|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/auth2-hostbased.c.fingerprint openssh-6.7p1/auth2-hostbased.c
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/auth2-hostbased.c.fingerprint 2014-07-18 06:11:25.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/auth2-hostbased.c 2014-12-22 13:10:57.961878113 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -1,4 +1,4 @@
|
|
Petr Lautrbach |
b457c9 |
-/* $OpenBSD: auth2-hostbased.c,v 1.18 2014/07/15 15:54:14 millert Exp $ */
|
|
Petr Lautrbach |
b457c9 |
+/* $OpenBSD: auth2-hostbased.c,v 1.19 2014/12/21 22:27:56 djm Exp $ */
|
|
Petr Lautrbach |
b457c9 |
/*
|
|
Petr Lautrbach |
b457c9 |
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
|
Petr Lautrbach |
b457c9 |
*
|
|
Petr Lautrbach |
b457c9 |
@@ -208,13 +208,14 @@ hostbased_key_allowed(struct passwd *pw,
|
|
Petr Lautrbach |
b457c9 |
if (host_status == HOST_OK) {
|
|
Petr Lautrbach |
b457c9 |
if (key_is_cert(key)) {
|
|
Petr Lautrbach |
b457c9 |
fp = key_fingerprint(key->cert->signature_key,
|
|
Petr Lautrbach |
b457c9 |
- SSH_FP_MD5, SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
+ options.fingerprint_hash, SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
verbose("Accepted certificate ID \"%s\" signed by "
|
|
Petr Lautrbach |
b457c9 |
"%s CA %s from %s@%s", key->cert->key_id,
|
|
Petr Lautrbach |
b457c9 |
key_type(key->cert->signature_key), fp,
|
|
Petr Lautrbach |
b457c9 |
cuser, lookup);
|
|
Petr Lautrbach |
b457c9 |
} else {
|
|
Petr Lautrbach |
b457c9 |
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
+ fp = key_fingerprint(key, options.fingerprint_hash,
|
|
Petr Lautrbach |
b457c9 |
+ SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
verbose("Accepted %s public key %s from %s@%s",
|
|
Petr Lautrbach |
b457c9 |
key_type(key), fp, cuser, lookup);
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/auth2-pubkey.c.fingerprint openssh-6.7p1/auth2-pubkey.c
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/auth2-pubkey.c.fingerprint 2014-07-18 06:11:25.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/auth2-pubkey.c 2014-12-22 13:13:56.446258343 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -213,7 +213,7 @@ pubkey_auth_info(Authctxt *authctxt, con
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
if (key_is_cert(key)) {
|
|
Petr Lautrbach |
b457c9 |
fp = key_fingerprint(key->cert->signature_key,
|
|
Petr Lautrbach |
b457c9 |
- SSH_FP_MD5, SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
+ options.fingerprint_hash, SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
|
|
Petr Lautrbach |
b457c9 |
key_type(key), key->cert->key_id,
|
|
Petr Lautrbach |
b457c9 |
(unsigned long long)key->cert->serial,
|
|
Petr Lautrbach |
b457c9 |
@@ -221,7 +221,8 @@ pubkey_auth_info(Authctxt *authctxt, con
|
|
Petr Lautrbach |
b457c9 |
extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
|
|
Petr Lautrbach |
b457c9 |
free(fp);
|
|
Petr Lautrbach |
b457c9 |
} else {
|
|
Petr Lautrbach |
b457c9 |
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
+ fp = key_fingerprint(key, options.fingerprint_hash,
|
|
Petr Lautrbach |
b457c9 |
+ SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
auth_info(authctxt, "%s %s%s%s", key_type(key), fp,
|
|
Petr Lautrbach |
b457c9 |
extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
|
|
Petr Lautrbach |
b457c9 |
free(fp);
|
|
Petr Lautrbach |
b457c9 |
@@ -365,8 +366,8 @@ check_authkeys_file(FILE *f, char *file,
|
|
Petr Lautrbach |
b457c9 |
continue;
|
|
Petr Lautrbach |
b457c9 |
if (!key_is_cert_authority)
|
|
Petr Lautrbach |
b457c9 |
continue;
|
|
Petr Lautrbach |
b457c9 |
- fp = key_fingerprint(found, SSH_FP_MD5,
|
|
Petr Lautrbach |
b457c9 |
- SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
+ fp = key_fingerprint(found, options.fingerprint_hash,
|
|
Petr Lautrbach |
b457c9 |
+ SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
debug("matching CA found: file %s, line %lu, %s %s",
|
|
Petr Lautrbach |
b457c9 |
file, linenum, key_type(found), fp);
|
|
Petr Lautrbach |
b457c9 |
/*
|
|
Petr Lautrbach |
b457c9 |
@@ -406,7 +407,8 @@ check_authkeys_file(FILE *f, char *file,
|
|
Petr Lautrbach |
b457c9 |
if (key_is_cert_authority)
|
|
Petr Lautrbach |
b457c9 |
continue;
|
|
Petr Lautrbach |
b457c9 |
found_key = 1;
|
|
Petr Lautrbach |
b457c9 |
- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
+ fp = key_fingerprint(found, options.fingerprint_hash,
|
|
Petr Lautrbach |
b457c9 |
+ SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
debug("matching key found: file %s, line %lu %s %s",
|
|
Petr Lautrbach |
b457c9 |
file, linenum, key_type(found), fp);
|
|
Petr Lautrbach |
b457c9 |
free(fp);
|
|
Petr Lautrbach |
b457c9 |
@@ -432,7 +434,7 @@ user_cert_trusted_ca(struct passwd *pw,
|
|
Petr Lautrbach |
b457c9 |
return 0;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
ca_fp = key_fingerprint(key->cert->signature_key,
|
|
Petr Lautrbach |
b457c9 |
- SSH_FP_MD5, SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
+ options.fingerprint_hash, SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
if (key_in_file(key->cert->signature_key,
|
|
Petr Lautrbach |
b457c9 |
options.trusted_user_ca_keys, 1) != 1) {
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/auth.c.fingerprint openssh-6.7p1/auth.c
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/auth.c.fingerprint 2014-12-22 13:10:57.961878113 +0100
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/auth.c 2014-12-22 13:27:18.105463774 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -702,7 +702,7 @@ auth_key_is_revoked(Key *key)
|
|
Petr Lautrbach |
b457c9 |
case 1:
|
|
Petr Lautrbach |
b457c9 |
revoked:
|
|
Petr Lautrbach |
b457c9 |
/* Key revoked */
|
|
Petr Lautrbach |
b457c9 |
- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
+ key_fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
error("WARNING: authentication attempt with a revoked "
|
|
Petr Lautrbach |
b457c9 |
"%s key %s ", key_type(key), key_fp);
|
|
Petr Lautrbach |
b457c9 |
free(key_fp);
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/auth-rsa.c.fingerprint openssh-6.7p1/auth-rsa.c
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/auth-rsa.c.fingerprint 2014-07-18 06:11:25.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/auth-rsa.c 2014-12-22 13:10:57.960878116 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -1,4 +1,4 @@
|
|
Petr Lautrbach |
b457c9 |
-/* $OpenBSD: auth-rsa.c,v 1.88 2014/07/15 15:54:14 millert Exp $ */
|
|
Petr Lautrbach |
b457c9 |
+/* $OpenBSD: auth-rsa.c,v 1.89 2014/12/21 22:27:56 djm Exp $ */
|
|
Petr Lautrbach |
b457c9 |
/*
|
|
Petr Lautrbach |
b457c9 |
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
|
Petr Lautrbach |
b457c9 |
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
|
Petr Lautrbach |
b457c9 |
@@ -236,7 +236,8 @@ rsa_key_allowed_in_file(struct passwd *p
|
|
Petr Lautrbach |
b457c9 |
"actual %d vs. announced %d.",
|
|
Petr Lautrbach |
b457c9 |
file, linenum, BN_num_bits(key->rsa->n), bits);
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
+ fp = key_fingerprint(key, options.fingerprint_hash,
|
|
Petr Lautrbach |
b457c9 |
+ SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
debug("matching key found: file %s, line %lu %s %s",
|
|
Petr Lautrbach |
b457c9 |
file, linenum, key_type(key), fp);
|
|
Petr Lautrbach |
b457c9 |
free(fp);
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/digest.h.fingerprint openssh-6.7p1/digest.h
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/digest.h.fingerprint 2014-07-03 13:25:04.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/digest.h 2014-12-22 13:10:57.961878113 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -1,4 +1,4 @@
|
|
Petr Lautrbach |
b457c9 |
-/* $OpenBSD: digest.h,v 1.6 2014/07/03 04:36:45 djm Exp $ */
|
|
Petr Lautrbach |
b457c9 |
+/* $OpenBSD: digest.h,v 1.7 2014/12/21 22:27:56 djm Exp $ */
|
|
Petr Lautrbach |
b457c9 |
/*
|
|
Petr Lautrbach |
b457c9 |
* Copyright (c) 2013 Damien Miller <djm@mindrot.org>
|
|
Petr Lautrbach |
b457c9 |
*
|
|
Petr Lautrbach |
b457c9 |
@@ -33,6 +33,12 @@
|
|
Petr Lautrbach |
b457c9 |
struct sshbuf;
|
|
Petr Lautrbach |
b457c9 |
struct ssh_digest_ctx;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
+/* Looks up a digest algorithm by name */
|
|
Petr Lautrbach |
b457c9 |
+int ssh_digest_alg_by_name(const char *name);
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
+/* Returns the algorithm name for a digest identifier */
|
|
Petr Lautrbach |
b457c9 |
+const char *ssh_digest_alg_name(int alg);
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
/* Returns the algorithm's digest length in bytes or 0 for invalid algorithm */
|
|
Petr Lautrbach |
b457c9 |
size_t ssh_digest_bytes(int alg);
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/digest-libc.c.fingerprint openssh-6.7p1/digest-libc.c
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/digest-libc.c.fingerprint 2014-07-02 07:28:03.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/digest-libc.c 2014-12-22 13:10:57.961878113 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -1,4 +1,4 @@
|
|
Petr Lautrbach |
b457c9 |
-/* $OpenBSD: digest-libc.c,v 1.3 2014/06/24 01:13:21 djm Exp $ */
|
|
Petr Lautrbach |
b457c9 |
+/* $OpenBSD: digest-libc.c,v 1.4 2014/12/21 22:27:56 djm Exp $ */
|
|
Petr Lautrbach |
b457c9 |
/*
|
|
Petr Lautrbach |
b457c9 |
* Copyright (c) 2013 Damien Miller <djm@mindrot.org>
|
|
Petr Lautrbach |
b457c9 |
* Copyright (c) 2014 Markus Friedl. All rights reserved.
|
|
Petr Lautrbach |
b457c9 |
@@ -126,6 +126,26 @@ ssh_digest_by_alg(int alg)
|
|
Petr Lautrbach |
b457c9 |
return &(digests[alg]);
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
+int
|
|
Petr Lautrbach |
b457c9 |
+ssh_digest_alg_by_name(const char *name)
|
|
Petr Lautrbach |
b457c9 |
+{
|
|
Petr Lautrbach |
b457c9 |
+ int alg;
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
+ for (alg = 0; alg < SSH_DIGEST_MAX; alg++) {
|
|
Petr Lautrbach |
b457c9 |
+ if (strcasecmp(name, digests[alg].name) == 0)
|
|
Petr Lautrbach |
b457c9 |
+ return digests[alg].id;
|
|
Petr Lautrbach |
b457c9 |
+ }
|
|
Petr Lautrbach |
b457c9 |
+ return -1;
|
|
Petr Lautrbach |
b457c9 |
+}
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
+const char *
|
|
Petr Lautrbach |
b457c9 |
+ssh_digest_alg_name(int alg)
|
|
Petr Lautrbach |
b457c9 |
+{
|
|
Petr Lautrbach |
b457c9 |
+ const struct ssh_digest *digest = ssh_digest_by_alg(alg);
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
+ return digest == NULL ? NULL : digest->name;
|
|
Petr Lautrbach |
b457c9 |
+}
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
size_t
|
|
Petr Lautrbach |
b457c9 |
ssh_digest_bytes(int alg)
|
|
Petr Lautrbach |
b457c9 |
{
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/digest-openssl.c.fingerprint openssh-6.7p1/digest-openssl.c
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/digest-openssl.c.fingerprint 2014-07-17 01:01:26.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/digest-openssl.c 2014-12-22 13:10:57.961878113 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -1,4 +1,4 @@
|
|
Petr Lautrbach |
b457c9 |
-/* $OpenBSD: digest-openssl.c,v 1.4 2014/07/03 03:26:43 djm Exp $ */
|
|
Petr Lautrbach |
b457c9 |
+/* $OpenBSD: digest-openssl.c,v 1.5 2014/12/21 22:27:56 djm Exp $ */
|
|
Petr Lautrbach |
b457c9 |
/*
|
|
Petr Lautrbach |
b457c9 |
* Copyright (c) 2013 Damien Miller <djm@mindrot.org>
|
|
Petr Lautrbach |
b457c9 |
*
|
|
Petr Lautrbach |
b457c9 |
@@ -74,6 +74,26 @@ ssh_digest_by_alg(int alg)
|
|
Petr Lautrbach |
b457c9 |
return &(digests[alg]);
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
+int
|
|
Petr Lautrbach |
b457c9 |
+ssh_digest_alg_by_name(const char *name)
|
|
Petr Lautrbach |
b457c9 |
+{
|
|
Petr Lautrbach |
b457c9 |
+ int alg;
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
+ for (alg = 0; digests[alg].id != -1; alg++) {
|
|
Petr Lautrbach |
b457c9 |
+ if (strcasecmp(name, digests[alg].name) == 0)
|
|
Petr Lautrbach |
b457c9 |
+ return digests[alg].id;
|
|
Petr Lautrbach |
b457c9 |
+ }
|
|
Petr Lautrbach |
b457c9 |
+ return -1;
|
|
Petr Lautrbach |
b457c9 |
+}
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
+const char *
|
|
Petr Lautrbach |
b457c9 |
+ssh_digest_alg_name(int alg)
|
|
Petr Lautrbach |
b457c9 |
+{
|
|
Petr Lautrbach |
b457c9 |
+ const struct ssh_digest *digest = ssh_digest_by_alg(alg);
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
+ return digest == NULL ? NULL : digest->name;
|
|
Petr Lautrbach |
b457c9 |
+}
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
size_t
|
|
Petr Lautrbach |
b457c9 |
ssh_digest_bytes(int alg)
|
|
Petr Lautrbach |
b457c9 |
{
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/dns.c.fingerprint openssh-6.7p1/dns.c
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/dns.c.fingerprint 2014-07-02 07:28:03.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/dns.c 2014-12-22 13:10:57.962878109 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -1,4 +1,4 @@
|
|
Petr Lautrbach |
b457c9 |
-/* $OpenBSD: dns.c,v 1.31 2014/06/24 01:13:21 djm Exp $ */
|
|
Petr Lautrbach |
b457c9 |
+/* $OpenBSD: dns.c,v 1.32 2014/12/21 22:27:56 djm Exp $ */
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
/*
|
|
Petr Lautrbach |
b457c9 |
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
|
|
Petr Lautrbach |
b457c9 |
@@ -41,6 +41,7 @@
|
|
Petr Lautrbach |
b457c9 |
#include "key.h"
|
|
Petr Lautrbach |
b457c9 |
#include "dns.h"
|
|
Petr Lautrbach |
b457c9 |
#include "log.h"
|
|
Petr Lautrbach |
b457c9 |
+#include "digest.h"
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
static const char *errset_text[] = {
|
|
Petr Lautrbach |
b457c9 |
"success", /* 0 ERRSET_SUCCESS */
|
|
Petr Lautrbach |
b457c9 |
@@ -80,7 +81,7 @@ dns_read_key(u_int8_t *algorithm, u_int8
|
|
Petr Lautrbach |
b457c9 |
u_char **digest, u_int *digest_len, Key *key)
|
|
Petr Lautrbach |
b457c9 |
{
|
|
Petr Lautrbach |
b457c9 |
int success = 0;
|
|
Petr Lautrbach |
b457c9 |
- enum fp_type fp_type = 0;
|
|
Petr Lautrbach |
b457c9 |
+ int fp_alg = -1;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
switch (key->type) {
|
|
Petr Lautrbach |
b457c9 |
case KEY_RSA:
|
|
Petr Lautrbach |
b457c9 |
@@ -110,17 +111,17 @@ dns_read_key(u_int8_t *algorithm, u_int8
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
switch (*digest_type) {
|
|
Petr Lautrbach |
b457c9 |
case SSHFP_HASH_SHA1:
|
|
Petr Lautrbach |
b457c9 |
- fp_type = SSH_FP_SHA1;
|
|
Petr Lautrbach |
b457c9 |
+ fp_alg = SSH_DIGEST_SHA1;
|
|
Petr Lautrbach |
b457c9 |
break;
|
|
Petr Lautrbach |
b457c9 |
case SSHFP_HASH_SHA256:
|
|
Petr Lautrbach |
b457c9 |
- fp_type = SSH_FP_SHA256;
|
|
Petr Lautrbach |
b457c9 |
+ fp_alg = SSH_DIGEST_SHA256;
|
|
Petr Lautrbach |
b457c9 |
break;
|
|
Petr Lautrbach |
b457c9 |
default:
|
|
Petr Lautrbach |
b457c9 |
*digest_type = SSHFP_HASH_RESERVED; /* 0 */
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
if (*algorithm && *digest_type) {
|
|
Petr Lautrbach |
b457c9 |
- *digest = key_fingerprint_raw(key, fp_type, digest_len);
|
|
Petr Lautrbach |
b457c9 |
+ *digest = key_fingerprint_raw(key, fp_alg, digest_len);
|
|
Petr Lautrbach |
b457c9 |
if (*digest == NULL)
|
|
Petr Lautrbach |
b457c9 |
fatal("dns_read_key: null from key_fingerprint_raw()");
|
|
Petr Lautrbach |
b457c9 |
success = 1;
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/key.c.fingerprint openssh-6.7p1/key.c
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/key.c.fingerprint 2014-07-23 01:40:47.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/key.c 2014-12-22 13:10:57.962878109 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -40,8 +40,7 @@ key_new_private(int type)
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
u_char*
|
|
Petr Lautrbach |
b457c9 |
-key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
|
|
Petr Lautrbach |
b457c9 |
- u_int *dgst_raw_length)
|
|
Petr Lautrbach |
b457c9 |
+key_fingerprint_raw(const Key *k, int dgst_alg, u_int *dgst_raw_length)
|
|
Petr Lautrbach |
b457c9 |
{
|
|
Petr Lautrbach |
b457c9 |
u_char *ret = NULL;
|
|
Petr Lautrbach |
b457c9 |
size_t dlen;
|
|
Petr Lautrbach |
b457c9 |
@@ -49,7 +48,7 @@ key_fingerprint_raw(const Key *k, enum f
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
if (dgst_raw_length != NULL)
|
|
Petr Lautrbach |
b457c9 |
*dgst_raw_length = 0;
|
|
Petr Lautrbach |
b457c9 |
- if ((r = sshkey_fingerprint_raw(k, dgst_type, &ret, &dlen)) != 0)
|
|
Petr Lautrbach |
b457c9 |
+ if ((r = sshkey_fingerprint_raw(k, dgst_alg, &ret, &dlen)) != 0)
|
|
Petr Lautrbach |
b457c9 |
fatal("%s: %s", __func__, ssh_err(r));
|
|
Petr Lautrbach |
b457c9 |
if (dlen > INT_MAX)
|
|
Petr Lautrbach |
b457c9 |
fatal("%s: giant len %zu", __func__, dlen);
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/key.h.fingerprint openssh-6.7p1/key.h
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/key.h.fingerprint 2014-08-21 02:48:41.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/key.h 2014-12-22 13:10:57.962878109 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -67,7 +67,7 @@ void key_add_private(Key *);
|
|
Petr Lautrbach |
b457c9 |
Key *key_new_private(int);
|
|
Petr Lautrbach |
b457c9 |
void key_free(Key *);
|
|
Petr Lautrbach |
b457c9 |
Key *key_demote(const Key *);
|
|
Petr Lautrbach |
b457c9 |
-u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
|
|
Petr Lautrbach |
b457c9 |
+u_char *key_fingerprint_raw(const Key *, int, u_int *);
|
|
Petr Lautrbach |
b457c9 |
int key_write(const Key *, FILE *);
|
|
Petr Lautrbach |
b457c9 |
int key_read(Key *, char **);
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/krl.c.fingerprint openssh-6.7p1/krl.c
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/krl.c.fingerprint 2014-12-22 13:10:57.962878109 +0100
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/krl.c 2014-12-22 13:24:45.969002948 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -36,6 +36,7 @@
|
|
Petr Lautrbach |
b457c9 |
#include "misc.h"
|
|
Petr Lautrbach |
b457c9 |
#include "log.h"
|
|
Petr Lautrbach |
b457c9 |
#include "xmalloc.h"
|
|
Petr Lautrbach |
b457c9 |
+#include "digest.h"
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
#include "krl.h"
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
@@ -406,7 +407,7 @@ ssh_krl_revoke_key_sha1(struct ssh_krl *
|
|
Petr Lautrbach |
b457c9 |
u_int len;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
debug3("%s: revoke type %s by sha1", __func__, key_type(key));
|
|
Petr Lautrbach |
b457c9 |
- if ((blob = key_fingerprint_raw(key, SSH_FP_SHA1, &len)) == NULL)
|
|
Petr Lautrbach |
b457c9 |
+ if ((blob = key_fingerprint_raw(key, SSH_DIGEST_SHA1, &len)) == NULL)
|
|
Petr Lautrbach |
b457c9 |
return -1;
|
|
Petr Lautrbach |
b457c9 |
return revoke_blob(&krl->revoked_sha1s, blob, len);
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
@@ -1119,7 +1120,7 @@ is_key_revoked(struct ssh_krl *krl, cons
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
/* Check explicitly revoked hashes first */
|
|
Petr Lautrbach |
b457c9 |
memset(&rb, 0, sizeof(rb));
|
|
Petr Lautrbach |
b457c9 |
- if ((rb.blob = key_fingerprint_raw(key, SSH_FP_SHA1, &rb.len)) == NULL)
|
|
Petr Lautrbach |
b457c9 |
+ if ((rb.blob = key_fingerprint_raw(key, SSH_DIGEST_SHA1, &rb.len)) == NULL)
|
|
Petr Lautrbach |
b457c9 |
return -1;
|
|
Petr Lautrbach |
b457c9 |
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
|
|
Petr Lautrbach |
b457c9 |
free(rb.blob);
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/readconf.c.fingerprint openssh-6.7p1/readconf.c
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/readconf.c.fingerprint 2014-07-18 06:11:26.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/readconf.c 2014-12-22 13:20:33.488879658 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -56,6 +56,7 @@
|
|
Petr Lautrbach |
b457c9 |
#include "kex.h"
|
|
Petr Lautrbach |
b457c9 |
#include "mac.h"
|
|
Petr Lautrbach |
b457c9 |
#include "uidswap.h"
|
|
Petr Lautrbach |
b457c9 |
+#include "digest.h"
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
/* Format of the configuration file:
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
@@ -151,6 +152,7 @@ typedef enum {
|
|
Petr Lautrbach |
b457c9 |
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
|
|
Petr Lautrbach |
b457c9 |
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
|
|
Petr Lautrbach |
b457c9 |
oStreamLocalBindMask, oStreamLocalBindUnlink,
|
|
Petr Lautrbach |
b457c9 |
+ oFingerprintHash,
|
|
Petr Lautrbach |
b457c9 |
oIgnoredUnknownOption, oDeprecated, oUnsupported
|
|
Petr Lautrbach |
b457c9 |
} OpCodes;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
@@ -265,6 +267,7 @@ static struct {
|
|
Petr Lautrbach |
b457c9 |
{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
|
|
Petr Lautrbach |
b457c9 |
{ "streamlocalbindmask", oStreamLocalBindMask },
|
|
Petr Lautrbach |
b457c9 |
{ "streamlocalbindunlink", oStreamLocalBindUnlink },
|
|
Petr Lautrbach |
b457c9 |
+ { "fingerprinthash", oFingerprintHash },
|
|
Petr Lautrbach |
b457c9 |
{ "ignoreunknown", oIgnoreUnknown },
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
{ NULL, oBadOption }
|
|
Petr Lautrbach |
b457c9 |
@@ -1097,6 +1100,9 @@ parse_int:
|
|
Petr Lautrbach |
b457c9 |
options->hostkeyalgorithms = xstrdup(arg);
|
|
Petr Lautrbach |
b457c9 |
break;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
+ case oFingerprintHash:
|
|
Petr Lautrbach |
b457c9 |
+ return ssh_digest_alg_name(val);
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
case oProtocol:
|
|
Petr Lautrbach |
b457c9 |
intptr = &options->protocol;
|
|
Petr Lautrbach |
b457c9 |
arg = strdelim(&s);
|
|
Petr Lautrbach |
b457c9 |
@@ -1433,6 +1439,18 @@ parse_int:
|
|
Petr Lautrbach |
b457c9 |
intptr = &options->fwd_opts.streamlocal_bind_unlink;
|
|
Petr Lautrbach |
b457c9 |
goto parse_flag;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
+ case oFingerprintHash:
|
|
Petr Lautrbach |
b457c9 |
+ arg = strdelim(&s);
|
|
Petr Lautrbach |
b457c9 |
+ if (!arg || *arg == '\0')
|
|
Petr Lautrbach |
b457c9 |
+ fatal("%.200s line %d: Missing argument.",
|
|
Petr Lautrbach |
b457c9 |
+ filename, linenum);
|
|
Petr Lautrbach |
b457c9 |
+ if ((value = ssh_digest_alg_by_name(arg)) == -1)
|
|
Petr Lautrbach |
b457c9 |
+ fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
|
|
Petr Lautrbach |
b457c9 |
+ filename, linenum, arg);
|
|
Petr Lautrbach |
b457c9 |
+ if (*activep)
|
|
Petr Lautrbach |
b457c9 |
+ options->fingerprint_hash = value;
|
|
Petr Lautrbach |
b457c9 |
+ break;
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
case oDeprecated:
|
|
Petr Lautrbach |
b457c9 |
debug("%s line %d: Deprecated option \"%s\"",
|
|
Petr Lautrbach |
b457c9 |
filename, linenum, keyword);
|
|
Petr Lautrbach |
b457c9 |
@@ -1609,6 +1627,7 @@ initialize_options(Options * options)
|
|
Petr Lautrbach |
b457c9 |
options->canonicalize_max_dots = -1;
|
|
Petr Lautrbach |
b457c9 |
options->canonicalize_fallback_local = -1;
|
|
Petr Lautrbach |
b457c9 |
options->canonicalize_hostname = -1;
|
|
Petr Lautrbach |
b457c9 |
+ options->fingerprint_hash = -1;
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
/*
|
|
Petr Lautrbach |
b457c9 |
@@ -1786,6 +1805,9 @@ fill_default_options(Options * options)
|
|
Petr Lautrbach |
b457c9 |
options->canonicalize_fallback_local = 1;
|
|
Petr Lautrbach |
b457c9 |
if (options->canonicalize_hostname == -1)
|
|
Petr Lautrbach |
b457c9 |
options->canonicalize_hostname = SSH_CANONICALISE_NO;
|
|
Petr Lautrbach |
b457c9 |
+ if (options->fingerprint_hash == -1)
|
|
Petr Lautrbach |
b457c9 |
+ options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
#define CLEAR_ON_NONE(v) \
|
|
Petr Lautrbach |
b457c9 |
do { \
|
|
Petr Lautrbach |
b457c9 |
if (option_clear_or_none(v)) { \
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/readconf.h.fingerprint openssh-6.7p1/readconf.h
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/readconf.h.fingerprint 2014-12-22 13:10:57.963878106 +0100
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/readconf.h 2014-12-22 13:14:24.075162395 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -144,6 +144,8 @@ typedef struct {
|
|
Petr Lautrbach |
b457c9 |
int num_permitted_cnames;
|
|
Petr Lautrbach |
b457c9 |
struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS];
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
+ int fingerprint_hash;
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
|
|
Petr Lautrbach |
b457c9 |
} Options;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/servconf.c.fingerprint openssh-6.7p1/servconf.c
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/servconf.c.fingerprint 2014-07-18 06:11:26.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/servconf.c 2014-12-22 13:25:22.626875655 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -54,6 +54,7 @@
|
|
Petr Lautrbach |
b457c9 |
#include "packet.h"
|
|
Petr Lautrbach |
b457c9 |
#include "hostfile.h"
|
|
Petr Lautrbach |
b457c9 |
#include "auth.h"
|
|
Petr Lautrbach |
b457c9 |
+#include "digest.h"
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
static void add_listen_addr(ServerOptions *, char *, int);
|
|
Petr Lautrbach |
b457c9 |
static void add_one_listen_addr(ServerOptions *, char *, int);
|
|
Petr Lautrbach |
b457c9 |
@@ -157,6 +158,7 @@ initialize_server_options(ServerOptions
|
|
Petr Lautrbach |
b457c9 |
options->ip_qos_interactive = -1;
|
|
Petr Lautrbach |
b457c9 |
options->ip_qos_bulk = -1;
|
|
Petr Lautrbach |
b457c9 |
options->version_addendum = NULL;
|
|
Petr Lautrbach |
b457c9 |
+ options->fingerprint_hash = -1;
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
void
|
|
Petr Lautrbach |
b457c9 |
@@ -312,6 +314,8 @@ fill_default_server_options(ServerOption
|
|
Petr Lautrbach |
b457c9 |
options->fwd_opts.streamlocal_bind_mask = 0177;
|
|
Petr Lautrbach |
b457c9 |
if (options->fwd_opts.streamlocal_bind_unlink == -1)
|
|
Petr Lautrbach |
b457c9 |
options->fwd_opts.streamlocal_bind_unlink = 0;
|
|
Petr Lautrbach |
b457c9 |
+ if (options->fingerprint_hash == -1)
|
|
Petr Lautrbach |
b457c9 |
+ options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
|
Petr Lautrbach |
b457c9 |
/* Turn privilege separation on by default */
|
|
Petr Lautrbach |
b457c9 |
if (use_privsep == -1)
|
|
Petr Lautrbach |
b457c9 |
use_privsep = PRIVSEP_NOSANDBOX;
|
|
Petr Lautrbach |
b457c9 |
@@ -361,7 +365,7 @@ typedef enum {
|
|
Petr Lautrbach |
b457c9 |
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
|
Petr Lautrbach |
b457c9 |
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
|
|
Petr Lautrbach |
b457c9 |
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
|
Petr Lautrbach |
b457c9 |
- sAllowStreamLocalForwarding,
|
|
Petr Lautrbach |
b457c9 |
+ sAllowStreamLocalForwarding, sFingerprintHash,
|
|
Petr Lautrbach |
b457c9 |
sDeprecated, sUnsupported
|
|
Petr Lautrbach |
b457c9 |
} ServerOpCodes;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
@@ -492,6 +496,7 @@ static struct {
|
|
Petr Lautrbach |
b457c9 |
{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
|
|
Petr Lautrbach |
b457c9 |
{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
|
|
Petr Lautrbach |
b457c9 |
{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
|
|
Petr Lautrbach |
b457c9 |
+ { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
|
|
Petr Lautrbach |
b457c9 |
{ NULL, sBadOption, 0 }
|
|
Petr Lautrbach |
b457c9 |
};
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
@@ -1663,6 +1668,18 @@ process_server_config_line(ServerOptions
|
|
Petr Lautrbach |
b457c9 |
intptr = &options->fwd_opts.streamlocal_bind_unlink;
|
|
Petr Lautrbach |
b457c9 |
goto parse_flag;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
+ case sFingerprintHash:
|
|
Petr Lautrbach |
b457c9 |
+ arg = strdelim(&cp;;
|
|
Petr Lautrbach |
b457c9 |
+ if (!arg || *arg == '\0')
|
|
Petr Lautrbach |
b457c9 |
+ fatal("%.200s line %d: Missing argument.",
|
|
Petr Lautrbach |
b457c9 |
+ filename, linenum);
|
|
Petr Lautrbach |
b457c9 |
+ if ((value = ssh_digest_alg_by_name(arg)) == -1)
|
|
Petr Lautrbach |
b457c9 |
+ fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
|
|
Petr Lautrbach |
b457c9 |
+ filename, linenum, arg);
|
|
Petr Lautrbach |
b457c9 |
+ if (*activep)
|
|
Petr Lautrbach |
b457c9 |
+ options->fingerprint_hash = value;
|
|
Petr Lautrbach |
b457c9 |
+ break;
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
case sDeprecated:
|
|
Petr Lautrbach |
b457c9 |
logit("%s line %d: Deprecated option %s",
|
|
Petr Lautrbach |
b457c9 |
filename, linenum, arg);
|
|
Petr Lautrbach |
b457c9 |
@@ -1905,6 +1922,8 @@ fmt_intarg(ServerOpCodes code, int val)
|
|
Petr Lautrbach |
b457c9 |
return fmt_multistate_int(val, multistate_tcpfwd);
|
|
Petr Lautrbach |
b457c9 |
case sAllowStreamLocalForwarding:
|
|
Petr Lautrbach |
b457c9 |
return fmt_multistate_int(val, multistate_tcpfwd);
|
|
Petr Lautrbach |
b457c9 |
+ case sFingerprintHash:
|
|
Petr Lautrbach |
b457c9 |
+ return ssh_digest_alg_name(val);
|
|
Petr Lautrbach |
b457c9 |
case sProtocol:
|
|
Petr Lautrbach |
b457c9 |
switch (val) {
|
|
Petr Lautrbach |
b457c9 |
case SSH_PROTO_1:
|
|
Petr Lautrbach |
b457c9 |
@@ -2066,6 +2085,7 @@ dump_config(ServerOptions *o)
|
|
Petr Lautrbach |
b457c9 |
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
|
Petr Lautrbach |
b457c9 |
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
|
|
Petr Lautrbach |
b457c9 |
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
|
Petr Lautrbach |
b457c9 |
+ dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
/* string arguments */
|
|
Petr Lautrbach |
b457c9 |
dump_cfg_string(sPidFile, o->pid_file);
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/servconf.h.fingerprint openssh-6.7p1/servconf.h
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/servconf.h.fingerprint 2014-07-18 06:11:26.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/servconf.h 2014-12-22 13:10:57.964878102 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -1,4 +1,4 @@
|
|
Petr Lautrbach |
b457c9 |
-/* $OpenBSD: servconf.h,v 1.114 2014/07/15 15:54:14 millert Exp $ */
|
|
Petr Lautrbach |
b457c9 |
+/* $OpenBSD: servconf.h,v 1.115 2014/12/21 22:27:56 djm Exp $ */
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
/*
|
|
Petr Lautrbach |
b457c9 |
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
|
Petr Lautrbach |
b457c9 |
@@ -185,6 +185,8 @@ typedef struct {
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
u_int num_auth_methods;
|
|
Petr Lautrbach |
b457c9 |
char *auth_methods[MAX_AUTH_METHODS];
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
+ int fingerprint_hash;
|
|
Petr Lautrbach |
b457c9 |
} ServerOptions;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
/* Information about the incoming connection as used by Match */
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/ssh.1.fingerprint openssh-6.7p1/ssh.1
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/ssh.1.fingerprint 2014-07-30 04:32:28.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/ssh.1 2014-12-22 13:10:57.967878092 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -1083,7 +1083,7 @@ Fingerprints can be determined using
|
|
Petr Lautrbach |
b457c9 |
If the fingerprint is already known, it can be matched
|
|
Petr Lautrbach |
b457c9 |
and the key can be accepted or rejected.
|
|
Petr Lautrbach |
b457c9 |
Because of the difficulty of comparing host keys
|
|
Petr Lautrbach |
b457c9 |
-just by looking at hex strings,
|
|
Petr Lautrbach |
b457c9 |
+just by looking at fingerprint strings,
|
|
Petr Lautrbach |
b457c9 |
there is also support to compare host keys visually,
|
|
Petr Lautrbach |
b457c9 |
using
|
|
Petr Lautrbach |
b457c9 |
.Em random art .
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/ssh-add.1.fingerprint openssh-6.7p1/ssh-add.1
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/ssh-add.1.fingerprint 2013-12-18 07:46:28.000000000 +0100
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/ssh-add.1 2014-12-22 13:10:57.964878102 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -44,6 +44,7 @@
|
|
Petr Lautrbach |
b457c9 |
.Sh SYNOPSIS
|
|
Petr Lautrbach |
b457c9 |
.Nm ssh-add
|
|
Petr Lautrbach |
b457c9 |
.Op Fl cDdkLlXx
|
|
Petr Lautrbach |
b457c9 |
+.Op Fl E Ar fingerprint_hash
|
|
Petr Lautrbach |
b457c9 |
.Op Fl t Ar life
|
|
Petr Lautrbach |
b457c9 |
.Op Ar
|
|
Petr Lautrbach |
b457c9 |
.Nm ssh-add
|
|
Petr Lautrbach |
b457c9 |
@@ -108,6 +109,14 @@ If no public key is found at a given pat
|
|
Petr Lautrbach |
b457c9 |
will append
|
|
Petr Lautrbach |
b457c9 |
.Pa .pub
|
|
Petr Lautrbach |
b457c9 |
and retry.
|
|
Petr Lautrbach |
b457c9 |
+.It Fl E Ar fingerprint_hash
|
|
Petr Lautrbach |
b457c9 |
+Specifies the hash algorithm used when displaying key fingerprints.
|
|
Petr Lautrbach |
b457c9 |
+Valid options are:
|
|
Petr Lautrbach |
b457c9 |
+.Dq md5
|
|
Petr Lautrbach |
b457c9 |
+and
|
|
Petr Lautrbach |
b457c9 |
+.Dq sha256 .
|
|
Petr Lautrbach |
b457c9 |
+The default is
|
|
Petr Lautrbach |
b457c9 |
+.Dq sha256 .
|
|
Petr Lautrbach |
b457c9 |
.It Fl e Ar pkcs11
|
|
Petr Lautrbach |
b457c9 |
Remove keys provided by the PKCS#11 shared library
|
|
Petr Lautrbach |
b457c9 |
.Ar pkcs11 .
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/ssh-add.c.fingerprint openssh-6.7p1/ssh-add.c
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/ssh-add.c.fingerprint 2014-07-11 01:19:05.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/ssh-add.c 2014-12-22 13:10:57.965878099 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -63,6 +63,7 @@
|
|
Petr Lautrbach |
b457c9 |
#include "pathnames.h"
|
|
Petr Lautrbach |
b457c9 |
#include "misc.h"
|
|
Petr Lautrbach |
b457c9 |
#include "ssherr.h"
|
|
Petr Lautrbach |
b457c9 |
+#include "digest.h"
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
/* argv0 */
|
|
Petr Lautrbach |
b457c9 |
extern char *__progname;
|
|
Petr Lautrbach |
b457c9 |
@@ -79,6 +80,8 @@ static char *default_files[] = {
|
|
Petr Lautrbach |
b457c9 |
NULL
|
|
Petr Lautrbach |
b457c9 |
};
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
+static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
/* Default lifetime (0 == forever) */
|
|
Petr Lautrbach |
b457c9 |
static int lifetime = 0;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
@@ -340,8 +343,8 @@ list_identities(AuthenticationConnection
|
|
Petr Lautrbach |
b457c9 |
key = ssh_get_next_identity(ac, &comment, version)) {
|
|
Petr Lautrbach |
b457c9 |
had_identities = 1;
|
|
Petr Lautrbach |
b457c9 |
if (do_fp) {
|
|
Petr Lautrbach |
b457c9 |
- fp = key_fingerprint(key, SSH_FP_MD5,
|
|
Petr Lautrbach |
b457c9 |
- SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
+ fp = key_fingerprint(key, fingerprint_hash,
|
|
Petr Lautrbach |
b457c9 |
+ SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
printf("%d %s %s (%s)\n",
|
|
Petr Lautrbach |
b457c9 |
key_size(key), fp, comment, key_type(key));
|
|
Petr Lautrbach |
b457c9 |
free(fp);
|
|
Petr Lautrbach |
b457c9 |
@@ -408,6 +411,7 @@ usage(void)
|
|
Petr Lautrbach |
b457c9 |
fprintf(stderr, "usage: %s [options] [file ...]\n", __progname);
|
|
Petr Lautrbach |
b457c9 |
fprintf(stderr, "Options:\n");
|
|
Petr Lautrbach |
b457c9 |
fprintf(stderr, " -l List fingerprints of all identities.\n");
|
|
Petr Lautrbach |
b457c9 |
+ fprintf(stderr, " -E hash Specify hash algorithm used for fingerprints.\n");
|
|
Petr Lautrbach |
b457c9 |
fprintf(stderr, " -L List public key parameters of all identities.\n");
|
|
Petr Lautrbach |
b457c9 |
fprintf(stderr, " -k Load only keys and not certificates.\n");
|
|
Petr Lautrbach |
b457c9 |
fprintf(stderr, " -c Require confirmation to sign using identities\n");
|
|
Petr Lautrbach |
b457c9 |
@@ -428,6 +432,7 @@ main(int argc, char **argv)
|
|
Petr Lautrbach |
b457c9 |
AuthenticationConnection *ac = NULL;
|
|
Petr Lautrbach |
b457c9 |
char *pkcs11provider = NULL;
|
|
Petr Lautrbach |
b457c9 |
int i, ch, deleting = 0, ret = 0, key_only = 0;
|
|
Petr Lautrbach |
b457c9 |
+ int xflag = 0, lflag = 0, Dflag = 0;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
|
Petr Lautrbach |
b457c9 |
sanitise_stdfd();
|
|
Petr Lautrbach |
b457c9 |
@@ -446,21 +451,28 @@ main(int argc, char **argv)
|
|
Petr Lautrbach |
b457c9 |
"Could not open a connection to your authentication agent.\n");
|
|
Petr Lautrbach |
b457c9 |
exit(2);
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
- while ((ch = getopt(argc, argv, "klLcdDxXe:s:t:")) != -1) {
|
|
Petr Lautrbach |
b457c9 |
+ while ((ch = getopt(argc, argv, "klLcdDxXE:e:s:t:")) != -1) {
|
|
Petr Lautrbach |
b457c9 |
switch (ch) {
|
|
Petr Lautrbach |
b457c9 |
+ case 'E':
|
|
Petr Lautrbach |
b457c9 |
+ fingerprint_hash = ssh_digest_alg_by_name(optarg);
|
|
Petr Lautrbach |
b457c9 |
+ if (fingerprint_hash == -1)
|
|
Petr Lautrbach |
b457c9 |
+ fatal("Invalid hash algorithm \"%s\"", optarg);
|
|
Petr Lautrbach |
b457c9 |
+ break;
|
|
Petr Lautrbach |
b457c9 |
case 'k':
|
|
Petr Lautrbach |
b457c9 |
key_only = 1;
|
|
Petr Lautrbach |
b457c9 |
break;
|
|
Petr Lautrbach |
b457c9 |
case 'l':
|
|
Petr Lautrbach |
b457c9 |
case 'L':
|
|
Petr Lautrbach |
b457c9 |
- if (list_identities(ac, ch == 'l' ? 1 : 0) == -1)
|
|
Petr Lautrbach |
b457c9 |
- ret = 1;
|
|
Petr Lautrbach |
b457c9 |
- goto done;
|
|
Petr Lautrbach |
b457c9 |
+ if (lflag != 0)
|
|
Petr Lautrbach |
b457c9 |
+ fatal("-%c flag already specified", lflag);
|
|
Petr Lautrbach |
b457c9 |
+ lflag = ch;
|
|
Petr Lautrbach |
b457c9 |
+ break;
|
|
Petr Lautrbach |
b457c9 |
case 'x':
|
|
Petr Lautrbach |
b457c9 |
case 'X':
|
|
Petr Lautrbach |
b457c9 |
- if (lock_agent(ac, ch == 'x' ? 1 : 0) == -1)
|
|
Petr Lautrbach |
b457c9 |
- ret = 1;
|
|
Petr Lautrbach |
b457c9 |
- goto done;
|
|
Petr Lautrbach |
b457c9 |
+ if (xflag != 0)
|
|
Petr Lautrbach |
b457c9 |
+ fatal("-%c flag already specified", xflag);
|
|
Petr Lautrbach |
b457c9 |
+ xflag = ch;
|
|
Petr Lautrbach |
b457c9 |
+ break;
|
|
Petr Lautrbach |
b457c9 |
case 'c':
|
|
Petr Lautrbach |
b457c9 |
confirm = 1;
|
|
Petr Lautrbach |
b457c9 |
break;
|
|
Petr Lautrbach |
b457c9 |
@@ -468,9 +480,8 @@ main(int argc, char **argv)
|
|
Petr Lautrbach |
b457c9 |
deleting = 1;
|
|
Petr Lautrbach |
b457c9 |
break;
|
|
Petr Lautrbach |
b457c9 |
case 'D':
|
|
Petr Lautrbach |
b457c9 |
- if (delete_all(ac) == -1)
|
|
Petr Lautrbach |
b457c9 |
- ret = 1;
|
|
Petr Lautrbach |
b457c9 |
- goto done;
|
|
Petr Lautrbach |
b457c9 |
+ Dflag = 1;
|
|
Petr Lautrbach |
b457c9 |
+ break;
|
|
Petr Lautrbach |
b457c9 |
case 's':
|
|
Petr Lautrbach |
b457c9 |
pkcs11provider = optarg;
|
|
Petr Lautrbach |
b457c9 |
break;
|
|
Petr Lautrbach |
b457c9 |
@@ -491,6 +502,23 @@ main(int argc, char **argv)
|
|
Petr Lautrbach |
b457c9 |
goto done;
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
+ if ((xflag != 0) + (lflag != 0) + (Dflag != 0) > 1)
|
|
Petr Lautrbach |
b457c9 |
+ fatal("Invalid combination of actions");
|
|
Petr Lautrbach |
b457c9 |
+ else if (xflag) {
|
|
Petr Lautrbach |
b457c9 |
+ if (lock_agent(ac, xflag == 'x' ? 1 : 0) == -1)
|
|
Petr Lautrbach |
b457c9 |
+ ret = 1;
|
|
Petr Lautrbach |
b457c9 |
+ goto done;
|
|
Petr Lautrbach |
b457c9 |
+ } else if (lflag) {
|
|
Petr Lautrbach |
b457c9 |
+ if (list_identities(ac, lflag == 'l' ? 1 : 0) == -1)
|
|
Petr Lautrbach |
b457c9 |
+ ret = 1;
|
|
Petr Lautrbach |
b457c9 |
+ goto done;
|
|
Petr Lautrbach |
b457c9 |
+ } else if (Dflag) {
|
|
Petr Lautrbach |
b457c9 |
+ if (delete_all(ac) == -1)
|
|
Petr Lautrbach |
b457c9 |
+ ret = 1;
|
|
Petr Lautrbach |
b457c9 |
+ goto done;
|
|
Petr Lautrbach |
b457c9 |
+ }
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
argc -= optind;
|
|
Petr Lautrbach |
b457c9 |
argv += optind;
|
|
Petr Lautrbach |
b457c9 |
if (pkcs11provider != NULL) {
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/ssh-agent.1.fingerprint openssh-6.7p1/ssh-agent.1
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/ssh-agent.1.fingerprint 2014-04-20 05:25:09.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/ssh-agent.1 2014-12-22 13:10:57.965878099 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -45,6 +45,7 @@
|
|
Petr Lautrbach |
b457c9 |
.Op Fl c | s
|
|
Petr Lautrbach |
b457c9 |
.Op Fl d
|
|
Petr Lautrbach |
b457c9 |
.Op Fl a Ar bind_address
|
|
Petr Lautrbach |
b457c9 |
+.Op Fl E Ar fingerprint_hash
|
|
Petr Lautrbach |
b457c9 |
.Op Fl t Ar life
|
|
Petr Lautrbach |
b457c9 |
.Op Ar command Op Ar arg ...
|
|
Petr Lautrbach |
b457c9 |
.Nm ssh-agent
|
|
Petr Lautrbach |
b457c9 |
@@ -96,6 +97,14 @@ Debug mode.
|
|
Petr Lautrbach |
b457c9 |
When this option is specified
|
|
Petr Lautrbach |
b457c9 |
.Nm
|
|
Petr Lautrbach |
b457c9 |
will not fork.
|
|
Petr Lautrbach |
b457c9 |
+.It Fl E Ar fingerprint_hash
|
|
Petr Lautrbach |
b457c9 |
+Specifies the hash algorithm used when displaying key fingerprints.
|
|
Petr Lautrbach |
b457c9 |
+Valid options are:
|
|
Petr Lautrbach |
b457c9 |
+.Dq md5
|
|
Petr Lautrbach |
b457c9 |
+and
|
|
Petr Lautrbach |
b457c9 |
+.Dq sha256 .
|
|
Petr Lautrbach |
b457c9 |
+The default is
|
|
Petr Lautrbach |
b457c9 |
+.Dq sha256 .
|
|
Petr Lautrbach |
b457c9 |
.It Fl k
|
|
Petr Lautrbach |
b457c9 |
Kill the current agent (given by the
|
|
Petr Lautrbach |
b457c9 |
.Ev SSH_AGENT_PID
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/ssh-agent.c.fingerprint openssh-6.7p1/ssh-agent.c
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/ssh-agent.c.fingerprint 2014-07-30 04:32:46.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/ssh-agent.c 2014-12-22 13:10:57.965878099 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -142,6 +142,8 @@ extern char *__progname;
|
|
Petr Lautrbach |
b457c9 |
/* Default lifetime in seconds (0 == forever) */
|
|
Petr Lautrbach |
b457c9 |
static long lifetime = 0;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
+static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
static void
|
|
Petr Lautrbach |
b457c9 |
close_socket(SocketEntry *e)
|
|
Petr Lautrbach |
b457c9 |
{
|
|
Petr Lautrbach |
b457c9 |
@@ -203,7 +205,7 @@ confirm_key(Identity *id)
|
|
Petr Lautrbach |
b457c9 |
char *p;
|
|
Petr Lautrbach |
b457c9 |
int ret = -1;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
- p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
+ p = key_fingerprint(id->key, fingerprint_hash, SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
|
|
Petr Lautrbach |
b457c9 |
id->comment, p))
|
|
Petr Lautrbach |
b457c9 |
ret = 0;
|
|
Petr Lautrbach |
b457c9 |
@@ -1026,7 +1028,7 @@ usage(void)
|
|
Petr Lautrbach |
b457c9 |
{
|
|
Petr Lautrbach |
b457c9 |
fprintf(stderr,
|
|
Petr Lautrbach |
b457c9 |
"usage: ssh-agent [-c | -s] [-d] [-a bind_address] [-t life]\n"
|
|
Petr Lautrbach |
b457c9 |
- " [command [arg ...]]\n"
|
|
Petr Lautrbach |
b457c9 |
+ " [-E fingerprint_hash] [command [arg ...]]\n"
|
|
Petr Lautrbach |
b457c9 |
" ssh-agent [-c | -s] -k\n");
|
|
Petr Lautrbach |
b457c9 |
exit(1);
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
@@ -1069,8 +1071,13 @@ main(int ac, char **av)
|
|
Petr Lautrbach |
b457c9 |
__progname = ssh_get_progname(av[0]);
|
|
Petr Lautrbach |
b457c9 |
seed_rng();
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
- while ((ch = getopt(ac, av, "cdksa:t:")) != -1) {
|
|
Petr Lautrbach |
b457c9 |
+ while ((ch = getopt(ac, av, "cdksE:a:t:")) != -1) {
|
|
Petr Lautrbach |
b457c9 |
switch (ch) {
|
|
Petr Lautrbach |
b457c9 |
+ case 'E':
|
|
Petr Lautrbach |
b457c9 |
+ fingerprint_hash = ssh_digest_alg_by_name(optarg);
|
|
Petr Lautrbach |
b457c9 |
+ if (fingerprint_hash == -1)
|
|
Petr Lautrbach |
b457c9 |
+ fatal("Invalid hash algorithm \"%s\"", optarg);
|
|
Petr Lautrbach |
b457c9 |
+ break;
|
|
Petr Lautrbach |
b457c9 |
case 'c':
|
|
Petr Lautrbach |
b457c9 |
if (s_flag)
|
|
Petr Lautrbach |
b457c9 |
usage();
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/sshconnect2.c.fingerprint openssh-6.7p1/sshconnect2.c
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/sshconnect2.c.fingerprint 2014-07-18 06:11:27.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/sshconnect2.c 2014-12-22 13:10:57.968878088 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -582,7 +582,7 @@ input_userauth_pk_ok(int type, u_int32_t
|
|
Petr Lautrbach |
b457c9 |
key->type, pktype);
|
|
Petr Lautrbach |
b457c9 |
goto done;
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
+ fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
debug2("input_userauth_pk_ok: fp %s", fp);
|
|
Petr Lautrbach |
b457c9 |
free(fp);
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
@@ -991,7 +991,7 @@ sign_and_send_pubkey(Authctxt *authctxt,
|
|
Petr Lautrbach |
b457c9 |
int have_sig = 1;
|
|
Petr Lautrbach |
b457c9 |
char *fp;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
+ fp = key_fingerprint(id->key, options.fingerprint_hash, SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
|
|
Petr Lautrbach |
b457c9 |
free(fp);
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/sshconnect.c.fingerprint openssh-6.7p1/sshconnect.c
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/sshconnect.c.fingerprint 2014-07-18 06:11:26.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/sshconnect.c 2014-12-22 13:15:28.371939131 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -915,9 +915,10 @@ check_host_key(char *hostname, struct so
|
|
Petr Lautrbach |
b457c9 |
"key for IP address '%.128s' to the list "
|
|
Petr Lautrbach |
b457c9 |
"of known hosts.", type, ip);
|
|
Petr Lautrbach |
b457c9 |
} else if (options.visual_host_key) {
|
|
Petr Lautrbach |
b457c9 |
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
- ra = key_fingerprint(host_key, SSH_FP_MD5,
|
|
Petr Lautrbach |
b457c9 |
- SSH_FP_RANDOMART);
|
|
Petr Lautrbach |
b457c9 |
+ fp = key_fingerprint(host_key,
|
|
Petr Lautrbach |
b457c9 |
+ options.fingerprint_hash, SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
+ ra = key_fingerprint(host_key,
|
|
Petr Lautrbach |
b457c9 |
+ options.fingerprint_hash, SSH_FP_RANDOMART);
|
|
Petr Lautrbach |
b457c9 |
logit("Host key fingerprint is %s\n%s\n", fp, ra);
|
|
Petr Lautrbach |
b457c9 |
free(ra);
|
|
Petr Lautrbach |
b457c9 |
free(fp);
|
|
Petr Lautrbach |
b457c9 |
@@ -956,9 +957,10 @@ check_host_key(char *hostname, struct so
|
|
Petr Lautrbach |
b457c9 |
else
|
|
Petr Lautrbach |
b457c9 |
snprintf(msg1, sizeof(msg1), ".");
|
|
Petr Lautrbach |
b457c9 |
/* The default */
|
|
Petr Lautrbach |
b457c9 |
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
- ra = key_fingerprint(host_key, SSH_FP_MD5,
|
|
Petr Lautrbach |
b457c9 |
- SSH_FP_RANDOMART);
|
|
Petr Lautrbach |
b457c9 |
+ fp = key_fingerprint(host_key,
|
|
Petr Lautrbach |
b457c9 |
+ options.fingerprint_hash, SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
+ ra = key_fingerprint(host_key,
|
|
Petr Lautrbach |
b457c9 |
+ options.fingerprint_hash, SSH_FP_RANDOMART);
|
|
Petr Lautrbach |
b457c9 |
msg2[0] = '\0';
|
|
Petr Lautrbach |
b457c9 |
if (options.verify_host_key_dns) {
|
|
Petr Lautrbach |
b457c9 |
if (matching_host_key_dns)
|
|
Petr Lautrbach |
b457c9 |
@@ -1222,7 +1224,7 @@ verify_host_key(char *host, struct socka
|
|
Petr Lautrbach |
b457c9 |
char *fp;
|
|
Petr Lautrbach |
b457c9 |
Key *plain = NULL;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
+ fp = key_fingerprint(host_key, options.fingerprint_hash, SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
debug("Server host key: %s %s", key_type(host_key), fp);
|
|
Petr Lautrbach |
b457c9 |
free(fp);
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
@@ -1356,8 +1358,10 @@ show_other_keys(struct hostkeys *hostkey
|
|
Petr Lautrbach |
b457c9 |
continue;
|
|
Petr Lautrbach |
b457c9 |
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
|
|
Petr Lautrbach |
b457c9 |
continue;
|
|
Petr Lautrbach |
b457c9 |
- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
|
|
Petr Lautrbach |
b457c9 |
+ fp = key_fingerprint(found->key,
|
|
Petr Lautrbach |
b457c9 |
+ options.fingerprint_hash, SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
+ ra = key_fingerprint(found->key,
|
|
Petr Lautrbach |
b457c9 |
+ options.fingerprint_hash, SSH_FP_RANDOMART);
|
|
Petr Lautrbach |
b457c9 |
logit("WARNING: %s key found for host %s\n"
|
|
Petr Lautrbach |
b457c9 |
"in %s:%lu\n"
|
|
Petr Lautrbach |
b457c9 |
"%s key fingerprint %s.",
|
|
Petr Lautrbach |
b457c9 |
@@ -1378,7 +1382,8 @@ warn_changed_key(Key *host_key)
|
|
Petr Lautrbach |
b457c9 |
{
|
|
Petr Lautrbach |
b457c9 |
char *fp;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
+ fp = key_fingerprint(host_key, options.fingerprint_hash,
|
|
Petr Lautrbach |
b457c9 |
+ SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
|
|
Petr Lautrbach |
b457c9 |
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/sshd_config.5.fingerprint openssh-6.7p1/sshd_config.5
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/sshd_config.5.fingerprint 2014-10-03 01:24:57.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/sshd_config.5 2014-12-22 13:10:57.968878088 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -483,6 +483,15 @@ and finally
|
|
Petr Lautrbach |
b457c9 |
See PATTERNS in
|
|
Petr Lautrbach |
b457c9 |
.Xr ssh_config 5
|
|
Petr Lautrbach |
b457c9 |
for more information on patterns.
|
|
Petr Lautrbach |
b457c9 |
+.It Cm FingerprintHash
|
|
Petr Lautrbach |
b457c9 |
+Specifies the hash algorithm used when logging key fingerprints.
|
|
Petr Lautrbach |
b457c9 |
+Valid options are:
|
|
Petr Lautrbach |
b457c9 |
+.Dq md5
|
|
Petr Lautrbach |
b457c9 |
+and
|
|
Petr Lautrbach |
b457c9 |
+.Dq sha256 .
|
|
Petr Lautrbach |
b457c9 |
+The default is
|
|
Petr Lautrbach |
b457c9 |
+.Dq sha256 .
|
|
Petr Lautrbach |
b457c9 |
+.Pp
|
|
Petr Lautrbach |
b457c9 |
.It Cm ForceCommand
|
|
Petr Lautrbach |
b457c9 |
Forces the execution of the command specified by
|
|
Petr Lautrbach |
b457c9 |
.Cm ForceCommand ,
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/sshkey.c.fingerprint openssh-6.7p1/sshkey.c
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/sshkey.c.fingerprint 2014-07-21 17:07:11.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/sshkey.c 2014-12-22 13:10:57.969878085 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -29,6 +29,7 @@
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
#include <sys/param.h>
|
|
Petr Lautrbach |
b457c9 |
#include <sys/types.h>
|
|
Petr Lautrbach |
b457c9 |
+#include <netinet/in.h>
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
#include <openssl/evp.h>
|
|
Petr Lautrbach |
b457c9 |
#include <openssl/err.h>
|
|
Petr Lautrbach |
b457c9 |
@@ -852,29 +853,18 @@ sshkey_plain_to_blob(const struct sshkey
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
int
|
|
Petr Lautrbach |
b457c9 |
-sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type,
|
|
Petr Lautrbach |
b457c9 |
+sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg,
|
|
Petr Lautrbach |
b457c9 |
u_char **retp, size_t *lenp)
|
|
Petr Lautrbach |
b457c9 |
{
|
|
Petr Lautrbach |
b457c9 |
u_char *blob = NULL, *ret = NULL;
|
|
Petr Lautrbach |
b457c9 |
size_t blob_len = 0;
|
|
Petr Lautrbach |
b457c9 |
- int hash_alg = -1, r = SSH_ERR_INTERNAL_ERROR;
|
|
Petr Lautrbach |
b457c9 |
+ int r = SSH_ERR_INTERNAL_ERROR;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
if (retp != NULL)
|
|
Petr Lautrbach |
b457c9 |
*retp = NULL;
|
|
Petr Lautrbach |
b457c9 |
if (lenp != NULL)
|
|
Petr Lautrbach |
b457c9 |
*lenp = 0;
|
|
Petr Lautrbach |
b457c9 |
-
|
|
Petr Lautrbach |
b457c9 |
- switch (dgst_type) {
|
|
Petr Lautrbach |
b457c9 |
- case SSH_FP_MD5:
|
|
Petr Lautrbach |
b457c9 |
- hash_alg = SSH_DIGEST_MD5;
|
|
Petr Lautrbach |
b457c9 |
- break;
|
|
Petr Lautrbach |
b457c9 |
- case SSH_FP_SHA1:
|
|
Petr Lautrbach |
b457c9 |
- hash_alg = SSH_DIGEST_SHA1;
|
|
Petr Lautrbach |
b457c9 |
- break;
|
|
Petr Lautrbach |
b457c9 |
- case SSH_FP_SHA256:
|
|
Petr Lautrbach |
b457c9 |
- hash_alg = SSH_DIGEST_SHA256;
|
|
Petr Lautrbach |
b457c9 |
- break;
|
|
Petr Lautrbach |
b457c9 |
- default:
|
|
Petr Lautrbach |
b457c9 |
+ if (ssh_digest_bytes(dgst_alg) == 0) {
|
|
Petr Lautrbach |
b457c9 |
r = SSH_ERR_INVALID_ARGUMENT;
|
|
Petr Lautrbach |
b457c9 |
goto out;
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
@@ -899,7 +889,7 @@ sshkey_fingerprint_raw(const struct sshk
|
|
Petr Lautrbach |
b457c9 |
r = SSH_ERR_ALLOC_FAIL;
|
|
Petr Lautrbach |
b457c9 |
goto out;
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
- if ((r = ssh_digest_memory(hash_alg, blob, blob_len,
|
|
Petr Lautrbach |
b457c9 |
+ if ((r = ssh_digest_memory(dgst_alg, blob, blob_len,
|
|
Petr Lautrbach |
b457c9 |
ret, SSH_DIGEST_MAX_LENGTH)) != 0)
|
|
Petr Lautrbach |
b457c9 |
goto out;
|
|
Petr Lautrbach |
b457c9 |
/* success */
|
|
Petr Lautrbach |
b457c9 |
@@ -908,7 +898,7 @@ sshkey_fingerprint_raw(const struct sshk
|
|
Petr Lautrbach |
b457c9 |
ret = NULL;
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
if (lenp != NULL)
|
|
Petr Lautrbach |
b457c9 |
- *lenp = ssh_digest_bytes(hash_alg);
|
|
Petr Lautrbach |
b457c9 |
+ *lenp = ssh_digest_bytes(dgst_alg);
|
|
Petr Lautrbach |
b457c9 |
r = 0;
|
|
Petr Lautrbach |
b457c9 |
out:
|
|
Petr Lautrbach |
b457c9 |
free(ret);
|
|
Petr Lautrbach |
b457c9 |
@@ -920,21 +910,45 @@ sshkey_fingerprint_raw(const struct sshk
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
static char *
|
|
Petr Lautrbach |
b457c9 |
-fingerprint_hex(u_char *dgst_raw, size_t dgst_raw_len)
|
|
Petr Lautrbach |
b457c9 |
+fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
|
|
Petr Lautrbach |
b457c9 |
{
|
|
Petr Lautrbach |
b457c9 |
- char *retval;
|
|
Petr Lautrbach |
b457c9 |
- size_t i;
|
|
Petr Lautrbach |
b457c9 |
+ char *ret;
|
|
Petr Lautrbach |
b457c9 |
+ size_t plen = strlen(alg) + 1;
|
|
Petr Lautrbach |
b457c9 |
+ size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1;
|
|
Petr Lautrbach |
b457c9 |
+ int r;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
- if ((retval = calloc(1, dgst_raw_len * 3 + 1)) == NULL)
|
|
Petr Lautrbach |
b457c9 |
+ if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL)
|
|
Petr Lautrbach |
b457c9 |
+ return NULL;
|
|
Petr Lautrbach |
b457c9 |
+ strlcpy(ret, alg, rlen);
|
|
Petr Lautrbach |
b457c9 |
+ strlcat(ret, ":", rlen);
|
|
Petr Lautrbach |
b457c9 |
+ if (dgst_raw_len == 0)
|
|
Petr Lautrbach |
b457c9 |
+ return ret;
|
|
Petr Lautrbach |
b457c9 |
+ if ((r = b64_ntop(dgst_raw, dgst_raw_len,
|
|
Petr Lautrbach |
b457c9 |
+ ret + plen, rlen - plen)) == -1) {
|
|
Petr Lautrbach |
b457c9 |
+ explicit_bzero(ret, rlen);
|
|
Petr Lautrbach |
b457c9 |
+ free(ret);
|
|
Petr Lautrbach |
b457c9 |
return NULL;
|
|
Petr Lautrbach |
b457c9 |
- for (i = 0; i < dgst_raw_len; i++) {
|
|
Petr Lautrbach |
b457c9 |
- char hex[4];
|
|
Petr Lautrbach |
b457c9 |
- snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]);
|
|
Petr Lautrbach |
b457c9 |
- strlcat(retval, hex, dgst_raw_len * 3 + 1);
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
+ /* Trim padding characters from end */
|
|
Petr Lautrbach |
b457c9 |
+ ret[strcspn(ret, "=")] = '\0';
|
|
Petr Lautrbach |
b457c9 |
+ return ret;
|
|
Petr Lautrbach |
b457c9 |
+}
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
+static char *
|
|
Petr Lautrbach |
b457c9 |
+fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
|
|
Petr Lautrbach |
b457c9 |
+{
|
|
Petr Lautrbach |
b457c9 |
+ char *retval, hex[5];
|
|
Petr Lautrbach |
b457c9 |
+ size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
- /* Remove the trailing ':' character */
|
|
Petr Lautrbach |
b457c9 |
- retval[(dgst_raw_len * 3) - 1] = '\0';
|
|
Petr Lautrbach |
b457c9 |
+ if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL)
|
|
Petr Lautrbach |
b457c9 |
+ return NULL;
|
|
Petr Lautrbach |
b457c9 |
+ strlcpy(retval, alg, rlen);
|
|
Petr Lautrbach |
b457c9 |
+ strlcat(retval, ":", rlen);
|
|
Petr Lautrbach |
b457c9 |
+ for (i = 0; i < dgst_raw_len; i++) {
|
|
Petr Lautrbach |
b457c9 |
+ snprintf(hex, sizeof(hex), "%s%02x",
|
|
Petr Lautrbach |
b457c9 |
+ i > 0 ? ":" : "", dgst_raw[i]);
|
|
Petr Lautrbach |
b457c9 |
+ strlcat(retval, hex, rlen);
|
|
Petr Lautrbach |
b457c9 |
+ }
|
|
Petr Lautrbach |
b457c9 |
return retval;
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
@@ -1020,7 +1034,7 @@ fingerprint_bubblebabble(u_char *dgst_ra
|
|
Petr Lautrbach |
b457c9 |
#define FLDSIZE_Y (FLDBASE + 1)
|
|
Petr Lautrbach |
b457c9 |
#define FLDSIZE_X (FLDBASE * 2 + 1)
|
|
Petr Lautrbach |
b457c9 |
static char *
|
|
Petr Lautrbach |
b457c9 |
-fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len,
|
|
Petr Lautrbach |
b457c9 |
+fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len,
|
|
Petr Lautrbach |
b457c9 |
const struct sshkey *k)
|
|
Petr Lautrbach |
b457c9 |
{
|
|
Petr Lautrbach |
b457c9 |
/*
|
|
Petr Lautrbach |
b457c9 |
@@ -1028,9 +1042,9 @@ fingerprint_randomart(u_char *dgst_raw,
|
|
Petr Lautrbach |
b457c9 |
* intersects with itself. Matter of taste.
|
|
Petr Lautrbach |
b457c9 |
*/
|
|
Petr Lautrbach |
b457c9 |
char *augmentation_string = " .o+=*BOX@%&#/^SE";
|
|
Petr Lautrbach |
b457c9 |
- char *retval, *p, title[FLDSIZE_X];
|
|
Petr Lautrbach |
b457c9 |
+ char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X];
|
|
Petr Lautrbach |
b457c9 |
u_char field[FLDSIZE_X][FLDSIZE_Y];
|
|
Petr Lautrbach |
b457c9 |
- size_t i, tlen;
|
|
Petr Lautrbach |
b457c9 |
+ size_t i, tlen, hlen;
|
|
Petr Lautrbach |
b457c9 |
u_int b;
|
|
Petr Lautrbach |
b457c9 |
int x, y, r;
|
|
Petr Lautrbach |
b457c9 |
size_t len = strlen(augmentation_string) - 1;
|
|
Petr Lautrbach |
b457c9 |
@@ -1075,8 +1089,12 @@ fingerprint_randomart(u_char *dgst_raw,
|
|
Petr Lautrbach |
b457c9 |
sshkey_type(k), sshkey_size(k));
|
|
Petr Lautrbach |
b457c9 |
/* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */
|
|
Petr Lautrbach |
b457c9 |
if (r < 0 || r > (int)sizeof(title))
|
|
Petr Lautrbach |
b457c9 |
- snprintf(title, sizeof(title), "[%s]", sshkey_type(k));
|
|
Petr Lautrbach |
b457c9 |
- tlen = strlen(title);
|
|
Petr Lautrbach |
b457c9 |
+ r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k));
|
|
Petr Lautrbach |
b457c9 |
+ tlen = (r <= 0) ? 0 : strlen(title);
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
+ /* assemble hash ID. */
|
|
Petr Lautrbach |
b457c9 |
+ r = snprintf(hash, sizeof(hash), "[%s]", alg);
|
|
Petr Lautrbach |
b457c9 |
+ hlen = (r <= 0) ? 0 : strlen(hash);
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
/* output upper border */
|
|
Petr Lautrbach |
b457c9 |
p = retval;
|
|
Petr Lautrbach |
b457c9 |
@@ -1085,7 +1103,7 @@ fingerprint_randomart(u_char *dgst_raw,
|
|
Petr Lautrbach |
b457c9 |
*p++ = '-';
|
|
Petr Lautrbach |
b457c9 |
memcpy(p, title, tlen);
|
|
Petr Lautrbach |
b457c9 |
p += tlen;
|
|
Petr Lautrbach |
b457c9 |
- for (i = p - retval - 1; i < FLDSIZE_X; i++)
|
|
Petr Lautrbach |
b457c9 |
+ for (i += tlen; i < FLDSIZE_X; i++)
|
|
Petr Lautrbach |
b457c9 |
*p++ = '-';
|
|
Petr Lautrbach |
b457c9 |
*p++ = '+';
|
|
Petr Lautrbach |
b457c9 |
*p++ = '\n';
|
|
Petr Lautrbach |
b457c9 |
@@ -1101,7 +1119,11 @@ fingerprint_randomart(u_char *dgst_raw,
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
/* output lower border */
|
|
Petr Lautrbach |
b457c9 |
*p++ = '+';
|
|
Petr Lautrbach |
b457c9 |
- for (i = 0; i < FLDSIZE_X; i++)
|
|
Petr Lautrbach |
b457c9 |
+ for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++)
|
|
Petr Lautrbach |
b457c9 |
+ *p++ = '-';
|
|
Petr Lautrbach |
b457c9 |
+ memcpy(p, hash, hlen);
|
|
Petr Lautrbach |
b457c9 |
+ p += hlen;
|
|
Petr Lautrbach |
b457c9 |
+ for (i += hlen; i < FLDSIZE_X; i++)
|
|
Petr Lautrbach |
b457c9 |
*p++ = '-';
|
|
Petr Lautrbach |
b457c9 |
*p++ = '+';
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
@@ -1109,24 +1131,39 @@ fingerprint_randomart(u_char *dgst_raw,
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
char *
|
|
Petr Lautrbach |
b457c9 |
-sshkey_fingerprint(const struct sshkey *k, enum sshkey_fp_type dgst_type,
|
|
Petr Lautrbach |
b457c9 |
+sshkey_fingerprint(const struct sshkey *k, int dgst_alg,
|
|
Petr Lautrbach |
b457c9 |
enum sshkey_fp_rep dgst_rep)
|
|
Petr Lautrbach |
b457c9 |
{
|
|
Petr Lautrbach |
b457c9 |
char *retval = NULL;
|
|
Petr Lautrbach |
b457c9 |
u_char *dgst_raw;
|
|
Petr Lautrbach |
b457c9 |
size_t dgst_raw_len;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
- if (sshkey_fingerprint_raw(k, dgst_type, &dgst_raw, &dgst_raw_len) != 0)
|
|
Petr Lautrbach |
b457c9 |
+ if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0)
|
|
Petr Lautrbach |
b457c9 |
return NULL;
|
|
Petr Lautrbach |
b457c9 |
switch (dgst_rep) {
|
|
Petr Lautrbach |
b457c9 |
+ case SSH_FP_DEFAULT:
|
|
Petr Lautrbach |
b457c9 |
+ if (dgst_alg == SSH_DIGEST_MD5) {
|
|
Petr Lautrbach |
b457c9 |
+ retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
|
|
Petr Lautrbach |
b457c9 |
+ dgst_raw, dgst_raw_len);
|
|
Petr Lautrbach |
b457c9 |
+ } else {
|
|
Petr Lautrbach |
b457c9 |
+ retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
|
|
Petr Lautrbach |
b457c9 |
+ dgst_raw, dgst_raw_len);
|
|
Petr Lautrbach |
b457c9 |
+ }
|
|
Petr Lautrbach |
b457c9 |
+ break;
|
|
Petr Lautrbach |
b457c9 |
case SSH_FP_HEX:
|
|
Petr Lautrbach |
b457c9 |
- retval = fingerprint_hex(dgst_raw, dgst_raw_len);
|
|
Petr Lautrbach |
b457c9 |
+ retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
|
|
Petr Lautrbach |
b457c9 |
+ dgst_raw, dgst_raw_len);
|
|
Petr Lautrbach |
b457c9 |
+ break;
|
|
Petr Lautrbach |
b457c9 |
+ case SSH_FP_BASE64:
|
|
Petr Lautrbach |
b457c9 |
+ retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
|
|
Petr Lautrbach |
b457c9 |
+ dgst_raw, dgst_raw_len);
|
|
Petr Lautrbach |
b457c9 |
break;
|
|
Petr Lautrbach |
b457c9 |
case SSH_FP_BUBBLEBABBLE:
|
|
Petr Lautrbach |
b457c9 |
retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
|
|
Petr Lautrbach |
b457c9 |
break;
|
|
Petr Lautrbach |
b457c9 |
case SSH_FP_RANDOMART:
|
|
Petr Lautrbach |
b457c9 |
- retval = fingerprint_randomart(dgst_raw, dgst_raw_len, k);
|
|
Petr Lautrbach |
b457c9 |
+ retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg),
|
|
Petr Lautrbach |
b457c9 |
+ dgst_raw, dgst_raw_len, k);
|
|
Petr Lautrbach |
b457c9 |
break;
|
|
Petr Lautrbach |
b457c9 |
default:
|
|
Petr Lautrbach |
b457c9 |
explicit_bzero(dgst_raw, dgst_raw_len);
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/ssh-keygen.1.fingerprint openssh-6.7p1/ssh-keygen.1
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/ssh-keygen.1.fingerprint 2014-04-20 05:23:04.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/ssh-keygen.1 2014-12-22 13:10:57.966878095 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -73,6 +73,7 @@
|
|
Petr Lautrbach |
b457c9 |
.Op Fl f Ar keyfile
|
|
Petr Lautrbach |
b457c9 |
.Nm ssh-keygen
|
|
Petr Lautrbach |
b457c9 |
.Fl l
|
|
Petr Lautrbach |
b457c9 |
+.Op Fl E Ar fingerprint_hash
|
|
Petr Lautrbach |
b457c9 |
.Op Fl f Ar input_keyfile
|
|
Petr Lautrbach |
b457c9 |
.Nm ssh-keygen
|
|
Petr Lautrbach |
b457c9 |
.Fl B
|
|
Petr Lautrbach |
b457c9 |
@@ -269,6 +270,14 @@ When used in combination with
|
|
Petr Lautrbach |
b457c9 |
this option indicates that a CA key resides in a PKCS#11 token (see the
|
|
Petr Lautrbach |
b457c9 |
.Sx CERTIFICATES
|
|
Petr Lautrbach |
b457c9 |
section for details).
|
|
Petr Lautrbach |
b457c9 |
+.It Fl E Ar fingerprint_hash
|
|
Petr Lautrbach |
b457c9 |
+Specifies the hash algorithm used when displaying key fingerprints.
|
|
Petr Lautrbach |
b457c9 |
+Valid options are:
|
|
Petr Lautrbach |
b457c9 |
+.Dq md5
|
|
Petr Lautrbach |
b457c9 |
+and
|
|
Petr Lautrbach |
b457c9 |
+.Dq sha256 .
|
|
Petr Lautrbach |
b457c9 |
+The default is
|
|
Petr Lautrbach |
b457c9 |
+.Dq sha256 .
|
|
Petr Lautrbach |
b457c9 |
.It Fl e
|
|
Petr Lautrbach |
b457c9 |
This option will read a private or public OpenSSH key file and
|
|
Petr Lautrbach |
b457c9 |
print to stdout the key in one of the formats specified by the
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/ssh-keygen.c.fingerprint openssh-6.7p1/ssh-keygen.c
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/ssh-keygen.c.fingerprint 2014-07-03 13:24:41.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/ssh-keygen.c 2014-12-22 13:10:57.966878095 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -53,6 +53,7 @@
|
|
Petr Lautrbach |
b457c9 |
#include "ssh-pkcs11.h"
|
|
Petr Lautrbach |
b457c9 |
#include "atomicio.h"
|
|
Petr Lautrbach |
b457c9 |
#include "krl.h"
|
|
Petr Lautrbach |
b457c9 |
+#include "digest.h"
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
/* Number of bits in the RSA/DSA key. This value can be set on the command line. */
|
|
Petr Lautrbach |
b457c9 |
#define DEFAULT_BITS 2048
|
|
Petr Lautrbach |
b457c9 |
@@ -90,6 +91,9 @@ int show_cert = 0;
|
|
Petr Lautrbach |
b457c9 |
int print_fingerprint = 0;
|
|
Petr Lautrbach |
b457c9 |
int print_bubblebabble = 0;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
+/* Hash algorithm to use for fingerprints. */
|
|
Petr Lautrbach |
b457c9 |
+int fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
|
Petr Lautrbach |
b457c9 |
+
|
|
Petr Lautrbach |
b457c9 |
/* The identity file name, given on the command line or entered by the user. */
|
|
Petr Lautrbach |
b457c9 |
char identity_file[1024];
|
|
Petr Lautrbach |
b457c9 |
int have_identity = 0;
|
|
Petr Lautrbach |
b457c9 |
@@ -749,11 +753,11 @@ do_download(struct passwd *pw)
|
|
Petr Lautrbach |
b457c9 |
Key **keys = NULL;
|
|
Petr Lautrbach |
b457c9 |
int i, nkeys;
|
|
Petr Lautrbach |
b457c9 |
enum fp_rep rep;
|
|
Petr Lautrbach |
b457c9 |
- enum fp_type fptype;
|
|
Petr Lautrbach |
b457c9 |
+ int fptype;
|
|
Petr Lautrbach |
b457c9 |
char *fp, *ra;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
|
|
Petr Lautrbach |
b457c9 |
- rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
|
|
Petr Lautrbach |
b457c9 |
+ fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
|
|
Petr Lautrbach |
b457c9 |
+ rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
pkcs11_init(0);
|
|
Petr Lautrbach |
b457c9 |
nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys);
|
|
Petr Lautrbach |
b457c9 |
@@ -762,7 +766,7 @@ do_download(struct passwd *pw)
|
|
Petr Lautrbach |
b457c9 |
for (i = 0; i < nkeys; i++) {
|
|
Petr Lautrbach |
b457c9 |
if (print_fingerprint) {
|
|
Petr Lautrbach |
b457c9 |
fp = key_fingerprint(keys[i], fptype, rep);
|
|
Petr Lautrbach |
b457c9 |
- ra = key_fingerprint(keys[i], SSH_FP_MD5,
|
|
Petr Lautrbach |
b457c9 |
+ ra = key_fingerprint(keys[i], fingerprint_hash,
|
|
Petr Lautrbach |
b457c9 |
SSH_FP_RANDOMART);
|
|
Petr Lautrbach |
b457c9 |
printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]),
|
|
Petr Lautrbach |
b457c9 |
fp, key_type(keys[i]));
|
|
Petr Lautrbach |
b457c9 |
@@ -792,12 +796,11 @@ do_fingerprint(struct passwd *pw)
|
|
Petr Lautrbach |
b457c9 |
char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;
|
|
Petr Lautrbach |
b457c9 |
int i, skip = 0, num = 0, invalid = 1;
|
|
Petr Lautrbach |
b457c9 |
enum fp_rep rep;
|
|
Petr Lautrbach |
b457c9 |
- enum fp_type fptype;
|
|
Petr Lautrbach |
b457c9 |
+ int fptype;
|
|
Petr Lautrbach |
b457c9 |
struct stat st;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
|
|
Petr Lautrbach |
b457c9 |
- rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
|
|
Petr Lautrbach |
b457c9 |
-
|
|
Petr Lautrbach |
b457c9 |
+ fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
|
|
Petr Lautrbach |
b457c9 |
+ rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
|
|
Petr Lautrbach |
b457c9 |
if (!have_identity)
|
|
Petr Lautrbach |
b457c9 |
ask_filename(pw, "Enter file in which the key is");
|
|
Petr Lautrbach |
b457c9 |
if (stat(identity_file, &st) < 0) {
|
|
Petr Lautrbach |
b457c9 |
@@ -807,7 +810,8 @@ do_fingerprint(struct passwd *pw)
|
|
Petr Lautrbach |
b457c9 |
public = key_load_public(identity_file, &comment);
|
|
Petr Lautrbach |
b457c9 |
if (public != NULL) {
|
|
Petr Lautrbach |
b457c9 |
fp = key_fingerprint(public, fptype, rep);
|
|
Petr Lautrbach |
b457c9 |
- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
|
|
Petr Lautrbach |
b457c9 |
+ ra = key_fingerprint(public, fingerprint_hash,
|
|
Petr Lautrbach |
b457c9 |
+ SSH_FP_RANDOMART);
|
|
Petr Lautrbach |
b457c9 |
printf("%u %s %s (%s)\n", key_size(public), fp, comment,
|
|
Petr Lautrbach |
b457c9 |
key_type(public));
|
|
Petr Lautrbach |
b457c9 |
if (log_level >= SYSLOG_LEVEL_VERBOSE)
|
|
Petr Lautrbach |
b457c9 |
@@ -873,7 +877,8 @@ do_fingerprint(struct passwd *pw)
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
comment = *cp ? cp : comment;
|
|
Petr Lautrbach |
b457c9 |
fp = key_fingerprint(public, fptype, rep);
|
|
Petr Lautrbach |
b457c9 |
- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
|
|
Petr Lautrbach |
b457c9 |
+ ra = key_fingerprint(public, fingerprint_hash,
|
|
Petr Lautrbach |
b457c9 |
+ SSH_FP_RANDOMART);
|
|
Petr Lautrbach |
b457c9 |
printf("%u %s %s (%s)\n", key_size(public), fp,
|
|
Petr Lautrbach |
b457c9 |
comment ? comment : "no comment", key_type(public));
|
|
Petr Lautrbach |
b457c9 |
if (log_level >= SYSLOG_LEVEL_VERBOSE)
|
|
Petr Lautrbach |
b457c9 |
@@ -991,13 +996,15 @@ printhost(FILE *f, const char *name, Key
|
|
Petr Lautrbach |
b457c9 |
{
|
|
Petr Lautrbach |
b457c9 |
if (print_fingerprint) {
|
|
Petr Lautrbach |
b457c9 |
enum fp_rep rep;
|
|
Petr Lautrbach |
b457c9 |
- enum fp_type fptype;
|
|
Petr Lautrbach |
b457c9 |
+ int fptype;
|
|
Petr Lautrbach |
b457c9 |
char *fp, *ra;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
|
|
Petr Lautrbach |
b457c9 |
- rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
|
|
Petr Lautrbach |
b457c9 |
+ fptype = print_bubblebabble ?
|
|
Petr Lautrbach |
b457c9 |
+ SSH_DIGEST_SHA1 : fingerprint_hash;
|
|
Petr Lautrbach |
b457c9 |
+ rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
|
|
Petr Lautrbach |
b457c9 |
fp = key_fingerprint(public, fptype, rep);
|
|
Petr Lautrbach |
b457c9 |
- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
|
|
Petr Lautrbach |
b457c9 |
+ ra = key_fingerprint(public, fingerprint_hash,
|
|
Petr Lautrbach |
b457c9 |
+ SSH_FP_RANDOMART);
|
|
Petr Lautrbach |
b457c9 |
printf("%u %s %s (%s)\n", key_size(public), fp, name,
|
|
Petr Lautrbach |
b457c9 |
key_type(public));
|
|
Petr Lautrbach |
b457c9 |
if (log_level >= SYSLOG_LEVEL_VERBOSE)
|
|
Petr Lautrbach |
b457c9 |
@@ -1906,9 +1913,9 @@ do_show_cert(struct passwd *pw)
|
|
Petr Lautrbach |
b457c9 |
fatal("%s is not a certificate", identity_file);
|
|
Petr Lautrbach |
b457c9 |
v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
+ key_fp = key_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
ca_fp = key_fingerprint(key->cert->signature_key,
|
|
Petr Lautrbach |
b457c9 |
- SSH_FP_MD5, SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
+ fingerprint_hash, SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
printf("%s:\n", identity_file);
|
|
Petr Lautrbach |
b457c9 |
printf(" Type: %s %s certificate\n", key_ssh_name(key),
|
|
Petr Lautrbach |
b457c9 |
@@ -2187,7 +2194,7 @@ usage(void)
|
|
Petr Lautrbach |
b457c9 |
" ssh-keygen -e [-m key_format] [-f input_keyfile]\n"
|
|
Petr Lautrbach |
b457c9 |
" ssh-keygen -y [-f input_keyfile]\n"
|
|
Petr Lautrbach |
b457c9 |
" ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n"
|
|
Petr Lautrbach |
b457c9 |
- " ssh-keygen -l [-f input_keyfile]\n"
|
|
Petr Lautrbach |
b457c9 |
+ " ssh-keygen -l [-E fingerprint_hash] [-f input_keyfile]\n"
|
|
Petr Lautrbach |
b457c9 |
" ssh-keygen -B [-f input_keyfile]\n");
|
|
Petr Lautrbach |
b457c9 |
#ifdef ENABLE_PKCS11
|
|
Petr Lautrbach |
b457c9 |
fprintf(stderr,
|
|
Petr Lautrbach |
b457c9 |
@@ -2256,9 +2263,10 @@ main(int argc, char **argv)
|
|
Petr Lautrbach |
b457c9 |
exit(1);
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
- /* Remaining characters: EUYdw */
|
|
Petr Lautrbach |
b457c9 |
+ /* Remaining characters: UYdw */
|
|
Petr Lautrbach |
b457c9 |
while ((opt = getopt(argc, argv, "ABHLQXceghiklopquvxy"
|
|
Petr Lautrbach |
b457c9 |
- "C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:a:b:f:g:j:m:n:r:s:t:z:")) != -1) {
|
|
Petr Lautrbach |
b457c9 |
+ "C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:"
|
|
Petr Lautrbach |
b457c9 |
+ "a:b:f:g:j:m:n:r:s:t:z:")) != -1) {
|
|
Petr Lautrbach |
b457c9 |
switch (opt) {
|
|
Petr Lautrbach |
b457c9 |
case 'A':
|
|
Petr Lautrbach |
b457c9 |
gen_all_hostkeys = 1;
|
|
Petr Lautrbach |
b457c9 |
@@ -2269,6 +2277,11 @@ main(int argc, char **argv)
|
|
Petr Lautrbach |
b457c9 |
fatal("Bits has bad value %s (%s)",
|
|
Petr Lautrbach |
b457c9 |
optarg, errstr);
|
|
Petr Lautrbach |
b457c9 |
break;
|
|
Petr Lautrbach |
b457c9 |
+ case 'E':
|
|
Petr Lautrbach |
b457c9 |
+ fingerprint_hash = ssh_digest_alg_by_name(optarg);
|
|
Petr Lautrbach |
b457c9 |
+ if (fingerprint_hash == -1)
|
|
Petr Lautrbach |
b457c9 |
+ fatal("Invalid hash algorithm \"%s\"", optarg);
|
|
Petr Lautrbach |
b457c9 |
+ break;
|
|
Petr Lautrbach |
b457c9 |
case 'F':
|
|
Petr Lautrbach |
b457c9 |
find_host = 1;
|
|
Petr Lautrbach |
b457c9 |
rr_hostname = optarg;
|
|
Petr Lautrbach |
b457c9 |
@@ -2700,8 +2713,9 @@ passphrase_again:
|
|
Petr Lautrbach |
b457c9 |
fclose(f);
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
if (!quiet) {
|
|
Petr Lautrbach |
b457c9 |
- char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
- char *ra = key_fingerprint(public, SSH_FP_MD5,
|
|
Petr Lautrbach |
b457c9 |
+ char *fp = key_fingerprint(public, fingerprint_hash,
|
|
Petr Lautrbach |
b457c9 |
+ SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
+ char *ra = key_fingerprint(public, fingerprint_hash,
|
|
Petr Lautrbach |
b457c9 |
SSH_FP_RANDOMART);
|
|
Petr Lautrbach |
b457c9 |
printf("Your public key has been saved in %s.\n",
|
|
Petr Lautrbach |
b457c9 |
identity_file);
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/sshkey.h.fingerprint openssh-6.7p1/sshkey.h
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/sshkey.h.fingerprint 2014-08-20 03:06:51.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/sshkey.h 2014-12-22 13:10:57.969878085 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -1,4 +1,4 @@
|
|
Petr Lautrbach |
b457c9 |
-/* $OpenBSD: sshkey.h,v 1.1 2014/06/24 01:16:58 djm Exp $ */
|
|
Petr Lautrbach |
b457c9 |
+/* $OpenBSD: sshkey.h,v 1.2 2014/12/21 22:27:55 djm Exp $ */
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
/*
|
|
Petr Lautrbach |
b457c9 |
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
|
Petr Lautrbach |
b457c9 |
@@ -67,16 +67,14 @@ enum sshkey_types {
|
|
Petr Lautrbach |
b457c9 |
KEY_UNSPEC
|
|
Petr Lautrbach |
b457c9 |
};
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
-/* Fingerprint hash algorithms */
|
|
Petr Lautrbach |
b457c9 |
-enum sshkey_fp_type {
|
|
Petr Lautrbach |
b457c9 |
- SSH_FP_SHA1,
|
|
Petr Lautrbach |
b457c9 |
- SSH_FP_MD5,
|
|
Petr Lautrbach |
b457c9 |
- SSH_FP_SHA256
|
|
Petr Lautrbach |
b457c9 |
-};
|
|
Petr Lautrbach |
b457c9 |
+/* Default fingerprint hash */
|
|
Petr Lautrbach |
b457c9 |
+#define SSH_FP_HASH_DEFAULT SSH_DIGEST_SHA256
|
|
Petr Lautrbach |
b457c9 |
|
|
Petr Lautrbach |
b457c9 |
/* Fingerprint representation formats */
|
|
Petr Lautrbach |
b457c9 |
enum sshkey_fp_rep {
|
|
Petr Lautrbach |
b457c9 |
+ SSH_FP_DEFAULT = 0,
|
|
Petr Lautrbach |
b457c9 |
SSH_FP_HEX,
|
|
Petr Lautrbach |
b457c9 |
+ SSH_FP_BASE64,
|
|
Petr Lautrbach |
b457c9 |
SSH_FP_BUBBLEBABBLE,
|
|
Petr Lautrbach |
b457c9 |
SSH_FP_RANDOMART
|
|
Petr Lautrbach |
b457c9 |
};
|
|
Petr Lautrbach |
b457c9 |
@@ -124,9 +122,9 @@ int sshkey_equal_public(const struct s
|
|
Petr Lautrbach |
b457c9 |
const struct sshkey *);
|
|
Petr Lautrbach |
b457c9 |
int sshkey_equal(const struct sshkey *, const struct sshkey *);
|
|
Petr Lautrbach |
b457c9 |
char *sshkey_fingerprint(const struct sshkey *,
|
|
Petr Lautrbach |
b457c9 |
- enum sshkey_fp_type, enum sshkey_fp_rep);
|
|
Petr Lautrbach |
b457c9 |
+ int, enum sshkey_fp_rep);
|
|
Petr Lautrbach |
b457c9 |
int sshkey_fingerprint_raw(const struct sshkey *k,
|
|
Petr Lautrbach |
b457c9 |
- enum sshkey_fp_type dgst_type, u_char **retp, size_t *lenp);
|
|
Petr Lautrbach |
b457c9 |
+ int, u_char **retp, size_t *lenp);
|
|
Petr Lautrbach |
b457c9 |
const char *sshkey_type(const struct sshkey *);
|
|
Petr Lautrbach |
b457c9 |
const char *sshkey_cert_type(const struct sshkey *);
|
|
Petr Lautrbach |
b457c9 |
int sshkey_write(const struct sshkey *, FILE *);
|
|
Petr Lautrbach |
b457c9 |
diff -up openssh-6.7p1/ssh-keysign.c.fingerprint openssh-6.7p1/ssh-keysign.c
|
|
Petr Lautrbach |
b457c9 |
--- openssh-6.7p1/ssh-keysign.c.fingerprint 2014-05-15 06:24:10.000000000 +0200
|
|
Petr Lautrbach |
b457c9 |
+++ openssh-6.7p1/ssh-keysign.c 2014-12-22 13:10:57.967878092 +0100
|
|
Petr Lautrbach |
b457c9 |
@@ -246,7 +246,8 @@ main(int argc, char **argv)
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
}
|
|
Petr Lautrbach |
b457c9 |
if (!found) {
|
|
Petr Lautrbach |
b457c9 |
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
|
Petr Lautrbach |
b457c9 |
+ fp = key_fingerprint(key, options.fingerprint_hash,
|
|
Petr Lautrbach |
b457c9 |
+ SSH_FP_DEFAULT);
|
|
Petr Lautrbach |
b457c9 |
fatal("no matching hostkey found for key %s %s",
|
|
Petr Lautrbach |
b457c9 |
key_type(key), fp);
|
|
Petr Lautrbach |
b457c9 |
}
|