aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndreas Schneider <asn@cryptomilk.org>2018-12-31 11:07:21 +0100
committerAndreas Schneider <asn@cryptomilk.org>2018-12-31 11:07:21 +0100
commit811db10fe8b6d4e2aa579caf185149450fd1586b (patch)
tree84fc6b03abb942dd60337c24b6f2afb61d2a6f5e
parent891de68eb40cc6cc24f3f5aca5eeac21987bdf03 (diff)
downloadcsync-811db10fe8b6d4e2aa579caf185149450fd1586b.tar.gz
csync-811db10fe8b6d4e2aa579caf185149450fd1586b.tar.xz
csync-811db10fe8b6d4e2aa579caf185149450fd1586b.zip
modules: Use new known_hosts API from libssh 0.8
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
-rw-r--r--modules/CMakeLists.txt2
-rw-r--r--modules/csync_sftp.c234
2 files changed, 119 insertions, 117 deletions
diff --git a/modules/CMakeLists.txt b/modules/CMakeLists.txt
index ff49f58..30db6a2 100644
--- a/modules/CMakeLists.txt
+++ b/modules/CMakeLists.txt
@@ -1,6 +1,6 @@
project(modules C)
-find_package(libssh 0.7.4)
+find_package(libssh 0.8.4)
find_package(Neon 0.29.0)
set(PLUGIN_VERSION_INSTALL_DIR "${PLUGIN_INSTALL_DIR}-${LIBRARY_SOVERSION}")
diff --git a/modules/csync_sftp.c b/modules/csync_sftp.c
index 3246583..cab88a0 100644
--- a/modules/csync_sftp.c
+++ b/modules/csync_sftp.c
@@ -297,7 +297,7 @@ static int _sftp_connect(const char *uri)
goto out;
}
- rc = ssh_get_publickey(_ssh_session, &srv_pubkey);
+ rc = ssh_get_server_publickey(_ssh_session, &srv_pubkey);
if (rc < 0) {
fprintf(stderr,
"csync_sftp - error connecting to the server: %s\n",
@@ -309,7 +309,7 @@ static int _sftp_connect(const char *uri)
}
rc = ssh_get_publickey_hash(srv_pubkey,
- SSH_PUBLICKEY_HASH_SHA1,
+ SSH_PUBLICKEY_HASH_SHA256,
&hash,
&hlen);
ssh_key_free(srv_pubkey);
@@ -324,130 +324,132 @@ static int _sftp_connect(const char *uri)
}
/* check the server public key hash */
- state = ssh_is_server_known(_ssh_session);
+ state = ssh_session_is_known_server(_ssh_session);
switch (state) {
- case SSH_SERVER_KNOWN_OK:
- break;
- case SSH_SERVER_KNOWN_CHANGED:
- fprintf(stderr,
- "csync_sftp - The host key for this server was not found, "
- "but another type of key exists.\n"
- "An attacker might change the default server key to "
- "confuse your client into thinking the key does not "
- "exist.\n"
- "Please contact your system administrator.\n"
- "%s\n",
- ssh_get_error(_ssh_session));
- ssh_print_hexa("csync_sftp - public key hash", hash, hlen);
-
- ssh_disconnect(_ssh_session);
- _ssh_session = NULL;
- ssh_finalize();
- rc = -1;
- goto out;
- break;
- case SSH_SERVER_FOUND_OTHER:
- fprintf(stderr,
- "csync_sftp - the host key for this server was not "
- "found but an other type of key exists.\n");
- fprintf(stderr,
- "csync_sftp - an attacker might change the default "
- "server key to confuse your client into thinking the key does not "
- "exist\n");
- fprintf(stderr,
- "The host key for the server %s has changed.\n"
- "This could either mean that DNS SPOOFING is happening or the IP "
- "address for the host and its host key have changed at the same time.\n"
- "The fingerprint for the key sent by the remote host is:\n", host);
- ssh_print_hexa("", hash, hlen);
- fprintf(stderr,
- "Please contact your system administrator.\n"
- "%s\n",
- ssh_get_error(_ssh_session));
-
- ssh_disconnect(_ssh_session);
- _ssh_session = NULL;
- ssh_finalize();
- rc = -1;
- goto out;
- break;
- case SSH_SERVER_NOT_KNOWN:
- if (_authcb) {
- char *hexa;
- char *prompt;
- char buf[4] = {0};
-
- hexa = ssh_get_hexa(hash, hlen);
- if (hexa == NULL) {
- ssh_disconnect(_ssh_session);
- _ssh_session = NULL;
- ssh_finalize();
- rc = -1;
- goto out;
- }
+ case SSH_KNOWN_HOSTS_CHANGED:
+ fprintf(stderr,
+ "csync_sftp - The host key for this server was not found, "
+ "but another type of key exists.\n"
+ "An attacker might change the default server key to "
+ "confuse your client into thinking the key does not "
+ "exist.\n"
+ "Please contact your system administrator.\n");
+ ssh_print_hash(SSH_PUBLICKEY_HASH_SHA256, hash, hlen);
+ ssh_clean_pubkey_hash(&hash);
- if (asprintf(&prompt,
- "The authenticity of host '%s' can't be established.\n"
- "RSA key fingerprint is %s.\n"
- "Are you sure you want to continue connecting (yes/no)?",
- host, hexa) < 0 ) {
- free(hexa);
- ssh_disconnect(_ssh_session);
- _ssh_session = NULL;
- ssh_finalize();
- rc = -1;
- goto out;
- }
+ ssh_disconnect(_ssh_session);
+ _ssh_session = NULL;
+ ssh_finalize();
+ rc = -1;
+ goto out;
+ case SSH_KNOWN_HOSTS_OTHER:
+ fprintf(stderr,
+ "csync_sftp - the host key for this server was not "
+ "found but an other type of key exists.\n");
+ fprintf(stderr,
+ "csync_sftp - an attacker might change the default "
+ "server key to confuse your client into thinking the key does not "
+ "exist\n");
+ fprintf(stderr,
+ "The host key for the server %s has changed.\n"
+ "This could either mean that DNS SPOOFING is happening or the IP "
+ "address for the host and its host key have changed at the same time.\n"
+ "The fingerprint for the key sent by the remote host is:\n", host);
+ fprintf(stderr,
+ "Please contact your system administrator.\n");
+ ssh_clean_pubkey_hash(&hash);
- free(hexa);
+ ssh_disconnect(_ssh_session);
+ _ssh_session = NULL;
+ ssh_finalize();
+ rc = -1;
+ goto out;
+ case SSH_KNOWN_HOSTS_NOT_FOUND:
+ fprintf(stderr,
+ "Could not find known host file. If you accept the host key here, "
+ "the file will be automatically created.\n");
+ case SSH_SERVER_NOT_KNOWN:
+ if (_authcb != NULL) {
+ char *h;
+ char *prompt;
+ char buf[4] = {0};
+ int cmp;
+
+ h = ssh_get_fingerprint_hash(SSH_PUBLICKEY_HASH_SHA256,
+ hash,
+ hlen);
+ ssh_clean_pubkey_hash(&hash);
+ if (h == NULL) {
+ ssh_disconnect(_ssh_session);
+ _ssh_session = NULL;
+ ssh_finalize();
+ rc = -1;
+ goto out;
+ }
- if ((*_authcb)(prompt, buf, sizeof(buf), 1, 0, _userdata) < 0) {
- free(prompt);
- ssh_disconnect(_ssh_session);
- _ssh_session = NULL;
- ssh_finalize();
- rc = -1;
- goto out;
- }
+ rc = asprintf(&prompt,
+ "The authenticity of host '%s' can't be established.\n"
+ "Fingerprint SHA256:%s.\n"
+ "Are you sure you want to continue connecting (yes/no)?",
+ host, h);
+ ssh_string_free_char(h);
+ if (rc < 0 ) {
+ ssh_disconnect(_ssh_session);
+ _ssh_session = NULL;
+ ssh_finalize();
+ rc = -1;
+ goto out;
+ }
+ rc = (*_authcb)(prompt, buf, sizeof(buf), 1, 0, _userdata);
+ if (rc < 0) {
free(prompt);
+ ssh_disconnect(_ssh_session);
+ _ssh_session = NULL;
+ ssh_finalize();
+ rc = -1;
+ goto out;
+ }
- if (strncasecmp(buf, "yes", 3) != 0) {
- ssh_disconnect(_ssh_session);
- _ssh_session = NULL;
- ssh_finalize();
- rc = -1;
- goto out;
- }
+ free(prompt);
- if (ssh_write_knownhost(_ssh_session) < 0) {
- ssh_disconnect(_ssh_session);
- _ssh_session = NULL;
- ssh_finalize();
- rc = -1;
- goto out;
- }
- } else {
- fprintf(stderr,"csync_sftp - the server is unknown. Connect manually to "
- "the host to retrieve the public key hash, then try again.\n");
+ cmp = strncasecmp(buf, "yes", 3);
+ if (cmp != 0) {
+ ssh_disconnect(_ssh_session);
+ _ssh_session = NULL;
+ ssh_finalize();
+ rc = -1;
+ goto out;
}
- ssh_disconnect(_ssh_session);
- _ssh_session = NULL;
- ssh_finalize();
- rc = -1;
- goto out;
- break;
- case SSH_SERVER_ERROR:
- fprintf(stderr, "%s\n", ssh_get_error(_ssh_session));
- ssh_disconnect(_ssh_session);
- _ssh_session = NULL;
- ssh_finalize();
- rc = -1;
- goto out;
- break;
- default:
- break;
+ rc = ssh_session_update_known_hosts(_ssh_session);
+ if (rc < 0) {
+ ssh_disconnect(_ssh_session);
+ _ssh_session = NULL;
+ ssh_finalize();
+ rc = -1;
+ goto out;
+ }
+ } else {
+ fprintf(stderr,"csync_sftp - the server is unknown. Connect manually to "
+ "the host to retrieve the public key hash, then try again.\n");
+ }
+ ssh_disconnect(_ssh_session);
+ _ssh_session = NULL;
+ ssh_finalize();
+ rc = -1;
+ goto out;
+ case SSH_KNOWN_HOSTS_ERROR:
+ fprintf(stderr, "%s\n", ssh_get_error(_ssh_session));
+ ssh_clean_pubkey_hash(&hash);
+
+ ssh_disconnect(_ssh_session);
+ _ssh_session = NULL;
+ ssh_finalize();
+ rc = -1;
+ goto out;
+ case SSH_KNOWN_HOSTS_OK:
+ break; /* ok */
}
/* Try to authenticate */