Resolves: #1824926 - SSH: use new ECDSA key types to check known hosts

2020-04-20 11:21:23 +02:00 · 2020-04-20 11:21:23 +02:00 · 6a752013d0
parent 53c8c93125
commit 6a752013d0
2 changed files with 55 additions and 1 deletions
--- a/0001-curl-7.69.1-ssh-ecdsa-keys.patch
+++ b/0001-curl-7.69.1-ssh-ecdsa-keys.patch
@ -0,0 +1,47 @@
+From e7bd08d289e55c9080590c1147df6584ec881523 Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Date: Thu, 16 Apr 2020 19:26:06 +0200
+Subject: [PATCH] libssh: Use new ECDSA key types to check known hosts
+
+From libssh 0.9.0, ssh_key_type() returns different key types for ECDSA
+keys depending on the curve.
+
+Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Fixes #5252
+Closes #5253
+
+Upstream-commit: 14bf7eb6e526f7ce0c60c1c972b4d935c1c5132d
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vssh/libssh.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
+index 08d9f9e0f..54bc5e019 100644
+--- a/lib/vssh/libssh.c
+++ b/lib/vssh/libssh.c
+@@ -403,6 +403,9 @@ static int myssh_is_known(struct connectdata *conn)
+           knownkey.keytype = CURLKHTYPE_RSA1;
+           break;
+         case SSH_KEYTYPE_ECDSA:
+        case SSH_KEYTYPE_ECDSA_P256:
+        case SSH_KEYTYPE_ECDSA_P384:
+        case SSH_KEYTYPE_ECDSA_P521:
+           knownkey.keytype = CURLKHTYPE_ECDSA;
+           break;
+         case SSH_KEYTYPE_ED25519:
+@@ -470,6 +473,11 @@ static int myssh_is_known(struct connectdata *conn)
+         foundkey.keytype = CURLKHTYPE_RSA1;
+         break;
+       case SSH_KEYTYPE_ECDSA:
+#if LIBSSH_VERSION_INT >= SSH_VERSION_INT(0,9,0)
+      case SSH_KEYTYPE_ECDSA_P256:
+      case SSH_KEYTYPE_ECDSA_P384:
+      case SSH_KEYTYPE_ECDSA_P521:
+#endif
+         foundkey.keytype = CURLKHTYPE_ECDSA;
+         break;
+ #if LIBSSH_VERSION_INT >= SSH_VERSION_INT(0,7,0)
+-- 
+2.21.1
+
--- a/curl.spec
+++ b/curl.spec
@ -1,10 +1,13 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.69.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz

+# SSH: use new ECDSA key types to check known hosts (#1824926)
+Patch1:   0001-curl-7.69.1-ssh-ecdsa-keys.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

@ -169,6 +172,7 @@ be installed.

 %prep
 %setup -q
+%patch1 -p1

 # upstream patches

@ -346,6 +350,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Mon Apr 20 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.1-3
+- SSH: use new ECDSA key types to check known hosts (#1824926)
+
 * Fri Apr 17 2020 Tom Stellard <tstellar@redhat.com> - 7.69.1-2
 - Prevent discarding of -g when compiling with clang