author | Thomas Wolf <thomas.wolf@paranor.ch> | 2021-05-18 21:44:18 +0200 |
committer | Thomas Wolf <thomas.wolf@paranor.ch> | 2021-07-16 08:45:24 +0200 |
commit | 13777a3a6265ee68966547e69de83410e0621dfc (patch) | |
tree | 69479b17d626e400f37c3f634e926d4636f257fe /org.eclipse.jgit.ssh.apache | |
parent | 4c5c3e9fb8e6f11cee3245a4b374a96b9a4f0ee4 (diff) | |
[sshd] Ignore revoked keys in OpenSshServerKeyDatabase.lookup()
It makes no sense to return revoked keys.
Change-Id: I99eee1de3dba5c0c8d275b7c1a24053874b3cb03
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
Diffstat (limited to 'org.eclipse.jgit.ssh.apache')
2 files changed, 18 insertions, 11 deletions
diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/OpenSshServerKeyDatabase.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/OpenSshServerKeyDatabase.java
index 1a530b7743..85e406f422 100644
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/OpenSshServerKeyDatabase.java
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/OpenSshServerKeyDatabase.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2018, 2019 Thomas Wolf <thomas.wolf@paranor.ch> and others
+ * Copyright (C) 2018, 2021 Thomas Wolf <thomas.wolf@paranor.ch> and others
 *
 * This program and the accompanying materials are made available under the
 * terms of the Eclipse Distribution License v. 1.0 which is available at
@@ -182,10 +182,13 @@ public class OpenSshServerKeyDatabase
 for (HostKeyFile file : filesToUse) {
 for (HostEntryPair current : file.get()) {
 KnownHostEntry entry = current.getHostEntry();
- for (SshdSocketAddress host : candidates) {
- if (entry.isHostMatch(host.getHostName(), host.getPort())) {
- result.add(current.getServerKey());
- break;
+ if (!isRevoked(entry)) {
+ for (SshdSocketAddress host : candidates) {
+ if (entry.isHostMatch(host.getHostName(),
+ host.getPort())) {
+ result.add(current.getServerKey());
+ break;
+ }
 }
 }
 }
@@ -266,6 +269,10 @@ public class OpenSshServerKeyDatabase
 private static final long serialVersionUID = 1L;
 }
 
+ private boolean isRevoked(KnownHostEntry entry) {
+ return MARKER_REVOKED.equals(entry.getMarker());
+ }
+
 private boolean find(Collection<SshdSocketAddress> candidates,
 PublicKey serverKey, List<HostEntryPair> entries,
 HostEntryPair[] modified) throws RevokedKeyException {
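Review bot: The new `!isRevoked(entry)` guard in lookup() (hunk @@ -182,10 +182,13 @@) evaluates revocation one known_hosts entry at a time, so a key that one matching entry carries with MARKER_REVOKED is still returned when another matching entry lists the same key without the marker. If revocation is meant to take precedence over a plain duplicate entry, the revoked keys have to be collected during the scan and removed from `result` afterwards, e.g. with `KeyUtils.compareKeys` as find() already uses. The same entry-by-entry order exists in find(), so this is not new, but lookup() now advertises "known and not revoked" as its contract in the ServerKeyDatabase Javadoc. A possible restructuring is sketched below; the type of `result` and the imports are outside the hunk, so `List<PublicKey>` is assumed. The enclosing lookup() method starts and ends outside the hunk.
```java
// … unchanged: candidates / filesToUse set-up …
List<PublicKey> revokedKeys = new ArrayList<>();
for (HostKeyFile file : filesToUse) {
	for (HostEntryPair current : file.get()) {
		KnownHostEntry entry = current.getHostEntry();
		for (SshdSocketAddress host : candidates) {
			if (entry.isHostMatch(host.getHostName(), host.getPort())) {
				// Keep revoked keys aside so they can veto plain entries below
				if (isRevoked(entry)) {
					revokedKeys.add(current.getServerKey());
				} else {
					result.add(current.getServerKey());
				}
				break;
			}
		}
	}
}
// A key revoked by any matching entry must not be reported, even if another
// matching entry lists it without the marker.
result.removeIf(key -> revokedKeys.stream()
		.anyMatch(revoked -> KeyUtils.compareKeys(key, revoked)));
// … unchanged: return result …
```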
@@ -273,22 +280,22 @@ public class OpenSshServerKeyDatabase
 KnownHostEntry entry = current.getHostEntry();
 for (SshdSocketAddress host : candidates) {
 if (entry.isHostMatch(host.getHostName(), host.getPort())) {
- boolean isRevoked = MARKER_REVOKED
- .equals(entry.getMarker());
+ boolean revoked = isRevoked(entry);
 if (KeyUtils.compareKeys(serverKey,
 current.getServerKey())) {
 // Exact match
- if (isRevoked) {
+ if (revoked) {
 throw new RevokedKeyException();
 }
 modified[0] = null;
 return true;
- } else if (!isRevoked) {
+ } else if (!revoked) {
 // Server sent a different key
 modified[0] = current;
 // Keep going -- maybe there's another entry for this
 // host
 }
+ break;
 }
 }
 }
diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/ServerKeyDatabase.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/ServerKeyDatabase.java
index b8e6cfd14d..b1b3c1808a 100644
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/ServerKeyDatabase.java
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/ServerKeyDatabase.java
@@ -30,7 +30,7 @@ import org.eclipse.jgit.transport.CredentialsProvider;
 public interface ServerKeyDatabase {
 
 /**
- * Retrieves all known host keys for the given addresses.
+ * Retrieves all known and not revoked host keys for the given addresses.
 *
 * @param connectAddress
 * IP address the session tried to connect to
@@ -39,7 +39,7 @@ public interface ServerKeyDatabase {
 * @param config
 * giving access to potentially interesting configuration
 * settings
- * @return the list of known keys for the given addresses
+ * @return the list of known and not revoked keys for the given addresses
 */
 @NonNull
 List<PublicKey> lookup(@NonNull String connectAddress,