Bugzilla – Attachment 2144 Details for
Bug 1978
ECDSA & SHA256 support in SSHFP DNS records
[patch]
Patch to add support to ssh-keygen -r and ssh for ECDSA/SHA-256 SSHFP records
ssh-sshfp-ecdsa.patch (text/plain), 5.32 KB, created by
martian67
on 2012-04-11 12:37:53 AEST
Description:
Patch to add support to ssh-keygen -r and ssh for ECDSA/SHA-256 SSHFP records
patch
obsolete
>--- dns.c 31 Aug 2010 12:41:14 -0000 1.29
>+++ dns.c 27 Jan 2012 09:29:05 -0000
>@@ -78,27 +78,50 @@
> u_char **digest, u_int *digest_len, Key *key)
> {
> int success = 0;
>+ enum fp_type dgst_type;
> 
> switch (key->type) {
> case KEY_RSA:
> *algorithm = SSHFP_KEY_RSA;
>+ if (!*digest_type)
>+ *digest_type = SSHFP_HASH_SHA1;
> break;
> case KEY_DSA:
> *algorithm = SSHFP_KEY_DSA;
>+ if (!*digest_type)
>+ *digest_type = SSHFP_HASH_SHA1;
>+ break;
>+ case KEY_ECDSA:
>+ *algorithm = SSHFP_KEY_ECDSA;
>+#ifdef HAVE_EVP_SHA256
>+ if (!*digest_type)
>+ *digest_type = SSHFP_HASH_SHA256;
>+#endif
> break;
>- /* XXX KEY_ECDSA */
> default:
> *algorithm = SSHFP_KEY_RESERVED; /* 0 */
>+ *digest_type = SSHFP_HASH_RESERVED; /* 0 */
> }
> 
>- if (*algorithm) {
>- *digest_type = SSHFP_HASH_SHA1;
>- *digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len);
>+ switch (*digest_type) {
>+ case SSHFP_HASH_SHA1:
>+ dgst_type = SSH_FP_SHA1;
>+ break;
>+#ifdef HAVE_EVP_SHA256
>+ case SSHFP_HASH_SHA256:
>+ dgst_type = SSH_FP_SHA256;
>+ break;
>+#endif
>+ default:
>+ *digest_type = SSHFP_HASH_RESERVED; /* 0 */
>+ }
>+
>+ if (*algorithm && *digest_type) {
>+ *digest = key_fingerprint_raw(key, dgst_type, digest_len);
> if (*digest == NULL)
> fatal("dns_read_key: null from key_fingerprint_raw()");
> success = 1;
> } else {
>- *digest_type = SSHFP_HASH_RESERVED;
> *digest = NULL;
> *digest_len = 0;
> success = 0;
>@@ -180,7 +203,7 @@
> struct rrsetinfo *fingerprints = NULL;
> 
> u_int8_t hostkey_algorithm;
>- u_int8_t hostkey_digest_type;
>+ u_int8_t hostkey_digest_type = SSHFP_HASH_RESERVED;
> u_char *hostkey_digest;
> u_int hostkey_digest_len;
> 
>@@ -216,7 +239,7 @@
> fingerprints->rri_nrdatas);
> }
> 
>- /* Initialize host key parameters */
>+ /* Initialize default host key parameters */
> if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type,
> &hostkey_digest, &hostkey_digest_len, hostkey)) {
> error("Error calculating host key fingerprint.");
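Review bot: `*digest_type` silently becomes an in/out parameter of dns_read_key in the first hunk — SSHFP_HASH_RESERVED on entry selects the key type's default, any other value is taken as a caller request — but nothing in the patch documents that contract, and the function's signature and header comment sit above the hunk. A comment above the first switch such as `/* *digest_type is in/out: SSHFP_HASH_RESERVED on entry means "use the default for this key type" */` would make the expectation visible to both callers (verify_host_key_dns and export_dns_rr). Separately, `dgst_type` is left uninitialized on the `default:` path of the second switch; the `*algorithm && *digest_type` guard makes that read unreachable today, but `enum fp_type dgst_type = SSH_FP_SHA1;` at the declaration keeps the invariant explicit and avoids a maybe-uninitialized warning. Nothing ties the requested digest to the key algorithm, so a caller can ask for an ECDSA/SHA-1 record; if that pairing is intended it is worth stating in the same comment.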
>@@ -240,6 +263,19 @@
> continue;
> }
> 
>+ if (hostkey_digest_type != dnskey_digest_type) {
>+ hostkey_digest_type = dnskey_digest_type;
>+
>+ xfree(hostkey_digest);
>+ /* Initialize host key parameters */
>+ if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type,
>+ &hostkey_digest, &hostkey_digest_len, hostkey)) {
>+ error("Error calculating host key fingerprint.");
>+ freerrset(fingerprints);
>+ return -1;
>+ }
>+ }
>+
> /* Check if the current key is the same as the given key */
> if (hostkey_algorithm == dnskey_algorithm &&
> hostkey_digest_type == dnskey_digest_type) {
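Review bot: `dnskey_digest_type` is read from the SSHFP record, i.e. from DNS data the client does not control, and when it is a value dns_read_key does not support the recompute branch fails and the whole lookup returns -1, so a single record with a reserved or not-yet-supported fingerprint type makes every other record in the RRset unusable; before this change such a record merely failed to match. A record whose digest type is outside SSHFP_HASH_SHA1..SSHFP_HASH_LAST should be skipped rather than treated as a fatal error, and the host key fingerprint recomputed only for supported types. The loop appears to free `dnskey_digest` below the hunk (I infer the allocation from dns_read_rdata; confirm), so the skip has to release it first. The enclosing loop and verify_host_key_dns both start and end outside the hunk.

```c
		if (hostkey_digest_type != dnskey_digest_type) {
			/* Digest type comes from DNS: skip a record we cannot
			 * verify instead of failing the whole lookup. */
			if (dnskey_digest_type == SSHFP_HASH_RESERVED ||
			    dnskey_digest_type > SSHFP_HASH_LAST) {
				xfree(dnskey_digest);	/* confirm: allocated by dns_read_rdata() */
				continue;
			}
			hostkey_digest_type = dnskey_digest_type;
			/* … unchanged: xfree(hostkey_digest) and the dns_read_key() recompute … */
		}
```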
>@@ -275,31 +311,40 @@
> export_dns_rr(const char *hostname, Key *key, FILE *f, int generic)
> {
> u_int8_t rdata_pubkey_algorithm = 0;
>- u_int8_t rdata_digest_type = SSHFP_HASH_SHA1;
>+ u_int8_t rdata_digest_type = SSHFP_HASH_RESERVED;
>+ u_int8_t digest_type;
> u_char *rdata_digest;
> u_int rdata_digest_len;
> 
> u_int i;
> int success = 0;
> 
>- if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
>- &rdata_digest, &rdata_digest_len, key)) {
>+ for (digest_type = SSHFP_HASH_SHA1; digest_type <= SSHFP_HASH_LAST; digest_type += 1) {
> 
>- if (generic)
>- fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname,
>- DNS_RDATATYPE_SSHFP, 2 + rdata_digest_len,
>- rdata_pubkey_algorithm, rdata_digest_type);
>- else
>- fprintf(f, "%s IN SSHFP %d %d ", hostname,
>- rdata_pubkey_algorithm, rdata_digest_type);
>+ rdata_digest_type = digest_type;
> 
>- for (i = 0; i < rdata_digest_len; i++)
>- fprintf(f, "%02x", rdata_digest[i]);
>- fprintf(f, "\n");
>- xfree(rdata_digest); /* from key_fingerprint_raw() */
>- success = 1;
>- } else {
>- error("export_dns_rr: unsupported algorithm");
>+ if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
>+ &rdata_digest, &rdata_digest_len, key)) {
>+
>+ if (generic)
>+ fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname,
>+ DNS_RDATATYPE_SSHFP, 2 + rdata_digest_len,
>+ rdata_pubkey_algorithm, rdata_digest_type);
>+ else
>+ fprintf(f, "%s IN SSHFP %d %d ", hostname,
>+ rdata_pubkey_algorithm, rdata_digest_type);
>+
>+ for (i = 0; i < rdata_digest_len; i++)
>+ fprintf(f, "%02x", rdata_digest[i]);
>+ fprintf(f, "\n");
>+ xfree(rdata_digest); /* from key_fingerprint_raw() */
>+ success = 1;
>+ }
>+ }
>+
>+ /* No SSHFP record was generated at all */
>+ if (success == 0) {
>+ error("export_dns_rr: unsupported algorithm and/or digest_type");
> }
> 
> return success;
>--- dns.h 26 Feb 2010 20:55:05 -0000 1.9
>+++ dns.h 27 Jan 2012 09:29:05 -0000
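Review bot: The new `for` header in export_dns_rr runs well past 80 columns and uses `digest_type += 1` where the rest of the function writes `i++`; splitting it as `for (digest_type = SSHFP_HASH_SHA1;` / `    digest_type <= SSHFP_HASH_LAST; digest_type++) {` keeps the file's KNF layout. The loop also deserves a one-line comment, e.g. `/* Emit one SSHFP record per digest type this build supports; dns_read_key() maps each to its fp_type. */`, since the reason a key now yields several records is not obvious from the code. Because `digest_type` is u_int8_t the termination condition relies on SSHFP_HASH_LAST never reaching 255, which holds today but is worth noting next to the enum. This is a user-visible change — `ssh-keygen -r` prints a SHA-1 and a SHA-256 record per RSA/DSA key when SHA-256 is available — that ssh-keygen(1), which is not part of this patch, should describe.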
>@@ -31,12 +31,19 @@
> enum sshfp_types {
> SSHFP_KEY_RESERVED,
> SSHFP_KEY_RSA,
>- SSHFP_KEY_DSA
>+ SSHFP_KEY_DSA,
>+ SSHFP_KEY_ECDSA
> };
> 
> enum sshfp_hashes {
> SSHFP_HASH_RESERVED,
>- SSHFP_HASH_SHA1
>+ SSHFP_HASH_SHA1,
>+#ifdef HAVE_EVP_SHA256
>+ SSHFP_HASH_SHA256,
>+ SSHFP_HASH_LAST=SSHFP_HASH_SHA256
>+#else
>+ SSHFP_HASH_LAST=SSHFP_HASH_SHA1
>+#endif
> };
> 
> #define DNS_RDATACLASS_IN 1
>--- key.c 18 Oct 2011 05:06:16 -0000 1.103
>+++ key.c 27 Jan 2012 09:29:06 -0000
>@@ -342,6 +342,11 @@
> case SSH_FP_SHA1:
> md = EVP_sha1();
> break;
>+#ifdef HAVE_EVP_SHA256
>+ case SSH_FP_SHA256:
>+ md = EVP_sha256();
>+ break;
>+#endif
> default:
> fatal("key_fingerprint_raw: bad digest type %d",
> dgst_type);
>--- key.h 4 Nov 2010 23:19:49 -0000 1.36
>+++ key.h 27 Jan 2012 09:29:06 -0000
>@@ -48,7 +48,10 @@
> };
> enum fp_type {
> SSH_FP_SHA1,
>- SSH_FP_MD5
>+ SSH_FP_MD5,
>+#ifdef HAVE_EVP_SHA256
>+ SSH_FP_SHA256
>+#endif
> };
> enum fp_rep {
> SSH_FP_HEX,
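Review bot: Making `SSHFP_HASH_SHA256` and `SSHFP_HASH_LAST` in dns.h (and `SSH_FP_SHA256` in the key.h hunk) conditional on HAVE_EVP_SHA256 ties the shape of a public enum to whether the configure macro happens to be visible in each translation unit that includes the header; any TU that sees dns.h or key.h without the config header gets a different enumeration, and the wire value 2 read from DNS would then mean different things in different objects. The SSHFP fingerprint type is a protocol constant — type 2 is SHA-256 whatever the local OpenSSL offers — so define the enumerators unconditionally, `SSHFP_HASH_SHA256,` and `SSHFP_HASH_LAST = SSHFP_HASH_SHA256` (likewise `SSH_FP_SHA256` in key.h), and keep the `#ifdef` only around `EVP_sha256()` in key.c and the matching `case` in dns_read_key, where a digest that cannot be computed is already rejected. That also restores the file's spacing around `=`, which `SSHFP_HASH_LAST=SSHFP_HASH_SHA256` drops.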