diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2020-10-07 04:22:23 +0200 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2020-10-07 04:34:11 +0200 |
| commit | aa623142e426ca1ab9db77b06dcc9b1b70bd102b (patch) | |
| tree | 5fa919cf2096ec5f2b1bf85eba0f50aea2021591 /sshconnect.c | |
| parent | upstream: simply disable UpdateHostkeys when a certificate (diff) | |
| download | openssh-aa623142e426ca1ab9db77b06dcc9b1b70bd102b.tar.xz openssh-aa623142e426ca1ab9db77b06dcc9b1b70bd102b.zip | |
upstream: revert kex->flags cert hostkey downgrade back to a plain
key (commitid VtF8vozGOF8DMKVg). We now do this a simpler way that needs less
plumbing.
ok markus@
OpenBSD-Commit-ID: fb92d25b216bff8c136da818ac2221efaadf18ed
Diffstat (limited to 'sshconnect.c')
| -rw-r--r-- | sshconnect.c | 55 |
1 files changed, 12 insertions, 43 deletions
diff --git a/sshconnect.c b/sshconnect.c index ba07a5ff3..4591e6a6e 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.336 2020/10/07 02:20:35 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.337 2020/10/07 02:22:23 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -694,10 +694,6 @@ get_hostfile_hostname_ipaddr(char *hostname, struct sockaddr *hostaddr, /* * check whether the supplied host key is valid, return -1 if the key * is not valid. user_hostfile[0] will not be updated if 'readonly' is true. - * - * If cert_fallbackp is not NULL then will attempt to convert certificate host - * keys to plain keys if no certificate match was found and will return - * non-zero via *cert_fallbackp if this fall-back was used. */ #define RDRW 0 #define RDONLY 1 @@ -706,7 +702,7 @@ static int check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, struct sshkey *host_key, int readonly, char **user_hostfiles, u_int num_user_hostfiles, - char **system_hostfiles, u_int num_system_hostfiles, int *cert_fallbackp) + char **system_hostfiles, u_int num_system_hostfiles) { HostStatus host_status; HostStatus ip_status; @@ -717,15 +713,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, const char *type; const struct hostkey_entry *host_found, *ip_found; int len, cancelled_forwarding = 0, confirmed; - int local = sockaddr_is_local(hostaddr), cert_fallback = 0; + int local = sockaddr_is_local(hostaddr); int r, want_cert = sshkey_is_cert(host_key), host_ip_differ = 0; int hostkey_trusted = 0; /* Known or explicitly accepted by user */ struct hostkeys *host_hostkeys, *ip_hostkeys; u_int i; - if (cert_fallbackp != NULL) - *cert_fallbackp = 0; - /* * Force accepting of the host key for loopback/localhost. The * problem is that if the home directory is NFS-mounted to multiple @@ -841,15 +834,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, if (options.host_key_alias == NULL && port != 0 && port != SSH_DEFAULT_PORT) { debug("checking without port identifier"); - /* - * NB. do not perform cert->key fallback in this - * recursive call. Fallback will only be performed in - * the top-level call. - */ if (check_host_key(hostname, hostaddr, 0, host_key, ROQUIET, user_hostfiles, num_user_hostfiles, - system_hostfiles, num_system_hostfiles, - NULL) == 0) { + system_hostfiles, num_system_hostfiles) == 0) { debug("found matching key w/out port"); break; } @@ -1126,13 +1113,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, free_hostkeys(host_hostkeys); if (ip_hostkeys != NULL) free_hostkeys(ip_hostkeys); - if (cert_fallbackp != NULL) - *cert_fallbackp = cert_fallback; return 0; fail: - if (cert_fallbackp != NULL && want_cert && - host_status != HOST_REVOKED) { + if (want_cert && host_status != HOST_REVOKED) { /* * No matching certificate. Downgrade cert to raw key and * search normally. @@ -1144,7 +1128,6 @@ fail: if ((r = sshkey_drop_cert(raw_key)) != 0) fatal("Couldn't drop certificate: %s", ssh_err(r)); host_key = raw_key; - cert_fallback = 1; goto retry; } sshkey_free(raw_key); @@ -1157,24 +1140,15 @@ fail: return -1; } -/* - * returns 0 if key verifies or -1 if key does NOT verify. - * - * If the host key was a certificate that was downgraded to a plain key in - * the process of matching, then cert_fallbackp will be non-zero. - */ +/* returns 0 if key verifies or -1 if key does NOT verify */ int -verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key, - int *cert_fallbackp) +verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key) { u_int i; - int r = -1, flags = 0, cert_fallback = 0; + int r = -1, flags = 0; char valid[64], *fp = NULL, *cafp = NULL; struct sshkey *plain = NULL; - if (cert_fallbackp != NULL) - *cert_fallbackp = 0; - if ((fp = sshkey_fingerprint(host_key, options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) { error("%s: fingerprint host key: %s", __func__, ssh_err(r)); @@ -1265,20 +1239,15 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key, } r = check_host_key(host, hostaddr, options.port, host_key, RDRW, options.user_hostfiles, options.num_user_hostfiles, - options.system_hostfiles, options.num_system_hostfiles, - &cert_fallback); + options.system_hostfiles, options.num_system_hostfiles); out: sshkey_free(plain); free(fp); free(cafp); - if (r == 0) { - if (host_key != NULL) { - sshkey_free(previous_host_key); - r = sshkey_from_private(host_key, &previous_host_key); - } - if (r == 0 && cert_fallbackp != NULL) - *cert_fallbackp = cert_fallback; + if (r == 0 && host_key != NULL) { + sshkey_free(previous_host_key); + r = sshkey_from_private(host_key, &previous_host_key); } return r; |