1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-23 08:38:49 -05:00

sftp: add the option CURLKHSTAT_FINE_REPLACE

Replace the old fingerprint of the host with a new.

Closes #5685
This commit is contained in:
Michael Musset 2020-07-15 16:39:40 +02:00 committed by Daniel Stenberg
parent ddf47bbc0a
commit ebc6c54c74
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
4 changed files with 20 additions and 4 deletions

View File

@ -5,7 +5,7 @@
.\" * | (__| |_| | _ <| |___ .\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____| .\" * \___|\___/|_| \_\_____|
.\" * .\" *
.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. .\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" * .\" *
.\" * This software is licensed as described in the file COPYING, which .\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms .\" * you should have received as part of this distribution. The terms
@ -35,6 +35,7 @@ enum curl_khstat {
now so this causes a CURLE_DEFER error but now so this causes a CURLE_DEFER error but
otherwise the connection will be left intact otherwise the connection will be left intact
etc */ etc */
CURLKHSTAT_FINE_REPLACE
}; };
enum curl_khmatch { enum curl_khmatch {
@ -72,7 +73,13 @@ known_hosts file \fIknownkey\fP, the key from the remote site \fIfoundkey\fP,
info from libcurl on the matching status and a custom pointer (set with info from libcurl on the matching status and a custom pointer (set with
\fICURLOPT_SSH_KEYDATA(3)\fP). It MUST return one of the following return \fICURLOPT_SSH_KEYDATA(3)\fP). It MUST return one of the following return
codes to tell libcurl how to act: codes to tell libcurl how to act:
.IP CURLKHSTAT_FINE_REPLACE
The new host+key is accepted and libcurl will replace the old host+key into
the known_hosts file before continuing with the connection. This will also
add the new host+key combo to the known_host pool kept in memory if it wasn't
already present there. The adding of data to the file is done by completely
replacing the file with a new copy, so the permissions of the file must allow
this. (Added in 7.73.0)
.IP CURLKHSTAT_FINE_ADD_TO_FILE .IP CURLKHSTAT_FINE_ADD_TO_FILE
The host+key is accepted and libcurl will append it to the known_hosts file The host+key is accepted and libcurl will append it to the known_hosts file
before continuing with the connection. This will also add the host+key combo before continuing with the connection. This will also add the host+key combo

View File

@ -311,6 +311,7 @@ CURLKHMATCH_OK 7.19.6
CURLKHSTAT_DEFER 7.19.6 CURLKHSTAT_DEFER 7.19.6
CURLKHSTAT_FINE 7.19.6 CURLKHSTAT_FINE 7.19.6
CURLKHSTAT_FINE_ADD_TO_FILE 7.19.6 CURLKHSTAT_FINE_ADD_TO_FILE 7.19.6
CURLKHSTAT_FINE_REPLACE 7.73.0
CURLKHSTAT_REJECT 7.19.6 CURLKHSTAT_REJECT 7.19.6
CURLKHTYPE_DSS 7.19.6 CURLKHTYPE_DSS 7.19.6
CURLKHTYPE_ECDSA 7.58.0 CURLKHTYPE_ECDSA 7.58.0

View File

@ -832,6 +832,7 @@ enum curl_khstat {
CURLKHSTAT_DEFER, /* do not accept it, but we can't answer right now so CURLKHSTAT_DEFER, /* do not accept it, but we can't answer right now so
this causes a CURLE_DEFER error but otherwise the this causes a CURLE_DEFER error but otherwise the
connection will be left intact etc */ connection will be left intact etc */
CURLKHSTAT_FINE_REPLACE, /* accept and replace the wrong key*/
CURLKHSTAT_LAST /* not for use, only a marker for last-in-list */ CURLKHSTAT_LAST /* not for use, only a marker for last-in-list */
}; };

View File

@ -442,6 +442,7 @@ static CURLcode ssh_knownhost(struct connectdata *conn)
if(data->set.str[STRING_SSH_KNOWNHOSTS]) { if(data->set.str[STRING_SSH_KNOWNHOSTS]) {
/* we're asked to verify the host against a file */ /* we're asked to verify the host against a file */
struct ssh_conn *sshc = &conn->proto.sshc; struct ssh_conn *sshc = &conn->proto.sshc;
struct libssh2_knownhost *host = NULL;
int rc; int rc;
int keytype; int keytype;
size_t keylen; size_t keylen;
@ -456,7 +457,6 @@ static CURLcode ssh_knownhost(struct connectdata *conn)
* What host name does OpenSSH store in its file if an IDN name is * What host name does OpenSSH store in its file if an IDN name is
* used? * used?
*/ */
struct libssh2_knownhost *host;
enum curl_khmatch keymatch; enum curl_khmatch keymatch;
curl_sshkeycallback func = curl_sshkeycallback func =
data->set.ssh_keyfunc?data->set.ssh_keyfunc:sshkeycallback; data->set.ssh_keyfunc?data->set.ssh_keyfunc:sshkeycallback;
@ -568,7 +568,13 @@ static CURLcode ssh_knownhost(struct connectdata *conn)
/* DEFER means bail out but keep the SSH_HOSTKEY state */ /* DEFER means bail out but keep the SSH_HOSTKEY state */
result = sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION; result = sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION;
break; break;
case CURLKHSTAT_FINE_REPLACE:
/* remove old host+key that doesn't match */
if(host)
libssh2_knownhost_del(sshc->kh, host);
/*FALLTHROUGH*/
case CURLKHSTAT_FINE: case CURLKHSTAT_FINE:
/*FALLTHROUGH*/
case CURLKHSTAT_FINE_ADD_TO_FILE: case CURLKHSTAT_FINE_ADD_TO_FILE:
/* proceed */ /* proceed */
if(keycheck != LIBSSH2_KNOWNHOST_CHECK_MATCH) { if(keycheck != LIBSSH2_KNOWNHOST_CHECK_MATCH) {
@ -583,7 +589,8 @@ static CURLcode ssh_knownhost(struct connectdata *conn)
if(addrc) if(addrc)
infof(data, "Warning adding the known host %s failed!\n", infof(data, "Warning adding the known host %s failed!\n",
conn->host.name); conn->host.name);
else if(rc == CURLKHSTAT_FINE_ADD_TO_FILE) { else if(rc == CURLKHSTAT_FINE_ADD_TO_FILE ||
rc == CURLKHSTAT_FINE_REPLACE) {
/* now we write the entire in-memory list of known hosts to the /* now we write the entire in-memory list of known hosts to the
known_hosts file */ known_hosts file */
int wrc = int wrc =