Bugzilla – Attachment 3390 Details for Bug 3157: known_hosts @cert-authority with legacy plain key entry drops incorrect set of HostKeyAlgorithms
[patch] Prefer certificate algorithm if @cert-authority line appears in hostkeys

Filename: bz3157.diff
MIME Type: text/plain
Creator: Damien Miller
Created: 2020-05-06 15:02:58 AEST
Size: 2.04 KB
Flags: patch, obsolete
>diff --git a/hostfile.c b/hostfile.c >index c661b88..d2847a8 100644 >--- a/hostfile.c >+++ b/hostfile.c >@@ -404,6 +404,18 @@ lookup_key_in_hostkeys_by_type(struct hostkeys *hostkeys, int keytype, > found) == HOST_FOUND); > } > >+int >+lookup_marker_in_hostkeys(struct hostkeys *hostkeys, int want_marker) >+{ >+ u_int i; >+ >+ for (i = 0; i < hostkeys->num_entries; i++) { >+ if (hostkeys->entries[i].marker == (HostkeyMarker)want_marker) >+ return 1; >+ } >+ return 0; >+} >+ > static int > write_host_entry(FILE *f, const char *host, const char *ip, > const struct sshkey *key, int store_hash) >diff --git a/hostfile.h b/hostfile.h >index bd21043..a4822f0 100644 >--- a/hostfile.h >+++ b/hostfile.h >@@ -39,6 +39,7 @@ HostStatus check_key_in_hostkeys(struct hostkeys *, struct sshkey *, > const struct hostkey_entry **); > int lookup_key_in_hostkeys_by_type(struct hostkeys *, int, > const struct hostkey_entry **); >+int lookup_marker_in_hostkeys(struct hostkeys *, int); > > int hostfile_read_key(char **, u_int *, struct sshkey *); > int add_host_to_hostfile(const char *, const char *, >diff --git a/sshconnect2.c b/sshconnect2.c >index ad45598..4b5c88b 100644 >--- a/sshconnect2.c >+++ b/sshconnect2.c 
>@@ -130,11 +130,23 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) > while ((alg = strsep(&avail, ",")) && *alg != '\0') { > if ((ktype = sshkey_type_from_name(alg)) == KEY_UNSPEC) > fatal("%s: unknown alg %s", __func__, alg); >+ /* >+ * If we have a @cert-authority marker in known_hosts then >+ * prefer all certificate algorithms. >+ */ >+ if (sshkey_type_is_cert(ktype) && >+ lookup_marker_in_hostkeys(hostkeys, MRK_CA)) { >+ ALG_APPEND(first, alg); >+ continue; >+ } >+ /* If the key appears in known_hosts then prefer it */ > if (lookup_key_in_hostkeys_by_type(hostkeys, >- sshkey_type_plain(ktype), NULL)) >+ sshkey_type_plain(ktype), NULL)) { > ALG_APPEND(first, alg); >- else >- ALG_APPEND(last, alg); >+ continue; >+ } >+ /* Otherwise, put it last */ >+ ALG_APPEND(last, alg); > } > #undef ALG_APPEND > xasprintf(&ret, "%s%s%s", first,
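Review bot: in the hostfile.c hunk, lookup_marker_in_hostkeys() declares its parameter as `int want_marker` and then casts it to `HostkeyMarker` on every comparison; declaring it as `HostkeyMarker want_marker` removes the cast and lets the compiler check the value passed at the call site. A short comment above the function would also help, since it sits next to lookup_key_in_hostkeys_by_type() but, unlike that neighbour, matches on the marker alone and ignores the key type of the entry: it returns 1 as soon as any entry in hostkeys carries the requested marker.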
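Review bot: in the hostfile.h hunk, the new prototype `int lookup_marker_in_hostkeys(struct hostkeys *, int);` takes the marker as a plain int even though the only caller passes the enum constant MRK_CA; `int lookup_marker_in_hostkeys(struct hostkeys *, HostkeyMarker);` would match the comparison the implementation performs and avoid the cast in hostfile.c.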
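Review bot: in the sshconnect2.c hunk, `lookup_marker_in_hostkeys(hostkeys, MRK_CA)` is evaluated inside the strsep() loop, so the full scan of the known_hosts entries is repeated for every certificate algorithm in the list although its result cannot change between iterations; hoisting it once before the loop (`int have_ca = lookup_marker_in_hostkeys(hostkeys, MRK_CA);`) and testing `sshkey_type_is_cert(ktype) && have_ca` is cheaper and reads more clearly. It is also worth spelling out in the comment that a single @cert-authority entry promotes every certificate algorithm into `first`, regardless of the CA's own key type and alongside any plain type that lookup_key_in_hostkeys_by_type() finds, with their relative order taken from the input list; that is the intended behaviour change for this bug, and a reader might otherwise expect the CA's key type to be consulted.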
Attachments on bug 3157: 3389, 3390