From d103ed6ca97ca5a2669f6cf5fe4b3d2a9c945f26 Mon Sep 17 00:00:00 2001 From: Christopher Speller Date: Wed, 17 May 2017 16:51:25 -0400 Subject: Upgrading server dependancies (#6431) --- .../x/crypto/ssh/knownhosts/knownhosts.go | 23 +++++++++++----------- 1 file changed, 11 insertions(+), 12 deletions(-) (limited to 'vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go') diff --git a/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go b/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go index d1f371868..ea92b2983 100644 --- a/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go +++ b/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go @@ -144,11 +144,16 @@ func keyEq(a, b ssh.PublicKey) bool { return bytes.Equal(a.Marshal(), b.Marshal()) } -// IsAuthority can be used as a callback in ssh.CertChecker -func (db *hostKeyDB) IsAuthority(remote ssh.PublicKey) bool { +// IsAuthorityForHost can be used as a callback in ssh.CertChecker +func (db *hostKeyDB) IsHostAuthority(remote ssh.PublicKey, address string) bool { + h, p, err := net.SplitHostPort(address) + if err != nil { + return false + } + a := addr{host: h, port: p} + for _, l := range db.lines { - // TODO(hanwen): should we check the hostname against host pattern? - if l.cert && keyEq(l.knownKey.Key, remote) { + if l.cert && keyEq(l.knownKey.Key, remote) && l.match([]addr{a}) { return true } } @@ -409,9 +414,7 @@ func (db *hostKeyDB) Read(r io.Reader, filename string) error { // New creates a host key callback from the given OpenSSH host key // files. The returned callback is for use in -// ssh.ClientConfig.HostKeyCallback. Hostnames are ignored for -// certificates, ie. any certificate authority is assumed to be valid -// for all remote hosts. Hashed hostnames are not supported. +// ssh.ClientConfig.HostKeyCallback. Hashed hostnames are not supported. func New(files ...string) (ssh.HostKeyCallback, error) { db := newHostKeyDB() for _, fn := range files { @@ -425,12 +428,8 @@ func New(files ...string) (ssh.HostKeyCallback, error) { } } - // TODO(hanwen): properly supporting certificates requires an - // API change in the SSH library: IsAuthority should provide - // the address too? - var certChecker ssh.CertChecker - certChecker.IsAuthority = db.IsAuthority + certChecker.IsHostAuthority = db.IsHostAuthority certChecker.IsRevoked = db.IsRevoked certChecker.HostKeyFallback = db.check -- cgit v1.2.3-1-g7c22