Diffstat (limited to 'crypto/openssh/sshconnect.c')
-rw-r--r-- | crypto/openssh/sshconnect.c | 42 |
1 files changed, 32 insertions, 10 deletions
diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c
index 8030583c50aa..d8efc50ce395 100644
--- a/crypto/openssh/sshconnect.c
+++ b/crypto/openssh/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.356 2021/12/19 22:10:24 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.366 2024/01/11 01:45:36 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -54,7 +54,6 @@
 #include "ssh.h"
 #include "sshbuf.h"
 #include "packet.h"
-#include "compat.h"
 #include "sshkey.h"
 #include "sshconnect.h"
 #include "log.h"
@@ -364,7 +363,7 @@ ssh_create_socket(struct addrinfo *ai)
 		error("socket: %s", strerror(errno));
 		return -1;
 	}
-	fcntl(sock, F_SETFD, FD_CLOEXEC);
+	(void)fcntl(sock, F_SETFD, FD_CLOEXEC);
 
 	/* Use interactive QOS (if specified) until authentication completed */
 	if (options.ip_qos_interactive != INT_MAX)
@@ -482,6 +481,14 @@ ssh_connect_direct(struct ssh *ssh, const char *host, struct addrinfo *aitop,
 			errno = oerrno;
 			continue;
 		}
+		if (options.address_family != AF_UNSPEC &&
+		    ai->ai_family != options.address_family) {
+			debug2_f("skipping address [%s]:%s: "
+			    "wrong address family", ntop, strport);
+			errno = EAFNOSUPPORT;
+			continue;
+		}
+
 		debug("Connecting to %.200s [%.100s] port %s.",
 		    host, ntop, strport);
 
@@ -816,7 +823,7 @@ other_hostkeys_message(const char *host, const char *ip,
 	    system_hostfiles, num_system_hostfiles,
 	    &othernames, &num_othernames);
 	if (num_othernames == 0)
-		return xstrdup("This key is not known by any other names");
+		return xstrdup("This key is not known by any other names.");
 
 	xasprintf(&ret, "This host key is known by the following other "
 	    "names/addresses:");
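Review bot: The `(void)` cast on `fcntl(sock, F_SETFD, FD_CLOEXEC)` documents that the result is deliberately ignored, but a failure to set close-on-exec then goes entirely unreported, and this descriptor is presumably still open when ssh later spawns helper processes. Reporting the failure at debug level keeps the non-fatal behaviour while leaving a trace for troubleshooting: `if (fcntl(sock, F_SETFD, FD_CLOEXEC) == -1)` / `debug_f("fcntl FD_CLOEXEC: %s", strerror(errno));`. ssh_create_socket begins outside the hunk.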
@@ -935,7 +942,7 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
 	char *ip = NULL, *host = NULL;
 	char hostline[1000], *hostp, *fp, *ra;
 	char msg[1024];
-	const char *type, *fail_reason;
+	const char *type, *fail_reason = NULL;
 	const struct hostkey_entry *host_found = NULL, *ip_found = NULL;
 	int len, cancelled_forwarding = 0, confirmed;
 	int local = sockaddr_is_local(hostaddr);
@@ -961,6 +968,17 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
 	}
 
 	/*
+	 * Don't ever try to write an invalid name to a known hosts file.
+	 * Note: do this before get_hostfile_hostname_ipaddr() to catch
+	 * '[' or ']' in the name before they are added.
+	 */
+	if (strcspn(hostname, "@?*#[]|'\'\"\\") != strlen(hostname)) {
+		debug_f("invalid hostname \"%s\"; will not record: %s",
+		    hostname, fail_reason);
+		readonly = RDONLY;
+	}
+
+	/*
 	 * Prepare the hostname and address strings used for hostkey lookup.
 	 * In some cases, these will have a port number appended.
 	 */
@@ -1265,8 +1283,11 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
 	}
 	/* The host key has changed. */
 	warn_changed_key(host_key);
-	error("Add correct host key in %.100s to get rid of this message.",
-	    user_hostfiles[0]);
+	if (num_user_hostfiles > 0 || num_system_hostfiles > 0) {
+		error("Add correct host key in %.100s to get rid "
+		    "of this message.", num_user_hostfiles > 0 ?
+		    user_hostfiles[0] : system_hostfiles[0]);
+	}
 	error("Offending %s key in %s:%lu",
 	    sshkey_type(host_found->key), host_found->file,
 	    host_found->line);
@@ -1334,7 +1355,7 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
 	if (options.exit_on_forward_failure && cancelled_forwarding)
 		fatal("Error: forwarding disabled due to host key "
 		    "check failure");
-
+
 	/*
 	 * XXX Should permit the user to change to use the new id.
 	 * This could be done by converting the host key to an
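Review bot: In the new invalid-hostname check, `debug_f("invalid hostname \"%s\"; will not record: %s", hostname, fail_reason)` passes `fail_reason` while it still holds the `NULL` this same commit adds in the declaration hunk (-935), so the `%s` conversion receives a null pointer — glibc prints "(null)", but that is undefined behaviour in C and other libcs may crash. Nothing visible between the declaration and this call assigns `fail_reason`, and the message does not need it; `debug_f("invalid hostname \"%s\"; will not record", hostname);` says the same thing safely. As a secondary style point, `\'` inside the double-quoted reject set is just `'`, so the quote is listed twice while the escape suggests something else was intended. check_host_key's body continues outside the hunk on both sides.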
@@ -1553,8 +1574,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
 	lowercase(host);
 
 	/* Exchange protocol version identification strings with the server. */
-	if ((r = kex_exchange_identification(ssh, timeout_ms,
-	    options.version_addendum)) != 0)
+	if ((r = kex_exchange_identification(ssh, timeout_ms, NULL)) != 0)
 		sshpkt_fatal(ssh, r, "banner exchange");
 
 	/* Put the connection into non-blocking mode. */
@@ -1575,7 +1595,9 @@ show_other_keys(struct hostkeys *hostkeys, struct sshkey *key)
 {
 	int type[] = {
 		KEY_RSA,
+#ifdef WITH_DSA
 		KEY_DSA,
+#endif
 		KEY_ECDSA,
 		KEY_ED25519,
 		KEY_XMSS, |
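Review bot: Passing `NULL` in place of `options.version_addendum` makes any client-side VersionAddendum setting a no-op at the banner exchange, yet nothing in this hunk tells the user so; if readconf still accepts the keyword (not visible here), a configured value is now silently discarded. A one-line `debug_f` when `options.version_addendum` is non-NULL, or a note in the option's documentation that it now applies only to the server, would make the new behaviour explicit. ssh_login's body continues outside the hunk.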