Working new known_host algorithm

git-svn-id: svn+ssh://svn.berlios.de/svnroot/repos/libssh/trunk@302 7dcaeef0-15fb-0310-b436-a5af3365683c
2025-12-03 13:31:11 +03:00 · 2009-03-28 23:43:17 +00:00
parent 75d5bb457f
commit 3090d104cf
3 changed files with 195 additions and 131 deletions
--- a/include/libssh/priv.h
+++ b/include/libssh/priv.h
@@ -681,6 +681,9 @@ int channel_write1(CHANNEL *channel, void *data, int len);
 int ssh_handle_packets(SSH_SESSION *session);
 /* match.c */
 int match_hostname(const char *host, const char *pattern, unsigned int len);
 /* log.c */
 #define _enter_function(sess) \
--- a/libssh/keyfiles.c
+++ b/libssh/keyfiles.c
@@ -28,6 +28,7 @@ MA 02111-1307, USA. */
 #include <unistd.h>
 #include <stdlib.h>
 #include <fcntl.h>
 #include <ctype.h>
 #include "libssh/priv.h"
 #ifdef HAVE_LIBGCRYPT
 #include <gcrypt.h>
@@ -780,124 +781,101 @@ static int alldigits(char *s)
       }
       return 1;
 }
 /** @}
 */
-#define FOUND_OTHER ( (void *)-1)
+/** \brief lowercases a string
-#define FILE_NOT_FOUND ((void *)-2)
+ * \arg string string to lowercase
-/* will return a token array containing [host,]ip keytype key */
+ * \internal
-/* NULL if no match was found, FOUND_OTHER if the match is on an other */
+ */
-/* type of key (ie dsa if type was rsa) */
+static void lowercase(char *string){
-static char **ssh_parse_knownhost(char *filename, char *hostname, char *type){
+	for (;*string;string++){
-    FILE *file=fopen(filename,"r");
+		*string=tolower(*string);
 	}
 }
 /** \brief frees a token array
 * \internal
 */
 static void tokens_free(char **tokens){
 	free(tokens[0]);
 	/* It's not needed to free other pointers because tokens generated by
 	 * space_tokenize fit all in one malloc
 	 */
 	free(tokens);
 }
 /** \brief returns one line of known host file
 * will return a token array containing (host|ip) keytype key
 * \internal
 * \returns NULL if no match was found or the file was not found
 * \returns found_type type of key (ie "dsa","ssh-rsa1"). Don't free that value.
 */
 static char **ssh_get_knownhost_line(SSH_SESSION *session,FILE **file, char *filename,char **found_type){
    char buffer[4096];
    char *ptr;
    char *found_type;
    char **tokens;
-    char **ret=NULL;
+    enter_function();
-    if(!file)
+    if(!*file){
-        return FILE_NOT_FOUND;
+    	*file=fopen(filename,"r");
-    while(fgets(buffer,sizeof(buffer),file)){
+    	if(!file){
    		leave_function();
    		return NULL;
    	}
    }
    while(fgets(buffer,sizeof(buffer),*file)){
        ptr=strchr(buffer,'\n');
        if(ptr) *ptr=0;
        if((ptr=strchr(buffer,'\r'))) *ptr=0;
-        if(!buffer[0])
+        if(!buffer[0] || buffer[0]=='#')
            continue; /* skip empty lines */
        tokens=space_tokenize(buffer);
        if(!tokens[0] || !tokens[1] || !tokens[2]){
            /* it should have at least 3 tokens */
-            free(tokens[0]);
+            tokens_free(tokens);
            free(tokens);
            continue;
        }
-       found_type = tokens[1];
+        *found_type = tokens[1];
        if(tokens[3]){
           /* openssh rsa1 format has 4 tokens on the line. Recognize it
              by the fact that everything is all digits */
           if (tokens[4]) {
               /* that's never valid */
-               free(tokens[0]);
+               tokens_free(tokens);
               free(tokens);
               continue;
           }
           if (alldigits(tokens[1]) && alldigits(tokens[2]) && alldigits(tokens[3])) {
-               found_type = "ssh-rsa1";
+               *found_type = "ssh-rsa1";
           } else {
               /* 3 tokens only, not four */
-               free(tokens[0]);
+               tokens_free(tokens);
               free(tokens);
               continue;
           }
        }
-        ptr=tokens[0];
+        leave_function();
        while(*ptr==' ')
            ptr++; /* skip the initial spaces */
        /* we allow spaces or ',' to follow the hostname. It's generaly an IP */
        /* we don't care about ip, if the host key match there is no problem with ip */
        if(strncasecmp(ptr,hostname,strlen(hostname))==0){
            if(ptr[strlen(hostname)]==' ' || ptr[strlen(hostname)]=='\0'
                    || ptr[strlen(hostname)]==','){
                if(strcasecmp(found_type, type)==0){
                    fclose(file);
        return tokens;
                } else {
                    ret=FOUND_OTHER;
    }
-            }
+    fclose(*file);
-        }
+    *file=NULL;
-        /* not the good one */
+    /* we did not find anything, end of file*/
-        free(tokens[0]);
+    leave_function();
-        free(tokens);
+    return NULL;
    }
    fclose(file);
    /* we did not find */
    return ret;
 }
-/** @}
+/** \brief Check the public key in the known host line matches the
 * public key of the currently connected server.
 * \arg tokens list of tokens in the known_hosts line.
 * \return 1 if the key matches
 * \return 0 if the key doesn't match
 * \return -1 on error
 */
-/** \addtogroup ssh_session
+
- * @{ */
+static int check_public_key(SSH_SESSION *session, char **tokens){
 /** checks the user's known host file for a previous connection to the
 * current server.
 * \brief test if the server is known
 * \param session ssh session
 * \return SSH_SERVER_KNOWN_OK : the server is known and has not changed\n
 * SSH_SERVER_KNOWN_CHANGED : The server key has changed. Either you are under
 * attack or the administrator changed the key. you HAVE to warn the user about
 * a possible attack\n
 * SSH_SERVER_FOUND_OTHER : the server gave use a key of a type while we
 * had an other type recorded. It is a possible attack \n
 * SSH_SERVER_NOT_KNOWN : the server is unknown. User should confirm the MD5 is correct\n
 * SSH_SERVER_ERROR : Some error happened
 * \see ssh_options_set_wanted_algo()
 * \see ssh_get_pubkey_hash()
 * \bug there is no current way to remove or modify an entry into the known host table
 * \todo TODO this is a real mess. Clean this up someday
 */
 int ssh_is_server_known(SSH_SESSION *session){
    char *pubkey_64;
    BUFFER *pubkey_buffer;
    STRING *pubkey=session->current_crypto->server_pubkey;
    char **tokens;
    ssh_options_default_known_hosts_file(session->options);
    if(!session->options->host){
        ssh_set_error(session,SSH_FATAL,"Can't verify host in known hosts if the hostname isn't known");
        return SSH_SERVER_ERROR;
    }
    tokens=ssh_parse_knownhost(session->options->known_hosts_file,
        session->options->host,session->current_crypto->server_pubkey_type);
    if(tokens==NULL)
        return SSH_SERVER_NOT_KNOWN;
    if(tokens==FOUND_OTHER)
        return SSH_SERVER_FOUND_OTHER;
    if(tokens==FILE_NOT_FOUND){
        ssh_set_error(session,SSH_FATAL,"verifying that server is a known host : file %s not found",session->options->known_hosts_file);
        return SSH_SERVER_ERROR;
    }
 	/* ok we found some public key in known hosts file. now un-base64it */
-    /* Some time, we may verify the IP address did not change. I honestly think */
+	if (alldigits(tokens[1])) {
-    /* it's not an important matter as IP address are known not to be secure */
+		/* openssh rsa1 format */
    /* and the crypto stuff is enough to prove the server's identity */
    if (alldigits(tokens[1])) { /* openssh rsa1 format */
 		bignum tmpbn;
 		int i;
 		unsigned int len;
@@ -927,28 +905,111 @@ int ssh_is_server_known(SSH_SESSION *session){
 			free(tmpstring);
 		}
 	} else {
 		/* ssh-dss or ssh-rsa */
 		pubkey_64=tokens[2];
 		pubkey_buffer=base64_to_bin(pubkey_64);
 	}
-    /* at this point, we may free the tokens */
+
    free(tokens[0]);
    free(tokens);
 	if(!pubkey_buffer){
 		ssh_set_error(session,SSH_FATAL,"verifying that server is a known host : base 64 error");
-        return SSH_SERVER_ERROR;
+		return -1;
 	}
 	if(buffer_get_len(pubkey_buffer)!=string_len(pubkey)){
 		buffer_free(pubkey_buffer);
-        return SSH_SERVER_KNOWN_CHANGED;
+		return 0;
 	}
 	/* now test that they are identical */
 	if(memcmp(buffer_get(pubkey_buffer),pubkey->string,buffer_get_len(pubkey_buffer))!=0){
 		buffer_free(pubkey_buffer);
-        return SSH_SERVER_KNOWN_CHANGED;
+		return 0;
 	}
 	buffer_free(pubkey_buffer);
 	return 1;
 }
 /* How it's working :
 * 1- we open the known host file and bitch if it doesn't exist
 * 2- we need to examine each line of the file, until going on state SSH_SERVER_KNOWN_OK:
 *  - there's a match. if the key is good, state is SSH_SERVER_KNOWN_OK,
 *    else it's SSH_SERVER_KNOWN_CHANGED (or SSH_SERVER_FOUND_OTHER)
 *  - there's no match : no change
 *  - there's an antimatch : no change (that line is simply ignored)
 */
 /** \addtogroup ssh_session
 * @{ */
 /** checks the user's known host file for a previous connection to the
 * current server.
 * \brief test if the server is known
 * \param session ssh session
 * \return SSH_SERVER_KNOWN_OK : the server is known and has not changed\n
 * SSH_SERVER_KNOWN_CHANGED : The server key has changed. Either you are under
 * attack or the administrator changed the key. you HAVE to warn the user about
 * a possible attack\n
 * SSH_SERVER_FOUND_OTHER : the server gave use a key of a type while we
 * had an other type recorded. It is a possible attack \n
 * SSH_SERVER_NOT_KNOWN : the server is unknown. User should confirm the MD5 is correct\n
 * SSH_SERVER_ERROR : Some error happened
 * \see ssh_options_set_wanted_algo()
 * \see ssh_get_pubkey_hash()
 * \bug there is no current way to remove or modify an entry into the known host table
 * \todo TODO this is a real mess. Clean this up someday
 */
 int ssh_is_server_known(SSH_SESSION *session){
    char **tokens;
    char *host;
    char *type;
    int match;
    FILE *file=NULL;
    int ret=SSH_SERVER_NOT_KNOWN;
    enter_function();
    ssh_options_default_known_hosts_file(session->options);
    if(!session->options->host){
        ssh_set_error(session,SSH_FATAL,"Can't verify host in known hosts if the hostname isn't known");
        leave_function();
        return SSH_SERVER_ERROR;
    }
    host=strdup(session->options->host);
    lowercase(host);
    do {
    	tokens=ssh_get_knownhost_line(session,&file,session->options->known_hosts_file,&type);
    	//
    	/* End of file, return the current state */
    	if(tokens==NULL)
    		break;
    	match=match_hostname(host,tokens[0],strlen(tokens[0]));
    	if(match){
    		// We got a match. Now check the key type
    		if(strcmp(session->current_crypto->server_pubkey_type,type)!=0){
    			// different type. We don't override the known_changed error which is more important
    			if(ret != SSH_SERVER_KNOWN_CHANGED)
    				ret= SSH_SERVER_FOUND_OTHER;
    			tokens_free(tokens);
    			continue;
    		}
    		// so we know the key type is good. We may get a good key or a bad key.
 			match=check_public_key(session,tokens);
 			tokens_free(tokens);
 			if(match<0){
 				leave_function();
 				return SSH_SERVER_ERROR;
 			}
 			if(match==1){
 				fclose(file);
 				leave_function();
 				return SSH_SERVER_KNOWN_OK;
 			}
 			if(match==0){
 				/* We override the status with the wrong key state */
 				ret=SSH_SERVER_KNOWN_CHANGED;
 			}
    	}
    } while (1);
    /* Return the current state at end of file */
    leave_function();
    return ret;
 }
 /** You generaly use it when ssh_is_server_known() answered SSH_SERVER_NOT_KNOWN
 * \brief write the current server as known in the known hosts file
--- a/libssh/match.c
+++ b/libssh/match.c
@@ -37,7 +37,7 @@
 #include <sys/types.h>
 #include <ctype.h>
 #include <string.h>
-
+#include "libssh/priv.h"
 /*
 * Returns true if the given string matches the pattern (which may contain ?
 * and * as wildcards), and zero if it does not match.
@@ -164,6 +164,6 @@ static int match_pattern_list(const char *string, const char *pattern,
 * indicate negation).  Returns -1 if negation matches, 1 if there is
 * a positive match, 0 if there is no match at all.
 */
-static int match_hostname(const char *host, const char *pattern, unsigned int len) {
+int match_hostname(const char *host, const char *pattern, unsigned int len) {
 	return match_pattern_list(host, pattern, len, 1);
 }