Line | Source | Count |
1 | | - |
2 | | - |
3 | | - |
4 | | - |
5 | | - |
6 | | - |
7 | | - |
8 | | - |
9 | | - |
10 | | - |
11 | | - |
12 | | - |
13 | | - |
14 | | - |
15 | | - |
16 | #include "includes.h" | - |
17 | | - |
18 | #include <sys/types.h> | - |
19 | #include <sys/wait.h> | - |
20 | #include <sys/stat.h> | - |
21 | #include <sys/socket.h> | - |
22 | #ifdef HAVE_SYS_TIME_H | - |
23 | # include <sys/time.h> | - |
24 | #endif | - |
25 | | - |
26 | #include <net/if.h> | - |
27 | #include <netinet/in.h> | - |
28 | #include <arpa/inet.h> | - |
29 | | - |
30 | #include <ctype.h> | - |
31 | #include <errno.h> | - |
32 | #include <fcntl.h> | - |
33 | #include <netdb.h> | - |
34 | #ifdef HAVE_PATHS_H | - |
35 | #include <paths.h> | - |
36 | #endif | - |
37 | #include <pwd.h> | - |
38 | #ifdef HAVE_POLL_H | - |
39 | #include <poll.h> | - |
40 | #endif | - |
41 | #include <signal.h> | - |
42 | #include <stdarg.h> | - |
43 | #include <stdio.h> | - |
44 | #include <stdlib.h> | - |
45 | #include <string.h> | - |
46 | #include <unistd.h> | - |
47 | #ifdef HAVE_IFADDRS_H | - |
48 | # include <ifaddrs.h> | - |
49 | #endif | - |
50 | | - |
51 | #include "xmalloc.h" | - |
52 | #include "hostfile.h" | - |
53 | #include "ssh.h" | - |
54 | #include "sshbuf.h" | - |
55 | #include "packet.h" | - |
56 | #include "compat.h" | - |
57 | #include "sshkey.h" | - |
58 | #include "sshconnect.h" | - |
59 | #include "hostfile.h" | - |
60 | #include "log.h" | - |
61 | #include "misc.h" | - |
62 | #include "readconf.h" | - |
63 | #include "atomicio.h" | - |
64 | #include "dns.h" | - |
65 | #include "monitor_fdpass.h" | - |
66 | #include "ssh2.h" | - |
67 | #include "version.h" | - |
68 | #include "authfile.h" | - |
69 | #include "ssherr.h" | - |
70 | #include "authfd.h" | - |
71 | | - |
72 | char *client_version_string = NULL; | - |
73 | char *server_version_string = NULL; | - |
74 | struct sshkey *previous_host_key = NULL; | - |
75 | | - |
76 | static int matching_host_key_dns = 0; | - |
77 | | - |
78 | static pid_t proxy_command_pid = 0; | - |
79 | | - |
80 | | - |
81 | extern Options options; | - |
82 | extern char *__progname; | - |
83 | | - |
84 | static int show_other_keys(struct hostkeys *, struct sshkey *); | - |
85 | static void warn_changed_key(struct sshkey *); | - |
86 | | - |
87 | | - |
88 | static char * | - |
89 | expand_proxy_command(const char *proxy_command, const char *user, | - |
90 | const char *host, int port) | - |
91 | { | - |
92 | char *tmp, *ret, strport[NI_MAXSERV]; | - |
93 | | - |
94 | snprintf(strport, sizeof strport, "%d", port); | - |
95 | xasprintf(&tmp, "exec %s", proxy_command); | - |
96 | ret = percent_expand(tmp, "h", host, "p", strport, | - |
97 | "r", options.user, (char *)NULL); | - |
98 | free(tmp); | - |
99 | return ret; never executed: return ret; | 0 |
100 | } | - |
101 | | - |
102 | | - |
103 | | - |
104 | | - |
105 | | - |
106 | static int | - |
107 | ssh_proxy_fdpass_connect(struct ssh *ssh, const char *host, u_short port, | - |
108 | const char *proxy_command) | - |
109 | { | - |
110 | char *command_string; | - |
111 | int sp[2], sock; | - |
112 | pid_t pid; | - |
113 | char *shell; | - |
114 | | - |
115 | if ((shell = getenv("SHELL")) == NULL)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
116 | shell = _PATH_BSHELL; never executed: shell = "/bin/sh" ; | 0 |
117 | | - |
118 | if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
119 | fatal("Could not create socketpair to communicate with " never executed: fatal("Could not create socketpair to communicate with " "proxy dialer: %.100s", strerror( (*__errno_location ()) )); | 0 |
120 | "proxy dialer: %.100s", strerror(errno)); never executed: fatal("Could not create socketpair to communicate with " "proxy dialer: %.100s", strerror( (*__errno_location ()) )); | 0 |
121 | | - |
122 | command_string = expand_proxy_command(proxy_command, options.user, | - |
123 | host, port); | - |
124 | debug("Executing proxy dialer command: %.500s", command_string); | - |
125 | | - |
126 | | - |
127 | if ((pid = fork()) == 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
128 | char *argv[10]; | - |
129 | | - |
130 | close(sp[1]); | - |
131 | | - |
132 | if (sp[0] != 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
133 | if (dup2(sp[0], 0) < 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
134 | perror("dup2 stdin"); never executed: perror("dup2 stdin"); | 0 |
135 | } never executed: end of block | 0 |
136 | if (sp[0] != 1) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
137 | if (dup2(sp[0], 1) < 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
138 | perror("dup2 stdout"); never executed: perror("dup2 stdout"); | 0 |
139 | } never executed: end of block | 0 |
140 | if (sp[0] >= 2)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
141 | close(sp[0]); never executed: close(sp[0]); | 0 |
142 | | - |
143 | | - |
144 | | - |
145 | | - |
146 | | - |
147 | argv[0] = shell; | - |
148 | argv[1] = "-c"; | - |
149 | argv[2] = command_string; | - |
150 | argv[3] = NULL; | - |
151 | | - |
152 | | - |
153 | | - |
154 | | - |
155 | | - |
156 | execv(argv[0], argv); | - |
157 | perror(argv[0]); | - |
158 | exit(1); never executed: exit(1); | 0 |
159 | } | - |
160 | | - |
161 | if (pid < 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
162 | fatal("fork failed: %.100s", strerror(errno)); never executed: fatal("fork failed: %.100s", strerror( (*__errno_location ()) )); | 0 |
163 | close(sp[0]); | - |
164 | free(command_string); | - |
165 | | - |
166 | if ((sock = mm_receive_fd(sp[1])) == -1)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
167 | fatal("proxy dialer did not pass back a connection"); never executed: fatal("proxy dialer did not pass back a connection"); | 0 |
168 | close(sp[1]); | - |
169 | | - |
170 | while (waitpid(pid, NULL, 0) == -1)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
171 | if (errno != EINTR)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
172 | fatal("Couldn't wait for child: %s", strerror(errno)); never executed: fatal("Couldn't wait for child: %s", strerror( (*__errno_location ()) )); | 0 |
173 | | - |
174 | | - |
175 | if (ssh_packet_set_connection(ssh, sock, sock) == NULL)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
176 | return -1; never executed: return -1; | 0 |
177 | | - |
178 | return 0; never executed: return 0; | 0 |
179 | } | - |
180 | | - |
181 | | - |
182 | | - |
183 | | - |
184 | static int | - |
185 | ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port, | - |
186 | const char *proxy_command) | - |
187 | { | - |
188 | char *command_string; | - |
189 | int pin[2], pout[2]; | - |
190 | pid_t pid; | - |
191 | char *shell; | - |
192 | | - |
193 | if ((shell = getenv("SHELL")) == NULL || *shell == '\0')TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
194 | shell = _PATH_BSHELL; never executed: shell = "/bin/sh" ; | 0 |
195 | | - |
196 | | - |
197 | if (pipe(pin) < 0 || pipe(pout) < 0)TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
198 | fatal("Could not create pipes to communicate with the proxy: %.100s", never executed: fatal("Could not create pipes to communicate with the proxy: %.100s", strerror( (*__errno_location ()) )); | 0 |
199 | strerror(errno)); never executed: fatal("Could not create pipes to communicate with the proxy: %.100s", strerror( (*__errno_location ()) )); | 0 |
200 | | - |
201 | command_string = expand_proxy_command(proxy_command, options.user, | - |
202 | host, port); | - |
203 | debug("Executing proxy command: %.500s", command_string); | - |
204 | | - |
205 | | - |
206 | if ((pid = fork()) == 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
207 | char *argv[10]; | - |
208 | | - |
209 | | - |
210 | close(pin[1]); | - |
211 | if (pin[0] != 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
212 | if (dup2(pin[0], 0) < 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
213 | perror("dup2 stdin"); never executed: perror("dup2 stdin"); | 0 |
214 | close(pin[0]); | - |
215 | } never executed: end of block | 0 |
216 | close(pout[0]); | - |
217 | if (dup2(pout[1], 1) < 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
218 | perror("dup2 stdout"); never executed: perror("dup2 stdout"); | 0 |
219 | | - |
220 | close(pout[1]); | - |
221 | | - |
222 | | - |
223 | | - |
224 | argv[0] = shell; | - |
225 | argv[1] = "-c"; | - |
226 | argv[2] = command_string; | - |
227 | argv[3] = NULL; | - |
228 | | - |
229 | | - |
230 | | - |
231 | signal(SIGPIPE, SIG_DFL); | - |
232 | execv(argv[0], argv); | - |
233 | perror(argv[0]); | - |
234 | exit(1); never executed: exit(1); | 0 |
235 | } | - |
236 | | - |
237 | if (pid < 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
238 | fatal("fork failed: %.100s", strerror(errno)); never executed: fatal("fork failed: %.100s", strerror( (*__errno_location ()) )); | 0 |
239 | else | - |
240 | proxy_command_pid = pid; never executed: proxy_command_pid = pid; | 0 |
241 | | - |
242 | | - |
243 | close(pin[0]); | - |
244 | close(pout[1]); | - |
245 | | - |
246 | | - |
247 | free(command_string); | - |
248 | | - |
249 | | - |
250 | if (ssh_packet_set_connection(ssh, pout[0], pin[1]) == NULL)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
251 | return -1; never executed: return -1; | 0 |
252 | | - |
253 | return 0; never executed: return 0; | 0 |
254 | } | - |
255 | | - |
256 | void | - |
257 | ssh_kill_proxy_command(void) | - |
258 | { | - |
259 | | - |
260 | | - |
261 | | - |
262 | | - |
263 | if (proxy_command_pid > 1)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
264 | kill(proxy_command_pid, SIGHUP); never executed: kill(proxy_command_pid, 1 ); | 0 |
265 | } never executed: end of block | 0 |
266 | | - |
267 | #ifdef HAVE_IFADDRS_H | - |
268 | | - |
269 | | - |
270 | | - |
271 | | - |
272 | | - |
273 | static int | - |
274 | check_ifaddrs(const char *ifname, int af, const struct ifaddrs *ifaddrs, | - |
275 | struct sockaddr_storage *resultp, socklen_t *rlenp) | - |
276 | { | - |
277 | struct sockaddr_in6 *sa6; | - |
278 | struct sockaddr_in *sa; | - |
279 | struct in6_addr *v6addr; | - |
280 | const struct ifaddrs *ifa; | - |
281 | int allow_local; | - |
282 | | - |
283 | | - |
284 | | - |
285 | | - |
286 | | - |
287 | for (allow_local = 0; allow_local < 2; allow_local++) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
288 | for (ifa = ifaddrs; ifa != NULL; ifa = ifa->ifa_next) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
289 | if (ifa->ifa_addr == NULL || ifa->ifa_name == NULL ||TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
290 | (ifa->ifa_flags & IFF_UP) == 0 ||TRUE | never evaluated | FALSE | never evaluated |
| 0 |
291 | ifa->ifa_addr->sa_family != af ||TRUE | never evaluated | FALSE | never evaluated |
| 0 |
292 | strcmp(ifa->ifa_name, options.bind_interface) != 0) never executed: __result = (((const unsigned char *) (const char *) ( ifa->ifa_name ))[3] - __s2[3]); never executed: end of block never executed: end of block never executed: __result = (((const unsigned char *) (const char *) ( options.bind_interface ))[3] - __s2[3]); never executed: end of block never executed: end of block TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
293 | continue; never executed: continue; | 0 |
294 | switch (ifa->ifa_addr->sa_family) { | - |
295 | case AF_INET: never executed: case 2 : | 0 |
296 | sa = (struct sockaddr_in *)ifa->ifa_addr; | - |
297 | if (!allow_local && sa->sin_addr.s_addr ==TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
298 | htonl(INADDR_LOOPBACK))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
299 | continue; never executed: continue; | 0 |
300 | if (*rlenp < sizeof(struct sockaddr_in)) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
301 | error("%s: v4 addr doesn't fit", | - |
302 | __func__); | - |
303 | return -1; never executed: return -1; | 0 |
304 | } | - |
305 | *rlenp = sizeof(struct sockaddr_in); | - |
306 | memcpy(resultp, sa, *rlenp); | - |
307 | return 0; never executed: return 0; | 0 |
308 | case AF_INET6: never executed: case 10 : | 0 |
309 | sa6 = (struct sockaddr_in6 *)ifa->ifa_addr; | - |
310 | v6addr = &sa6->sin6_addr; | - |
311 | if (!allow_local &&TRUE | never evaluated | FALSE | never evaluated |
| 0 |
312 | (IN6_IS_ADDR_LINKLOCAL(v6addr) ||TRUE | never evaluated | FALSE | never evaluated |
| 0 |
313 | IN6_IS_ADDR_LOOPBACK(v6addr)))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
314 | continue; never executed: continue; | 0 |
315 | if (*rlenp < sizeof(struct sockaddr_in6)) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
316 | error("%s: v6 addr doesn't fit", | - |
317 | __func__); | - |
318 | return -1; never executed: return -1; | 0 |
319 | } | - |
320 | *rlenp = sizeof(struct sockaddr_in6); | - |
321 | memcpy(resultp, sa6, *rlenp); | - |
322 | return 0; never executed: return 0; | 0 |
323 | } | - |
324 | } never executed: end of block | 0 |
325 | } never executed: end of block | 0 |
326 | return -1; never executed: return -1; | 0 |
327 | } | - |
328 | #endif | - |
329 | | - |
330 | | - |
331 | | - |
332 | | - |
333 | static int | - |
334 | ssh_create_socket(struct addrinfo *ai) | - |
335 | { | - |
336 | int sock, r; | - |
337 | struct sockaddr_storage bindaddr; | - |
338 | socklen_t bindaddrlen = 0; | - |
339 | struct addrinfo hints, *res = NULL; | - |
340 | #ifdef HAVE_IFADDRS_H | - |
341 | struct ifaddrs *ifaddrs = NULL; | - |
342 | #endif | - |
343 | char ntop[NI_MAXHOST]; | - |
344 | | - |
345 | sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); | - |
346 | if (sock < 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
347 | error("socket: %s", strerror(errno)); | - |
348 | return -1; never executed: return -1; | 0 |
349 | } | - |
350 | fcntl(sock, F_SETFD, FD_CLOEXEC); | - |
351 | | - |
352 | | - |
353 | if (options.bind_address == NULL && options.bind_interface == NULL)TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
354 | return sock; never executed: return sock; | 0 |
355 | | - |
356 | if (options.bind_address != NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
357 | memset(&hints, 0, sizeof(hints)); | - |
358 | hints.ai_family = ai->ai_family; | - |
359 | hints.ai_socktype = ai->ai_socktype; | - |
360 | hints.ai_protocol = ai->ai_protocol; | - |
361 | hints.ai_flags = AI_PASSIVE; | - |
362 | if ((r = getaddrinfo(options.bind_address, NULL,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
363 | &hints, &res)) != 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
364 | error("getaddrinfo: %s: %s", options.bind_address, | - |
365 | ssh_gai_strerror(r)); | - |
366 | goto fail; never executed: goto fail; | 0 |
367 | } | - |
368 | if (res == NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
369 | error("getaddrinfo: no addrs"); | - |
370 | goto fail; never executed: goto fail; | 0 |
371 | } | - |
372 | if (res->ai_addrlen > sizeof(bindaddr)) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
373 | error("%s: addr doesn't fit", __func__); | - |
374 | goto fail; never executed: goto fail; | 0 |
375 | } | - |
376 | memcpy(&bindaddr, res->ai_addr, res->ai_addrlen); | - |
377 | bindaddrlen = res->ai_addrlen; | - |
378 | } else if (options.bind_interface != NULL) { never executed: end of block TRUE | never evaluated | FALSE | never evaluated |
| 0 |
379 | #ifdef HAVE_IFADDRS_H | - |
380 | if ((r = getifaddrs(&ifaddrs)) != 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
381 | error("getifaddrs: %s: %s", options.bind_interface, | - |
382 | strerror(errno)); | - |
383 | goto fail; never executed: goto fail; | 0 |
384 | } | - |
385 | bindaddrlen = sizeof(bindaddr); | - |
386 | if (check_ifaddrs(options.bind_interface, ai->ai_family,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
387 | ifaddrs, &bindaddr, &bindaddrlen) != 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
388 | logit("getifaddrs: %s: no suitable addresses", | - |
389 | options.bind_interface); | - |
390 | goto fail; never executed: goto fail; | 0 |
391 | } | - |
392 | #else | - |
393 | error("BindInterface not supported on this platform."); | - |
394 | #endif | - |
395 | } never executed: end of block | 0 |
396 | if ((r = getnameinfo((struct sockaddr *)&bindaddr, bindaddrlen,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
397 | ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST)) != 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
398 | error("%s: getnameinfo failed: %s", __func__, | - |
399 | ssh_gai_strerror(r)); | - |
400 | goto fail; never executed: goto fail; | 0 |
401 | } | - |
402 | if (bind(sock, (struct sockaddr *)&bindaddr, bindaddrlen) != 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
403 | error("bind %s: %s", ntop, strerror(errno)); | - |
404 | goto fail; never executed: goto fail; | 0 |
405 | } | - |
406 | debug("%s: bound to %s", __func__, ntop); | - |
407 | | - |
408 | goto out; never executed: goto out; | 0 |
409 | fail: | - |
410 | close(sock); | - |
411 | sock = -1; | - |
412 | out: code before this statement never executed: out: | 0 |
413 | if (res != NULL)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
414 | freeaddrinfo(res); never executed: freeaddrinfo(res); | 0 |
415 | #ifdef HAVE_IFADDRS_H | - |
416 | if (ifaddrs != NULL)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
417 | freeifaddrs(ifaddrs); never executed: freeifaddrs(ifaddrs); | 0 |
418 | #endif | - |
419 | return sock; never executed: return sock; | 0 |
420 | } | - |
421 | | - |
422 | | - |
423 | | - |
424 | | - |
425 | | - |
426 | | - |
427 | static int | - |
428 | waitrfd(int fd, int *timeoutp) | - |
429 | { | - |
430 | struct pollfd pfd; | - |
431 | struct timeval t_start; | - |
432 | int oerrno, r; | - |
433 | | - |
434 | monotime_tv(&t_start); | - |
435 | pfd.fd = fd; | - |
436 | pfd.events = POLLIN; | - |
437 | for (; *timeoutp >= 0;) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
438 | r = poll(&pfd, 1, *timeoutp); | - |
439 | oerrno = errno; | - |
440 | ms_subtract_diff(&t_start, timeoutp); | - |
441 | errno = oerrno; | - |
442 | if (r > 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
443 | return 0; never executed: return 0; | 0 |
444 | else if (r == -1 && errno != EAGAIN)TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
445 | return -1; never executed: return -1; | 0 |
446 | else if (r == 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
447 | break; never executed: break; | 0 |
448 | } never executed: end of block | 0 |
449 | | - |
450 | errno = ETIMEDOUT; | - |
451 | return -1; never executed: return -1; | 0 |
452 | } | - |
453 | | - |
454 | static int | - |
455 | timeout_connect(int sockfd, const struct sockaddr *serv_addr, | - |
456 | socklen_t addrlen, int *timeoutp) | - |
457 | { | - |
458 | int optval = 0; | - |
459 | socklen_t optlen = sizeof(optval); | - |
460 | | - |
461 | | - |
462 | if (*timeoutp <= 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
463 | return connect(sockfd, serv_addr, addrlen); never executed: return connect(sockfd, serv_addr, addrlen); | 0 |
464 | | - |
465 | set_nonblock(sockfd); | - |
466 | if (connect(sockfd, serv_addr, addrlen) == 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
467 | | - |
468 | unset_nonblock(sockfd); | - |
469 | return 0; never executed: return 0; | 0 |
470 | } else if (errno != EINPROGRESS)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
471 | return -1; never executed: return -1; | 0 |
472 | | - |
473 | if (waitrfd(sockfd, timeoutp) == -1)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
474 | return -1; never executed: return -1; | 0 |
475 | | - |
476 | | - |
477 | if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval, &optlen) == -1) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
478 | debug("getsockopt: %s", strerror(errno)); | - |
479 | return -1; never executed: return -1; | 0 |
480 | } | - |
481 | if (optval != 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
482 | errno = optval; | - |
483 | return -1; never executed: return -1; | 0 |
484 | } | - |
485 | unset_nonblock(sockfd); | - |
486 | return 0; never executed: return 0; | 0 |
487 | } | - |
488 | | - |
489 | | - |
490 | | - |
491 | | - |
492 | | - |
493 | | - |
494 | | - |
495 | | - |
496 | | - |
497 | | - |
498 | static int | - |
499 | ssh_connect_direct(struct ssh *ssh, const char *host, struct addrinfo *aitop, | - |
500 | struct sockaddr_storage *hostaddr, u_short port, int family, | - |
501 | int connection_attempts, int *timeout_ms, int want_keepalive) | - |
502 | { | - |
503 | int on = 1; | - |
504 | int oerrno, sock = -1, attempt; | - |
505 | char ntop[NI_MAXHOST], strport[NI_MAXSERV]; | - |
506 | struct addrinfo *ai; | - |
507 | | - |
508 | debug2("%s", __func__); | - |
509 | memset(ntop, 0, sizeof(ntop)); | - |
510 | memset(strport, 0, sizeof(strport)); | - |
511 | | - |
512 | for (attempt = 0; attempt < connection_attempts; attempt++) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
513 | if (attempt > 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
514 | | - |
515 | sleep(1); | - |
516 | debug("Trying again..."); | - |
517 | } never executed: end of block | 0 |
518 | | - |
519 | | - |
520 | | - |
521 | | - |
522 | for (ai = aitop; ai; ai = ai->ai_next) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
523 | if (ai->ai_family != AF_INET &&TRUE | never evaluated | FALSE | never evaluated |
| 0 |
524 | ai->ai_family != AF_INET6) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
525 | errno = EAFNOSUPPORT; | - |
526 | continue; never executed: continue; | 0 |
527 | } | - |
528 | if (getnameinfo(ai->ai_addr, ai->ai_addrlen,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
529 | ntop, sizeof(ntop), strport, sizeof(strport),TRUE | never evaluated | FALSE | never evaluated |
| 0 |
530 | NI_NUMERICHOST|NI_NUMERICSERV) != 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
531 | oerrno = errno; | - |
532 | error("%s: getnameinfo failed", __func__); | - |
533 | errno = oerrno; | - |
534 | continue; never executed: continue; | 0 |
535 | } | - |
536 | debug("Connecting to %.200s [%.100s] port %s.", | - |
537 | host, ntop, strport); | - |
538 | | - |
539 | | - |
540 | sock = ssh_create_socket(ai); | - |
541 | if (sock < 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
542 | | - |
543 | errno = 0; | - |
544 | continue; never executed: continue; | 0 |
545 | } | - |
546 | | - |
547 | if (timeout_connect(sock, ai->ai_addr, ai->ai_addrlen,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
548 | timeout_ms) >= 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
549 | | - |
550 | memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); | - |
551 | break; never executed: break; | 0 |
552 | } else { | - |
553 | oerrno = errno; | - |
554 | debug("connect to address %s port %s: %s", | - |
555 | ntop, strport, strerror(errno)); | - |
556 | close(sock); | - |
557 | sock = -1; | - |
558 | errno = oerrno; | - |
559 | } never executed: end of block | 0 |
560 | } | - |
561 | if (sock != -1)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
562 | break; never executed: break; | 0 |
563 | } never executed: end of block | 0 |
564 | | - |
565 | | - |
566 | if (sock == -1) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
567 | error("ssh: connect to host %s port %s: %s", | - |
568 | host, strport, errno == 0 ? "failure" : strerror(errno)); | - |
569 | return -1; never executed: return -1; | 0 |
570 | } | - |
571 | | - |
572 | debug("Connection established."); | - |
573 | | - |
574 | | - |
575 | if (want_keepalive &&TRUE | never evaluated | FALSE | never evaluated |
| 0 |
576 | setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&on,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
577 | sizeof(on)) < 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
578 | error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); never executed: error("setsockopt SO_KEEPALIVE: %.100s", strerror( (*__errno_location ()) )); | 0 |
579 | | - |
580 | | - |
581 | if (ssh_packet_set_connection(ssh, sock, sock) == NULL)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
582 | return -1; never executed: return -1; | 0 |
583 | | - |
584 | return 0; never executed: return 0; | 0 |
585 | } | - |
586 | | - |
587 | int | - |
588 | ssh_connect(struct ssh *ssh, const char *host, struct addrinfo *addrs, | - |
589 | struct sockaddr_storage *hostaddr, u_short port, int family, | - |
590 | int connection_attempts, int *timeout_ms, int want_keepalive) | - |
591 | { | - |
592 | if (options.proxy_command == NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
593 | return ssh_connect_direct(ssh, host, addrs, hostaddr, port, never executed: return ssh_connect_direct(ssh, host, addrs, hostaddr, port, family, connection_attempts, timeout_ms, want_keepalive); | 0 |
594 | family, connection_attempts, timeout_ms, want_keepalive); never executed: return ssh_connect_direct(ssh, host, addrs, hostaddr, port, family, connection_attempts, timeout_ms, want_keepalive); | 0 |
595 | } else if (strcmp(options.proxy_command, "-") == 0) { never executed: __result = (((const unsigned char *) (const char *) ( options.proxy_command ))[3] - __s2[3]); never executed: end of block never executed: end of block never executed: __result = (((const unsigned char *) (const char *) ( "-" ))[3] - __s2[3]); never executed: end of block never executed: end of block TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
596 | if ((ssh_packet_set_connection(ssh,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
597 | STDIN_FILENO, STDOUT_FILENO)) == NULL)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
598 | return -1; never executed: return -1; | 0 |
599 | return 0; never executed: return 0; | 0 |
600 | } else if (options.proxy_use_fdpass) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
601 | return ssh_proxy_fdpass_connect(ssh, host, port, never executed: return ssh_proxy_fdpass_connect(ssh, host, port, options.proxy_command); | 0 |
602 | options.proxy_command); never executed: return ssh_proxy_fdpass_connect(ssh, host, port, options.proxy_command); | 0 |
603 | } | - |
604 | return ssh_proxy_connect(ssh, host, port, options.proxy_command); never executed: return ssh_proxy_connect(ssh, host, port, options.proxy_command); | 0 |
605 | } | - |
606 | | - |
607 | static void | - |
608 | send_client_banner(int connection_out, int minor1) | - |
609 | { | - |
610 | | - |
611 | xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", | - |
612 | PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); | - |
613 | if (atomicio(vwrite, connection_out, client_version_string,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
614 | strlen(client_version_string)) != strlen(client_version_string))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
615 | fatal("write: %.100s", strerror(errno)); never executed: fatal("write: %.100s", strerror( (*__errno_location ()) )); | 0 |
616 | chop(client_version_string); | - |
617 | debug("Local version string %.100s", client_version_string); | - |
618 | } never executed: end of block | 0 |
619 | | - |
620 | | - |
621 | | - |
622 | | - |
623 | | - |
624 | void | - |
625 | ssh_exchange_identification(int timeout_ms) | - |
626 | { | - |
627 | char buf[256], remote_version[256]; | - |
628 | int remote_major, remote_minor, mismatch; | - |
629 | int connection_in = packet_get_connection_in(); | - |
630 | int connection_out = packet_get_connection_out(); | - |
631 | u_int i, n; | - |
632 | size_t len; | - |
633 | int rc; | - |
634 | | - |
635 | send_client_banner(connection_out, 0); | - |
636 | | - |
637 | | - |
638 | for (n = 0;;) { | - |
639 | for (i = 0; i < sizeof(buf) - 1; i++) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
640 | if (timeout_ms > 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
641 | rc = waitrfd(connection_in, &timeout_ms); | - |
642 | if (rc == -1 && errno == ETIMEDOUT) {TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
643 | fatal("Connection timed out during " | - |
644 | "banner exchange"); | - |
645 | } else if (rc == -1) { never executed: end of block TRUE | never evaluated | FALSE | never evaluated |
| 0 |
646 | fatal("%s: %s", | - |
647 | __func__, strerror(errno)); | - |
648 | } never executed: end of block | 0 |
649 | } never executed: end of block | 0 |
650 | | - |
651 | len = atomicio(read, connection_in, &buf[i], 1); | - |
652 | if (len != 1 && errno == EPIPE)TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
653 | fatal("ssh_exchange_identification: " never executed: fatal("ssh_exchange_identification: " "Connection closed by remote host"); | 0 |
654 | "Connection closed by remote host"); never executed: fatal("ssh_exchange_identification: " "Connection closed by remote host"); | 0 |
655 | else if (len != 1)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
656 | fatal("ssh_exchange_identification: " never executed: fatal("ssh_exchange_identification: " "read: %.100s", strerror( (*__errno_location ()) )); | 0 |
657 | "read: %.100s", strerror(errno)); never executed: fatal("ssh_exchange_identification: " "read: %.100s", strerror( (*__errno_location ()) )); | 0 |
658 | if (buf[i] == '\r') {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
659 | buf[i] = '\n'; | - |
660 | buf[i + 1] = 0; | - |
661 | continue; never executed: continue; | 0 |
662 | } | - |
663 | if (buf[i] == '\n') {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
664 | buf[i + 1] = 0; | - |
665 | break; never executed: break; | 0 |
666 | } | - |
667 | if (++n > 65536)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
668 | fatal("ssh_exchange_identification: " never executed: fatal("ssh_exchange_identification: " "No banner received"); | 0 |
669 | "No banner received"); never executed: fatal("ssh_exchange_identification: " "No banner received"); | 0 |
670 | } never executed: end of block | 0 |
671 | buf[sizeof(buf) - 1] = 0; | - |
672 | if (strncmp(buf, "SSH-", 4) == 0) never executed: __result = (((const unsigned char *) (const char *) ( buf ))[3] - __s2[3]); never executed: end of block never executed: end of block never executed: __result = (((const unsigned char *) (const char *) ( "SSH-" ))[3] - __s2[3]); never executed: end of block never executed: end of block TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
673 | break; never executed: break; | 0 |
674 | debug("ssh_exchange_identification: %s", buf); | - |
675 | } never executed: end of block | 0 |
676 | server_version_string = xstrdup(buf); | - |
677 | | - |
678 | | - |
679 | | - |
680 | | - |
681 | | - |
682 | if (sscanf(server_version_string, "SSH-%d.%d-%[^\n]\n",TRUE | never evaluated | FALSE | never evaluated |
| 0 |
683 | &remote_major, &remote_minor, remote_version) != 3)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
684 | fatal("Bad remote protocol version identification: '%.100s'", buf); never executed: fatal("Bad remote protocol version identification: '%.100s'", buf); | 0 |
685 | debug("Remote protocol version %d.%d, remote software version %.100s", | - |
686 | remote_major, remote_minor, remote_version); | - |
687 | | - |
688 | active_state->compat = compat_datafellows(remote_version); | - |
689 | mismatch = 0; | - |
690 | | - |
691 | switch (remote_major) { | - |
692 | case 2: never executed: case 2: | 0 |
693 | break; never executed: break; | 0 |
694 | case 1: never executed: case 1: | 0 |
695 | if (remote_minor != 99)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
696 | mismatch = 1; never executed: mismatch = 1; | 0 |
697 | break; never executed: break; | 0 |
698 | default: never executed: default: | 0 |
699 | mismatch = 1; | - |
700 | break; never executed: break; | 0 |
701 | } | - |
702 | if (mismatch)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
703 | fatal("Protocol major versions differ: %d vs. %d", never executed: fatal("Protocol major versions differ: %d vs. %d", 2, remote_major); | 0 |
704 | PROTOCOL_MAJOR_2, remote_major); never executed: fatal("Protocol major versions differ: %d vs. %d", 2, remote_major); | 0 |
705 | if ((datafellows & SSH_BUG_RSASIGMD5) != 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
706 | logit("Server version \"%.100s\" uses unsafe RSA signature " never executed: logit("Server version \"%.100s\" uses unsafe RSA signature " "scheme; disabling use of RSA keys", remote_version); | 0 |
707 | "scheme; disabling use of RSA keys", remote_version); never executed: logit("Server version \"%.100s\" uses unsafe RSA signature " "scheme; disabling use of RSA keys", remote_version); | 0 |
708 | chop(server_version_string); | - |
709 | } never executed: end of block | 0 |
710 | | - |
711 | | - |
712 | static int | - |
713 | confirm(const char *prompt) | - |
714 | { | - |
715 | const char *msg, *again = "Please type 'yes' or 'no': "; | - |
716 | char *p; | - |
717 | int ret = -1; | - |
718 | | - |
719 | if (options.batch_mode)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
720 | return 0; never executed: return 0; | 0 |
721 | for (msg = prompt;;msg = again) { | - |
722 | p = read_passphrase(msg, RP_ECHO); | - |
723 | if (p == NULL)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
724 | return 0; never executed: return 0; | 0 |
725 | p[strcspn(p, "\n")] = '\0'; | - |
726 | if (p[0] == '\0' || strcasecmp(p, "no") == 0)TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
727 | ret = 0; never executed: ret = 0; | 0 |
728 | else if (strcasecmp(p, "yes") == 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
729 | ret = 1; never executed: ret = 1; | 0 |
730 | free(p); | - |
731 | if (ret != -1)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
732 | return ret; never executed: return ret; | 0 |
733 | } never executed: end of block | 0 |
734 | } never executed: end of block | 0 |
735 | | - |
736 | static int | - |
737 | check_host_cert(const char *host, const struct sshkey *key) | - |
738 | { | - |
739 | const char *reason; | - |
740 | int r; | - |
741 | | - |
742 | if (sshkey_cert_check_authority(key, 1, 0, host, &reason) != 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
743 | error("%s", reason); | - |
744 | return 0; never executed: return 0; | 0 |
745 | } | - |
746 | if (sshbuf_len(key->cert->critical) != 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
747 | error("Certificate for %s contains unsupported " | - |
748 | "critical options(s)", host); | - |
749 | return 0; never executed: return 0; | 0 |
750 | } | - |
751 | if ((r = sshkey_check_cert_sigtype(key,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
752 | options.ca_sign_algorithms)) != 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
753 | logit("%s: certificate signature algorithm %s: %s", __func__, | - |
754 | (key->cert == NULL || key->cert->signature_type == NULL) ? | - |
755 | "(null)" : key->cert->signature_type, ssh_err(r)); | - |
756 | return 0; never executed: return 0; | 0 |
757 | } | - |
758 | | - |
759 | return 1; never executed: return 1; | 0 |
760 | } | - |
761 | | - |
762 | static int | - |
763 | sockaddr_is_local(struct sockaddr *hostaddr) | - |
764 | { | - |
765 | switch (hostaddr->sa_family) { | - |
766 | case AF_INET: never executed: case 2 : | 0 |
767 | return (ntohl(((struct sockaddr_in *)hostaddr)-> never executed: return ( __bswap_32 ( ((struct sockaddr_in *)hostaddr)-> sin_addr.s_addr ) >> 24) == 127 ; | 0 |
768 | sin_addr.s_addr) >> 24) == IN_LOOPBACKNET; never executed: return ( __bswap_32 ( ((struct sockaddr_in *)hostaddr)-> sin_addr.s_addr ) >> 24) == 127 ; | 0 |
769 | case AF_INET6: never executed: case 10 : | 0 |
770 | return IN6_IS_ADDR_LOOPBACK( never executed: return (__extension__ ({ const struct in6_addr *__a = (const struct in6_addr *) ( &(((struct sockaddr_in6 *)hostaddr)->sin6_addr) ); __a->__in6_u.__u6_addr32[0] == 0 && __a->__in6_u.__u6_addr32[1] == 0 && __a->__in6_u.__u6_addr32[2] == 0 && __a->__in6_u.__u6_addr32[3] == __bswap_32 (1); })) ; | 0 |
771 | &(((struct sockaddr_in6 *)hostaddr)->sin6_addr)); never executed: return (__extension__ ({ const struct in6_addr *__a = (const struct in6_addr *) ( &(((struct sockaddr_in6 *)hostaddr)->sin6_addr) ); __a->__in6_u.__u6_addr32[0] == 0 && __a->__in6_u.__u6_addr32[1] == 0 && __a->__in6_u.__u6_addr32[2] == 0 && __a->__in6_u.__u6_addr32[3] == __bswap_32 (1); })) ; | 0 |
772 | default: never executed: default: | 0 |
773 | return 0; never executed: return 0; | 0 |
774 | } | - |
775 | } | - |
776 | | - |
777 | | - |
778 | | - |
779 | | - |
780 | | - |
781 | void | - |
782 | get_hostfile_hostname_ipaddr(char *hostname, struct sockaddr *hostaddr, | - |
783 | u_short port, char **hostfile_hostname, char **hostfile_ipaddr) | - |
784 | { | - |
785 | char ntop[NI_MAXHOST]; | - |
786 | socklen_t addrlen; | - |
787 | | - |
788 | switch (hostaddr == NULL ? -1 : hostaddr->sa_family) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
789 | case -1: never executed: case -1: | 0 |
790 | addrlen = 0; | - |
791 | break; never executed: break; | 0 |
792 | case AF_INET: never executed: case 2 : | 0 |
793 | addrlen = sizeof(struct sockaddr_in); | - |
794 | break; never executed: break; | 0 |
795 | case AF_INET6: never executed: case 10 : | 0 |
796 | addrlen = sizeof(struct sockaddr_in6); | - |
797 | break; never executed: break; | 0 |
798 | default: never executed: default: | 0 |
799 | addrlen = sizeof(struct sockaddr); | - |
800 | break; never executed: break; | 0 |
801 | } | - |
802 | | - |
803 | | - |
804 | | - |
805 | | - |
806 | | - |
807 | if (hostfile_ipaddr != NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
808 | if (options.proxy_command == NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
809 | if (getnameinfo(hostaddr, addrlen,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
810 | ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
811 | fatal("%s: getnameinfo failed", __func__); never executed: fatal("%s: getnameinfo failed", __func__); | 0 |
812 | *hostfile_ipaddr = put_host_port(ntop, port); | - |
813 | } else { never executed: end of block | 0 |
814 | *hostfile_ipaddr = xstrdup("<no hostip for proxy " | - |
815 | "command>"); | - |
816 | } never executed: end of block | 0 |
817 | } | - |
818 | | - |
819 | | - |
820 | | - |
821 | | - |
822 | | - |
823 | | - |
824 | | - |
825 | if (hostfile_hostname != NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
826 | if (options.host_key_alias != NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
827 | *hostfile_hostname = xstrdup(options.host_key_alias); | - |
828 | debug("using hostkeyalias: %s", *hostfile_hostname); | - |
829 | } else { never executed: end of block | 0 |
830 | *hostfile_hostname = put_host_port(hostname, port); | - |
831 | } never executed: end of block | 0 |
832 | } | - |
833 | } never executed: end of block | 0 |
834 | | - |
835 | | - |
836 | | - |
837 | | - |
838 | | - |
839 | #define RDRW 0 | - |
840 | #define RDONLY 1 | - |
841 | #define ROQUIET 2 | - |
842 | static int | - |
843 | check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | - |
844 | struct sshkey *host_key, int readonly, | - |
845 | char **user_hostfiles, u_int num_user_hostfiles, | - |
846 | char **system_hostfiles, u_int num_system_hostfiles) | - |
847 | { | - |
848 | HostStatus host_status; | - |
849 | HostStatus ip_status; | - |
850 | struct sshkey *raw_key = NULL; | - |
851 | char *ip = NULL, *host = NULL; | - |
852 | char hostline[1000], *hostp, *fp, *ra; | - |
853 | char msg[1024]; | - |
854 | const char *type; | - |
855 | const struct hostkey_entry *host_found, *ip_found; | - |
856 | int len, cancelled_forwarding = 0; | - |
857 | int local = sockaddr_is_local(hostaddr); | - |
858 | int r, want_cert = sshkey_is_cert(host_key), host_ip_differ = 0; | - |
859 | int hostkey_trusted = 0; | - |
860 | struct hostkeys *host_hostkeys, *ip_hostkeys; | - |
861 | u_int i; | - |
862 | | - |
863 | | - |
864 | | - |
865 | | - |
866 | | - |
867 | | - |
868 | | - |
869 | | - |
870 | | - |
871 | if (options.no_host_authentication_for_localhost == 1 && local &&TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
872 | options.host_key_alias == NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
873 | debug("Forcing accepting of host key for " | - |
874 | "loopback/localhost."); | - |
875 | return 0; never executed: return 0; | 0 |
876 | } | - |
877 | | - |
878 | | - |
879 | | - |
880 | | - |
881 | | - |
882 | get_hostfile_hostname_ipaddr(hostname, hostaddr, port, &host, &ip); | - |
883 | | - |
884 | | - |
885 | | - |
886 | | - |
887 | | - |
888 | if (options.check_host_ip && (local ||TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
889 | strcmp(hostname, ip) == 0 || options.proxy_command != NULL)) never executed: __result = (((const unsigned char *) (const char *) ( hostname ))[3] - __s2[3]); never executed: end of block never executed: end of block never executed: __result = (((const unsigned char *) (const char *) ( ip ))[3] - __s2[3]); never executed: end of block never executed: end of block TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
890 | options.check_host_ip = 0; never executed: options.check_host_ip = 0; | 0 |
891 | | - |
892 | host_hostkeys = init_hostkeys(); | - |
893 | for (i = 0; i < num_user_hostfiles; i++)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
894 | load_hostkeys(host_hostkeys, host, user_hostfiles[i]); never executed: load_hostkeys(host_hostkeys, host, user_hostfiles[i]); | 0 |
895 | for (i = 0; i < num_system_hostfiles; i++)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
896 | load_hostkeys(host_hostkeys, host, system_hostfiles[i]); never executed: load_hostkeys(host_hostkeys, host, system_hostfiles[i]); | 0 |
897 | | - |
898 | ip_hostkeys = NULL; | - |
899 | if (!want_cert && options.check_host_ip) {TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
900 | ip_hostkeys = init_hostkeys(); | - |
901 | for (i = 0; i < num_user_hostfiles; i++)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
902 | load_hostkeys(ip_hostkeys, ip, user_hostfiles[i]); never executed: load_hostkeys(ip_hostkeys, ip, user_hostfiles[i]); | 0 |
903 | for (i = 0; i < num_system_hostfiles; i++)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
904 | load_hostkeys(ip_hostkeys, ip, system_hostfiles[i]); never executed: load_hostkeys(ip_hostkeys, ip, system_hostfiles[i]); | 0 |
905 | } never executed: end of block | 0 |
906 | | - |
907 | retry: code before this statement never executed: retry: | 0 |
908 | | - |
909 | want_cert = sshkey_is_cert(host_key); | - |
910 | type = sshkey_type(host_key); | - |
911 | | - |
912 | | - |
913 | | - |
914 | | - |
915 | | - |
916 | host_status = check_key_in_hostkeys(host_hostkeys, host_key, | - |
917 | &host_found); | - |
918 | | - |
919 | | - |
920 | | - |
921 | | - |
922 | | - |
923 | | - |
924 | if (!want_cert && ip_hostkeys != NULL) {TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
925 | ip_status = check_key_in_hostkeys(ip_hostkeys, host_key, | - |
926 | &ip_found); | - |
927 | if (host_status == HOST_CHANGED &&TRUE | never evaluated | FALSE | never evaluated |
| 0 |
928 | (ip_status != HOST_CHANGED || TRUE | never evaluated | FALSE | never evaluated |
| 0 |
929 | (ip_found != NULL &&TRUE | never evaluated | FALSE | never evaluated |
| 0 |
930 | !sshkey_equal(ip_found->key, host_found->key))))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
931 | host_ip_differ = 1; never executed: host_ip_differ = 1; | 0 |
932 | } else never executed: end of block | 0 |
933 | ip_status = host_status; never executed: ip_status = host_status; | 0 |
934 | | - |
935 | switch (host_status) { | - |
936 | case HOST_OK: never executed: case HOST_OK: | 0 |
937 | | - |
938 | debug("Host '%.200s' is known and matches the %s host %s.", | - |
939 | host, type, want_cert ? "certificate" : "key"); | - |
940 | debug("Found %s in %s:%lu", want_cert ? "CA key" : "key", | - |
941 | host_found->file, host_found->line); | - |
942 | if (want_cert &&TRUE | never evaluated | FALSE | never evaluated |
| 0 |
943 | !check_host_cert(options.host_key_alias == NULL ?TRUE | never evaluated | FALSE | never evaluated |
| 0 |
944 | hostname : options.host_key_alias, host_key))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
945 | goto fail; never executed: goto fail; | 0 |
946 | if (options.check_host_ip && ip_status == HOST_NEW) {TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
947 | if (readonly || want_cert)TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
948 | logit("%s host key for IP address " never executed: logit("%s host key for IP address " "'%.128s' not in list of known hosts.", type, ip); | 0 |
949 | "'%.128s' not in list of known hosts.", never executed: logit("%s host key for IP address " "'%.128s' not in list of known hosts.", type, ip); | 0 |
950 | type, ip); never executed: logit("%s host key for IP address " "'%.128s' not in list of known hosts.", type, ip); | 0 |
951 | else if (!add_host_to_hostfile(user_hostfiles[0], ip,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
952 | host_key, options.hash_known_hosts))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
953 | logit("Failed to add the %s host key for IP " never executed: logit("Failed to add the %s host key for IP " "address '%.128s' to the list of known " "hosts (%.500s).", type, ip, user_hostfiles[0]); | 0 |
954 | "address '%.128s' to the list of known " never executed: logit("Failed to add the %s host key for IP " "address '%.128s' to the list of known " "hosts (%.500s).", type, ip, user_hostfiles[0]); | 0 |
955 | "hosts (%.500s).", type, ip, never executed: logit("Failed to add the %s host key for IP " "address '%.128s' to the list of known " "hosts (%.500s).", type, ip, user_hostfiles[0]); | 0 |
956 | user_hostfiles[0]); never executed: logit("Failed to add the %s host key for IP " "address '%.128s' to the list of known " "hosts (%.500s).", type, ip, user_hostfiles[0]); | 0 |
957 | else | - |
958 | logit("Warning: Permanently added the %s host " never executed: logit("Warning: Permanently added the %s host " "key for IP address '%.128s' to the list " "of known hosts.", type, ip); | 0 |
959 | "key for IP address '%.128s' to the list " never executed: logit("Warning: Permanently added the %s host " "key for IP address '%.128s' to the list " "of known hosts.", type, ip); | 0 |
960 | "of known hosts.", type, ip); never executed: logit("Warning: Permanently added the %s host " "key for IP address '%.128s' to the list " "of known hosts.", type, ip); | 0 |
961 | } else if (options.visual_host_key) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
962 | fp = sshkey_fingerprint(host_key, | - |
963 | options.fingerprint_hash, SSH_FP_DEFAULT); | - |
964 | ra = sshkey_fingerprint(host_key, | - |
965 | options.fingerprint_hash, SSH_FP_RANDOMART); | - |
966 | if (fp == NULL || ra == NULL)TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
967 | fatal("%s: sshkey_fingerprint fail", __func__); never executed: fatal("%s: sshkey_fingerprint fail", __func__); | 0 |
968 | logit("Host key fingerprint is %s\n%s", fp, ra); | - |
969 | free(ra); | - |
970 | free(fp); | - |
971 | } never executed: end of block | 0 |
972 | hostkey_trusted = 1; | - |
973 | break; never executed: break; | 0 |
974 | case HOST_NEW: never executed: case HOST_NEW: | 0 |
975 | if (options.host_key_alias == NULL && port != 0 &&TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
976 | port != SSH_DEFAULT_PORT) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
977 | debug("checking without port identifier"); | - |
978 | if (check_host_key(hostname, hostaddr, 0, host_key,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
979 | ROQUIET, user_hostfiles, num_user_hostfiles,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
980 | system_hostfiles, num_system_hostfiles) == 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
981 | debug("found matching key w/out port"); | - |
982 | break; never executed: break; | 0 |
983 | } | - |
984 | } never executed: end of block | 0 |
985 | if (readonly || want_cert)TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
986 | goto fail; never executed: goto fail; | 0 |
987 | | - |
988 | if (options.strict_host_key_checking ==TRUE | never evaluated | FALSE | never evaluated |
| 0 |
989 | SSH_STRICT_HOSTKEY_YES) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
990 | | - |
991 | | - |
992 | | - |
993 | | - |
994 | | - |
995 | error("No %s host key is known for %.200s and you " | - |
996 | "have requested strict checking.", type, host); | - |
997 | goto fail; never executed: goto fail; | 0 |
998 | } else if (options.strict_host_key_checking ==TRUE | never evaluated | FALSE | never evaluated |
| 0 |
999 | SSH_STRICT_HOSTKEY_ASK) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1000 | char msg1[1024], msg2[1024]; | - |
1001 | | - |
1002 | if (show_other_keys(host_hostkeys, host_key))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1003 | snprintf(msg1, sizeof(msg1), never executed: snprintf(msg1, sizeof(msg1), "\nbut keys of different type are already" " known for this host."); | 0 |
1004 | "\nbut keys of different type are already" never executed: snprintf(msg1, sizeof(msg1), "\nbut keys of different type are already" " known for this host."); | 0 |
1005 | " known for this host."); never executed: snprintf(msg1, sizeof(msg1), "\nbut keys of different type are already" " known for this host."); | 0 |
1006 | else | - |
1007 | snprintf(msg1, sizeof(msg1), "."); never executed: snprintf(msg1, sizeof(msg1), "."); | 0 |
1008 | | - |
1009 | fp = sshkey_fingerprint(host_key, | - |
1010 | options.fingerprint_hash, SSH_FP_DEFAULT); | - |
1011 | ra = sshkey_fingerprint(host_key, | - |
1012 | options.fingerprint_hash, SSH_FP_RANDOMART); | - |
1013 | if (fp == NULL || ra == NULL)TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1014 | fatal("%s: sshkey_fingerprint fail", __func__); never executed: fatal("%s: sshkey_fingerprint fail", __func__); | 0 |
1015 | msg2[0] = '\0'; | - |
1016 | if (options.verify_host_key_dns) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1017 | if (matching_host_key_dns)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1018 | snprintf(msg2, sizeof(msg2), never executed: snprintf(msg2, sizeof(msg2), "Matching host key fingerprint" " found in DNS.\n"); | 0 |
1019 | "Matching host key fingerprint" never executed: snprintf(msg2, sizeof(msg2), "Matching host key fingerprint" " found in DNS.\n"); | 0 |
1020 | " found in DNS.\n"); never executed: snprintf(msg2, sizeof(msg2), "Matching host key fingerprint" " found in DNS.\n"); | 0 |
1021 | else | - |
1022 | snprintf(msg2, sizeof(msg2), never executed: snprintf(msg2, sizeof(msg2), "No matching host key fingerprint" " found in DNS.\n"); | 0 |
1023 | "No matching host key fingerprint" never executed: snprintf(msg2, sizeof(msg2), "No matching host key fingerprint" " found in DNS.\n"); | 0 |
1024 | " found in DNS.\n"); never executed: snprintf(msg2, sizeof(msg2), "No matching host key fingerprint" " found in DNS.\n"); | 0 |
1025 | } | - |
1026 | snprintf(msg, sizeof(msg), | - |
1027 | "The authenticity of host '%.200s (%s)' can't be " | - |
1028 | "established%s\n" | - |
1029 | "%s key fingerprint is %s.%s%s\n%s" | - |
1030 | "Are you sure you want to continue connecting " | - |
1031 | "(yes/no)? ", | - |
1032 | host, ip, msg1, type, fp, | - |
1033 | options.visual_host_key ? "\n" : "", | - |
1034 | options.visual_host_key ? ra : "", | - |
1035 | msg2); | - |
1036 | free(ra); | - |
1037 | free(fp); | - |
1038 | if (!confirm(msg))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1039 | goto fail; never executed: goto fail; | 0 |
1040 | hostkey_trusted = 1; | - |
1041 | } never executed: end of block | 0 |
1042 | | - |
1043 | | - |
1044 | | - |
1045 | | - |
1046 | if (options.check_host_ip && ip_status == HOST_NEW) {TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1047 | snprintf(hostline, sizeof(hostline), "%s,%s", host, ip); | - |
1048 | hostp = hostline; | - |
1049 | if (options.hash_known_hosts) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1050 | | - |
1051 | r = add_host_to_hostfile(user_hostfiles[0],TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1052 | host, host_key, options.hash_known_hosts) &&TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1053 | add_host_to_hostfile(user_hostfiles[0], ip,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1054 | host_key, options.hash_known_hosts);TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1055 | } else { never executed: end of block | 0 |
1056 | | - |
1057 | r = add_host_to_hostfile(user_hostfiles[0], | - |
1058 | hostline, host_key, | - |
1059 | options.hash_known_hosts); | - |
1060 | } never executed: end of block | 0 |
1061 | } else { | - |
1062 | r = add_host_to_hostfile(user_hostfiles[0], host, | - |
1063 | host_key, options.hash_known_hosts); | - |
1064 | hostp = host; | - |
1065 | } never executed: end of block | 0 |
1066 | | - |
1067 | if (!r)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1068 | logit("Failed to add the host to the list of known " never executed: logit("Failed to add the host to the list of known " "hosts (%.500s).", user_hostfiles[0]); | 0 |
1069 | "hosts (%.500s).", user_hostfiles[0]); never executed: logit("Failed to add the host to the list of known " "hosts (%.500s).", user_hostfiles[0]); | 0 |
1070 | else | - |
1071 | logit("Warning: Permanently added '%.200s' (%s) to the " never executed: logit("Warning: Permanently added '%.200s' (%s) to the " "list of known hosts.", hostp, type); | 0 |
1072 | "list of known hosts.", hostp, type); never executed: logit("Warning: Permanently added '%.200s' (%s) to the " "list of known hosts.", hostp, type); | 0 |
1073 | break; never executed: break; | 0 |
1074 | case HOST_REVOKED: never executed: case HOST_REVOKED: | 0 |
1075 | error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); | - |
1076 | error("@ WARNING: REVOKED HOST KEY DETECTED! @"); | - |
1077 | error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); | - |
1078 | error("The %s host key for %s is marked as revoked.", type, host); | - |
1079 | error("This could mean that a stolen key is being used to"); | - |
1080 | error("impersonate this host."); | - |
1081 | | - |
1082 | | - |
1083 | | - |
1084 | | - |
1085 | | - |
1086 | if (options.strict_host_key_checking !=TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1087 | SSH_STRICT_HOSTKEY_OFF) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1088 | error("%s host key for %.200s was revoked and you have " | - |
1089 | "requested strict checking.", type, host); | - |
1090 | goto fail; never executed: goto fail; | 0 |
1091 | } | - |
1092 | goto continue_unsafe; never executed: goto continue_unsafe; | 0 |
1093 | | - |
1094 | case HOST_CHANGED: never executed: case HOST_CHANGED: | 0 |
1095 | if (want_cert) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1096 | | - |
1097 | | - |
1098 | | - |
1099 | | - |
1100 | | - |
1101 | debug("Host certificate authority does not " | - |
1102 | "match %s in %s:%lu", CA_MARKER, | - |
1103 | host_found->file, host_found->line); | - |
1104 | goto fail; never executed: goto fail; | 0 |
1105 | } | - |
1106 | if (readonly == ROQUIET)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1107 | goto fail; never executed: goto fail; | 0 |
1108 | if (options.check_host_ip && host_ip_differ) {TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1109 | char *key_msg; | - |
1110 | if (ip_status == HOST_NEW)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1111 | key_msg = "is unknown"; never executed: key_msg = "is unknown"; | 0 |
1112 | else if (ip_status == HOST_OK)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1113 | key_msg = "is unchanged"; never executed: key_msg = "is unchanged"; | 0 |
1114 | else | - |
1115 | key_msg = "has a different value"; never executed: key_msg = "has a different value"; | 0 |
1116 | error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); | - |
1117 | error("@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @"); | - |
1118 | error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); | - |
1119 | error("The %s host key for %s has changed,", type, host); | - |
1120 | error("and the key for the corresponding IP address %s", ip); | - |
1121 | error("%s. This could either mean that", key_msg); | - |
1122 | error("DNS SPOOFING is happening or the IP address for the host"); | - |
1123 | error("and its host key have changed at the same time."); | - |
1124 | if (ip_status != HOST_NEW)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1125 | error("Offending key for IP in %s:%lu", never executed: error("Offending key for IP in %s:%lu", ip_found->file, ip_found->line); | 0 |
1126 | ip_found->file, ip_found->line); never executed: error("Offending key for IP in %s:%lu", ip_found->file, ip_found->line); | 0 |
1127 | } never executed: end of block | 0 |
1128 | | - |
1129 | warn_changed_key(host_key); | - |
1130 | error("Add correct host key in %.100s to get rid of this message.", | - |
1131 | user_hostfiles[0]); | - |
1132 | error("Offending %s key in %s:%lu", | - |
1133 | sshkey_type(host_found->key), | - |
1134 | host_found->file, host_found->line); | - |
1135 | | - |
1136 | | - |
1137 | | - |
1138 | | - |
1139 | | - |
1140 | if (options.strict_host_key_checking !=TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1141 | SSH_STRICT_HOSTKEY_OFF) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1142 | error("%s host key for %.200s has changed and you have " | - |
1143 | "requested strict checking.", type, host); | - |
1144 | goto fail; never executed: goto fail; | 0 |
1145 | } | - |
1146 | | - |
1147 | continue_unsafe: code before this statement never executed: continue_unsafe: | 0 |
1148 | | - |
1149 | | - |
1150 | | - |
1151 | | - |
1152 | | - |
1153 | if (options.password_authentication) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1154 | error("Password authentication is disabled to avoid " | - |
1155 | "man-in-the-middle attacks."); | - |
1156 | options.password_authentication = 0; | - |
1157 | cancelled_forwarding = 1; | - |
1158 | } never executed: end of block | 0 |
1159 | if (options.kbd_interactive_authentication) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1160 | error("Keyboard-interactive authentication is disabled" | - |
1161 | " to avoid man-in-the-middle attacks."); | - |
1162 | options.kbd_interactive_authentication = 0; | - |
1163 | options.challenge_response_authentication = 0; | - |
1164 | cancelled_forwarding = 1; | - |
1165 | } never executed: end of block | 0 |
1166 | if (options.challenge_response_authentication) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1167 | error("Challenge/response authentication is disabled" | - |
1168 | " to avoid man-in-the-middle attacks."); | - |
1169 | options.challenge_response_authentication = 0; | - |
1170 | cancelled_forwarding = 1; | - |
1171 | } never executed: end of block | 0 |
1172 | if (options.forward_agent) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1173 | error("Agent forwarding is disabled to avoid " | - |
1174 | "man-in-the-middle attacks."); | - |
1175 | options.forward_agent = 0; | - |
1176 | cancelled_forwarding = 1; | - |
1177 | } never executed: end of block | 0 |
1178 | if (options.forward_x11) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1179 | error("X11 forwarding is disabled to avoid " | - |
1180 | "man-in-the-middle attacks."); | - |
1181 | options.forward_x11 = 0; | - |
1182 | cancelled_forwarding = 1; | - |
1183 | } never executed: end of block | 0 |
1184 | if (options.num_local_forwards > 0 ||TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1185 | options.num_remote_forwards > 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1186 | error("Port forwarding is disabled to avoid " | - |
1187 | "man-in-the-middle attacks."); | - |
1188 | options.num_local_forwards = | - |
1189 | options.num_remote_forwards = 0; | - |
1190 | cancelled_forwarding = 1; | - |
1191 | } never executed: end of block | 0 |
1192 | if (options.tun_open != SSH_TUNMODE_NO) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1193 | error("Tunnel forwarding is disabled to avoid " | - |
1194 | "man-in-the-middle attacks."); | - |
1195 | options.tun_open = SSH_TUNMODE_NO; | - |
1196 | cancelled_forwarding = 1; | - |
1197 | } never executed: end of block | 0 |
1198 | if (options.exit_on_forward_failure && cancelled_forwarding)TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1199 | fatal("Error: forwarding disabled due to host key " never executed: fatal("Error: forwarding disabled due to host key " "check failure"); | 0 |
1200 | "check failure"); never executed: fatal("Error: forwarding disabled due to host key " "check failure"); | 0 |
1201 | | - |
1202 | | - |
1203 | | - |
1204 | | - |
1205 | | - |
1206 | | - |
1207 | | - |
1208 | | - |
1209 | break; never executed: break; | 0 |
1210 | case HOST_FOUND: never executed: case HOST_FOUND: | 0 |
1211 | fatal("internal error"); | - |
1212 | break; never executed: break; | 0 |
1213 | } | - |
1214 | | - |
1215 | if (options.check_host_ip && host_status != HOST_CHANGED &&TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1216 | ip_status == HOST_CHANGED) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1217 | snprintf(msg, sizeof(msg), | - |
1218 | "Warning: the %s host key for '%.200s' " | - |
1219 | "differs from the key for the IP address '%.128s'" | - |
1220 | "\nOffending key for IP in %s:%lu", | - |
1221 | type, host, ip, ip_found->file, ip_found->line); | - |
1222 | if (host_status == HOST_OK) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1223 | len = strlen(msg); | - |
1224 | snprintf(msg + len, sizeof(msg) - len, | - |
1225 | "\nMatching host key in %s:%lu", | - |
1226 | host_found->file, host_found->line); | - |
1227 | } never executed: end of block | 0 |
1228 | if (options.strict_host_key_checking ==TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1229 | SSH_STRICT_HOSTKEY_ASK) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1230 | strlcat(msg, "\nAre you sure you want " | - |
1231 | "to continue connecting (yes/no)? ", sizeof(msg)); | - |
1232 | if (!confirm(msg))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1233 | goto fail; never executed: goto fail; | 0 |
1234 | } else if (options.strict_host_key_checking != never executed: end of block TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1235 | SSH_STRICT_HOSTKEY_OFF) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1236 | logit("%s", msg); | - |
1237 | error("Exiting, you have requested strict checking."); | - |
1238 | goto fail; never executed: goto fail; | 0 |
1239 | } else { | - |
1240 | logit("%s", msg); | - |
1241 | } never executed: end of block | 0 |
1242 | } | - |
1243 | | - |
1244 | if (!hostkey_trusted && options.update_hostkeys) {TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1245 | debug("%s: hostkey not known or explicitly trusted: " | - |
1246 | "disabling UpdateHostkeys", __func__); | - |
1247 | options.update_hostkeys = 0; | - |
1248 | } never executed: end of block | 0 |
1249 | | - |
1250 | free(ip); | - |
1251 | free(host); | - |
1252 | if (host_hostkeys != NULL)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1253 | free_hostkeys(host_hostkeys); never executed: free_hostkeys(host_hostkeys); | 0 |
1254 | if (ip_hostkeys != NULL)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1255 | free_hostkeys(ip_hostkeys); never executed: free_hostkeys(ip_hostkeys); | 0 |
1256 | return 0; never executed: return 0; | 0 |
1257 | | - |
1258 | fail: | - |
1259 | if (want_cert && host_status != HOST_REVOKED) {TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1260 | | - |
1261 | | - |
1262 | | - |
1263 | | - |
1264 | debug("No matching CA found. Retry with plain key"); | - |
1265 | if ((r = sshkey_from_private(host_key, &raw_key)) != 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1266 | fatal("%s: sshkey_from_private: %s", never executed: fatal("%s: sshkey_from_private: %s", __func__, ssh_err(r)); | 0 |
1267 | __func__, ssh_err(r)); never executed: fatal("%s: sshkey_from_private: %s", __func__, ssh_err(r)); | 0 |
1268 | if ((r = sshkey_drop_cert(raw_key)) != 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1269 | fatal("Couldn't drop certificate: %s", ssh_err(r)); never executed: fatal("Couldn't drop certificate: %s", ssh_err(r)); | 0 |
1270 | host_key = raw_key; | - |
1271 | goto retry; never executed: goto retry; | 0 |
1272 | } | - |
1273 | sshkey_free(raw_key); | - |
1274 | free(ip); | - |
1275 | free(host); | - |
1276 | if (host_hostkeys != NULL)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1277 | free_hostkeys(host_hostkeys); never executed: free_hostkeys(host_hostkeys); | 0 |
1278 | if (ip_hostkeys != NULL)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1279 | free_hostkeys(ip_hostkeys); never executed: free_hostkeys(ip_hostkeys); | 0 |
1280 | return -1; never executed: return -1; | 0 |
1281 | } | - |
1282 | | - |
1283 | | - |
1284 | int | - |
1285 | verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key) | - |
1286 | { | - |
1287 | u_int i; | - |
1288 | int r = -1, flags = 0; | - |
1289 | char valid[64], *fp = NULL, *cafp = NULL; | - |
1290 | struct sshkey *plain = NULL; | - |
1291 | | - |
1292 | if ((fp = sshkey_fingerprint(host_key,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1293 | options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1294 | error("%s: fingerprint host key: %s", __func__, ssh_err(r)); | - |
1295 | r = -1; | - |
1296 | goto out; never executed: goto out; | 0 |
1297 | } | - |
1298 | | - |
1299 | if (sshkey_is_cert(host_key)) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1300 | if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1301 | options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1302 | error("%s: fingerprint CA key: %s", | - |
1303 | __func__, ssh_err(r)); | - |
1304 | r = -1; | - |
1305 | goto out; never executed: goto out; | 0 |
1306 | } | - |
1307 | sshkey_format_cert_validity(host_key->cert, | - |
1308 | valid, sizeof(valid)); | - |
1309 | debug("Server host certificate: %s %s, serial %llu " | - |
1310 | "ID \"%s\" CA %s %s valid %s", | - |
1311 | sshkey_ssh_name(host_key), fp, | - |
1312 | (unsigned long long)host_key->cert->serial, | - |
1313 | host_key->cert->key_id, | - |
1314 | sshkey_ssh_name(host_key->cert->signature_key), cafp, | - |
1315 | valid); | - |
1316 | for (i = 0; i < host_key->cert->nprincipals; i++) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1317 | debug2("Server host certificate hostname: %s", | - |
1318 | host_key->cert->principals[i]); | - |
1319 | } never executed: end of block | 0 |
1320 | } else { never executed: end of block | 0 |
1321 | debug("Server host key: %s %s", sshkey_ssh_name(host_key), fp); | - |
1322 | } never executed: end of block | 0 |
1323 | | - |
1324 | if (sshkey_equal(previous_host_key, host_key)) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1325 | debug2("%s: server host key %s %s matches cached key", | - |
1326 | __func__, sshkey_type(host_key), fp); | - |
1327 | r = 0; | - |
1328 | goto out; never executed: goto out; | 0 |
1329 | } | - |
1330 | | - |
1331 | | - |
1332 | if (options.revoked_host_keys != NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1333 | r = sshkey_check_revoked(host_key, options.revoked_host_keys); | - |
1334 | switch (r) { | - |
1335 | case 0: never executed: case 0: | 0 |
1336 | break; never executed: break; | 0 |
1337 | case SSH_ERR_KEY_REVOKED: never executed: case -51: | 0 |
1338 | error("Host key %s %s revoked by file %s", | - |
1339 | sshkey_type(host_key), fp, | - |
1340 | options.revoked_host_keys); | - |
1341 | r = -1; | - |
1342 | goto out; never executed: goto out; | 0 |
1343 | default: never executed: default: | 0 |
1344 | error("Error checking host key %s %s in " | - |
1345 | "revoked keys file %s: %s", sshkey_type(host_key), | - |
1346 | fp, options.revoked_host_keys, ssh_err(r)); | - |
1347 | r = -1; | - |
1348 | goto out; never executed: goto out; | 0 |
1349 | } | - |
1350 | } | - |
1351 | | - |
1352 | if (options.verify_host_key_dns) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1353 | | - |
1354 | | - |
1355 | | - |
1356 | | - |
1357 | if ((r = sshkey_from_private(host_key, &plain)) != 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1358 | goto out; never executed: goto out; | 0 |
1359 | if (sshkey_is_cert(plain))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1360 | sshkey_drop_cert(plain); never executed: sshkey_drop_cert(plain); | 0 |
1361 | if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1362 | if (flags & DNS_VERIFY_FOUND) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1363 | if (options.verify_host_key_dns == 1 &&TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1364 | flags & DNS_VERIFY_MATCH &&TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1365 | flags & DNS_VERIFY_SECURE) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1366 | r = 0; | - |
1367 | goto out; never executed: goto out; | 0 |
1368 | } | - |
1369 | if (flags & DNS_VERIFY_MATCH) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1370 | matching_host_key_dns = 1; | - |
1371 | } else { never executed: end of block | 0 |
1372 | warn_changed_key(plain); | - |
1373 | error("Update the SSHFP RR in DNS " | - |
1374 | "with the new host key to get rid " | - |
1375 | "of this message."); | - |
1376 | } never executed: end of block | 0 |
1377 | } | - |
1378 | } never executed: end of block | 0 |
1379 | } never executed: end of block | 0 |
1380 | r = check_host_key(host, hostaddr, options.port, host_key, RDRW, | - |
1381 | options.user_hostfiles, options.num_user_hostfiles, | - |
1382 | options.system_hostfiles, options.num_system_hostfiles); | - |
1383 | | - |
1384 | out: code before this statement never executed: out: | 0 |
1385 | sshkey_free(plain); | - |
1386 | free(fp); | - |
1387 | free(cafp); | - |
1388 | if (r == 0 && host_key != NULL) {TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1389 | sshkey_free(previous_host_key); | - |
1390 | r = sshkey_from_private(host_key, &previous_host_key); | - |
1391 | } never executed: end of block | 0 |
1392 | | - |
1393 | return r; never executed: return r; | 0 |
1394 | } | - |
1395 | | - |
1396 | | - |
1397 | | - |
1398 | | - |
1399 | | - |
1400 | | - |
1401 | | - |
1402 | | - |
1403 | void | - |
1404 | ssh_login(Sensitive *sensitive, const char *orighost, | - |
1405 | struct sockaddr *hostaddr, u_short port, struct passwd *pw, int timeout_ms) | - |
1406 | { | - |
1407 | char *host; | - |
1408 | char *server_user, *local_user; | - |
1409 | | - |
1410 | local_user = xstrdup(pw->pw_name); | - |
1411 | server_user = options.user ? options.user : local_user;TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1412 | | - |
1413 | | - |
1414 | host = xstrdup(orighost); | - |
1415 | lowercase(host); | - |
1416 | | - |
1417 | | - |
1418 | ssh_exchange_identification(timeout_ms); | - |
1419 | | - |
1420 | | - |
1421 | packet_set_nonblocking(); | - |
1422 | | - |
1423 | | - |
1424 | | - |
1425 | debug("Authenticating to %s:%d as '%s'", host, port, server_user); | - |
1426 | ssh_kex2(host, hostaddr, port); | - |
1427 | ssh_userauth2(local_user, server_user, host, sensitive); | - |
1428 | free(local_user); | - |
1429 | } never executed: end of block | 0 |
1430 | | - |
1431 | void | - |
1432 | ssh_put_password(char *password) | - |
1433 | { | - |
1434 | int size; | - |
1435 | char *padded; | - |
1436 | | - |
1437 | if (datafellows & SSH_BUG_PASSWORDPAD) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1438 | packet_put_cstring(password); | - |
1439 | return; never executed: return; | 0 |
1440 | } | - |
1441 | size = ROUNDUP(strlen(password) + 1, 32); | - |
1442 | padded = xcalloc(1, size); | - |
1443 | strlcpy(padded, password, size); | - |
1444 | packet_put_string(padded, size); | - |
1445 | explicit_bzero(padded, size); | - |
1446 | free(padded); | - |
1447 | } never executed: end of block | 0 |
1448 | | - |
1449 | | - |
1450 | static int | - |
1451 | show_other_keys(struct hostkeys *hostkeys, struct sshkey *key) | - |
1452 | { | - |
1453 | int type[] = { | - |
1454 | KEY_RSA, | - |
1455 | KEY_DSA, | - |
1456 | KEY_ECDSA, | - |
1457 | KEY_ED25519, | - |
1458 | KEY_XMSS, | - |
1459 | -1 | - |
1460 | }; | - |
1461 | int i, ret = 0; | - |
1462 | char *fp, *ra; | - |
1463 | const struct hostkey_entry *found; | - |
1464 | | - |
1465 | for (i = 0; type[i] != -1; i++) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1466 | if (type[i] == key->type)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1467 | continue; never executed: continue; | 0 |
1468 | if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1469 | continue; never executed: continue; | 0 |
1470 | fp = sshkey_fingerprint(found->key, | - |
1471 | options.fingerprint_hash, SSH_FP_DEFAULT); | - |
1472 | ra = sshkey_fingerprint(found->key, | - |
1473 | options.fingerprint_hash, SSH_FP_RANDOMART); | - |
1474 | if (fp == NULL || ra == NULL)TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1475 | fatal("%s: sshkey_fingerprint fail", __func__); never executed: fatal("%s: sshkey_fingerprint fail", __func__); | 0 |
1476 | logit("WARNING: %s key found for host %s\n" | - |
1477 | "in %s:%lu\n" | - |
1478 | "%s key fingerprint %s.", | - |
1479 | sshkey_type(found->key), | - |
1480 | found->host, found->file, found->line, | - |
1481 | sshkey_type(found->key), fp); | - |
1482 | if (options.visual_host_key)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1483 | logit("%s", ra); never executed: logit("%s", ra); | 0 |
1484 | free(ra); | - |
1485 | free(fp); | - |
1486 | ret = 1; | - |
1487 | } never executed: end of block | 0 |
1488 | return ret; never executed: return ret; | 0 |
1489 | } | - |
1490 | | - |
1491 | static void | - |
1492 | warn_changed_key(struct sshkey *host_key) | - |
1493 | { | - |
1494 | char *fp; | - |
1495 | | - |
1496 | fp = sshkey_fingerprint(host_key, options.fingerprint_hash, | - |
1497 | SSH_FP_DEFAULT); | - |
1498 | if (fp == NULL)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1499 | fatal("%s: sshkey_fingerprint fail", __func__); never executed: fatal("%s: sshkey_fingerprint fail", __func__); | 0 |
1500 | | - |
1501 | error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); | - |
1502 | error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); | - |
1503 | error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); | - |
1504 | error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"); | - |
1505 | error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); | - |
1506 | error("It is also possible that a host key has just been changed."); | - |
1507 | error("The fingerprint for the %s key sent by the remote host is\n%s.", | - |
1508 | sshkey_type(host_key), fp); | - |
1509 | error("Please contact your system administrator."); | - |
1510 | | - |
1511 | free(fp); | - |
1512 | } never executed: end of block | 0 |
1513 | | - |
1514 | | - |
1515 | | - |
1516 | | - |
1517 | int | - |
1518 | ssh_local_cmd(const char *args) | - |
1519 | { | - |
1520 | char *shell; | - |
1521 | pid_t pid; | - |
1522 | int status; | - |
1523 | void (*osighand)(int); | - |
1524 | | - |
1525 | if (!options.permit_local_command ||TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1526 | args == NULL || !*args)TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1527 | return (1); never executed: return (1); | 0 |
1528 | | - |
1529 | if ((shell = getenv("SHELL")) == NULL || *shell == '\0')TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1530 | shell = _PATH_BSHELL; never executed: shell = "/bin/sh" ; | 0 |
1531 | | - |
1532 | osighand = signal(SIGCHLD, SIG_DFL); | - |
1533 | pid = fork(); | - |
1534 | if (pid == 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1535 | signal(SIGPIPE, SIG_DFL); | - |
1536 | debug3("Executing %s -c \"%s\"", shell, args); | - |
1537 | execl(shell, shell, "-c", args, (char *)NULL); | - |
1538 | error("Couldn't execute %s -c \"%s\": %s", | - |
1539 | shell, args, strerror(errno)); | - |
1540 | _exit(1); | - |
1541 | } else if (pid == -1) never executed: end of block TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1542 | fatal("fork failed: %.100s", strerror(errno)); never executed: fatal("fork failed: %.100s", strerror( (*__errno_location ()) )); | 0 |
1543 | while (waitpid(pid, &status, 0) == -1)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1544 | if (errno != EINTR)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1545 | fatal("Couldn't wait for child: %s", strerror(errno)); never executed: fatal("Couldn't wait for child: %s", strerror( (*__errno_location ()) )); | 0 |
1546 | signal(SIGCHLD, osighand); | - |
1547 | | - |
1548 | if (!WIFEXITED(status))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1549 | return (1); never executed: return (1); | 0 |
1550 | | - |
1551 | return (WEXITSTATUS(status)); never executed: return ( ((( status ) & 0xff00) >> 8) ); | 0 |
1552 | } | - |
1553 | | - |
1554 | void | - |
1555 | maybe_add_key_to_agent(char *authfile, const struct sshkey *private, | - |
1556 | char *comment, char *passphrase) | - |
1557 | { | - |
1558 | int auth_sock = -1, r; | - |
1559 | | - |
1560 | if (options.add_keys_to_agent == 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1561 | return; never executed: return; | 0 |
1562 | | - |
1563 | if ((r = ssh_get_authentication_socket(&auth_sock)) != 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1564 | debug3("no authentication agent, not adding key"); | - |
1565 | return; never executed: return; | 0 |
1566 | } | - |
1567 | | - |
1568 | if (options.add_keys_to_agent == 2 &&TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1569 | !ask_permission("Add key %s (%s) to agent?", authfile, comment)) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1570 | debug3("user denied adding this key"); | - |
1571 | close(auth_sock); | - |
1572 | return; never executed: return; | 0 |
1573 | } | - |
1574 | | - |
1575 | if ((r = ssh_add_identity_constrained(auth_sock, private, comment, 0,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1576 | (options.add_keys_to_agent == 3), 0)) == 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
1577 | debug("identity added to agent: %s", authfile); never executed: debug("identity added to agent: %s", authfile); | 0 |
1578 | else | - |
1579 | debug("could not add identity to agent: %s (%d)", authfile, r); never executed: debug("could not add identity to agent: %s (%d)", authfile, r); | 0 |
1580 | close(auth_sock); | - |
1581 | } never executed: end of block | 0 |
| | |