From d103ed6ca97ca5a2669f6cf5fe4b3d2a9c945f26 Mon Sep 17 00:00:00 2001
From: Christopher Speller
Date: Wed, 17 May 2017 16:51:25 -0400
Subject: Upgrading server dependancies (#6431)
---
 .../x/crypto/ssh/knownhosts/knownhosts.go | 23 +++++++++++-----------
 .../x/crypto/ssh/knownhosts/knownhosts_test.go | 22 +++++++++++++++++++++
 2 files changed, 33 insertions(+), 12 deletions(-)
(limited to 'vendor/golang.org/x/crypto/ssh/knownhosts')
diff --git a/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go b/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go
index d1f371868..ea92b2983 100644
--- a/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go
+++ b/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go
@@ -144,11 +144,16 @@ func keyEq(a, b ssh.PublicKey) bool {
 	return bytes.Equal(a.Marshal(), b.Marshal())
 }
 
-// IsAuthority can be used as a callback in ssh.CertChecker
-func (db *hostKeyDB) IsAuthority(remote ssh.PublicKey) bool {
+// IsAuthorityForHost can be used as a callback in ssh.CertChecker
+func (db *hostKeyDB) IsHostAuthority(remote ssh.PublicKey, address string) bool {
+	h, p, err := net.SplitHostPort(address)
+	if err != nil {
+		return false
+	}
+	a := addr{host: h, port: p}
+
 	for _, l := range db.lines {
-		// TODO(hanwen): should we check the hostname against host pattern?
-		if l.cert && keyEq(l.knownKey.Key, remote) {
+		if l.cert && keyEq(l.knownKey.Key, remote) && l.match([]addr{a}) {
 			return true
 		}
 	}
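Review bot: The doc comment on the new method reads `IsAuthorityForHost` while the method is declared `IsHostAuthority`; Go doc convention expects the comment to begin with the declared name, so it should read `// IsHostAuthority can be used as a callback in ssh.CertChecker. It reports whether remote is a certificate authority for address, which must be in host:port form.` Spelling out the host:port requirement matters because the net.SplitHostPort error path fails closed: an address without a port now makes every CA untrusted, where the old IsAuthority accepted any CA for every host. Whether l.match honours wildcard host patterns is not visible in this hunk; if it does, a `*` pattern on a `@cert-authority` line still grants that CA for all hosts, which the comment should say. The method's final return lies outside the hunk.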
@@ -409,9 +414,7 @@ func (db *hostKeyDB) Read(r io.Reader, filename string) error {
 
 // New creates a host key callback from the given OpenSSH host key
 // files. The returned callback is for use in
-// ssh.ClientConfig.HostKeyCallback. Hostnames are ignored for
-// certificates, ie. any certificate authority is assumed to be valid
-// for all remote hosts. Hashed hostnames are not supported.
+// ssh.ClientConfig.HostKeyCallback. Hashed hostnames are not supported.
 func New(files ...string) (ssh.HostKeyCallback, error) {
 	db := newHostKeyDB()
 	for _, fn := range files {
@@ -425,12 +428,8 @@ func New(files ...string) (ssh.HostKeyCallback, error) {
 		}
 	}
 
-	// TODO(hanwen): properly supporting certificates requires an
-	// API change in the SSH library: IsAuthority should provide
-	// the address too?
-
 	var certChecker ssh.CertChecker
-	certChecker.IsAuthority = db.IsAuthority
+	certChecker.IsHostAuthority = db.IsHostAuthority
 	certChecker.IsRevoked = db.IsRevoked
 	certChecker.HostKeyFallback = db.check
 
diff --git a/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts_test.go b/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts_test.go
index 63aff9927..be7cc0e80 100644
--- a/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts_test.go
+++ b/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts_test.go
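Review bot: The rewritten doc comment on New drops the sentence about certificates without replacing it, so a reader no longer learns how `@cert-authority` lines are scoped after this commit; given the IsHostAuthority change elsewhere in the diff, add a sentence such as `// A @cert-authority line is honoured only for remote addresses that match its host pattern.` Callers who relied on the previously documented "any CA is valid for all hosts" behaviour get no hint of the tightening otherwise, so this comment is also where the upgrade note belongs. New's body continues past the hunk.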
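Review bot: The assignment `certChecker.IsHostAuthority = db.IsHostAuthority` compiles only if the vendored golang.org/x/crypto/ssh package in this tree already exposes the IsHostAuthority field on ssh.CertChecker; the diff is limited to the knownhosts directory, so that cannot be confirmed here and the ssh package bump should land in the same commit. Dropping the TODO is right, but a one-line why-comment would help readers who knew the old hook: `// IsHostAuthority (not IsAuthority) so each @cert-authority line is scoped to its host pattern.` New's closing return lies outside the hunk.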
@@ -76,6 +76,28 @@ func TestRevoked(t *testing.T) {
 	}
 }
 
+func TestHostAuthority(t *testing.T) {
+	for _, m := range []struct {
+		authorityFor string
+		address string
+
+		good bool
+	}{
+		{authorityFor: "localhost", address: "localhost:22", good: true},
+		{authorityFor: "localhost", address: "localhost", good: false},
+		{authorityFor: "localhost", address: "localhost:1234", good: false},
+		{authorityFor: "[localhost]:1234", address: "localhost:1234", good: true},
+		{authorityFor: "[localhost]:1234", address: "localhost:22", good: false},
+		{authorityFor: "[localhost]:1234", address: "localhost", good: false},
+	} {
+		db := testDB(t, `@cert-authority `+m.authorityFor+` `+edKeyStr)
+		if ok := db.IsHostAuthority(db.lines[0].knownKey.Key, m.address); ok != m.good {
+			t.Errorf("IsHostAuthority: authority %s, address %s, wanted good = %v, got good = %v",
+				m.authorityFor, m.address, m.good, ok)
+		}
+	}
+}
+
 func TestBracket(t *testing.T) {
 	db := testDB(t, `[git.eclipse.org]:29418,[198.41.30.196]:29418 `+edKeyStr)
 
-- 
cgit v1.2.3-1-g7c22
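Review bot: The table in TestHostAuthority never exercises a hostname that does not match the pattern at all; every `good: false` row uses localhost with a wrong or missing port, so the property this commit introduces — a CA known for one host is not trusted for another — is not pinned by any assertion. Add a row such as `{authorityFor: "localhost", address: "other.invalid:22", good: false},` (constructed example) and, if the matcher supports wildcard patterns, a `*` row documenting that such a line still vouches for every host. The test function is complete within the hunk.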