diff options
author | djm@openbsd.org <djm@openbsd.org> | 2020-05-13 09:52:41 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2020-05-27 10:09:18 +1000 |
commit | 05a651400da6fbe12296c34e3d3bcf09f034fbbf (patch) | |
tree | 6d32fe8e5a0d61d5016adae80c759734e8def3aa /sshconnect2.c | |
parent | 829451815ec207e14bd54ff5cf7e22046816f042 (diff) |
upstream: when ordering the hostkey algorithms to request from a
server, prefer certificate types if the known_hosts files contain a key
marked as a @cert-authority; bz#3157 ok markus@
OpenBSD-Commit-ID: 8f194573e5bb7c01b69bbfaabc68f27c9fa5e0db
Diffstat (limited to 'sshconnect2.c')
-rw-r--r-- | sshconnect2.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/sshconnect2.c b/sshconnect2.c index 1a6545edf..08b4f8550 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshconnect2.c,v 1.321 2020/04/17 03:38:47 djm Exp $ */ | 1 | /* $OpenBSD: sshconnect2.c,v 1.322 2020/05/13 09:52:41 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2008 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. |
@@ -135,11 +135,23 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) | |||
135 | while ((alg = strsep(&avail, ",")) && *alg != '\0') { | 135 | while ((alg = strsep(&avail, ",")) && *alg != '\0') { |
136 | if ((ktype = sshkey_type_from_name(alg)) == KEY_UNSPEC) | 136 | if ((ktype = sshkey_type_from_name(alg)) == KEY_UNSPEC) |
137 | fatal("%s: unknown alg %s", __func__, alg); | 137 | fatal("%s: unknown alg %s", __func__, alg); |
138 | /* | ||
139 | * If we have a @cert-authority marker in known_hosts then | ||
140 | * prefer all certificate algorithms. | ||
141 | */ | ||
142 | if (sshkey_type_is_cert(ktype) && | ||
143 | lookup_marker_in_hostkeys(hostkeys, MRK_CA)) { | ||
144 | ALG_APPEND(first, alg); | ||
145 | continue; | ||
146 | } | ||
147 | /* If the key appears in known_hosts then prefer it */ | ||
138 | if (lookup_key_in_hostkeys_by_type(hostkeys, | 148 | if (lookup_key_in_hostkeys_by_type(hostkeys, |
139 | sshkey_type_plain(ktype), NULL)) | 149 | sshkey_type_plain(ktype), NULL)) { |
140 | ALG_APPEND(first, alg); | 150 | ALG_APPEND(first, alg); |
141 | else | 151 | continue; |
142 | ALG_APPEND(last, alg); | 152 | } |
153 | /* Otherwise, put it last */ | ||
154 | ALG_APPEND(last, alg); | ||
143 | } | 155 | } |
144 | #undef ALG_APPEND | 156 | #undef ALG_APPEND |
145 | xasprintf(&ret, "%s%s%s", first, | 157 | xasprintf(&ret, "%s%s%s", first, |