Attachment 3663 Details for Bug 3493 – Support -Ohashalg=sha256 in ssh-keygen and ssh-keyscan

[patch] Support -Ohashalg=sha256 in ssh-keygen and ssh-keyscan

bz3493.diff (text/plain), 6.34 KB, created by Damien Miller on 2023-02-10 14:11:51 AEDT

(hide)

Description:

Filename:

MIME Type:

Creator: Damien Miller

Created: 2023-02-10 14:11:51 AEDT

Size: 6.34 KB

patch

obsolete

>diff --git a/dns.c b/dns.c
>index 3218abc..09f1674 100644
>--- a/dns.c
>+++ b/dns.c
>@@ -299,7 +299,8 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
>  * Export the fingerprint of a key as a DNS resource record
>  */
> int
>-export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic)
>+export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic,
>+    int alg)
> {
> 	u_int8_t rdata_pubkey_algorithm = 0;
> 	u_int8_t rdata_digest_type = SSHFP_HASH_RESERVED;
>@@ -309,6 +310,8 @@ export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic)
> 	int success = 0;
> 
> 	for (dtype = SSHFP_HASH_SHA1; dtype < SSHFP_HASH_MAX; dtype++) {
>+		if (alg != -1 && dtype != alg)
>+			continue;
> 		rdata_digest_type = dtype;
> 		if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
> 		    &rdata_digest, &rdata_digest_len, key)) {
>diff --git a/dns.h b/dns.h
>index c9b61c4..7f1af29 100644
>--- a/dns.h
>+++ b/dns.h
>@@ -54,6 +54,6 @@ enum sshfp_hashes {
> 
> int	verify_host_key_dns(const char *, struct sockaddr *,
>     struct sshkey *, int *);
>-int	export_dns_rr(const char *, struct sshkey *, FILE *, int);
>+int	export_dns_rr(const char *, struct sshkey *, FILE *, int, int);
> 
> #endif /* DNS_H */
>diff --git a/ssh-keygen.1 b/ssh-keygen.1
>index 8b1f617..983e674 100644
>--- a/ssh-keygen.1
>+++ b/ssh-keygen.1
>@@ -518,6 +518,21 @@ suffixed with a Z character, which causes them to be interpreted in the
> UTC time zone.
> .El
> .Pp
>+When generating SSHFP DNS records from public keys using the
>+.Fl r
>+flag, the following options are accepted:
>+.Bl -tag -width Ds
>+.It Cm hashalg Ns = Ns Ar algorithm
>+Selects a hash algorithm to use when printing SSHFP records using the
>+.Fl D
>+flag.
>+Valid algorithms are
>+.Dq sha1
>+and
>+.Dq sha256.
>+The default is to print both.
>+.El
>+.Pp
> The
> .Fl O
> option may be specified multiple times.
>diff --git a/ssh-keygen.c b/ssh-keygen.c
>index 869b675..3b5f867 100644
>--- a/ssh-keygen.c
>+++ b/ssh-keygen.c
>@@ -1456,13 +1456,23 @@ do_change_passphrase(struct passwd *pw)
>  */
> static int
> do_print_resource_record(struct passwd *pw, char *fname, char *hname,
>-    int print_generic)
>+    int print_generic, char * const *opts, size_t nopts)
> {
> 	struct sshkey *public;
> 	char *comment = NULL;
> 	struct stat st;
>-	int r;
>+	int r, hash = -1;
>+	size_t i;
> 
>+	for (i = 0; i < nopts; i++) {
>+		if (strncasecmp(opts[i], "hashalg=", 8) == 0) {
>+			if ((hash = ssh_digest_alg_by_name(opts[i] + 8)) == -1)
>+				fatal("Unsupported hash algorithm");
>+		} else {
>+			error("Invalid option \"%s\"", opts[i]);
>+			return SSH_ERR_INVALID_ARGUMENT;
>+		}
>+	}
> 	if (fname == NULL)
> 		fatal_f("no filename");
> 	if (stat(fname, &st) == -1) {
>@@ -1472,7 +1482,7 @@ do_print_resource_record(struct passwd *pw, char *fname, char *hname,
> 	}
> 	if ((r = sshkey_load_public(fname, &public, &comment)) != 0)
> 		fatal_r(r, "Failed to read v2 public key from \"%s\"", fname);
>-	export_dns_rr(hname, public, stdout, print_generic);
>+	export_dns_rr(hname, public, stdout, print_generic, hash);
> 	sshkey_free(public);
> 	free(comment);
> 	return 1;
>@@ -3699,7 +3709,7 @@ main(int argc, char **argv)
> 
> 		if (have_identity) {
> 			n = do_print_resource_record(pw, identity_file,
>-			    rr_hostname, print_generic);
>+			    rr_hostname, print_generic, opts, nopts);
> 			if (n == 0)
> 				fatal("%s: %s", identity_file, strerror(errno));
> 			exit(0);
>@@ -3707,19 +3717,19 @@ main(int argc, char **argv)
> 
> 			n += do_print_resource_record(pw,
> 			    _PATH_HOST_RSA_KEY_FILE, rr_hostname,
>-			    print_generic);
>+			    print_generic, opts, nopts);
> 			n += do_print_resource_record(pw,
> 			    _PATH_HOST_DSA_KEY_FILE, rr_hostname,
>-			    print_generic);
>+			    print_generic, opts, nopts);
> 			n += do_print_resource_record(pw,
> 			    _PATH_HOST_ECDSA_KEY_FILE, rr_hostname,
>-			    print_generic);
>+			    print_generic, opts, nopts);
> 			n += do_print_resource_record(pw,
> 			    _PATH_HOST_ED25519_KEY_FILE, rr_hostname,
>-			    print_generic);
>+			    print_generic, opts, nopts);
> 			n += do_print_resource_record(pw,
> 			    _PATH_HOST_XMSS_KEY_FILE, rr_hostname,
>-			    print_generic);
>+			    print_generic, opts, nopts);
> 			if (n == 0)
> 				fatal("no keys found.");
> 			exit(0);
>diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
>index ca4feea..6fbc298 100644
>--- a/ssh-keyscan.1
>+++ b/ssh-keyscan.1
>@@ -16,6 +16,7 @@
> .Nm ssh-keyscan
> .Op Fl 46cDHv
> .Op Fl f Ar file
>+.Op Fl O Ar option
> .Op Fl p Ar port
> .Op Fl T Ar timeout
> .Op Fl t Ar type
>@@ -97,6 +98,20 @@ and
> .Xr sshd 8 ,
> but they do not reveal identifying information should the file's contents
> be disclosed.
>+.It Fl O Ar option
>+Specify a key/value option.
>+At present, only a single option is supported:
>+.Bl -tag -width Ds
>+.It Cm hashalg Ns = Ns Ar algorithm
>+Selects a hash algorithm to use when printing SSHFP records using the
>+.Fl D
>+flag.
>+Valid algorithms are
>+.Dq sha1
>+and
>+.Dq sha256.
>+The default is to print both.
>+.El
> .It Fl p Ar port
> Connect to
> .Ar port
>diff --git a/ssh-keyscan.c b/ssh-keyscan.c
>index e79851e..de3b80d 100644
>--- a/ssh-keyscan.c
>+++ b/ssh-keyscan.c
>@@ -32,6 +32,7 @@
> #include "sshbuf.h"
> #include "sshkey.h"
> #include "cipher.h"
>+#include "digest.h"
> #include "kex.h"
> #include "compat.h"
> #include "myproposal.h"
>@@ -72,6 +73,8 @@ int print_sshfp = 0;		/* Print SSHFP records instead of known_hosts */
> 
> int found_one = 0;		/* Successfully found a key */
> 
>+int hashalg = -1;		/* Hash for SSHFP records or -1 for all */
>+
> #define MAXMAXFD 256
> 
> /* The number of seconds after which to give up on a TCP connection */
>@@ -294,7 +297,7 @@ keyprint_one(const char *host, struct sshkey *key)
> 	found_one = 1;
> 
> 	if (print_sshfp) {
>-		export_dns_rr(host, key, stdout, 0);
>+		export_dns_rr(host, key, stdout, 0, hashalg);
> 		return;
> 	}
> 
>@@ -704,7 +707,7 @@ main(int argc, char **argv)
> 	if (argc <= 1)
> 		usage();
> 
>-	while ((opt = getopt(argc, argv, "cDHv46p:T:t:f:")) != -1) {
>+	while ((opt = getopt(argc, argv, "cDHv46O:p:T:t:f:")) != -1) {
> 		switch (opt) {
> 		case 'H':
> 			hash_hosts = 1;
>@@ -744,6 +747,14 @@ main(int argc, char **argv)
> 				optarg = NULL;
> 			argv[fopt_count++] = optarg;
> 			break;
>+		case 'O':
>+			/* Maybe other misc options in the future too */
>+			if (strncmp(optarg, "hashalg=", 8) != 0)
>+				fatal("Unsupported -O option");
>+			if ((hashalg = ssh_digest_alg_by_name(
>+			    optarg + 8)) == -1)
>+				fatal("Unsupported hash algorithm");
>+			break;
> 		case 't':
> 			get_keytypes = 0;
> 			tname = strtok(optarg, ",");

Flags:

dtucker: ok+

Actions: View | Diff

Attachments on bug 3493: 3663