-/* $OpenBSD: clientloop.c,v 1.290 2017/01/29 21:35:23 dtucker Exp $ */
+/* $OpenBSD: clientloop.c,v 1.291 2017/03/10 05:01:13 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
hostkeys_update_ctx_free(ctx);
}
+/*
+ * Returns non-zero if the key is accepted by HostkeyAlgorithms.
+ * Made slightly less trivial by the multiple RSA signature algorithm names.
+ */
+static int
+key_accepted_by_hostkeyalgs(const struct sshkey *key)
+{
+ const char *ktype = sshkey_ssh_name(key);
+ const char *hostkeyalgs = options.hostkeyalgorithms != NULL ?
+ options.hostkeyalgorithms : KEX_DEFAULT_PK_ALG;
+
+ if (key == NULL || key->type == KEY_UNSPEC)
+ return 0;
+ if (key->type == KEY_RSA &&
+ (match_pattern_list("rsa-sha2-256", hostkeyalgs, 0) == 1 ||
+ match_pattern_list("rsa-sha2-512", hostkeyalgs, 0) == 1))
+ return 1;
+ return match_pattern_list(ktype, hostkeyalgs, 0) == 1;
+}
+
/*
* Handle hostkeys-00@openssh.com global request to inform the client of all
* the server's hostkeys. The keys are checked against the user's
sshkey_type(key), fp);
free(fp);
- /* Check that the key is accepted in HostkeyAlgorithms */
- if (match_pattern_list(sshkey_ssh_name(key),
- options.hostkeyalgorithms ? options.hostkeyalgorithms :
- KEX_DEFAULT_PK_ALG, 0) != 1) {
+ if (!key_accepted_by_hostkeyalgs(key)) {
debug3("%s: %s key not permitted by HostkeyAlgorithms",
__func__, sshkey_ssh_name(key));
continue;
projects / thirdparty / openssh-portable.git / commitdiff
