[openssh-commits] [openssh] 02/07: upstream: check public host key matches private; ok markus@ (as

[git+noreply at mindrot.org]

This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit 7775819c6de3e9547ac57b87c7dd2bfd28cefcc5
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Thu Jun 18 23:34:19 2020 +0000

    upstream: check public host key matches private; ok markus@ (as
    
    part of previous diff)
    
    OpenBSD-Commit-ID: 65a4f66436028748b59fb88b264cb8c94ce2ba63
---
 sshd.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/sshd.c b/sshd.c
index 71f743a0..44cc3ac9 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.556 2020/06/05 06:18:07 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.557 2020/06/18 23:34:19 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -1849,10 +1849,19 @@ main(int ac, char **av)
 		    &pubkey, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR)
 			do_log2(ll, "Unable to load host key \"%s\": %s",
 			    options.host_key_files[i], ssh_err(r));
-		if (pubkey == NULL && key != NULL)
+		if (pubkey != NULL && key != NULL) {
+			if (!sshkey_equal(pubkey, key)) {
+				error("Public key for %s does not match "
+				    "private key", options.host_key_files[i]);
+				sshkey_free(pubkey);
+				pubkey = NULL;
+			}
+		}
+		if (pubkey == NULL && key != NULL) {
 			if ((r = sshkey_from_private(key, &pubkey)) != 0)
 				fatal("Could not demote key: \"%s\": %s",
 				    options.host_key_files[i], ssh_err(r));
+		}
 		sensitive_data.host_keys[i] = key;
 		sensitive_data.host_pubkeys[i] = pubkey;
 

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.