cURL / Mailing Lists / curl-library / Single Mail

curl-library

[PATCH 2/2] ssh: do not crash if MD5 fingerprint is not provided by libssh2

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Wed, 12 Sep 2012 16:37:39 +0200

The MD5 fingerprint cannot be computed when running in FIPS mode.

---
 RELEASE-NOTES |    1 +
 lib/ssh.c     |   22 ++++++++++++++--------
 2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index b1ae3eb..d8e08ad 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -42,6 +42,7 @@ This release includes the following bugfixes:
  o gnutls: do not fail on non-fatal handshake errors [15]
  o SMTP: only send SIZE if supported [16]
  o ftpserver: respond with a 250 to SMTP EHLO
+ o ssh: do not crash if MD5 fingerprint is not provided by libssh2
 
 This release includes the following known bugs:
 
diff --git a/lib/ssh.c b/lib/ssh.c
index e289632..879a02d 100644
--- a/lib/ssh.c
+++ b/lib/ssh.c
@@ -650,19 +650,25 @@ static bool ssh_check_fingerpring(struct connectdata *conn)
   const char *fingerprint = libssh2_hostkey_hash(sshc->ssh_session,
       LIBSSH2_HOSTKEY_HASH_MD5);
 
-  /* The fingerprint points to static storage (!), don't free() it. */
-  for(i = 0; i < 16; i++)
-    snprintf(&md5buffer[i*2], 3, "%02x", (unsigned char) fingerprint[i]);
-  infof(data, "SSH MD5 fingerprint: %s\n", md5buffer);
+  if(fingerprint) {
+    /* The fingerprint points to static storage (!), don't free() it. */
+    for(i = 0; i < 16; i++)
+      snprintf(&md5buffer[i*2], 3, "%02x", (unsigned char) fingerprint[i]);
+    infof(data, "SSH MD5 fingerprint: %s\n", md5buffer);
+  }
 
   /* Before we authenticate we check the hostkey's MD5 fingerprint
    * against a known fingerprint, if available.
    */
   if(pubkey_md5 && strlen(pubkey_md5) == 32) {
-    if(!strequal(md5buffer, pubkey_md5)) {
-      failf(data,
-          "Denied establishing ssh session: mismatch md5 fingerprint. "
-          "Remote %s is not equal to %s", md5buffer, pubkey_md5);
+    if(!fingerprint || !strequal(md5buffer, pubkey_md5)) {
+      if(fingerprint)
+        failf(data,
+            "Denied establishing ssh session: mismatch md5 fingerprint. "
+            "Remote %s is not equal to %s", md5buffer, pubkey_md5);
+      else
+        failf(data,
+            "Denied establishing ssh session: md5 fingerprint not available");
       state(conn, SSH_SESSION_FREE);
       sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION;
       return sshc->actualcode;
-- 
1.7.1
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html

Received on 2012-09-12

This message: [ Message body ]
Next message: Kamil Dudka: "Re: [PATCH 1/2] ssh: move the fingerprint checking code to a separate fnc"
Previous message: Kamil Dudka: "[PATCH 1/2] ssh: move the fingerprint checking code to a separate fnc"
In reply to: Kamil Dudka: "[PATCH 1/2] ssh: move the fingerprint checking code to a separate fnc"
Next in thread: Kamil Dudka: "Re: [PATCH 1/2] ssh: move the fingerprint checking code to a separate fnc"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]