1
1

Improve the ssh_get_pubkey_hash() function.

git-svn-id: svn+ssh://svn.berlios.de/svnroot/repos/libssh/trunk@337 7dcaeef0-15fb-0310-b436-a5af3365683c
Этот коммит содержится в:
Andreas Schneider 2009-04-02 07:31:54 +00:00
родитель 4c84a3e0f2
Коммит 3a67aaa428
3 изменённых файлов: 58 добавлений и 24 удалений

Просмотреть файл

@ -237,7 +237,7 @@ void ssh_print_hexa(const char *descr, const unsigned char *what, size_t len);
int ssh_get_random(void *where,int len,int strong); int ssh_get_random(void *where,int len,int strong);
/* this one can be called by the client to see the hash of the public key before accepting it */ /* this one can be called by the client to see the hash of the public key before accepting it */
int ssh_get_pubkey_hash(SSH_SESSION *session,unsigned char hash[MD5_DIGEST_LEN]); int ssh_get_pubkey_hash(SSH_SESSION *session, unsigned char **hash);
STRING *ssh_get_pubkey(SSH_SESSION *session); STRING *ssh_get_pubkey(SSH_SESSION *session);
/* in connect.c */ /* in connect.c */

Просмотреть файл

@ -496,6 +496,7 @@ void generate_session_keys(SSH_SESSION *session){
if(session->next_crypto->out_cipher->keysize > SHA_DIGEST_LEN*8){ if(session->next_crypto->out_cipher->keysize > SHA_DIGEST_LEN*8){
ctx=sha1_init(); ctx=sha1_init();
if (ctx == NULL) { if (ctx == NULL) {
leave_function();
return; return;
} }
sha1_update(ctx,k_string,string_len(k_string)+4); sha1_update(ctx,k_string,string_len(k_string)+4);
@ -533,27 +534,52 @@ void generate_session_keys(SSH_SESSION *session){
/** \addtogroup ssh_session /** \addtogroup ssh_session
* @{ */ * @{ */
/** \brief get the md5 hash of the server public key /**
* \param session ssh session * @brief Allocates a buffer with the MD5 hash of the server public key.
* \param hash destination for the md5 hash *
* \return size of the hash in bytes * @param session The SSH session to use.
* \warning it is very important that you verify at some moment that the hash matches *
* a known server. If you don't do it, cryptography won't help you at making things secure * @param hash The buffer to allocate.
* \see ssh_is_server_known() *
* @return The bytes allocated or < 0 on error.
*
* @warning It is very important that you verify at some moment that the hash
* matches a known server. If you don't do it, cryptography wont help
* you at making things secure
*
* @see ssh_is_server_known()
* @see ssh_get_hexa()
* @see ssh_print_hexa()
*/ */
int ssh_get_pubkey_hash(SSH_SESSION *session,unsigned char hash[MD5_DIGEST_LEN]){ int ssh_get_pubkey_hash(SSH_SESSION *session, unsigned char **hash) {
STRING *pubkey=session->current_crypto->server_pubkey; STRING *pubkey;
MD5CTX ctx; MD5CTX ctx;
int len=string_len(pubkey); unsigned char *h;
ctx=md5_init(); if (session == NULL || hash == NULL) {
if (ctx == NULL) { return -1;
return 0; }
}
md5_update(ctx,pubkey->string,len); *hash = NULL;
md5_final(hash,ctx);
return MD5_DIGEST_LEN; h = malloc(sizeof(unsigned char *) * MD5_DIGEST_LEN);
if (h == NULL) {
return -1;
}
ctx = md5_init();
if (ctx == NULL) {
return -1;
}
pubkey = session->current_crypto->server_pubkey;
md5_update(ctx, pubkey->string, string_len(pubkey));
md5_final(h, ctx);
*hash = h;
return MD5_DIGEST_LEN;
} }
STRING *ssh_get_pubkey(SSH_SESSION *session){ STRING *ssh_get_pubkey(SSH_SESSION *session){

Просмотреть файл

@ -406,7 +406,8 @@ int main(int argc, char **argv){
char *hexa; char *hexa;
int state; int state;
char buf[10]; char buf[10];
unsigned char hash[MD5_DIGEST_LEN]; unsigned char *hash = NULL;
int hlen;
options=ssh_options_new(); options=ssh_options_new();
if(ssh_options_getopt(options,&argc, argv)){ if(ssh_options_getopt(options,&argc, argv)){
@ -427,13 +428,20 @@ int main(int argc, char **argv){
return 1; return 1;
} }
state=ssh_is_server_known(session); state=ssh_is_server_known(session);
hlen = ssh_get_pubkey_hash(session, &hash);
if (hlen < 0) {
ssh_disconnect(session);
ssh_finalize();
return 1;
}
switch(state){ switch(state){
case SSH_SERVER_KNOWN_OK: case SSH_SERVER_KNOWN_OK:
break; /* ok */ break; /* ok */
case SSH_SERVER_KNOWN_CHANGED: case SSH_SERVER_KNOWN_CHANGED:
fprintf(stderr,"Host key for server changed : server's one is now :\n"); fprintf(stderr,"Host key for server changed : server's one is now :\n");
ssh_get_pubkey_hash(session,hash); ssh_print_hexa("Public key hash",hash, hlen);
ssh_print_hexa("Public key hash",hash,MD5_DIGEST_LEN); free(hash);
fprintf(stderr,"For security reason, connection will be stopped\n"); fprintf(stderr,"For security reason, connection will be stopped\n");
ssh_disconnect(session); ssh_disconnect(session);
ssh_finalize(); ssh_finalize();
@ -447,8 +455,8 @@ int main(int argc, char **argv){
ssh_finalize(); ssh_finalize();
exit(-1); exit(-1);
case SSH_SERVER_NOT_KNOWN: case SSH_SERVER_NOT_KNOWN:
ssh_get_pubkey_hash(session, hash); hexa = ssh_get_hexa(hash, hlen);
hexa = ssh_get_hexa(hash, MD5_DIGEST_LEN); free(hash);
fprintf(stderr,"The server is unknown. Do you trust the host key ?\n"); fprintf(stderr,"The server is unknown. Do you trust the host key ?\n");
fprintf(stderr, "Public key hash: %s\n", hexa); fprintf(stderr, "Public key hash: %s\n", hexa);
free(hexa); free(hexa);