authordjm@openbsd.org <djm@openbsd.org>2015-01-26 06:10:03 +0000
committerDamien Miller <djm@mindrot.org>2015-01-27 00:00:57 +1100
commit5104db7cbd6cdd9c5971f4358e74414862fc1022 (patch)
tree94692c77a4888f8adade706324fdee3a999bc6b0
parent8d4f87258f31cb6def9b3b55b6a7321d84728ff2 (diff)
upstream commit
correctly match ECDSA subtype (== curve) for offered/received host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve types (an extremely unlikely configuration). ok markus, "looks mechanical" deraadt@
-rw-r--r--auth.h6
-rw-r--r--kex.c3
-rw-r--r--kex.h7
-rw-r--r--kexc25519c.c6
-rw-r--r--kexc25519s.c8
-rw-r--r--kexdhc.c6
-rw-r--r--kexdhs.c8
-rw-r--r--kexecdhc.c6
-rw-r--r--kexecdhs.c8
-rw-r--r--kexgexc.c8
-rw-r--r--kexgexs.c8
-rw-r--r--ssh_api.c16
-rw-r--r--sshconnect.c5
-rw-r--r--sshd.c15
14 files changed, 68 insertions, 42 deletions
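--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.80 2015/01/19 20:16:15 markus Exp $ */
+/* $OpenBSD: auth.h,v 1.81 2015/01/26 06:10:03 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -204,8 +204,8 @@ check_key_in_hostfiles(struct passwd *, Key *, const char *,
 /* hostkey handling */
 Key *get_hostkey_by_index(int);
 Key *get_hostkey_public_by_index(int, struct ssh *);
-Key *get_hostkey_public_by_type(int, struct ssh *);
-Key *get_hostkey_private_by_type(int, struct ssh *);
+Key *get_hostkey_public_by_type(int, int, struct ssh *);
+Key *get_hostkey_private_by_type(int, int, struct ssh *);
 int get_hostkey_index(Key *, struct ssh *);
 int ssh1_session_key(BIGNUM *);
 int sshd_hostkey_sign(Key *, Key *, u_char **, size_t *, u_char *, size_t, u_int);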
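--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.103 2015/01/20 23:14:00 deraadt Exp $ */
+/* $OpenBSD: kex.c,v 1.104 2015/01/26 06:10:03 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
  *
@@ -546,6 +546,7 @@ choose_hostkeyalg(struct kex *k, char *client, char *server)
 	k->hostkey_type = sshkey_type_from_name(hostkeyalg);
 	if (k->hostkey_type == KEY_UNSPEC)
 		return SSH_ERR_INTERNAL_ERROR;
+	k->hostkey_nid = sshkey_ecdsa_nid_from_name(hostkeyalg);
 	free(hostkeyalg);
 	return 0;
 }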
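Review bot: The early `return SSH_ERR_INTERNAL_ERROR;` at line 548 leaves `hostkeyalg` unfreed while the success path frees it two lines later, so the KEY_UNSPEC path looks like a leak of the very string the commit now also reads for the NID; a `free(hostkeyalg);` before that return would close it. choose_hostkeyalg begins outside the hunk, so where hostkeyalg is allocated is not visible here and this is inferred from the `free()` on the success path. The new assignment at line 549 would also benefit from a one-line comment such as `/* curve NID; only meaningful when hostkey_type == KEY_ECDSA */`, since every consumer in the kex*.c files guards on KEY_ECDSA before consulting it.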
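--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.69 2015/01/19 20:16:15 markus Exp $ */
+/* $OpenBSD: kex.h,v 1.70 2015/01/26 06:10:03 djm Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -116,6 +116,7 @@ struct kex {
 	int server;
 	char *name;
 	int hostkey_type;
+	int hostkey_nid;
 	u_int kex_type;
 	int roaming;
 	struct sshbuf *my;
@@ -127,8 +128,8 @@ struct kex {
 	char *client_version_string;
 	char *server_version_string;
 	int (*verify_host_key)(struct sshkey *, struct ssh *);
-	struct sshkey *(*load_host_public_key)(int, struct ssh *);
-	struct sshkey *(*load_host_private_key)(int, struct ssh *);
+	struct sshkey *(*load_host_public_key)(int, int, struct ssh *);
+	struct sshkey *(*load_host_private_key)(int, int, struct ssh *);
 	int (*host_key_index)(struct sshkey *, struct ssh *);
 	int (*sign)(struct sshkey *, struct sshkey *,
 	    u_char **, size_t *, u_char *, size_t, u_int);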
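Review bot: The new `hostkey_nid` member at line 119 carries no comment, and unlike `hostkey_type` it is only meaningful for one key type, which a reader of the struct cannot tell; `int hostkey_nid; /* ECDSA curve NID, valid only when hostkey_type == KEY_ECDSA */` would state that. The two callback prototypes at lines 131-132 now take two unnamed `int` parameters, so the struct no longer tells the implementer which one is the type and which the NID; naming them, `(int type, int nid, struct ssh *)`, costs nothing and prevents a swapped-argument implementation. struct kex itself starts and ends outside the hunks.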
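--- a/kexc25519c.c
+++ b/kexc25519c.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexc25519c.c,v 1.6 2015/01/19 20:16:15 markus Exp $ */
+/* $OpenBSD: kexc25519c.c,v 1.7 2015/01/26 06:10:03 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
  * Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -92,7 +92,9 @@ input_kex_c25519_reply(int type, u_int32_t seq, void *ctxt)
 	    (r = sshkey_from_blob(server_host_key_blob, sbloblen,
 	    &server_host_key)) != 0)
 		goto out;
-	if (server_host_key->type != kex->hostkey_type) {
+	if (server_host_key->type != kex->hostkey_type ||
+	    (kex->hostkey_type == KEY_ECDSA &&
+	    server_host_key->ecdsa_nid != kex->hostkey_nid)) {
 		r = SSH_ERR_KEY_TYPE_MISMATCH;
 		goto out;
 	}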
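Review bot: The three-line predicate added at lines 95-97 is repeated verbatim in kexdhc.c, kexecdhc.c and kexgexc.c, and its mirror image (type match plus curve match) is written out again in ssh_api.c and sshd.c, so the definition of "this key is the one we negotiated" now lives in six places that must be edited together the next time a key type gains a subtype. A single helper in kex.c that takes the kex and the key would let each client file reduce to `if (!kex_hostkey_type_matches(kex, server_host_key)) {`. input_kex_c25519_reply starts and ends outside the hunk, so the rest of the function is not visible here.
```c
/* kex.c: one definition of "key matches the negotiated host key algorithm" */
static int
kex_hostkey_type_matches(const struct kex *kex, const struct sshkey *key)
{
	if (key->type != kex->hostkey_type)
		return 0;
	/* for ECDSA the curve is part of the algorithm name, so it must match too */
	if (kex->hostkey_type == KEY_ECDSA && key->ecdsa_nid != kex->hostkey_nid)
		return 0;
	return 1;
}

/* … unchanged: blob parsing in input_kex_c25519_reply … */
	if (!kex_hostkey_type_matches(kex, server_host_key)) {
		r = SSH_ERR_KEY_TYPE_MISMATCH;
		goto out;
	}
```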
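--- a/kexc25519s.c
+++ b/kexc25519s.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexc25519s.c,v 1.7 2015/01/20 07:55:33 djm Exp $ */
+/* $OpenBSD: kexc25519s.c,v 1.8 2015/01/26 06:10:03 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
  * Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -75,8 +75,10 @@ input_kex_c25519_init(int type, u_int32_t seq, void *ctxt)
 		r = SSH_ERR_INVALID_ARGUMENT;
 		goto out;
 	}
-	server_host_public = kex->load_host_public_key(kex->hostkey_type, ssh);
-	server_host_private = kex->load_host_private_key(kex->hostkey_type, ssh);
+	server_host_public = kex->load_host_public_key(kex->hostkey_type,
+	    kex->hostkey_nid, ssh);
+	server_host_private = kex->load_host_private_key(kex->hostkey_type,
+	    kex->hostkey_nid, ssh);
 	if (server_host_public == NULL) {
 		r = SSH_ERR_NO_HOSTKEY_LOADED;
 		goto out;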
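--- a/kexdhc.c
+++ b/kexdhc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexdhc.c,v 1.17 2015/01/19 20:16:15 markus Exp $ */
+/* $OpenBSD: kexdhc.c,v 1.18 2015/01/26 06:10:03 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
  *
@@ -114,7 +114,9 @@ input_kex_dh(int type, u_int32_t seq, void *ctxt)
 	    (r = sshkey_from_blob(server_host_key_blob, sbloblen,
 	    &server_host_key)) != 0)
 		goto out;
-	if (server_host_key->type != kex->hostkey_type) {
+	if (server_host_key->type != kex->hostkey_type ||
+	    (kex->hostkey_type == KEY_ECDSA &&
+	    server_host_key->ecdsa_nid != kex->hostkey_nid)) {
 		r = SSH_ERR_KEY_TYPE_MISMATCH;
 		goto out;
 	}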
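--- a/kexdhs.c
+++ b/kexdhs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexdhs.c,v 1.21 2015/01/20 07:55:33 djm Exp $ */
+/* $OpenBSD: kexdhs.c,v 1.22 2015/01/26 06:10:03 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
  *
@@ -101,8 +101,10 @@ input_kex_dh_init(int type, u_int32_t seq, void *ctxt)
 		r = SSH_ERR_INVALID_ARGUMENT;
 		goto out;
 	}
-	server_host_public = kex->load_host_public_key(kex->hostkey_type, ssh);
-	server_host_private = kex->load_host_private_key(kex->hostkey_type, ssh);
+	server_host_public = kex->load_host_public_key(kex->hostkey_type,
+	    kex->hostkey_nid, ssh);
+	server_host_private = kex->load_host_private_key(kex->hostkey_type,
+	    kex->hostkey_nid, ssh);
 	if (server_host_public == NULL) {
 		r = SSH_ERR_NO_HOSTKEY_LOADED;
 		goto out;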
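--- a/kexecdhc.c
+++ b/kexecdhc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexecdhc.c,v 1.9 2015/01/19 20:16:15 markus Exp $ */
+/* $OpenBSD: kexecdhc.c,v 1.10 2015/01/26 06:10:03 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
  * Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -124,7 +124,9 @@ input_kex_ecdh_reply(int type, u_int32_t seq, void *ctxt)
 	    (r = sshkey_from_blob(server_host_key_blob, sbloblen,
 	    &server_host_key)) != 0)
 		goto out;
-	if (server_host_key->type != kex->hostkey_type) {
+	if (server_host_key->type != kex->hostkey_type ||
+	    (kex->hostkey_type == KEY_ECDSA &&
+	    server_host_key->ecdsa_nid != kex->hostkey_nid)) {
 		r = SSH_ERR_KEY_TYPE_MISMATCH;
 		goto out;
 	}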
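--- a/kexecdhs.c
+++ b/kexecdhs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexecdhs.c,v 1.13 2015/01/20 07:55:33 djm Exp $ */
+/* $OpenBSD: kexecdhs.c,v 1.14 2015/01/26 06:10:03 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
  * Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -95,8 +95,10 @@ input_kex_ecdh_init(int type, u_int32_t seq, void *ctxt)
 		r = SSH_ERR_INVALID_ARGUMENT;
 		goto out;
 	}
-	server_host_public = kex->load_host_public_key(kex->hostkey_type, ssh);
-	server_host_private = kex->load_host_private_key(kex->hostkey_type, ssh);
+	server_host_public = kex->load_host_public_key(kex->hostkey_type,
+	    kex->hostkey_nid, ssh);
+	server_host_private = kex->load_host_private_key(kex->hostkey_type,
+	    kex->hostkey_nid, ssh);
 	if (server_host_public == NULL) {
 		r = SSH_ERR_NO_HOSTKEY_LOADED;
 		goto out;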
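--- a/kexgexc.c
+++ b/kexgexc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexc.c,v 1.19 2015/01/19 20:16:15 markus Exp $ */
+/* $OpenBSD: kexgexc.c,v 1.20 2015/01/26 06:10:03 djm Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos. All rights reserved.
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -176,6 +176,12 @@ input_kex_dh_gex_reply(int type, u_int32_t seq, void *ctxt)
 		r = SSH_ERR_KEY_TYPE_MISMATCH;
 		goto out;
 	}
+	if (server_host_key->type != kex->hostkey_type ||
+	    (kex->hostkey_type == KEY_ECDSA &&
+	    server_host_key->ecdsa_nid != kex->hostkey_nid)) {
+		r = SSH_ERR_KEY_TYPE_MISMATCH;
+		goto out;
+	}
 	if (kex->verify_host_key(server_host_key, ssh) == -1) {
 		r = SSH_ERR_SIGNATURE_INVALID;
 		goto out;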
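Review bot: The block added at lines 179-184 sits directly below a block (ending at 176-178) that already sets SSH_ERR_KEY_TYPE_MISMATCH and jumps to out, and unlike kexdhc.c, kexecdhc.c and kexc25519c.c, where the existing type test is replaced, nothing is removed here. The condition of that preceding block is outside the hunk, but if it is the original `server_host_key->type != kex->hostkey_type` test, the type comparison now runs twice and the curve clause should be folded into the existing condition as in the other client files; if the earlier block is kept, only `if (kex->hostkey_type == KEY_ECDSA && server_host_key->ecdsa_nid != kex->hostkey_nid) {` is new. input_kex_dh_gex_reply starts and ends outside the hunk.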
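--- a/kexgexs.c
+++ b/kexgexs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexs.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */
+/* $OpenBSD: kexgexs.c,v 1.24 2015/01/26 06:10:03 djm Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos. All rights reserved.
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -160,8 +160,10 @@ input_kex_dh_gex_init(int type, u_int32_t seq, void *ctxt)
 		r = SSH_ERR_INVALID_ARGUMENT;
 		goto out;
 	}
-	server_host_public = kex->load_host_public_key(kex->hostkey_type, ssh);
-	server_host_private = kex->load_host_private_key(kex->hostkey_type, ssh);
+	server_host_public = kex->load_host_public_key(kex->hostkey_type,
+	    kex->hostkey_nid, ssh);
+	server_host_private = kex->load_host_private_key(kex->hostkey_type,
+	    kex->hostkey_nid, ssh);
 	if (server_host_public == NULL) {
 		r = SSH_ERR_NO_HOSTKEY_LOADED;
 		goto out;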
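--- a/ssh_api.c
+++ b/ssh_api.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh_api.c,v 1.1 2015/01/19 20:30:23 markus Exp $ */
+/* $OpenBSD: ssh_api.c,v 1.2 2015/01/26 06:10:03 djm Exp $ */
 /*
  * Copyright (c) 2012 Markus Friedl. All rights reserved.
  *
@@ -38,8 +38,8 @@ int _ssh_send_banner(struct ssh *, char **);
 int _ssh_read_banner(struct ssh *, char **);
 int _ssh_order_hostkeyalgs(struct ssh *);
 int _ssh_verify_host_key(struct sshkey *, struct ssh *);
-struct sshkey *_ssh_host_public_key(int, struct ssh *);
-struct sshkey *_ssh_host_private_key(int, struct ssh *);
+struct sshkey *_ssh_host_public_key(int, int, struct ssh *);
+struct sshkey *_ssh_host_private_key(int, int, struct ssh *);
 int _ssh_host_key_sign(struct sshkey *, struct sshkey *, u_char **,
     size_t *, u_char *, size_t, u_int);
 
@@ -425,28 +425,30 @@ _ssh_exchange_banner(struct ssh *ssh)
 }
 
 struct sshkey *
-_ssh_host_public_key(int type, struct ssh *ssh)
+_ssh_host_public_key(int type, int nid, struct ssh *ssh)
 {
 	struct key_entry *k;
 
 	debug3("%s: need %d", __func__, type);
 	TAILQ_FOREACH(k, &ssh->public_keys, next) {
 		debug3("%s: check %s", __func__, sshkey_type(k->key));
-		if (k->key->type == type)
+		if (k->key->type == type &&
+		    (type != KEY_ECDSA || k->key->ecdsa_nid == nid))
 			return (k->key);
 	}
 	return (NULL);
 }
 
 struct sshkey *
-_ssh_host_private_key(int type, struct ssh *ssh)
+_ssh_host_private_key(int type, int nid, struct ssh *ssh)
 {
 	struct key_entry *k;
 
 	debug3("%s: need %d", __func__, type);
 	TAILQ_FOREACH(k, &ssh->private_keys, next) {
 		debug3("%s: check %s", __func__, sshkey_type(k->key));
-		if (k->key->type == type)
+		if (k->key->type == type &&
+		    (type != KEY_ECDSA || k->key->ecdsa_nid == nid))
 			return (k->key);
 	}
 	return (NULL);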
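Review bot: The `debug3("%s: need %d", __func__, type);` traces at lines 432 and 447 were not extended with the new `nid` argument, so a lookup that fails only because no loaded key has the negotiated curve logs exactly like a missing key type and the resulting SSH_ERR_NO_HOSTKEY_LOADED in the kex*s.c callers cannot be explained from the log; `debug3("%s: need %d nid %d", __func__, type, nid);` fixes that, and the per-key `check` line could print `k->key->ecdsa_nid` for ECDSA entries. The type-plus-curve predicate is also written out once per function here and a third time in sshd.c get_hostkey_by_type; a small shared helper taking `(key, type, nid)` would keep the three copies from drifting.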
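--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.257 2015/01/26 03:04:46 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.258 2015/01/26 06:10:03 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1243,7 +1243,8 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 		goto out;
 	}
 
-	debug("Server host key: %s %s", sshkey_type(host_key), fp);
+	debug("Server host key: %s %s",
+	    compat20 ? sshkey_ssh_name(host_key) : sshkey_type(host_key), fp);
 
 	if (sshkey_equal(previous_host_key, host_key)) {
 		debug2("%s: server host key %s %s matches cached key",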
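--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.439 2015/01/26 03:04:46 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.440 2015/01/26 06:10:03 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -836,7 +836,7 @@ list_hostkey_types(void)
 }
 
 static Key *
-get_hostkey_by_type(int type, int need_private, struct ssh *ssh)
+get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh)
 {
 	int i;
 	Key *key;
@@ -857,7 +857,8 @@ get_hostkey_by_type(int type, int need_private, struct ssh *ssh)
 			key = sensitive_data.host_pubkeys[i];
 			break;
 		}
-		if (key != NULL && key->type == type)
+		if (key != NULL && key->type == type &&
+		    (key->type != KEY_ECDSA || key->ecdsa_nid == nid))
 			return need_private ?
 			    sensitive_data.host_keys[i] : key;
 	}
@@ -865,15 +866,15 @@ get_hostkey_by_type(int type, int need_private, struct ssh *ssh)
 }
 
 Key *
-get_hostkey_public_by_type(int type, struct ssh *ssh)
+get_hostkey_public_by_type(int type, int nid, struct ssh *ssh)
 {
-	return get_hostkey_by_type(type, 0, ssh);
+	return get_hostkey_by_type(type, nid, 0, ssh);
 }
 
 Key *
-get_hostkey_private_by_type(int type, struct ssh *ssh)
+get_hostkey_private_by_type(int type, int nid, struct ssh *ssh)
 {
-	return get_hostkey_by_type(type, 1, ssh);
+	return get_hostkey_by_type(type, nid, 1, ssh);
 }
 
 Key *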
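Review bot: Line 861 tests `key->type != KEY_ECDSA` where the otherwise identical predicate in ssh_api.c tests `type != KEY_ECDSA`; the two are equivalent here only because `key->type == type` has already been established earlier in the same condition, and writing `(type != KEY_ECDSA || key->ecdsa_nid == nid)` makes the two copies textually identical and easier to keep in step. The reason the curve is compared at all is not obvious from the code, so a comment above the condition, `/* for ECDSA the curve is part of the negotiated algorithm, so it must match too */`, would help the next reader. The loop body in get_hostkey_by_type begins and ends outside the middle hunk, so the initialisation of `key` is not visible here.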