author | Kamil Dudka <kdudka@redhat.com> | 2012-09-12 16:18:36 +0200 |
---|---|---|
committer | Kamil Dudka <kdudka@redhat.com> | 2012-09-12 16:49:10 +0200 |
commit | f05e51362f310cb04b0ad8d086b9cf693aad5c9d (patch) | |
tree | f9d5161198d834aedd4b5ec80d93fe2b8c097c26 | |
parent | ce515e993fe7bc7e95549317fe5180b196454d4c (diff) |
ssh: do not crash if MD5 fingerprint is not provided by libssh2
The MD5 fingerprint cannot be computed when running in FIPS mode.
-rw-r--r-- | RELEASE-NOTES | 1 | ||||
-rw-r--r-- | lib/ssh.c | 22 |
2 files changed, 15 insertions, 8 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index b1ae3ebbd..d8e08ad13 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -42,6 +42,7 @@ This release includes the following bugfixes:
 o gnutls: do not fail on non-fatal handshake errors [15]
 o SMTP: only send SIZE if supported [16]
 o ftpserver: respond with a 250 to SMTP EHLO
+ o ssh: do not crash if MD5 fingerprint is not provided by libssh2
 This release includes the following known bugs:
@@ -650,19 +650,25 @@ static bool ssh_check_fingerprint(struct connectdata *conn)
 const char *fingerprint = libssh2_hostkey_hash(sshc->ssh_session, LIBSSH2_HOSTKEY_HASH_MD5);
- /* The fingerprint points to static storage (!), don't free() it. */
- for(i = 0; i < 16; i++)
- snprintf(&md5buffer[i*2], 3, "%02x", (unsigned char) fingerprint[i]);
- infof(data, "SSH MD5 fingerprint: %s\n", md5buffer);
+ if(fingerprint) {
+ /* The fingerprint points to static storage (!), don't free() it. */
+ for(i = 0; i < 16; i++)
+ snprintf(&md5buffer[i*2], 3, "%02x", (unsigned char) fingerprint[i]);
+ infof(data, "SSH MD5 fingerprint: %s\n", md5buffer);
+ }
 /* Before we authenticate we check the hostkey's MD5 fingerprint
 * against a known fingerprint, if available. */
 if(pubkey_md5 && strlen(pubkey_md5) == 32) {
- if(!strequal(md5buffer, pubkey_md5)) {
- failf(data,
- "Denied establishing ssh session: mismatch md5 fingerprint. "
- "Remote %s is not equal to %s", md5buffer, pubkey_md5);
+ if(!fingerprint || !strequal(md5buffer, pubkey_md5)) {
+ if(fingerprint)
+ failf(data,
+ "Denied establishing ssh session: mismatch md5 fingerprint. "
+ "Remote %s is not equal to %s", md5buffer, pubkey_md5);
+ else
+ failf(data,
+ "Denied establishing ssh session: md5 fingerprint not available");
 state(conn, SSH_SESSION_FREE);
 sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION;
 return sshc->actualcode;
|
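Review bot: The new fail-closed branch for a missing fingerprint is reached only when the configured pin passes `strlen(pubkey_md5) == 32`, so in the lib/ssh.c hunk a pin of any other length still skips both the comparison and the new `!fingerprint` rejection. Unless the length is validated where the option is set (not visible here), consider treating a set-but-malformed pin as a verification failure, e.g. `if(pubkey_md5) {` followed by `if(strlen(pubkey_md5) != 32 || !fingerprint || !strequal(md5buffer, pubkey_md5)) {`, with its own failf message for the malformed case. Separately, `md5buffer` is now left unwritten when `fingerprint` is NULL; the short-circuit in the condition keeps it from being read today, but a comment such as `/* md5buffer is only valid when fingerprint is non-NULL (NULL e.g. in FIPS mode) */` would protect later edits. ssh_check_fingerprint begins and ends outside this hunk.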