diff options
Diffstat (limited to 'crypto/openssh/sshconnect.c')
-rw-r--r-- | crypto/openssh/sshconnect.c | 75 |
1 files changed, 65 insertions, 10 deletions
diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c index 11a9cf6..d0b70ea 100644 --- a/crypto/openssh/sshconnect.c +++ b/crypto/openssh/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.263 2015/08/20 22:32:42 deraadt Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.271 2016/01/14 22:56:56 markus Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -61,12 +61,12 @@ __RCSID("$FreeBSD$"); #include "readconf.h" #include "atomicio.h" #include "dns.h" -#include "roaming.h" #include "monitor_fdpass.h" #include "ssh2.h" #include "version.h" #include "authfile.h" #include "ssherr.h" +#include "authfd.h" char *client_version_string = NULL; char *server_version_string = NULL; @@ -169,6 +169,7 @@ ssh_proxy_fdpass_connect(const char *host, u_short port, if ((sock = mm_receive_fd(sp[1])) == -1) fatal("proxy dialer did not pass back a connection"); + close(sp[1]); while (waitpid(pid, NULL, 0) == -1) if (errno != EINTR) @@ -434,7 +435,9 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop, char ntop[NI_MAXHOST], strport[NI_MAXSERV]; struct addrinfo *ai; - debug2("ssh_connect: needpriv %d", needpriv); + debug2("%s: needpriv %d", __func__, needpriv); + memset(ntop, 0, sizeof(ntop)); + memset(strport, 0, sizeof(strport)); for (attempt = 0; attempt < connection_attempts; attempt++) { if (attempt > 0) { @@ -453,7 +456,7 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop, if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { - error("ssh_connect: getnameinfo failed"); + error("%s: getnameinfo failed", __func__); continue; } debug("Connecting to %.200s [%.100s] port %s.", @@ -530,7 +533,7 @@ send_client_banner(int connection_out, int minor1) SSH_VERSION, *options.version_addendum == '\0' ? "" : " ", options.version_addendum, compat20 ? "\r\n" : "\n"); - if (roaming_atomicio(vwrite, connection_out, client_version_string, + if (atomicio(vwrite, connection_out, client_version_string, strlen(client_version_string)) != strlen(client_version_string)) fatal("write: %.100s", strerror(errno)); chop(client_version_string); @@ -590,7 +593,7 @@ ssh_exchange_identification(int timeout_ms) } } - len = roaming_atomicio(read, connection_in, &buf[i], 1); + len = atomicio(read, connection_in, &buf[i], 1); if (len != 1 && errno == EPIPE) fatal("ssh_exchange_identification: " @@ -926,7 +929,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, options.fingerprint_hash, SSH_FP_RANDOMART); if (fp == NULL || ra == NULL) fatal("%s: sshkey_fingerprint fail", __func__); - logit("Host key fingerprint is %s\n%s\n", fp, ra); + logit("Host key fingerprint is %s\n%s", fp, ra); free(ra); free(fp); } @@ -1237,8 +1240,9 @@ fail: int verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) { + u_int i; int r = -1, flags = 0; - char *fp = NULL; + char valid[64], *fp = NULL, *cafp = NULL; struct sshkey *plain = NULL; if ((fp = sshkey_fingerprint(host_key, @@ -1248,8 +1252,31 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) goto out; } - debug("Server host key: %s %s", - compat20 ? sshkey_ssh_name(host_key) : sshkey_type(host_key), fp); + if (sshkey_is_cert(host_key)) { + if ((cafp = sshkey_fingerprint(host_key->cert->signature_key, + options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) { + error("%s: fingerprint CA key: %s", + __func__, ssh_err(r)); + r = -1; + goto out; + } + sshkey_format_cert_validity(host_key->cert, + valid, sizeof(valid)); + debug("Server host certificate: %s %s, serial %llu " + "ID \"%s\" CA %s %s valid %s", + sshkey_ssh_name(host_key), fp, + (unsigned long long)host_key->cert->serial, + host_key->cert->key_id, + sshkey_ssh_name(host_key->cert->signature_key), cafp, + valid); + for (i = 0; i < host_key->cert->nprincipals; i++) { + debug2("Server host certificate hostname: %s", + host_key->cert->principals[i]); + } + } else { + debug("Server host key: %s %s", compat20 ? + sshkey_ssh_name(host_key) : sshkey_type(host_key), fp); + } if (sshkey_equal(previous_host_key, host_key)) { debug2("%s: server host key %s %s matches cached key", @@ -1314,6 +1341,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) out: sshkey_free(plain); free(fp); + free(cafp); if (r == 0 && host_key != NULL) { key_free(previous_host_key); previous_host_key = key_from_private(host_key); @@ -1488,3 +1516,30 @@ ssh_local_cmd(const char *args) return (WEXITSTATUS(status)); } + +void +maybe_add_key_to_agent(char *authfile, Key *private, char *comment, + char *passphrase) +{ + int auth_sock = -1, r; + + if (options.add_keys_to_agent == 0) + return; + + if ((r = ssh_get_authentication_socket(&auth_sock)) != 0) { + debug3("no authentication agent, not adding key"); + return; + } + + if (options.add_keys_to_agent == 2 && + !ask_permission("Add key %s (%s) to agent?", authfile, comment)) { + debug3("user denied adding this key"); + return; + } + + if ((r = ssh_add_identity_constrained(auth_sock, private, comment, 0, + (options.add_keys_to_agent == 3))) == 0) + debug("identity added to agent: %s", authfile); + else + debug("could not add identity to agent: %s (%d)", authfile, r); +} |