pki: Check if the key is allowed against right list
Previously when generating the signature in server side the key was checked against the wrong list, potentially making the server to select the wrong algorithm to sign (e.g. rsa-sha2-512 instead of rsa-sha2-256). Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Этот коммит содержится в:
Anderson Toshiyuki Sasaki
Andreas Schneider
родитель
d013a94f37
Коммит
b0ff64bf1b
21
src/pki.c
21
src/pki.c
@ -320,9 +320,24 @@ int ssh_key_algorithm_allowed(ssh_session session, const char *type)
|
||||
{
|
||||
const char *allowed_list;
|
||||
|
||||
allowed_list = session->opts.pubkey_accepted_types;
|
||||
if (allowed_list == NULL) {
|
||||
allowed_list = ssh_kex_get_default_methods(SSH_HOSTKEYS);
|
||||
if (session->client) {
|
||||
allowed_list = session->opts.pubkey_accepted_types;
|
||||
if (allowed_list == NULL) {
|
||||
allowed_list = ssh_kex_get_default_methods(SSH_HOSTKEYS);
|
||||
}
|
||||
}
|
||||
#ifdef WITH_SERVER
|
||||
else if (session->server) {
|
||||
allowed_list = session->opts.wanted_methods[SSH_HOSTKEYS];
|
||||
if (allowed_list == NULL) {
|
||||
SSH_LOG(SSH_LOG_WARN, "Session invalid: no host key available");
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
else {
|
||||
SSH_LOG(SSH_LOG_WARN, "Session invalid: not set as client nor server");
|
||||
return 0;
|
||||
}
|
||||
|
||||
SSH_LOG(SSH_LOG_DEBUG, "Checking %s with list <%s>", type, allowed_list);
|
||||
|
||||
@ -36,6 +36,8 @@ static int setup(void **state)
|
||||
verbosity = torture_libssh_verbosity();
|
||||
ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
|
||||
|
||||
session->client = 1;
|
||||
|
||||
*state = session;
|
||||
|
||||
return 0;
|
||||
|
||||
Загрузка…
x
Ссылка в новой задаче
Block a user