From 13cee44ef907824083d89cb9395adbbd552e46c1 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Sat, 3 Oct 2020 08:11:28 +0000
Subject: upstream: record when the host key checking code downgrades a certificate host key to a plain key. This occurs when the user connects to a host with a certificate host key but no corresponding CA key configured in known_hosts; feedback and ok markus@
OpenBSD-Commit-ID: 2ada81853ff9ee7824c62f440bcf4ad62030c901
---
 kex.h | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'kex.h')
diff --git a/kex.h b/kex.h
index a5ae6ac0..07cec477 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.109 2019/09/06 05:23:55 djm Exp $ */
+/* $OpenBSD: kex.h,v 1.110 2020/10/03 08:11:28 djm Exp $ */
 
 /*
 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -105,8 +105,10 @@ enum kex_exchange {
 KEX_MAX
 };
 
-#define KEX_INIT_SENT 0x0001
-#define KEX_INITIAL 0x0002
+/* kex->flags values */
+#define KEX_INIT_SENT 0x0001 /* KEXINIT sent */
+#define KEX_INITIAL 0x0002 /* Initial KEX, not rekey */
+#define KEX_HOSTCERT_CONVERT 0x0004 /* Client downgraded hostcert->plain */
 
 struct sshenc {
 char *name;
--
cgit v1.2.1
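Review bot: The comment on `KEX_HOSTCERT_CONVERT` in the second hunk records that a downgrade happened but not the condition that triggers it, which is what a reader auditing host authentication needs. Going by the commit message, the flag marks the case where the server offers a certificate host key and known_hosts has no corresponding CA key, so the key is checked as a plain key; I would say so directly, e.g. `/* Client treated host cert as plain key: no CA key for it in known_hosts */`. The `/* kex->flags values */` header could also state that these are single-bit masks meant to be OR-ed together, since the values 0x0001/0x0002/0x0004 only imply it. The code that sets and tests the flag is not part of this kex.h-only view, so whether it is re-evaluated on rekey cannot be checked from here.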