Attachment #2144 for bug #1978

Lines 78-104 Link Here

(-)dns.c (-24 / +69 lines)
78	u_char *digest, u_int digest_len, Key *key)	78	u_char *digest, u_int digest_len, Key *key)
79	{	79	{
80	int success = 0;	80	int success = 0;
		81	enum fp_type dgst_type;
81		82
82	switch (key->type) {	83	switch (key->type) {
83	case KEY_RSA:	84	case KEY_RSA:
84	*algorithm = SSHFP_KEY_RSA;	85	*algorithm = SSHFP_KEY_RSA;
		86	if (!*digest_type)
		87	*digest_type = SSHFP_HASH_SHA1;
85	break;	88	break;
86	case KEY_DSA:	89	case KEY_DSA:
87	*algorithm = SSHFP_KEY_DSA;	90	*algorithm = SSHFP_KEY_DSA;
		91	if (!*digest_type)
		92	*digest_type = SSHFP_HASH_SHA1;
		93	break;
		94	case KEY_ECDSA:
		95	*algorithm = SSHFP_KEY_ECDSA;
		96	#ifdef HAVE_EVP_SHA256
		97	if (!*digest_type)
		98	*digest_type = SSHFP_HASH_SHA256;
		99	#endif
88	break;	100	break;
89	/* XXX KEY_ECDSA */
90	default:	101	default:
91	algorithm = SSHFP_KEY_RESERVED; / 0 */	102	algorithm = SSHFP_KEY_RESERVED; / 0 */
		103	digest_type = SSHFP_HASH_RESERVED; / 0 */
92	}	104	}
93		105
94	if (*algorithm) {	106	switch (*digest_type) {
95	*digest_type = SSHFP_HASH_SHA1;	107	case SSHFP_HASH_SHA1:
96	*digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len);	108	dgst_type = SSH_FP_SHA1;
		109	break;
		110	#ifdef HAVE_EVP_SHA256
		111	case SSHFP_HASH_SHA256:
		112	dgst_type = SSH_FP_SHA256;
		113	break;
		114	#endif
		115	default:
		116	digest_type = SSHFP_HASH_RESERVED; / 0 */
		117	}
		118
		119	if (algorithm && digest_type) {
		120	*digest = key_fingerprint_raw(key, dgst_type, digest_len);
97	if (*digest == NULL)	121	if (*digest == NULL)
98	fatal("dns_read_key: null from key_fingerprint_raw()");	122	fatal("dns_read_key: null from key_fingerprint_raw()");
99	success = 1;	123	success = 1;
100	} else {	124	} else {
101	*digest_type = SSHFP_HASH_RESERVED;
102	*digest = NULL;	125	*digest = NULL;
103	*digest_len = 0;	126	*digest_len = 0;
104	success = 0;	127	success = 0;
Lines 180-186 Link Here
180	struct rrsetinfo *fingerprints = NULL;	203	struct rrsetinfo *fingerprints = NULL;
181		204
182	u_int8_t hostkey_algorithm;	205	u_int8_t hostkey_algorithm;
183	u_int8_t hostkey_digest_type;	206	u_int8_t hostkey_digest_type = SSHFP_HASH_RESERVED;
184	u_char *hostkey_digest;	207	u_char *hostkey_digest;
185	u_int hostkey_digest_len;	208	u_int hostkey_digest_len;
186		209
Lines 216-222 Link Here
216	fingerprints->rri_nrdatas);	239	fingerprints->rri_nrdatas);
217	}	240	}
218		241
219	/* Initialize host key parameters */	242	/* Initialize default host key parameters */
220	if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type,	243	if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type,
221	&hostkey_digest, &hostkey_digest_len, hostkey)) {	244	&hostkey_digest, &hostkey_digest_len, hostkey)) {
222	error("Error calculating host key fingerprint.");	245	error("Error calculating host key fingerprint.");
Lines 240-245 Link Here
240	continue;	263	continue;
241	}	264	}
242		265
		266	if (hostkey_digest_type != dnskey_digest_type) {
		267	hostkey_digest_type = dnskey_digest_type;
		268
		269	xfree(hostkey_digest);
		270	/* Initialize host key parameters */
		271	if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type,
		272	&hostkey_digest, &hostkey_digest_len, hostkey)) {
		273	error("Error calculating host key fingerprint.");
		274	freerrset(fingerprints);
		275	return -1;
		276	}
		277	}
		278
243	/* Check if the current key is the same as the given key */	279	/* Check if the current key is the same as the given key */
244	if (hostkey_algorithm == dnskey_algorithm &&	280	if (hostkey_algorithm == dnskey_algorithm &&
245	hostkey_digest_type == dnskey_digest_type) {	281	hostkey_digest_type == dnskey_digest_type) {
Lines 275-305 Link Here
275	export_dns_rr(const char hostname, Key key, FILE *f, int generic)	311	export_dns_rr(const char hostname, Key key, FILE *f, int generic)
276	{	312	{
277	u_int8_t rdata_pubkey_algorithm = 0;	313	u_int8_t rdata_pubkey_algorithm = 0;
278	u_int8_t rdata_digest_type = SSHFP_HASH_SHA1;	314	u_int8_t rdata_digest_type = SSHFP_HASH_RESERVED;
		315	u_int8_t digest_type;
279	u_char *rdata_digest;	316	u_char *rdata_digest;
280	u_int rdata_digest_len;	317	u_int rdata_digest_len;
281		318
282	u_int i;	319	u_int i;
283	int success = 0;	320	int success = 0;
284		321
285	if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,	322	for (digest_type = SSHFP_HASH_SHA1; digest_type <= SSHFP_HASH_LAST; digest_type += 1) {
286	&rdata_digest, &rdata_digest_len, key)) {
287		323
288	if (generic)	324	rdata_digest_type = digest_type;
289	fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname,
290	DNS_RDATATYPE_SSHFP, 2 + rdata_digest_len,
291	rdata_pubkey_algorithm, rdata_digest_type);
292	else
293	fprintf(f, "%s IN SSHFP %d %d ", hostname,
294	rdata_pubkey_algorithm, rdata_digest_type);
295		325
296	for (i = 0; i < rdata_digest_len; i++)	326	if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
297	fprintf(f, "%02x", rdata_digest[i]);	327	&rdata_digest, &rdata_digest_len, key)) {
298	fprintf(f, "\n");	328
299	xfree(rdata_digest); /* from key_fingerprint_raw() */	329	if (generic)
300	success = 1;	330	fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname,
301	} else {	331	DNS_RDATATYPE_SSHFP, 2 + rdata_digest_len,
302	error("export_dns_rr: unsupported algorithm");	332	rdata_pubkey_algorithm, rdata_digest_type);
		333	else
		334	fprintf(f, "%s IN SSHFP %d %d ", hostname,
		335	rdata_pubkey_algorithm, rdata_digest_type);
		336
		337	for (i = 0; i < rdata_digest_len; i++)
		338	fprintf(f, "%02x", rdata_digest[i]);
		339	fprintf(f, "\n");
		340	xfree(rdata_digest); /* from key_fingerprint_raw() */
		341	success = 1;
		342	}
		343	}
		344
		345	/* No SSHFP record was generated at all */
		346	if (success == 0) {
		347	error("export_dns_rr: unsupported algorithm and/or digest_type");
303	}	348	}
304		349
305	return success;	350	return success;




enum sshfp_types {
	SSHFP_KEY_RESERVED,
	SSHFP_KEY_RSA,
	SSHFP_KEY_DSA,
	SSHFP_KEY_ECDSA
};

enum sshfp_hashes {
	SSHFP_HASH_RESERVED,
	SSHFP_HASH_SHA1,
#ifdef HAVE_EVP_SHA256
	SSHFP_HASH_SHA256,
	SSHFP_HASH_LAST=SSHFP_HASH_SHA256
#else
	SSHFP_HASH_LAST=SSHFP_HASH_SHA1
#endif
};

#define DNS_RDATACLASS_IN	1

Lines 342-347 Link Here

(-)key.c (+5 lines)
342	case SSH_FP_SHA1:	342	case SSH_FP_SHA1:
343	md = EVP_sha1();	343	md = EVP_sha1();
344	break;	344	break;
		345	#ifdef HAVE_EVP_SHA256
		346	case SSH_FP_SHA256:
		347	md = EVP_sha256();
		348	break;
		349	#endif
345	default:	350	default:
346	fatal("key_fingerprint_raw: bad digest type %d",	351	fatal("key_fingerprint_raw: bad digest type %d",
347	dgst_type);	352	dgst_type);

Lines 48-54 Link Here

(-)key.h (-1 / +4 lines)
48	};	48	};
49	enum fp_type {	49	enum fp_type {
50	SSH_FP_SHA1,	50	SSH_FP_SHA1,
51	SSH_FP_MD5	51	SSH_FP_MD5,
		52	#ifdef HAVE_EVP_SHA256
		53	SSH_FP_SHA256
		54	#endif
52	};	55	};
53	enum fp_rep {	56	enum fp_rep {
54	SSH_FP_HEX,	57	SSH_FP_HEX,

Return to bug 1978

Lines 31-42 Link Here

(-)dns.h (-2 / +9 lines)
31	enum sshfp_types {	31	enum sshfp_types {
32	SSHFP_KEY_RESERVED,	32	SSHFP_KEY_RESERVED,
33	SSHFP_KEY_RSA,	33	SSHFP_KEY_RSA,
34	SSHFP_KEY_DSA	34	SSHFP_KEY_DSA,
		35	SSHFP_KEY_ECDSA
35	};	36	};
36		37
37	enum sshfp_hashes {	38	enum sshfp_hashes {
38	SSHFP_HASH_RESERVED,	39	SSHFP_HASH_RESERVED,
39	SSHFP_HASH_SHA1	40	SSHFP_HASH_SHA1,
		41	#ifdef HAVE_EVP_SHA256
		42	SSHFP_HASH_SHA256,
		43	SSHFP_HASH_LAST=SSHFP_HASH_SHA256
		44	#else
		45	SSHFP_HASH_LAST=SSHFP_HASH_SHA1
		46	#endif
40	};	47	};
41		48
42	#define DNS_RDATACLASS_IN 1	49	#define DNS_RDATACLASS_IN 1