author | Niels Provos <provos@cvs.openbsd.org> | 1999-10-03 21:50:05 +0000 |
---|---|---|
committer | Niels Provos <provos@cvs.openbsd.org> | 1999-10-03 21:50:05 +0000 |
commit | dce30fe4c3eed210d1830b1bb7d5434ad4f15607 (patch) | |
tree | 2d57dbe7a3d712ad0e757a1b39965798ed6c67ba /usr.bin/ssh/hostfile.c | |
parent | 99b7880be93ded91810507804eb4226b2ee29edd (diff) |
add code to detect DNS spoofing:
the main idea is to not only store the host key for the hostname but
also for the corresponding IP address. When we check the host key in the
known_hosts file, we also check the key against the corresponding IP address.
When the server key changes, host_status = HOST_CHANGED. If
check_host_in_hostfile() returns differing status for the IP address
that means that either DNS was spoofed or that the IP address
for the host and the host key changed at the same time.
Diffstat (limited to 'usr.bin/ssh/hostfile.c')
-rw-r--r-- | usr.bin/ssh/hostfile.c | 14 |
1 files changed, 3 insertions, 11 deletions
diff --git a/usr.bin/ssh/hostfile.c b/usr.bin/ssh/hostfile.c
index 9b36e39e828..6982899dec6 100644
--- a/usr.bin/ssh/hostfile.c
+++ b/usr.bin/ssh/hostfile.c
@@ -14,7 +14,7 @@ Functions for manipulating the known hosts files.
 */
 #include "includes.h"
-RCSID("$Id: hostfile.c,v 1.2 1999/09/28 04:45:36 provos Exp $");
+RCSID("$Id: hostfile.c,v 1.3 1999/10/03 21:50:03 provos Exp $");
 #include "packet.h"
 #include "ssh.h"
@@ -168,7 +168,8 @@ match_hostname(const char *host, const char *pattern, unsigned int len)
 HostStatus
 check_host_in_hostfile(const char *filename, const char *host, unsigned int bits,
- BIGNUM *e, BIGNUM *n)
+ BIGNUM *e, BIGNUM *n,
+ BIGNUM *ke, BIGNUM *kn)
 {
 FILE *f;
 char line[8192];
@@ -176,7 +177,6 @@ check_host_in_hostfile(const char *filename,
 char *cp, *cp2;
 HostStatus end_return;
 struct stat st;
- BIGNUM *ke, *kn;
 /* Open the file containing the list of known hosts. */
 f = fopen(filename, "r");
@@ -190,10 +190,6 @@ check_host_in_hostfile(const char *filename,
 return HOST_NEW;
 }
- /* Initialize mp-int variables. */
- ke = BN_new();
- kn = BN_new();
-
 /* Cache the length of the host name. */
 hostlen = strlen(host);
@@ -235,8 +231,6 @@ check_host_in_hostfile(const char *filename,
 if (kbits == bits && BN_cmp(ke, e) == 0 && BN_cmp(kn, n) == 0)
 {
 /* Ok, they match. */
- BN_clear_free(ke);
- BN_clear_free(kn);
 fclose(f);
 return HOST_OK;
 }
@@ -246,8 +240,6 @@ check_host_in_hostfile(const char *filename,
 end_return = HOST_CHANGED;
 }
 /* Clear variables and close the file. */
- BN_clear_free(ke);
- BN_clear_free(kn);
 fclose(f);
 /* Return either HOST_NEW or HOST_CHANGED, depending on whether we saw a
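Review bot: The new `ke`/`kn` parameters in the -168 hunk change the ownership contract of check_host_in_hostfile() without a word of documentation: the BN_new()/BN_clear_free() pairs removed in the -190, -235 and -246 hunks mean the caller must now pass already-allocated BIGNUMs and is responsible for clearing them afterwards, and the function leaves in them whatever key it parsed last from the file (presumably the matching key when HOST_OK is returned, but the parsing code lies outside these hunks). I would put a comment above the definition such as `/* ke, kn: caller-allocated BIGNUMs that receive the key parsed from the known_hosts entry; the caller must BN_clear_free() them. */`. Because the parsed values now outlive the call, a caller doing the second IP-address lookup the commit message describes should not assume they are reset between calls, and NULL arguments are not rejected. The function body begins in the -168 hunk and continues past the last hunk shown.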