| version 1.341, 2021/01/08 02:57:24 |
version 1.342, 2021/01/22 02:44:58 |
|
|
| (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) { |
(key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) { |
| /* Filter base key signature alg against our configuration */ |
/* Filter base key signature alg against our configuration */ |
| return match_list(sshkey_ssh_name(key), |
return match_list(sshkey_ssh_name(key), |
| options.pubkey_key_types, NULL); |
options.pubkey_accepted_algos, NULL); |
| } |
} |
| |
|
| /* |
/* |
| * For RSA keys/certs, since these might have a different sig type: |
* For RSA keys/certs, since these might have a different sig type: |
| * find the first entry in PubkeyAcceptedKeyTypes of the right type |
* find the first entry in PubkeyAcceptedAlgorithms of the right type |
| * that also appears in the supported signature algorithms list from |
* that also appears in the supported signature algorithms list from |
| * the server. |
* the server. |
| */ |
*/ |
| oallowed = allowed = xstrdup(options.pubkey_key_types); |
oallowed = allowed = xstrdup(options.pubkey_accepted_algos); |
| while ((cp = strsep(&allowed, ",")) != NULL) { |
while ((cp = strsep(&allowed, ",")) != NULL) { |
| if (sshkey_type_from_name(cp) != key->type) |
if (sshkey_type_from_name(cp) != key->type) |
| continue; |
continue; |
|
|
| key_type_allowed_by_config(struct sshkey *key) |
key_type_allowed_by_config(struct sshkey *key) |
| { |
{ |
| if (match_pattern_list(sshkey_ssh_name(key), |
if (match_pattern_list(sshkey_ssh_name(key), |
| options.pubkey_key_types, 0) == 1) |
options.pubkey_accepted_algos, 0) == 1) |
| return 1; |
return 1; |
| |
|
| /* RSA keys/certs might be allowed by alternate signature types */ |
/* RSA keys/certs might be allowed by alternate signature types */ |
| switch (key->type) { |
switch (key->type) { |
| case KEY_RSA: |
case KEY_RSA: |
| if (match_pattern_list("rsa-sha2-512", |
if (match_pattern_list("rsa-sha2-512", |
| options.pubkey_key_types, 0) == 1) |
options.pubkey_accepted_algos, 0) == 1) |
| return 1; |
return 1; |
| if (match_pattern_list("rsa-sha2-256", |
if (match_pattern_list("rsa-sha2-256", |
| options.pubkey_key_types, 0) == 1) |
options.pubkey_accepted_algos, 0) == 1) |
| return 1; |
return 1; |
| break; |
break; |
| case KEY_RSA_CERT: |
case KEY_RSA_CERT: |
| if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", |
if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", |
| options.pubkey_key_types, 0) == 1) |
options.pubkey_accepted_algos, 0) == 1) |
| return 1; |
return 1; |
| if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", |
if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", |
| options.pubkey_key_types, 0) == 1) |
options.pubkey_accepted_algos, 0) == 1) |
| return 1; |
return 1; |
| break; |
break; |
| } |
} |
|
|
| } |
} |
| /* append remaining keys from the config file */ |
/* append remaining keys from the config file */ |
| TAILQ_CONCAT(preferred, &files, next); |
TAILQ_CONCAT(preferred, &files, next); |
| /* finally, filter by PubkeyAcceptedKeyTypes */ |
/* finally, filter by PubkeyAcceptedAlgorithms */ |
| TAILQ_FOREACH_SAFE(id, preferred, next, id2) { |
TAILQ_FOREACH_SAFE(id, preferred, next, id2) { |
| if (id->key != NULL && !key_type_allowed_by_config(id->key)) { |
if (id->key != NULL && !key_type_allowed_by_config(id->key)) { |
| debug("Skipping %s key %s - " |
debug("Skipping %s key %s - " |
| "not in PubkeyAcceptedKeyTypes", |
"corresponding algo not in PubkeyAcceptedAlgorithms", |
| sshkey_ssh_name(id->key), id->filename); |
sshkey_ssh_name(id->key), id->filename); |
| TAILQ_REMOVE(preferred, id, next); |
TAILQ_REMOVE(preferred, id, next); |
| sshkey_free(id->key); |
sshkey_free(id->key); |
![[BACK]](/icons/back.gif){kind=icon}
Return to sshconnect2.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh