authordjm@openbsd.org <djm@openbsd.org>2020-05-13 09:52:41 +0000
committerDamien Miller <djm@mindrot.org>2020-05-27 10:09:18 +1000
commit05a651400da6fbe12296c34e3d3bcf09f034fbbf (patch)
tree6d32fe8e5a0d61d5016adae80c759734e8def3aa /sshconnect2.c
parent829451815ec207e14bd54ff5cf7e22046816f042 (diff)
upstream: when ordering the hostkey algorithms to request from a
server, prefer certificate types if the known_hosts files contain a key marked as a @cert-authority; bz#3157 ok markus@ OpenBSD-Commit-ID: 8f194573e5bb7c01b69bbfaabc68f27c9fa5e0db
Diffstat (limited to 'sshconnect2.c')
-rw-r--r--sshconnect2.c20
1 files changed, 16 insertions, 4 deletions
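--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.321 2020/04/17 03:38:47 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.322 2020/05/13 09:52:41 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -135,11 +135,23 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
 	while ((alg = strsep(&avail, ",")) && *alg != '\0') {
 		if ((ktype = sshkey_type_from_name(alg)) == KEY_UNSPEC)
 			fatal("%s: unknown alg %s", __func__, alg);
+		/*
+		 * If we have a @cert-authority marker in known_hosts then
+		 * prefer all certificate algorithms.
+		 */
+		if (sshkey_type_is_cert(ktype) &&
+		    lookup_marker_in_hostkeys(hostkeys, MRK_CA)) {
+			ALG_APPEND(first, alg);
+			continue;
+		}
+		/* If the key appears in known_hosts then prefer it */
 		if (lookup_key_in_hostkeys_by_type(hostkeys,
-		    sshkey_type_plain(ktype), NULL))
+		    sshkey_type_plain(ktype), NULL)) {
 			ALG_APPEND(first, alg);
-		else
-			ALG_APPEND(last, alg);
+			continue;
+		}
+		/* Otherwise, put it last */
+		ALG_APPEND(last, alg);
 	}
 #undef ALG_APPEND
 	xasprintf(&ret, "%s%s%s", first,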
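Review bot: `lookup_marker_in_hostkeys(hostkeys, MRK_CA)` at new line 143 is re-evaluated on every loop iteration for each certificate algorithm, although its result cannot change inside the loop; hoist it once before the `while` as `int have_ca = lookup_marker_in_hostkeys(hostkeys, MRK_CA);` and test `if (sshkey_type_is_cert(ktype) && have_ca)`. The comment at new lines 139-141 states the rule but not the reason, and presumably the hostkeys list was loaded for this host earlier in order_hostkeyalgs (the function starts before the hunk and continues past it), so it could read `/* known_hosts has a @cert-authority entry for this host, so the server can probably present a certificate: ask for all cert types first */`. Note that this new branch is taken before the plain-key lookup at 148-149, so once a CA marker exists an already-known plain key no longer influences the relative order of cert types; that is consistent with the commit message but worth a sentence in the comment so the precedence is explicit.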