Bugzilla – Attachment 2800 Details for
Bug 2555
[patch] Add FingerprintHashEncoding keyword
[patch]
proposed patch
0001-Add-FingerprintHashEncoding-keyword.patch (text/plain), 22.18 KB, created by
Gleb Fotengauer-Malinovskiy
on 2016-03-18 04:38:00 AEDT
Description:
proposed patch
Filename:
MIME Type:
Creator:
Gleb Fotengauer-Malinovskiy
Created:
2016-03-18 04:38:00 AEDT
Size:
22.18 KB
patch
obsolete
>From 07e879abbc1297fae1784f28431a14e47bb8fdc2 Mon Sep 17 00:00:00 2001
>From: Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>
>Date: Wed, 16 Mar 2016 20:36:50 +0300
>Subject: [PATCH] Add FingerprintHashEncoding keyword
>
>---
> auth-rsa.c | 2 +-
> auth.c | 2 +-
> auth2-hostbased.c | 6 ++++--
> auth2-pubkey.c | 19 ++++++++++++-------
> clientloop.c | 11 +++++++----
> hostfile.c | 5 +++--
> hostfile.h | 2 +-
> readconf.c | 22 +++++++++++++++++++++-
> readconf.h | 1 +
> servconf.c | 20 ++++++++++++++++++++
> servconf.h | 1 +
> ssh-keysign.c | 2 +-
> ssh_config.5 | 16 ++++++++++++++++
> sshconnect.c | 15 +++++++++------
> sshconnect2.c | 6 +++---
> sshd_config.5 | 16 ++++++++++++++++
> sshkey.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
> sshkey.h | 9 ++++++++-
> 18 files changed, 171 insertions(+), 30 deletions(-)
>
>diff --git a/auth-rsa.c b/auth-rsa.c
>index cbd971b..afa0504 100644
>--- a/auth-rsa.c
>+++ b/auth-rsa.c
>@@ -239,7 +239,7 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
> file, linenum, BN_num_bits(key->rsa->n), bits);
> 
> if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
>- SSH_FP_DEFAULT)) == NULL)
>+ options.fingerprint_hash_encoding)) == NULL)
> continue;
> debug("matching key found: file %s, line %lu %s %s",
> file, linenum, key_type(key), fp);
>diff --git a/auth.c b/auth.c
>index 55629b3..821df31 100644
>--- a/auth.c
>+++ b/auth.c
>@@ -693,7 +693,7 @@ auth_key_is_revoked(Key *key)
> if (options.revoked_keys_file == NULL)
> return 0;
> if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
>- SSH_FP_DEFAULT)) == NULL) {
>+ options.fingerprint_hash_encoding)) == NULL) {
> r = SSH_ERR_ALLOC_FAIL;
> error("%s: fingerprint key: %s", __func__, ssh_err(r));
> goto out;
>diff --git a/auth2-hostbased.c b/auth2-hostbased.c
>index 1b3c3b2..5d2be01 100644
>--- a/auth2-hostbased.c
>+++ b/auth2-hostbased.c
>@@ -225,7 +225,8 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
> if (host_status == HOST_OK) {
> if (key_is_cert(key)) {
> if ((fp = sshkey_fingerprint(key->cert->signature_key,
>- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
>+ options.fingerprint_hash,
>+ options.fingerprint_hash_encoding)) == NULL)
> fatal("%s: sshkey_fingerprint fail", __func__);
> verbose("Accepted certificate ID \"%s\" signed by "
> "%s CA %s from %s@%s", key->cert->key_id,
>@@ -233,7 +234,8 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
> cuser, lookup);
> } else {
> if ((fp = sshkey_fingerprint(key,
>- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
>+ options.fingerprint_hash,
>+ options.fingerprint_hash_encoding)) == NULL)
> fatal("%s: sshkey_fingerprint fail", __func__);
> verbose("Accepted %s public key %s from %s@%s",
> key_type(key), fp, cuser, lookup);
>diff --git a/auth2-pubkey.c b/auth2-pubkey.c
>index 41b34ae..98456d6 100644
>--- a/auth2-pubkey.c
>+++ b/auth2-pubkey.c
>@@ -126,7 +126,8 @@ userauth_pubkey(Authctxt *authctxt)
> "signature scheme");
> goto done;
> }
>- fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
>+ fp = sshkey_fingerprint(key, options.fingerprint_hash,
>+ options.fingerprint_hash_encoding);
> if (auth2_userkey_already_used(authctxt, key)) {
> logit("refusing previously-used %s key", key_type(key));
> goto done;
>@@ -237,7 +238,8 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
> 
> if (key_is_cert(key)) {
> fp = sshkey_fingerprint(key->cert->signature_key,
>- options.fingerprint_hash, SSH_FP_DEFAULT);
>+ options.fingerprint_hash,
>+ options.fingerprint_hash_encoding);
> auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
> key_type(key), key->cert->key_id,
> (unsigned long long)key->cert->serial,
>@@ -247,7 +249,7 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
> free(fp);
> } else {
> fp = sshkey_fingerprint(key, options.fingerprint_hash,
>- SSH_FP_DEFAULT);
>+ options.fingerprint_hash_encoding);
> auth_info(authctxt, "%s %s%s%s", key_type(key),
> fp == NULL ? "(null)" : fp,
> extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
>@@ -773,7 +775,8 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
> if (!key_is_cert_authority)
> continue;
> if ((fp = sshkey_fingerprint(found,
>- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
>+ options.fingerprint_hash,
>+ options.fingerprint_hash_encoding)) == NULL)
> continue;
> debug("matching CA found: file %s, line %lu, %s %s",
> file, linenum, key_type(found), fp);
>@@ -815,7 +818,8 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
> if (key_is_cert_authority)
> continue;
> if ((fp = sshkey_fingerprint(found,
>- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
>+ options.fingerprint_hash,
>+ options.fingerprint_hash_encoding)) == NULL)
> continue;
> debug("matching key found: file %s, line %lu %s %s",
> file, linenum, key_type(found), fp);
>@@ -843,7 +847,8 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
> return 0;
> 
> if ((ca_fp = sshkey_fingerprint(key->cert->signature_key,
>- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
>+ options.fingerprint_hash,
>+ options.fingerprint_hash_encoding)) == NULL)
> return 0;
> 
> if (sshkey_in_file(key->cert->signature_key,
>@@ -958,7 +963,7 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
> 
> /* Prepare AuthorizedKeysCommand */
> if ((key_fp = sshkey_fingerprint(key, options.fingerprint_hash,
>- SSH_FP_DEFAULT)) == NULL) {
>+ options.fingerprint_hash_encoding)) == NULL) {
> error("%s: sshkey_fingerprint failed", __func__);
> goto out;
> }
>diff --git a/clientloop.c b/clientloop.c
>index 9820455..654af18 100644
>--- a/clientloop.c
>+++ b/clientloop.c
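Review bot: The fingerprint that `pubkey_auth_info` passes to `auth_info()` in both of its hunks, and the ones logged by `debug()` in `check_authkeys_file` and `user_cert_trusted_ca`, now take their textual form from the new FingerprintHashEncoding option rather than the fixed SSH_FP_DEFAULT, so any log pipeline or monitoring rule that matches on the fingerprint column of sshd's auth records has to be told when the option is changed. Unconfigured servers keep the old output because `fill_default_server_options` still falls back to SSH_FP_DEFAULT, so this is a documentation point rather than a defect: the sshd_config.5 entry for the keyword could add a sentence such as "This also affects the form in which fingerprints appear in log messages." The enclosing functions in each of these hunks start and end outside the hunk.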
>@@ -2231,7 +2231,8 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
> if (ctx->keys_seen[i] != 2)
> continue;
> if ((fp = sshkey_fingerprint(ctx->keys[i],
>- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
>+ options.fingerprint_hash,
>+ options.fingerprint_hash_encoding)) == NULL)
> fatal("%s: sshkey_fingerprint failed", __func__);
> do_log2(loglevel, "Learned new hostkey: %s %s",
> sshkey_type(ctx->keys[i]), fp);
>@@ -2239,7 +2240,8 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
> }
> for (i = 0; i < ctx->nold; i++) {
> if ((fp = sshkey_fingerprint(ctx->old_keys[i],
>- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
>+ options.fingerprint_hash,
>+ options.fingerprint_hash)) == NULL)
> fatal("%s: sshkey_fingerprint failed", __func__);
> do_log2(loglevel, "Deprecating obsolete hostkey: %s %s",
> sshkey_type(ctx->old_keys[i]), fp);
>@@ -2282,7 +2284,8 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
> (r = hostfile_replace_entries(options.user_hostfiles[0],
> ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys,
> options.hash_known_hosts, 0,
>- options.fingerprint_hash)) != 0)
>+ options.fingerprint_hash,
>+ options.fingerprint_hash_encoding)) != 0)
> error("%s: hostfile_replace_entries failed: %s",
> __func__, ssh_err(r));
> }
>@@ -2396,7 +2399,7 @@ client_input_hostkeys(void)
> goto out;
> }
> fp = sshkey_fingerprint(key, options.fingerprint_hash,
>- SSH_FP_DEFAULT);
>+ options.fingerprint_hash_encoding);
> debug3("%s: received %s key %s", __func__,
> sshkey_type(key), fp);
> free(fp);
>diff --git a/hostfile.c b/hostfile.c
>index 2850a47..07ed345 100644
>--- a/hostfile.c
>+++ b/hostfile.c
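Review bot: The second `update_known_hosts` hunk (the `ctx->old_keys[i]` loop, `@@ -2239,7 +2240,8`) passes `options.fingerprint_hash` twice, so the digest algorithm id is handed to `sshkey_fingerprint` as its representation argument instead of the configured encoding; every other call site in this patch passes `options.fingerprint_hash_encoding` there, which looks like a copy-paste slip. The "Deprecating obsolete hostkey" line would then be rendered with whatever representation the hash id happens to alias, or fail outright, depending on how `sshkey_fingerprint` treats an out-of-range rep (not visible here). The added line should read `options.fingerprint_hash_encoding)) == NULL)` like the first hunk in this function. `update_known_hosts` starts and ends outside these hunks.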
>@@ -530,7 +530,8 @@ host_delete(struct hostkey_foreach_line *l, void *_ctx)
> 
> int
> hostfile_replace_entries(const char *filename, const char *host, const char *ip,
>- struct sshkey **keys, size_t nkeys, int store_hash, int quiet, int hash_alg)
>+ struct sshkey **keys, size_t nkeys, int store_hash, int quiet, int hash_alg,
>+ int hash_encoding_alg)
> {
> int r, fd, oerrno = 0;
> int loglevel = quiet ? SYSLOG_LEVEL_DEBUG1 : SYSLOG_LEVEL_VERBOSE;
>@@ -585,7 +586,7 @@ hostfile_replace_entries(const char *filename, const char *host, const char *ip,
> if (ctx.skip_keys[i])
> continue;
> if ((fp = sshkey_fingerprint(keys[i], hash_alg,
>- SSH_FP_DEFAULT)) == NULL) {
>+ hash_encoding_alg)) == NULL) {
> r = SSH_ERR_ALLOC_FAIL;
> goto fail;
> }
>diff --git a/hostfile.h b/hostfile.h
>index bd21043..2fbf0fa 100644
>--- a/hostfile.h
>+++ b/hostfile.h
>@@ -46,7 +46,7 @@ int add_host_to_hostfile(const char *, const char *,
> 
> int hostfile_replace_entries(const char *filename,
> const char *host, const char *ip, struct sshkey **keys, size_t nkeys,
>- int store_hash, int quiet, int hash_alg);
>+ int store_hash, int quiet, int hash_alg, int hash_encoding_alg);
> 
> #define HASH_MAGIC "|1|"
> #define HASH_DELIM '|'
>diff --git a/readconf.c b/readconf.c
>index 69d4553..9a53acc 100644
>--- a/readconf.c
>+++ b/readconf.c
>@@ -158,7 +158,7 @@ typedef enum {
> oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
> oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
> oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
>- oPubkeyAcceptedKeyTypes,
>+ oPubkeyAcceptedKeyTypes, oFingerprintHashEncoding,
> oIgnoredUnknownOption, oDeprecated, oUnsupported
> } OpCodes;
> 
>@@ -277,6 +277,7 @@ static struct {
> { "streamlocalbindunlink", oStreamLocalBindUnlink },
> { "revokedhostkeys", oRevokedHostKeys },
> { "fingerprinthash", oFingerprintHash },
>+ { "fingerprinthashencoding", oFingerprintHashEncoding },
> { "updatehostkeys", oUpdateHostkeys },
> { "hostbasedkeytypes", oHostbasedKeyTypes },
> { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
>@@ -1525,6 +1526,19 @@ parse_keytypes:
> *intptr = value;
> break;
> 
>+ case oFingerprintHashEncoding:
>+ intptr = &options->fingerprint_hash_encoding;
>+ arg = strdelim(&s);
>+ if (!arg || *arg == '\0')
>+ fatal("%.200s line %d: Missing argument.",
>+ filename, linenum);
>+ if ((value = sshkey_digest_encoding_alg_by_name(arg)) == -1)
>+ fatal("%.200s line %d: Invalid hash encoding algorithm \"%s\".",
>+ filename, linenum, arg);
>+ if (*activep && *intptr == -1)
>+ *intptr = value;
>+ break;
>+
> case oUpdateHostkeys:
> intptr = &options->update_hostkeys;
> multistate_ptr = multistate_yesnoask;
>@@ -1722,6 +1736,7 @@ initialize_options(Options * options)
> options->canonicalize_hostname = -1;
> options->revoked_host_keys = NULL;
> options->fingerprint_hash = -1;
>+ options->fingerprint_hash_encoding = -1;
> options->update_hostkeys = -1;
> options->hostbased_key_types = NULL;
> options->pubkey_key_types = NULL;
>@@ -1901,6 +1916,8 @@ fill_default_options(Options * options)
> options->canonicalize_hostname = SSH_CANONICALISE_NO;
> if (options->fingerprint_hash == -1)
> options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
>+ if (options->fingerprint_hash_encoding == -1)
>+ options->fingerprint_hash_encoding = SSH_FP_DEFAULT;
> if (options->update_hostkeys == -1)
> options->update_hostkeys = 0;
> if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
>@@ -2173,6 +2190,8 @@ fmt_intarg(OpCodes code, int val)
> return fmt_multistate_int(val, multistate_canonicalizehostname);
> case oFingerprintHash:
> return ssh_digest_alg_name(val);
>+ case oFingerprintHashEncoding:
>+ return sshkey_digest_encoding_alg_name(val);
> case oProtocol:
> switch (val) {
> case SSH_PROTO_1:
>@@ -2312,6 +2331,7 @@ dump_client_config(Options *o, const char *host)
> dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign);
> dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
> dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash);
>+ dump_cfg_fmtint(oFingerprintHashEncoding, o->fingerprint_hash_encoding);
> dump_cfg_fmtint(oForwardAgent, o->forward_agent);
> dump_cfg_fmtint(oForwardX11, o->forward_x11);
> dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted);
>diff --git a/readconf.h b/readconf.h
>index c84d068..1940388 100644
>--- a/readconf.h
>+++ b/readconf.h
>@@ -152,6 +152,7 @@ typedef struct {
> char *revoked_host_keys;
> 
> int fingerprint_hash;
>+ int fingerprint_hash_encoding;
> 
> int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
> 
>diff --git a/servconf.c b/servconf.c
>index ba39dce..73fbd99 100644
>--- a/servconf.c
>+++ b/servconf.c
>@@ -169,6 +169,7 @@ initialize_server_options(ServerOptions *options)
> options->ip_qos_bulk = -1;
> options->version_addendum = NULL;
> options->fingerprint_hash = -1;
>+ options->fingerprint_hash_encoding = -1;
> }
> 
> /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
>@@ -353,6 +354,8 @@ fill_default_server_options(ServerOptions *options)
> options->fwd_opts.streamlocal_bind_unlink = 0;
> if (options->fingerprint_hash == -1)
> options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
>+ if (options->fingerprint_hash_encoding == -1)
>+ options->fingerprint_hash_encoding = SSH_FP_DEFAULT;
> 
> assemble_algorithms(options);
> 
>@@ -430,6 +433,7 @@ typedef enum {
> sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
> sStreamLocalBindMask, sStreamLocalBindUnlink,
> sAllowStreamLocalForwarding, sFingerprintHash,
>+ sFingerprintHashEncoding,
> sDeprecated, sUnsupported
> } ServerOpCodes;
> 
>@@ -572,6 +576,7 @@ static struct {
> { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
> { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
> { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
>+ { "fingerprinthashencoding", sFingerprintHashEncoding, SSHCFG_GLOBAL },
> { NULL, sBadOption, 0 }
> };
> 
>@@ -1851,6 +1856,18 @@ process_server_config_line(ServerOptions *options, char *line,
> options->fingerprint_hash = value;
> break;
> 
>+ case sFingerprintHashEncoding:
>+ arg = strdelim(&cp);
>+ if (!arg || *arg == '\0')
>+ fatal("%.200s line %d: Missing argument.",
>+ filename, linenum);
>+ if ((value = sshkey_digest_encoding_alg_by_name(arg)) == -1)
>+ fatal("%.200s line %d: Invalid hash encoding algorithm \"%s\".",
>+ filename, linenum, arg);
>+ if (*activep)
>+ options->fingerprint_hash_encoding = value;
>+ break;
>+
> case sDeprecated:
> logit("%s line %d: Deprecated option %s",
> filename, linenum, arg);
>@@ -2108,6 +2125,8 @@ fmt_intarg(ServerOpCodes code, int val)
> return fmt_multistate_int(val, multistate_tcpfwd);
> case sFingerprintHash:
> return ssh_digest_alg_name(val);
>+ case sFingerprintHashEncoding:
>+ return sshkey_digest_encoding_alg_name(val);
> case sProtocol:
> switch (val) {
> case SSH_PROTO_1:
>@@ -2294,6 +2313,7 @@ dump_config(ServerOptions *o)
> dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
> dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
> dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
>+ dump_cfg_fmtint(sFingerprintHashEncoding, o->fingerprint_hash_encoding);
> 
> /* string arguments */
> dump_cfg_string(sPidFile, o->pid_file);
>diff --git a/servconf.h b/servconf.h
>index f4137af..39009ad 100644
>--- a/servconf.h
>+++ b/servconf.h
>@@ -195,6 +195,7 @@ typedef struct {
> char *auth_methods[MAX_AUTH_METHODS];
> 
> int fingerprint_hash;
>+ int fingerprint_hash_encoding;
> } ServerOptions;
> 
> /* Information about the incoming connection as used by Match */
>diff --git a/ssh-keysign.c b/ssh-keysign.c
>index ac5034d..3e82830 100644
>--- a/ssh-keysign.c
>+++ b/ssh-keysign.c
>@@ -286,7 +286,7 @@ main(int argc, char **argv)
> }
> if (!found) {
> if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
>- SSH_FP_DEFAULT)) == NULL)
>+ options.fingerprint_hash_encoding)) == NULL)
> fatal("%s: sshkey_fingerprint failed", __progname);
> fatal("no matching hostkey found for key %s %s",
> sshkey_type(key), fp ? fp : "");
>diff --git a/ssh_config.5 b/ssh_config.5
>index caf13a6..1405c91 100644
>--- a/ssh_config.5
>+++ b/ssh_config.5
>@@ -732,6 +732,22 @@ and
> .Dq sha256 .
> The default is
> .Dq sha256 .
>+.It Cm FingerprintHashEncoding
>+Specifies the hash encoding algorithm used when displaying key fingerprints.
>+Valid options are:
>+.Dq default ,
>+.Dq hex ,
>+.Dq base64 ,
>+and
>+.Dq bubblebabble .
>+If this option is set to
>+.Dq default ,
>+it means
>+.Dq hex
>+for MD5 and
>+.Dq base64
>+for other digests. The default is
>+.Dq default .
> .It Cm ForwardAgent
> Specifies whether the connection to the authentication agent (if any)
> will be forwarded to the remote machine.
>diff --git a/sshconnect.c b/sshconnect.c
>index 356ec79..e03937b 100644
>--- a/sshconnect.c
>+++ b/sshconnect.c
>@@ -923,7 +923,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
> "of known hosts.", type, ip);
> } else if (options.visual_host_key) {
> fp = sshkey_fingerprint(host_key,
>- options.fingerprint_hash, SSH_FP_DEFAULT);
>+ options.fingerprint_hash, options.fingerprint_hash_encoding);
> ra = sshkey_fingerprint(host_key,
> options.fingerprint_hash, SSH_FP_RANDOMART);
> if (fp == NULL || ra == NULL)
>@@ -968,7 +968,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
> snprintf(msg1, sizeof(msg1), ".");
> /* The default */
> fp = sshkey_fingerprint(host_key,
>- options.fingerprint_hash, SSH_FP_DEFAULT);
>+ options.fingerprint_hash, options.fingerprint_hash_encoding);
> ra = sshkey_fingerprint(host_key,
> options.fingerprint_hash, SSH_FP_RANDOMART);
> if (fp == NULL || ra == NULL)
>@@ -1245,7 +1245,8 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
> struct sshkey *plain = NULL;
> 
> if ((fp = sshkey_fingerprint(host_key,
>- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
>+ options.fingerprint_hash,
>+ options.fingerprint_hash_encoding)) == NULL) {
> error("%s: fingerprint host key: %s", __func__, ssh_err(r));
> r = -1;
> goto out;
>@@ -1253,7 +1254,8 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
> 
> if (sshkey_is_cert(host_key)) {
> if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
>- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
>+ options.fingerprint_hash,
>+ options.fingerprint_hash_encoding)) == NULL) {
> error("%s: fingerprint CA key: %s",
> __func__, ssh_err(r));
> r = -1;
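Review bot: The two `check_host_key` hunks put both arguments on a single continuation line, `options.fingerprint_hash, options.fingerprint_hash_encoding);`, while every other call site this patch touches (including the two `verify_host_key` hunks just below) splits them as `options.fingerprint_hash,` / `options.fingerprint_hash_encoding);`. Given the usual tab indentation at that depth (not preserved in this rendering, so an estimate), the one-line form likely exceeds the 80-column limit OpenSSH keeps to; splitting it the same way as the rest of the patch keeps the style uniform and the diff easier to audit, since this is also the place where the user is shown the host key during a first connection. `check_host_key` starts and ends outside these hunks.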
>@@ -1433,7 +1435,8 @@ show_other_keys(struct hostkeys *hostkeys, Key *key)
> if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
> continue;
> fp = sshkey_fingerprint(found->key,
>- options.fingerprint_hash, SSH_FP_DEFAULT);
>+ options.fingerprint_hash,
>+ options.fingerprint_hash_encoding);
> ra = sshkey_fingerprint(found->key,
> options.fingerprint_hash, SSH_FP_RANDOMART);
> if (fp == NULL || ra == NULL)
>@@ -1459,7 +1462,7 @@ warn_changed_key(Key *host_key)
> char *fp;
> 
> fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
>- SSH_FP_DEFAULT);
>+ options.fingerprint_hash_encoding);
> if (fp == NULL)
> fatal("%s: sshkey_fingerprint fail", __func__);
> 
>diff --git a/sshconnect2.c b/sshconnect2.c
>index 1cf48a2..3a6cf15 100644
>--- a/sshconnect2.c
>+++ b/sshconnect2.c
>@@ -619,7 +619,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
> goto done;
> }
> if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
>- SSH_FP_DEFAULT)) == NULL)
>+ options.fingerprint_hash_encoding)) == NULL)
> goto done;
> debug2("input_userauth_pk_ok: fp %s", fp);
> free(fp);
>@@ -1057,7 +1057,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
> char *fp;
> 
> if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
>- SSH_FP_DEFAULT)) == NULL)
>+ options.fingerprint_hash_encoding)) == NULL)
> return 0;
> debug3("%s: %s %s", __func__, key_type(id->key), fp);
> free(fp);
>@@ -1739,7 +1739,7 @@ userauth_hostbased(Authctxt *authctxt)
> }
> 
> if ((fp = sshkey_fingerprint(private, options.fingerprint_hash,
>- SSH_FP_DEFAULT)) == NULL) {
>+ options.fingerprint_hash_encoding)) == NULL) {
> error("%s: sshkey_fingerprint failed", __func__);
> goto out;
> }
>diff --git a/sshd_config.5 b/sshd_config.5
>index a37a3ac..049ff02 100644
>--- a/sshd_config.5
>+++ b/sshd_config.5
>@@ -578,6 +578,22 @@ and
> .Dq sha256 .
> The default is
> .Dq sha256 .
>+.It Cm FingerprintHashEncoding
>+Specifies the hash encoding algorithm used when displaying key fingerprints.
>+Valid options are:
>+.Dq default ,
>+.Dq hex ,
>+.Dq base64 ,
>+and
>+.Dq bubblebabble .
>+If this option is set to
>+.Dq default ,
>+it means
>+.Dq hex
>+for MD5 and
>+.Dq base64
>+for other digests. The default is
>+.Dq default .
> .It Cm ForceCommand
> Forces the execution of the command specified by
> .Cm ForceCommand ,
>diff --git a/sshkey.c b/sshkey.c
>index 87b093e..d1931ab 100644
>--- a/sshkey.c
>+++ b/sshkey.c
>@@ -118,6 +118,52 @@ static const struct keytype keytypes[] = {
> { NULL, NULL, -1, -1, 0, 0 }
> };
> 
>+struct ssh_digest_encoding {
>+ int id;
>+ const char *name;
>+};
>+
>+
>+static const struct ssh_digest_encoding encodings[SSH_FP_MAX] = {
>+ { SSH_FP_DEFAULT, "default" },
>+ { SSH_FP_HEX, "hex" },
>+ { SSH_FP_BASE64, "base64"},
>+ { SSH_FP_BUBBLEBABBLE, "bubblebabble"},
>+ { SSH_FP_RANDOMART, NULL}
>+};
>+
>+static const struct ssh_digest_encoding *
>+sshkey_digest_encoding_by_alg(int alg)
>+{
>+ if (alg < 0 || alg >= SSH_FP_MAX)
>+ return NULL;
>+ if (encodings[alg].id != alg) /* sanity */
>+ return NULL;
>+ return &(encodings[alg]);
>+}
>+
>+int
>+sshkey_digest_encoding_alg_by_name(const char *name)
>+{
>+ int alg;
>+
>+ for (alg = 0; alg < SSH_FP_MAX; alg++) {
>+ if (encodings[alg].name == NULL)
>+ continue;
>+ if (strcasecmp(name, encodings[alg].name) == 0)
>+ return encodings[alg].id;
>+ }
>+ return -1;
>+}
>+
>+const char *
>+sshkey_digest_encoding_alg_name(int alg)
>+{
>+ const struct ssh_digest_encoding *encoding = sshkey_digest_encoding_by_alg(alg);
>+
>+ return encoding == NULL ? NULL : encoding->name;
>+}
>+
> const char *
> sshkey_type(const struct sshkey *k)
> {
>diff --git a/sshkey.h b/sshkey.h
>index a20a14f..c46ad7e 100644
>--- a/sshkey.h
>+++ b/sshkey.h
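Review bot: The sshkey.c hunk leaves the one design decision in it undocumented: `encodings[]` is indexed positionally by the `enum sshkey_fp_rep` value (which is why `sshkey_digest_encoding_by_alg` carries the `/* sanity */` check), and SSH_FP_RANDOMART is given a NULL name on purpose so that `sshkey_digest_encoding_alg_by_name` skips it and the config parsers in readconf.c and servconf.c reject "randomart" with their "Invalid hash encoding algorithm" error; a reader who later fills that name in would silently make randomart a selectable encoding for every fingerprint log line. A comment above the table such as `/* Indexed by enum sshkey_fp_rep; entries with a NULL name cannot be selected by name (randomart is display-only). */` records that, and the same intent belongs on the two prototypes added in sshkey.h together with their failure values (`-1` and `NULL`). Minor style: there is a doubled blank line after `struct ssh_digest_encoding`, and `sshkey_digest_encoding_alg_name` returns NULL for SSH_FP_RANDOMART, which `fmt_intarg` then hands to `dump_cfg_fmtint`; unreachable as long as the value cannot be configured, but worth noting next to the table.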
>@@ -74,7 +74,8 @@ enum sshkey_fp_rep {
> SSH_FP_HEX,
> SSH_FP_BASE64,
> SSH_FP_BUBBLEBABBLE,
>- SSH_FP_RANDOMART
>+ SSH_FP_RANDOMART,
>+ SSH_FP_MAX
> };
> 
> /* key is stored in external hardware */
>@@ -111,6 +112,12 @@ struct sshkey {
> #define ED25519_SK_SZ crypto_sign_ed25519_SECRETKEYBYTES
> #define ED25519_PK_SZ crypto_sign_ed25519_PUBLICKEYBYTES
> 
>+/* Looks up a digest encoding algorithm by name. */
>+int sshkey_digest_encoding_alg_by_name(const char *name);
>+
>+/* Returns the algorithm name for a digest encoding identifier. */
>+const char *sshkey_digest_encoding_alg_name(int alg);
>+
> struct sshkey *sshkey_new(int);
> int sshkey_add_private(struct sshkey *);
> struct sshkey *sshkey_new_private(int);
>-- 
>2.6.5
>