } else { +#ifdef WITH_SSH1 ssh_kex(host, hostaddr); ssh_userauth1(local_user, server_user, host, sensitive); +#else + fatal("ssh1 is not unsupported"); +#endif } free(local_user); } |