
(-)a/auth-rsa.c (-1 / +1 lines)
Lines 239-245 rsa_key_allowed_in_file(struct passwd *pw, char *file, Link Here
239
			    file, linenum, BN_num_bits(key->rsa->n), bits);
239
			    file, linenum, BN_num_bits(key->rsa->n), bits);
240
240
241
		if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
241
		if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
242
		    SSH_FP_DEFAULT)) == NULL)
242
		    options.fingerprint_hash_encoding)) == NULL)
243
			continue;
243
			continue;
244
		debug("matching key found: file %s, line %lu %s %s",
244
		debug("matching key found: file %s, line %lu %s %s",
245
		    file, linenum, key_type(key), fp);
245
		    file, linenum, key_type(key), fp);
(-)a/auth.c (-1 / +1 lines)
Lines 693-699 auth_key_is_revoked(Key *key) Link Here
693
	if (options.revoked_keys_file == NULL)
693
	if (options.revoked_keys_file == NULL)
694
		return 0;
694
		return 0;
695
	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
695
	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
696
	    SSH_FP_DEFAULT)) == NULL) {
696
	    options.fingerprint_hash_encoding)) == NULL) {
697
		r = SSH_ERR_ALLOC_FAIL;
697
		r = SSH_ERR_ALLOC_FAIL;
698
		error("%s: fingerprint key: %s", __func__, ssh_err(r));
698
		error("%s: fingerprint key: %s", __func__, ssh_err(r));
699
		goto out;
699
		goto out;
(-)a/auth2-hostbased.c (-2 / +4 lines)
Lines 225-231 hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, Link Here
225
	if (host_status == HOST_OK) {
225
	if (host_status == HOST_OK) {
226
		if (key_is_cert(key)) {
226
		if (key_is_cert(key)) {
227
			if ((fp = sshkey_fingerprint(key->cert->signature_key,
227
			if ((fp = sshkey_fingerprint(key->cert->signature_key,
228
			    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
228
			    options.fingerprint_hash,
229
			    options.fingerprint_hash_encoding)) == NULL)
229
				fatal("%s: sshkey_fingerprint fail", __func__);
230
				fatal("%s: sshkey_fingerprint fail", __func__);
230
			verbose("Accepted certificate ID \"%s\" signed by "
231
			verbose("Accepted certificate ID \"%s\" signed by "
231
			    "%s CA %s from %s@%s", key->cert->key_id,
232
			    "%s CA %s from %s@%s", key->cert->key_id,
Lines 233-239 hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, Link Here
233
			    cuser, lookup);
234
			    cuser, lookup);
234
		} else {
235
		} else {
235
			if ((fp = sshkey_fingerprint(key,
236
			if ((fp = sshkey_fingerprint(key,
236
			    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
237
			    options.fingerprint_hash,
238
			    options.fingerprint_hash_encoding)) == NULL)
237
				fatal("%s: sshkey_fingerprint fail", __func__);
239
				fatal("%s: sshkey_fingerprint fail", __func__);
238
			verbose("Accepted %s public key %s from %s@%s",
240
			verbose("Accepted %s public key %s from %s@%s",
239
			    key_type(key), fp, cuser, lookup);
241
			    key_type(key), fp, cuser, lookup);
(-)a/auth2-pubkey.c (-7 / +12 lines)
Lines 126-132 userauth_pubkey(Authctxt *authctxt) Link Here
126
		    "signature scheme");
126
		    "signature scheme");
127
		goto done;
127
		goto done;
128
	}
128
	}
129
	fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
129
	fp = sshkey_fingerprint(key, options.fingerprint_hash,
130
	    options.fingerprint_hash_encoding);
130
	if (auth2_userkey_already_used(authctxt, key)) {
131
	if (auth2_userkey_already_used(authctxt, key)) {
131
		logit("refusing previously-used %s key", key_type(key));
132
		logit("refusing previously-used %s key", key_type(key));
132
		goto done;
133
		goto done;
Lines 237-243 pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) Link Here
237
238
238
	if (key_is_cert(key)) {
239
	if (key_is_cert(key)) {
239
		fp = sshkey_fingerprint(key->cert->signature_key,
240
		fp = sshkey_fingerprint(key->cert->signature_key,
240
		    options.fingerprint_hash, SSH_FP_DEFAULT);
241
		    options.fingerprint_hash,
242
		    options.fingerprint_hash_encoding);
241
		auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s", 
243
		auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s", 
242
		    key_type(key), key->cert->key_id,
244
		    key_type(key), key->cert->key_id,
243
		    (unsigned long long)key->cert->serial,
245
		    (unsigned long long)key->cert->serial,
Lines 247-253 pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) Link Here
247
		free(fp);
249
		free(fp);
248
	} else {
250
	} else {
249
		fp = sshkey_fingerprint(key, options.fingerprint_hash,
251
		fp = sshkey_fingerprint(key, options.fingerprint_hash,
250
		    SSH_FP_DEFAULT);
252
		    options.fingerprint_hash_encoding);
251
		auth_info(authctxt, "%s %s%s%s", key_type(key),
253
		auth_info(authctxt, "%s %s%s%s", key_type(key),
252
		    fp == NULL ? "(null)" : fp,
254
		    fp == NULL ? "(null)" : fp,
253
		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
255
		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
Lines 773-779 check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) Link Here
773
			if (!key_is_cert_authority)
775
			if (!key_is_cert_authority)
774
				continue;
776
				continue;
775
			if ((fp = sshkey_fingerprint(found,
777
			if ((fp = sshkey_fingerprint(found,
776
			    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
778
			    options.fingerprint_hash,
779
			    options.fingerprint_hash_encoding)) == NULL)
777
				continue;
780
				continue;
778
			debug("matching CA found: file %s, line %lu, %s %s",
781
			debug("matching CA found: file %s, line %lu, %s %s",
779
			    file, linenum, key_type(found), fp);
782
			    file, linenum, key_type(found), fp);
Lines 815-821 check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) Link Here
815
			if (key_is_cert_authority)
818
			if (key_is_cert_authority)
816
				continue;
819
				continue;
817
			if ((fp = sshkey_fingerprint(found,
820
			if ((fp = sshkey_fingerprint(found,
818
			    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
821
			    options.fingerprint_hash,
822
			    options.fingerprint_hash_encoding)) == NULL)
819
				continue;
823
				continue;
820
			debug("matching key found: file %s, line %lu %s %s",
824
			debug("matching key found: file %s, line %lu %s %s",
821
			    file, linenum, key_type(found), fp);
825
			    file, linenum, key_type(found), fp);
Lines 843-849 user_cert_trusted_ca(struct passwd *pw, Key *key) Link Here
843
		return 0;
847
		return 0;
844
848
845
	if ((ca_fp = sshkey_fingerprint(key->cert->signature_key,
849
	if ((ca_fp = sshkey_fingerprint(key->cert->signature_key,
846
	    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
850
	    options.fingerprint_hash,
851
	    options.fingerprint_hash_encoding)) == NULL)
847
		return 0;
852
		return 0;
848
853
849
	if (sshkey_in_file(key->cert->signature_key,
854
	if (sshkey_in_file(key->cert->signature_key,
Lines 958-964 user_key_command_allowed2(struct passwd *user_pw, Key *key) Link Here
958
963
959
	/* Prepare AuthorizedKeysCommand */
964
	/* Prepare AuthorizedKeysCommand */
960
	if ((key_fp = sshkey_fingerprint(key, options.fingerprint_hash,
965
	if ((key_fp = sshkey_fingerprint(key, options.fingerprint_hash,
961
	    SSH_FP_DEFAULT)) == NULL) {
966
	    options.fingerprint_hash_encoding)) == NULL) {
962
		error("%s: sshkey_fingerprint failed", __func__);
967
		error("%s: sshkey_fingerprint failed", __func__);
963
		goto out;
968
		goto out;
964
	}
969
	}
(-)a/clientloop.c (-4 / +7 lines)
Lines 2231-2237 update_known_hosts(struct hostkeys_update_ctx *ctx) Link Here
2231
		if (ctx->keys_seen[i] != 2)
2231
		if (ctx->keys_seen[i] != 2)
2232
			continue;
2232
			continue;
2233
		if ((fp = sshkey_fingerprint(ctx->keys[i],
2233
		if ((fp = sshkey_fingerprint(ctx->keys[i],
2234
		    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
2234
		    options.fingerprint_hash,
2235
		    options.fingerprint_hash_encoding)) == NULL)
2235
			fatal("%s: sshkey_fingerprint failed", __func__);
2236
			fatal("%s: sshkey_fingerprint failed", __func__);
2236
		do_log2(loglevel, "Learned new hostkey: %s %s",
2237
		do_log2(loglevel, "Learned new hostkey: %s %s",
2237
		    sshkey_type(ctx->keys[i]), fp);
2238
		    sshkey_type(ctx->keys[i]), fp);
Lines 2239-2245 update_known_hosts(struct hostkeys_update_ctx *ctx) Link Here
2239
	}
2240
	}
2240
	for (i = 0; i < ctx->nold; i++) {
2241
	for (i = 0; i < ctx->nold; i++) {
2241
		if ((fp = sshkey_fingerprint(ctx->old_keys[i],
2242
		if ((fp = sshkey_fingerprint(ctx->old_keys[i],
2242
		    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
2243
		    options.fingerprint_hash,
2244
		    options.fingerprint_hash)) == NULL)
2243
			fatal("%s: sshkey_fingerprint failed", __func__);
2245
			fatal("%s: sshkey_fingerprint failed", __func__);
2244
		do_log2(loglevel, "Deprecating obsolete hostkey: %s %s",
2246
		do_log2(loglevel, "Deprecating obsolete hostkey: %s %s",
2245
		    sshkey_type(ctx->old_keys[i]), fp);
2247
		    sshkey_type(ctx->old_keys[i]), fp);
Lines 2282-2288 update_known_hosts(struct hostkeys_update_ctx *ctx) Link Here
2282
	    (r = hostfile_replace_entries(options.user_hostfiles[0],
2284
	    (r = hostfile_replace_entries(options.user_hostfiles[0],
2283
	    ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys,
2285
	    ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys,
2284
	    options.hash_known_hosts, 0,
2286
	    options.hash_known_hosts, 0,
2285
	    options.fingerprint_hash)) != 0)
2287
	    options.fingerprint_hash,
2288
	    options.fingerprint_hash_encoding)) != 0)
2286
		error("%s: hostfile_replace_entries failed: %s",
2289
		error("%s: hostfile_replace_entries failed: %s",
2287
		    __func__, ssh_err(r));
2290
		    __func__, ssh_err(r));
2288
}
2291
}
Lines 2396-2402 client_input_hostkeys(void) Link Here
2396
			goto out;
2399
			goto out;
2397
		}
2400
		}
2398
		fp = sshkey_fingerprint(key, options.fingerprint_hash,
2401
		fp = sshkey_fingerprint(key, options.fingerprint_hash,
2399
		    SSH_FP_DEFAULT);
2402
		    options.fingerprint_hash_encoding);
2400
		debug3("%s: received %s key %s", __func__,
2403
		debug3("%s: received %s key %s", __func__,
2401
		    sshkey_type(key), fp);
2404
		    sshkey_type(key), fp);
2402
		free(fp);
2405
		free(fp);
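Review bot: The second loop in update_known_hosts (the `ctx->old_keys[i]` hunk at old lines 2241-2243) passes `options.fingerprint_hash` twice, so the hash algorithm id is handed to sshkey_fingerprint() as its `enum sshkey_fp_rep` argument instead of the new encoding setting; the new line should read `options.fingerprint_hash_encoding)) == NULL)`. Since both are plain ints the compiler will not object, and the integer value of the digest id would select whichever encoding happens to share that value, so the "Deprecating obsolete hostkey" line would be printed with a different fingerprint format than the "Learned new hostkey" line above it. update_known_hosts starts before the first hunk of this section and the remaining hunks (the hostfile_replace_entries call and client_input_hostkeys) use the encoding field correctly.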
(-)a/hostfile.c (-2 / +3 lines)
Lines 530-536 host_delete(struct hostkey_foreach_line *l, void *_ctx) Link Here
530
530
531
int
531
int
532
hostfile_replace_entries(const char *filename, const char *host, const char *ip,
532
hostfile_replace_entries(const char *filename, const char *host, const char *ip,
533
    struct sshkey **keys, size_t nkeys, int store_hash, int quiet, int hash_alg)
533
    struct sshkey **keys, size_t nkeys, int store_hash, int quiet, int hash_alg,
534
    int hash_encoding_alg)
534
{
535
{
535
	int r, fd, oerrno = 0;
536
	int r, fd, oerrno = 0;
536
	int loglevel = quiet ? SYSLOG_LEVEL_DEBUG1 : SYSLOG_LEVEL_VERBOSE;
537
	int loglevel = quiet ? SYSLOG_LEVEL_DEBUG1 : SYSLOG_LEVEL_VERBOSE;
Lines 585-591 hostfile_replace_entries(const char *filename, const char *host, const char *ip, Link Here
585
		if (ctx.skip_keys[i])
586
		if (ctx.skip_keys[i])
586
			continue;
587
			continue;
587
		if ((fp = sshkey_fingerprint(keys[i], hash_alg,
588
		if ((fp = sshkey_fingerprint(keys[i], hash_alg,
588
		    SSH_FP_DEFAULT)) == NULL) {
589
		    hash_encoding_alg)) == NULL) {
589
			r = SSH_ERR_ALLOC_FAIL;
590
			r = SSH_ERR_ALLOC_FAIL;
590
			goto fail;
591
			goto fail;
591
		}
592
		}
(-)a/hostfile.h (-1 / +1 lines)
Lines 46-52 int add_host_to_hostfile(const char *, const char *, Link Here
46
46
47
int	 hostfile_replace_entries(const char *filename,
47
int	 hostfile_replace_entries(const char *filename,
48
    const char *host, const char *ip, struct sshkey **keys, size_t nkeys,
48
    const char *host, const char *ip, struct sshkey **keys, size_t nkeys,
49
    int store_hash, int quiet, int hash_alg);
49
    int store_hash, int quiet, int hash_alg, int hash_encoding_alg);
50
50
51
#define HASH_MAGIC	"|1|"
51
#define HASH_MAGIC	"|1|"
52
#define HASH_DELIM	'|'
52
#define HASH_DELIM	'|'
(-)a/readconf.c (-1 / +21 lines)
Lines 158-164 typedef enum { Link Here
158
	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
158
	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
159
	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
159
	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
160
	oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
160
	oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
161
	oPubkeyAcceptedKeyTypes,
161
	oPubkeyAcceptedKeyTypes, oFingerprintHashEncoding,
162
	oIgnoredUnknownOption, oDeprecated, oUnsupported
162
	oIgnoredUnknownOption, oDeprecated, oUnsupported
163
} OpCodes;
163
} OpCodes;
164
164
Lines 277-282 static struct { Link Here
277
	{ "streamlocalbindunlink", oStreamLocalBindUnlink },
277
	{ "streamlocalbindunlink", oStreamLocalBindUnlink },
278
	{ "revokedhostkeys", oRevokedHostKeys },
278
	{ "revokedhostkeys", oRevokedHostKeys },
279
	{ "fingerprinthash", oFingerprintHash },
279
	{ "fingerprinthash", oFingerprintHash },
280
	{ "fingerprinthashencoding", oFingerprintHashEncoding },
280
	{ "updatehostkeys", oUpdateHostkeys },
281
	{ "updatehostkeys", oUpdateHostkeys },
281
	{ "hostbasedkeytypes", oHostbasedKeyTypes },
282
	{ "hostbasedkeytypes", oHostbasedKeyTypes },
282
	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
283
	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
Lines 1525-1530 parse_keytypes: Link Here
1525
			*intptr = value;
1526
			*intptr = value;
1526
		break;
1527
		break;
1527
1528
1529
	case oFingerprintHashEncoding:
1530
		intptr = &options->fingerprint_hash_encoding;
1531
		arg = strdelim(&s);
1532
		if (!arg || *arg == '\0')
1533
			fatal("%.200s line %d: Missing argument.",
1534
			    filename, linenum);
1535
		if ((value = sshkey_digest_encoding_alg_by_name(arg)) == -1)
1536
			fatal("%.200s line %d: Invalid hash encoding algorithm \"%s\".",
1537
			    filename, linenum, arg);
1538
		if (*activep && *intptr == -1)
1539
			*intptr = value;
1540
		break;
1541
1528
	case oUpdateHostkeys:
1542
	case oUpdateHostkeys:
1529
		intptr = &options->update_hostkeys;
1543
		intptr = &options->update_hostkeys;
1530
		multistate_ptr = multistate_yesnoask;
1544
		multistate_ptr = multistate_yesnoask;
Lines 1722-1727 initialize_options(Options * options) Link Here
1722
	options->canonicalize_hostname = -1;
1736
	options->canonicalize_hostname = -1;
1723
	options->revoked_host_keys = NULL;
1737
	options->revoked_host_keys = NULL;
1724
	options->fingerprint_hash = -1;
1738
	options->fingerprint_hash = -1;
1739
	options->fingerprint_hash_encoding = -1;
1725
	options->update_hostkeys = -1;
1740
	options->update_hostkeys = -1;
1726
	options->hostbased_key_types = NULL;
1741
	options->hostbased_key_types = NULL;
1727
	options->pubkey_key_types = NULL;
1742
	options->pubkey_key_types = NULL;
Lines 1901-1906 fill_default_options(Options * options) Link Here
1901
		options->canonicalize_hostname = SSH_CANONICALISE_NO;
1916
		options->canonicalize_hostname = SSH_CANONICALISE_NO;
1902
	if (options->fingerprint_hash == -1)
1917
	if (options->fingerprint_hash == -1)
1903
		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
1918
		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
1919
	if (options->fingerprint_hash_encoding == -1)
1920
		options->fingerprint_hash_encoding = SSH_FP_DEFAULT;
1904
	if (options->update_hostkeys == -1)
1921
	if (options->update_hostkeys == -1)
1905
		options->update_hostkeys = 0;
1922
		options->update_hostkeys = 0;
1906
	if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
1923
	if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
Lines 2173-2178 fmt_intarg(OpCodes code, int val) Link Here
2173
		return fmt_multistate_int(val, multistate_canonicalizehostname);
2190
		return fmt_multistate_int(val, multistate_canonicalizehostname);
2174
	case oFingerprintHash:
2191
	case oFingerprintHash:
2175
		return ssh_digest_alg_name(val);
2192
		return ssh_digest_alg_name(val);
2193
	case oFingerprintHashEncoding:
2194
		return sshkey_digest_encoding_alg_name(val);
2176
	case oProtocol:
2195
	case oProtocol:
2177
		switch (val) {
2196
		switch (val) {
2178
		case SSH_PROTO_1:
2197
		case SSH_PROTO_1:
Lines 2312-2317 dump_client_config(Options *o, const char *host) Link Here
2312
	dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign);
2331
	dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign);
2313
	dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
2332
	dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
2314
	dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash);
2333
	dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash);
2334
	dump_cfg_fmtint(oFingerprintHashEncoding, o->fingerprint_hash_encoding);
2315
	dump_cfg_fmtint(oForwardAgent, o->forward_agent);
2335
	dump_cfg_fmtint(oForwardAgent, o->forward_agent);
2316
	dump_cfg_fmtint(oForwardX11, o->forward_x11);
2336
	dump_cfg_fmtint(oForwardX11, o->forward_x11);
2317
	dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted);
2337
	dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted);
(-)a/readconf.h (+1 lines)
Lines 152-157 typedef struct { Link Here
152
	char	*revoked_host_keys;
152
	char	*revoked_host_keys;
153
153
154
	int	 fingerprint_hash;
154
	int	 fingerprint_hash;
155
	int	 fingerprint_hash_encoding;
155
156
156
	int	 update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
157
	int	 update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
157
158
(-)a/servconf.c (+20 lines)
Lines 169-174 initialize_server_options(ServerOptions *options) Link Here
169
	options->ip_qos_bulk = -1;
169
	options->ip_qos_bulk = -1;
170
	options->version_addendum = NULL;
170
	options->version_addendum = NULL;
171
	options->fingerprint_hash = -1;
171
	options->fingerprint_hash = -1;
172
	options->fingerprint_hash_encoding = -1;
172
}
173
}
173
174
174
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
175
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
Lines 353-358 fill_default_server_options(ServerOptions *options) Link Here
353
		options->fwd_opts.streamlocal_bind_unlink = 0;
354
		options->fwd_opts.streamlocal_bind_unlink = 0;
354
	if (options->fingerprint_hash == -1)
355
	if (options->fingerprint_hash == -1)
355
		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
356
		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
357
	if (options->fingerprint_hash_encoding == -1)
358
		options->fingerprint_hash_encoding = SSH_FP_DEFAULT;
356
359
357
	assemble_algorithms(options);
360
	assemble_algorithms(options);
358
361
Lines 430-435 typedef enum { Link Here
430
	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
433
	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
431
	sStreamLocalBindMask, sStreamLocalBindUnlink,
434
	sStreamLocalBindMask, sStreamLocalBindUnlink,
432
	sAllowStreamLocalForwarding, sFingerprintHash,
435
	sAllowStreamLocalForwarding, sFingerprintHash,
436
	sFingerprintHashEncoding,
433
	sDeprecated, sUnsupported
437
	sDeprecated, sUnsupported
434
} ServerOpCodes;
438
} ServerOpCodes;
435
439
Lines 572-577 static struct { Link Here
572
	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
576
	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
573
	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
577
	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
574
	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
578
	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
579
	{ "fingerprinthashencoding", sFingerprintHashEncoding, SSHCFG_GLOBAL },
575
	{ NULL, sBadOption, 0 }
580
	{ NULL, sBadOption, 0 }
576
};
581
};
577
582
Lines 1851-1856 process_server_config_line(ServerOptions *options, char *line, Link Here
1851
			options->fingerprint_hash = value;
1856
			options->fingerprint_hash = value;
1852
		break;
1857
		break;
1853
1858
1859
	case sFingerprintHashEncoding:
1860
		arg = strdelim(&cp);
1861
		if (!arg || *arg == '\0')
1862
			fatal("%.200s line %d: Missing argument.",
1863
			    filename, linenum);
1864
		if ((value = sshkey_digest_encoding_alg_by_name(arg)) == -1)
1865
			fatal("%.200s line %d: Invalid hash encoding algorithm \"%s\".",
1866
			    filename, linenum, arg);
1867
		if (*activep)
1868
			options->fingerprint_hash_encoding = value;
1869
		break;
1870
1854
	case sDeprecated:
1871
	case sDeprecated:
1855
		logit("%s line %d: Deprecated option %s",
1872
		logit("%s line %d: Deprecated option %s",
1856
		    filename, linenum, arg);
1873
		    filename, linenum, arg);
Lines 2108-2113 fmt_intarg(ServerOpCodes code, int val) Link Here
2108
		return fmt_multistate_int(val, multistate_tcpfwd);
2125
		return fmt_multistate_int(val, multistate_tcpfwd);
2109
	case sFingerprintHash:
2126
	case sFingerprintHash:
2110
		return ssh_digest_alg_name(val);
2127
		return ssh_digest_alg_name(val);
2128
	case sFingerprintHashEncoding:
2129
		return sshkey_digest_encoding_alg_name(val);
2111
	case sProtocol:
2130
	case sProtocol:
2112
		switch (val) {
2131
		switch (val) {
2113
		case SSH_PROTO_1:
2132
		case SSH_PROTO_1:
Lines 2294-2299 dump_config(ServerOptions *o) Link Here
2294
	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
2313
	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
2295
	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
2314
	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
2296
	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
2315
	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
2316
	dump_cfg_fmtint(sFingerprintHashEncoding, o->fingerprint_hash_encoding);
2297
2317
2298
	/* string arguments */
2318
	/* string arguments */
2299
	dump_cfg_string(sPidFile, o->pid_file);
2319
	dump_cfg_string(sPidFile, o->pid_file);
(-)a/servconf.h (+1 lines)
Lines 195-200 typedef struct { Link Here
195
	char   *auth_methods[MAX_AUTH_METHODS];
195
	char   *auth_methods[MAX_AUTH_METHODS];
196
196
197
	int	fingerprint_hash;
197
	int	fingerprint_hash;
198
	int	fingerprint_hash_encoding;
198
}       ServerOptions;
199
}       ServerOptions;
199
200
200
/* Information about the incoming connection as used by Match */
201
/* Information about the incoming connection as used by Match */
(-)a/ssh-keysign.c (-1 / +1 lines)
Lines 286-292 main(int argc, char **argv) Link Here
286
	}
286
	}
287
	if (!found) {
287
	if (!found) {
288
		if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
288
		if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
289
		    SSH_FP_DEFAULT)) == NULL)
289
		    options.fingerprint_hash_encoding)) == NULL)
290
			fatal("%s: sshkey_fingerprint failed", __progname);
290
			fatal("%s: sshkey_fingerprint failed", __progname);
291
		fatal("no matching hostkey found for key %s %s",
291
		fatal("no matching hostkey found for key %s %s",
292
		    sshkey_type(key), fp ? fp : "");
292
		    sshkey_type(key), fp ? fp : "");
(-)a/ssh_config.5 (+16 lines)
Lines 732-737 and Link Here
732
.Dq sha256 .
732
.Dq sha256 .
733
The default is
733
The default is
734
.Dq sha256 .
734
.Dq sha256 .
735
.It Cm FingerprintHashEncoding
736
Specifies the hash encoding algorithm used when displaying key fingerprints.
737
Valid options are:
738
.Dq default ,
739
.Dq hex ,
740
.Dq base64 ,
741
and
742
.Dq bubblebabble .
743
If this option is set to
744
.Dq default ,
745
it means
746
.Dq hex
747
for MD5 and
748
.Dq base64
749
for other digests. The default is
750
.Dq default .
735
.It Cm ForwardAgent
751
.It Cm ForwardAgent
736
Specifies whether the connection to the authentication agent (if any)
752
Specifies whether the connection to the authentication agent (if any)
737
will be forwarded to the remote machine.
753
will be forwarded to the remote machine.
(-)a/sshconnect.c (-6 / +9 lines)
Lines 923-929 check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, Link Here
923
				    "of known hosts.", type, ip);
923
				    "of known hosts.", type, ip);
924
		} else if (options.visual_host_key) {
924
		} else if (options.visual_host_key) {
925
			fp = sshkey_fingerprint(host_key,
925
			fp = sshkey_fingerprint(host_key,
926
			    options.fingerprint_hash, SSH_FP_DEFAULT);
926
			    options.fingerprint_hash, options.fingerprint_hash_encoding);
927
			ra = sshkey_fingerprint(host_key,
927
			ra = sshkey_fingerprint(host_key,
928
			    options.fingerprint_hash, SSH_FP_RANDOMART);
928
			    options.fingerprint_hash, SSH_FP_RANDOMART);
929
			if (fp == NULL || ra == NULL)
929
			if (fp == NULL || ra == NULL)
Lines 968-974 check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, Link Here
968
				snprintf(msg1, sizeof(msg1), ".");
968
				snprintf(msg1, sizeof(msg1), ".");
969
			/* The default */
969
			/* The default */
970
			fp = sshkey_fingerprint(host_key,
970
			fp = sshkey_fingerprint(host_key,
971
			    options.fingerprint_hash, SSH_FP_DEFAULT);
971
			    options.fingerprint_hash, options.fingerprint_hash_encoding);
972
			ra = sshkey_fingerprint(host_key,
972
			ra = sshkey_fingerprint(host_key,
973
			    options.fingerprint_hash, SSH_FP_RANDOMART);
973
			    options.fingerprint_hash, SSH_FP_RANDOMART);
974
			if (fp == NULL || ra == NULL)
974
			if (fp == NULL || ra == NULL)
Lines 1245-1251 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) Link Here
1245
	struct sshkey *plain = NULL;
1245
	struct sshkey *plain = NULL;
1246
1246
1247
	if ((fp = sshkey_fingerprint(host_key,
1247
	if ((fp = sshkey_fingerprint(host_key,
1248
	    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
1248
	    options.fingerprint_hash,
1249
	    options.fingerprint_hash_encoding)) == NULL) {
1249
		error("%s: fingerprint host key: %s", __func__, ssh_err(r));
1250
		error("%s: fingerprint host key: %s", __func__, ssh_err(r));
1250
		r = -1;
1251
		r = -1;
1251
		goto out;
1252
		goto out;
Lines 1253-1259 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) Link Here
1253
1254
1254
	if (sshkey_is_cert(host_key)) {
1255
	if (sshkey_is_cert(host_key)) {
1255
		if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
1256
		if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
1256
		    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
1257
		    options.fingerprint_hash,
1258
		    options.fingerprint_hash_encoding)) == NULL) {
1257
			error("%s: fingerprint CA key: %s",
1259
			error("%s: fingerprint CA key: %s",
1258
			    __func__, ssh_err(r));
1260
			    __func__, ssh_err(r));
1259
			r = -1;
1261
			r = -1;
Lines 1433-1439 show_other_keys(struct hostkeys *hostkeys, Key *key) Link Here
1433
		if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
1435
		if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
1434
			continue;
1436
			continue;
1435
		fp = sshkey_fingerprint(found->key,
1437
		fp = sshkey_fingerprint(found->key,
1436
		    options.fingerprint_hash, SSH_FP_DEFAULT);
1438
		    options.fingerprint_hash,
1439
		    options.fingerprint_hash_encoding);
1437
		ra = sshkey_fingerprint(found->key,
1440
		ra = sshkey_fingerprint(found->key,
1438
		    options.fingerprint_hash, SSH_FP_RANDOMART);
1441
		    options.fingerprint_hash, SSH_FP_RANDOMART);
1439
		if (fp == NULL || ra == NULL)
1442
		if (fp == NULL || ra == NULL)
Lines 1459-1465 warn_changed_key(Key *host_key) Link Here
1459
	char *fp;
1462
	char *fp;
1460
1463
1461
	fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
1464
	fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
1462
	    SSH_FP_DEFAULT);
1465
	    options.fingerprint_hash_encoding);
1463
	if (fp == NULL)
1466
	if (fp == NULL)
1464
		fatal("%s: sshkey_fingerprint fail", __func__);
1467
		fatal("%s: sshkey_fingerprint fail", __func__);
1465
1468
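Review bot: The two substitutions in check_host_key (old lines 926 and 971) are made on a single line, `options.fingerprint_hash, options.fingerprint_hash_encoding);`, which appears to exceed the 80-column limit that every other hunk in this patch respects by wrapping the encoding argument onto its own continuation line. For consistency with the verify_host_key and show_other_keys hunks below it, split them as `options.fingerprint_hash,` followed by `options.fingerprint_hash_encoding);` on the next continuation line. The `ra = sshkey_fingerprint(... SSH_FP_RANDOMART)` calls next to them are correctly left on the fixed randomart encoding. check_host_key starts and ends outside these hunks.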
(-)a/sshconnect2.c (-3 / +3 lines)
Lines 619-625 input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt) Link Here
619
		goto done;
619
		goto done;
620
	}
620
	}
621
	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
621
	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
622
	    SSH_FP_DEFAULT)) == NULL)
622
	    options.fingerprint_hash_encoding)) == NULL)
623
		goto done;
623
		goto done;
624
	debug2("input_userauth_pk_ok: fp %s", fp);
624
	debug2("input_userauth_pk_ok: fp %s", fp);
625
	free(fp);
625
	free(fp);
Lines 1057-1063 sign_and_send_pubkey(Authctxt *authctxt, Identity *id) Link Here
1057
	char *fp;
1057
	char *fp;
1058
1058
1059
	if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
1059
	if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
1060
	    SSH_FP_DEFAULT)) == NULL)
1060
	    options.fingerprint_hash_encoding)) == NULL)
1061
		return 0;
1061
		return 0;
1062
	debug3("%s: %s %s", __func__, key_type(id->key), fp);
1062
	debug3("%s: %s %s", __func__, key_type(id->key), fp);
1063
	free(fp);
1063
	free(fp);
Lines 1739-1745 userauth_hostbased(Authctxt *authctxt) Link Here
1739
	}
1739
	}
1740
1740
1741
	if ((fp = sshkey_fingerprint(private, options.fingerprint_hash,
1741
	if ((fp = sshkey_fingerprint(private, options.fingerprint_hash,
1742
	    SSH_FP_DEFAULT)) == NULL) {
1742
	    options.fingerprint_hash_encoding)) == NULL) {
1743
		error("%s: sshkey_fingerprint failed", __func__);
1743
		error("%s: sshkey_fingerprint failed", __func__);
1744
		goto out;
1744
		goto out;
1745
	}
1745
	}
(-)a/sshd_config.5 (+16 lines)
Lines 578-583 and Link Here
578
.Dq sha256 .
578
.Dq sha256 .
579
The default is
579
The default is
580
.Dq sha256 .
580
.Dq sha256 .
581
.It Cm FingerprintHashEncoding
582
Specifies the hash encoding algorithm used when displaying key fingerprints.
583
Valid options are:
584
.Dq default ,
585
.Dq hex ,
586
.Dq base64 ,
587
and
588
.Dq bubblebabble .
589
If this option is set to
590
.Dq default ,
591
it means
592
.Dq hex
593
for MD5 and
594
.Dq base64
595
for other digests. The default is
596
.Dq default .
581
.It Cm ForceCommand
597
.It Cm ForceCommand
582
Forces the execution of the command specified by
598
Forces the execution of the command specified by
583
.Cm ForceCommand ,
599
.Cm ForceCommand ,
(-)a/sshkey.c (+46 lines)
Lines 118-123 static const struct keytype keytypes[] = { Link Here
118
	{ NULL, NULL, -1, -1, 0, 0 }
118
	{ NULL, NULL, -1, -1, 0, 0 }
119
};
119
};
120
120
121
struct ssh_digest_encoding {
122
	int id;
123
	const char *name;
124
};
125
126
127
static const struct ssh_digest_encoding encodings[SSH_FP_MAX] = {
128
	{ SSH_FP_DEFAULT, "default" },
129
	{ SSH_FP_HEX, "hex" },
130
	{ SSH_FP_BASE64, "base64"},
131
	{ SSH_FP_BUBBLEBABBLE, "bubblebabble"},
132
	{ SSH_FP_RANDOMART, NULL}
133
};
134
135
static const struct ssh_digest_encoding *
136
sshkey_digest_encoding_by_alg(int alg)
137
{
138
	if (alg < 0 || alg >= SSH_FP_MAX)
139
		return NULL;
140
	if (encodings[alg].id != alg) /* sanity */
141
		return NULL;
142
	return &(encodings[alg]);
143
}
144
145
int
146
sshkey_digest_encoding_alg_by_name(const char *name)
147
{
148
	int alg;
149
150
	for (alg = 0; alg < SSH_FP_MAX; alg++) {
151
		if (encodings[alg].name == NULL)
152
			continue;
153
		if (strcasecmp(name, encodings[alg].name) == 0)
154
			return encodings[alg].id;
155
	}
156
	return -1;
157
}
158
159
const char *
160
sshkey_digest_encoding_alg_name(int alg)
161
{
162
	const struct ssh_digest_encoding *encoding = sshkey_digest_encoding_by_alg(alg);
163
164
	return encoding == NULL ? NULL : encoding->name;
165
}
166
121
const char *
167
const char *
122
sshkey_type(const struct sshkey *k)
168
sshkey_type(const struct sshkey *k)
123
{
169
{
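Review bot: The `encodings[SSH_FP_MAX]` table is indexed directly by the enum value and only the `encodings[alg].id != alg` sanity check in sshkey_digest_encoding_by_alg protects against the table and `enum sshkey_fp_rep` drifting apart, and nothing on the table itself says so; a comment would help the next person who adds an encoding, e.g. `/* Must stay in enum sshkey_fp_rep order; entries are looked up by index and id-checked. */`. The `{ SSH_FP_RANDOMART, NULL }` entry deserves a note too, since the NULL name is what keeps randomart from being selectable through FingerprintHashEncoding (sshkey_digest_encoding_alg_by_name skips NULL names) while sshkey_digest_encoding_alg_name() will return NULL for it, which callers such as fmt_intarg pass on unchecked. If sshkey.c does not already include the header that declares strcasecmp(), that include should be added in the same change; I cannot see the include block from this hunk.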
(-)a/sshkey.h (-2 / +8 lines)
Lines 74-80 enum sshkey_fp_rep { Link Here
74
	SSH_FP_HEX,
74
	SSH_FP_HEX,
75
	SSH_FP_BASE64,
75
	SSH_FP_BASE64,
76
	SSH_FP_BUBBLEBABBLE,
76
	SSH_FP_BUBBLEBABBLE,
77
	SSH_FP_RANDOMART
77
	SSH_FP_RANDOMART,
78
	SSH_FP_MAX
78
};
79
};
79
80
80
/* key is stored in external hardware */
81
/* key is stored in external hardware */
Lines 111-116 struct sshkey { Link Here
111
#define	ED25519_SK_SZ	crypto_sign_ed25519_SECRETKEYBYTES
112
#define	ED25519_SK_SZ	crypto_sign_ed25519_SECRETKEYBYTES
112
#define	ED25519_PK_SZ	crypto_sign_ed25519_PUBLICKEYBYTES
113
#define	ED25519_PK_SZ	crypto_sign_ed25519_PUBLICKEYBYTES
113
114
115
/* Looks up a digest encoding algorithm by name. */
116
int sshkey_digest_encoding_alg_by_name(const char *name);
117
118
/* Returns the algorithm name for a digest encoding identifier. */
119
const char *sshkey_digest_encoding_alg_name(int alg);
120
114
struct sshkey	*sshkey_new(int);
121
struct sshkey	*sshkey_new(int);
115
int		 sshkey_add_private(struct sshkey *);
122
int		 sshkey_add_private(struct sshkey *);
116
struct sshkey	*sshkey_new_private(int);
123
struct sshkey	*sshkey_new_private(int);
117
- 
