[openssh-commits] [openssh] 01/01: upstream commit

git+noreply at mindrot.org git+noreply at mindrot.org
Fri Mar 10 16:03:13 AEDT 2017


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 894221a63fa061e52e414ca58d47edc5fe645968
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Fri Mar 10 05:01:13 2017 +0000

    upstream commit
    
    When updating hostkeys, accept RSA keys if
    HostkeyAlgorithms contains any RSA keytype. Previously, ssh could ignore RSA
    keys when any of the ssh-rsa-sha2-* methods was enabled in HostkeyAlgorithms
    but ssh-rsa (SHA1 signatures) was not. bz#2650 reported by Luis Ressel; ok
    dtucker@
    
    Upstream-ID: c5e8cfee15c42f4a05d126158a0766ea06da79d2
---
 clientloop.c | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/clientloop.c b/clientloop.c
index c6a4138..0648162 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.290 2017/01/29 21:35:23 dtucker Exp $ */
+/* $OpenBSD: clientloop.c,v 1.291 2017/03/10 05:01:13 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -2391,6 +2391,26 @@ client_global_hostkeys_private_confirm(int type, u_int32_t seq, void *_ctx)
 }
 
 /*
+ * Returns non-zero if the key is accepted by HostkeyAlgorithms.
+ * Made slightly less trivial by the multiple RSA signature algorithm names.
+ */
+static int
+key_accepted_by_hostkeyalgs(const struct sshkey *key)
+{
+	const char *ktype = sshkey_ssh_name(key);
+	const char *hostkeyalgs = options.hostkeyalgorithms != NULL ?
+	    options.hostkeyalgorithms : KEX_DEFAULT_PK_ALG;
+
+	if (key == NULL || key->type == KEY_UNSPEC)
+		return 0;
+	if (key->type == KEY_RSA &&
+	    (match_pattern_list("rsa-sha2-256", hostkeyalgs, 0) == 1 ||
+	    match_pattern_list("rsa-sha2-512", hostkeyalgs, 0) == 1))
+		return 1;
+	return match_pattern_list(ktype, hostkeyalgs, 0) == 1;
+}
+
+/*
  * Handle hostkeys-00 at openssh.com global request to inform the client of all
  * the server's hostkeys. The keys are checked against the user's
  * HostkeyAlgorithms preference before they are accepted.
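Review bot: in key_accepted_by_hostkeyalgs the NULL guard comes too late: the initializer `const char *ktype = sshkey_ssh_name(key);` dereferences key before `if (key == NULL || key->type == KEY_UNSPEC)` runs, so a NULL key would crash in the declaration rather than return 0. Either move the NULL/KEY_UNSPEC check above the declarations or assign ktype after it. The sole caller in client_input_hostkeys has already dereferenced key, so this is not reachable today, but the function reads as if it handled NULL and a future caller may rely on that.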
@@ -2436,10 +2456,7 @@ client_input_hostkeys(void)
 		    sshkey_type(key), fp);
 		free(fp);
 
-		/* Check that the key is accepted in HostkeyAlgorithms */
-		if (match_pattern_list(sshkey_ssh_name(key),
-		    options.hostkeyalgorithms ? options.hostkeyalgorithms :
-		    KEX_DEFAULT_PK_ALG, 0) != 1) {
+		if (!key_accepted_by_hostkeyalgs(key)) {
 			debug3("%s: %s key not permitted by HostkeyAlgorithms",
 			    __func__, sshkey_ssh_name(key));
 			continue;
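Review bot: with the algorithm-list lookup now hidden inside key_accepted_by_hostkeyalgs, the `debug3("%s: %s key not permitted by HostkeyAlgorithms", ...)` message still reports only the key type, not which list (options.hostkeyalgorithms or KEX_DEFAULT_PK_ALG) rejected it. Consider including the effective algorithm string in that message so mismatches of the kind reported in bz#2650 can be diagnosed from the debug output alone.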
