1 files changed, 27 insertions, 4 deletions

diff --git a/hostfile.c b/hostfile.c
index cd28bf44..fc7f84c7 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hostfile.c,v 1.46 2009/10/11 23:03:15 djm Exp $ */
+/* $OpenBSD: hostfile.c,v 1.47 2010/02/26 20:29:54 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -199,7 +199,7 @@ check_host_in_hostfile_by_key_or_type(const char *filename,
 {
 	FILE *f;
 	char line[8192];
-	int linenum = 0;
+	int linenum = 0, want_cert = key_is_cert(key);
 	u_int kbits;
 	char *cp, *cp2, *hashed_host;
 	HostStatus end_return;
@@ -229,6 +229,23 @@ check_host_in_hostfile_by_key_or_type(const char *filename,
 		if (!*cp || *cp == '#' || *cp == '\n')
 			continue;
 
+		/*
+		 * Ignore CA keys when looking for raw keys.
+		 * Ignore raw keys when looking for CA keys.
+		 */
+		if (strncasecmp(cp, CA_MARKER, sizeof(CA_MARKER) - 1) == 0 &&
+		    (cp[sizeof(CA_MARKER) - 1] == ' ' ||
+		    cp[sizeof(CA_MARKER) - 1] == '\t')) {
+			if (want_cert) {
+				/* Skip the marker and following whitespace */
+				cp += sizeof(CA_MARKER);
+				for (; *cp == ' ' || *cp == '\t'; cp++)
+					;
+			} else
+				continue;
+		} else if (want_cert)
+			continue;
+
 		/* Find the end of the host name portion. */
 		for (cp2 = cp; *cp2 && *cp2 != ' ' && *cp2 != '\t'; cp2++)
 			;
@@ -273,8 +290,14 @@ check_host_in_hostfile_by_key_or_type(const char *filename,
 			continue;
 
 		/* Check if the current key is the same as the given key. */
-		if (key_equal(key, found)) {
-			/* Ok, they match. */
+		if (want_cert && key_equal(key->cert->signature_key, found)) {
+			/* Found CA cert for key */
+			debug3("check_host_in_hostfile: CA match line %d",
+			    linenum);
+			fclose(f);
+			return HOST_OK;
+		} else if (!want_cert && key_equal(key, found)) {
+			/* Found identical key */
 			debug3("check_host_in_hostfile: match line %d", linenum);
 			fclose(f);
 			return HOST_OK;