[git] GnuPG - branch, master, updated. gnupg-2.1.21-15-g525f2c4

by Justus Winter cvs at cvs.gnupg.org
Wed May 24 18:12:11 CEST 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".

The branch, master has been updated
       via  525f2c482abb6bc2002eb878b03558fb43e6b004 (commit)
       via  a5f046d99a084b6a95268f03c1b588e8b78083cb (commit)
       via  3a07a69dfc87b4fff610740d3dde8e23f0d2f8bc (commit)
       via  3ac1a9d3a018816233a855faff059b4e0657a0f1 (commit)
      from  0c628321a18c0d898b3db988fd44df2780803d11 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 525f2c482abb6bc2002eb878b03558fb43e6b004
Author: Justus Winter <justus at g10code.com>
Date:   Wed May 24 17:48:42 2017 +0200

    agent: Make digest algorithms for ssh fingerprints configurable.
    
    * agent/agent.h (opt): New field 'ssh_fingerprint_digest'.
    * agent/command-ssh.c (data_sign, ssh_identity_register): Honor the
    option for strings used to communicate with the user.
    * agent/findkey.c (agent_modify_description): Likewise.
    * agent/gpg-agent.c (cmd_and_opt_values): New value.
    (opts): New option '--ssh-fingerprint-digest'.
    (parse_rereadable_options): Set the default to MD5 for now.
    (main): Handle the new option.
    * doc/gpg-agent.texi: Document the new option.
    --
    
    OpenSSH has transitioned from using MD5 to compute key fingerprints to
    SHA256.  This patch makes the digest used when communicating key
    fingerprints to the user (e.g. in pinentry dialogs) configurable.
    For now this patch conservatively defaults to MD5.
    
    GnuPG-bug-id: 2106
    Signed-off-by: Justus Winter <justus at g10code.com>

diff --git a/agent/agent.h b/agent/agent.h
index 01e675b..b95df57 100644
--- a/agent/agent.h
+++ b/agent/agent.h
@@ -167,6 +167,10 @@ struct
      gpg-agent.c: If the value is less than 2 the name has not yet
      been malloced. */
   int browser_socket;
+
+  /* The digest algorithm to use for ssh fingerprints when
+   * communicating with the user.  */
+  int ssh_fingerprint_digest;
 } opt;
 
 
diff --git a/agent/command-ssh.c b/agent/command-ssh.c
index b8edd1a..e450aed 100644
--- a/agent/command-ssh.c
+++ b/agent/command-ssh.c
@@ -2774,7 +2774,7 @@ data_sign (ctrl_t ctrl, ssh_key_type_spec_t *spec,
       err = agent_raw_key_from_file (ctrl, ctrl->keygrip, &key);
       if (err)
         goto out;
-      err = ssh_get_fingerprint_string (key, GCRY_MD_MD5, &fpr);
+      err = ssh_get_fingerprint_string (key, opt.ssh_fingerprint_digest, &fpr);
       if (!err)
         {
           gcry_sexp_t tmpsxp = gcry_sexp_find_token (key, "comment", 0);
@@ -3052,7 +3052,7 @@ ssh_identity_register (ctrl_t ctrl, ssh_key_type_spec_t *spec,
 
   bin2hex (key_grip_raw, 20, key_grip);
 
-  err = ssh_get_fingerprint_string (key, GCRY_MD_MD5, &key_fpr);
+  err = ssh_get_fingerprint_string (key, opt.ssh_fingerprint_digest, &key_fpr);
   if (err)
     goto out;
 
diff --git a/agent/findkey.c b/agent/findkey.c
index 1f547b0..cff0a7d 100644
--- a/agent/findkey.c
+++ b/agent/findkey.c
@@ -412,7 +412,8 @@ agent_modify_description (const char *in, const char *comment,
 
                 case 'F': /* SSH style fingerprint.  */
                   if (!ssh_fpr && key)
-                    ssh_get_fingerprint_string (key, GCRY_MD_MD5, &ssh_fpr);
+                    ssh_get_fingerprint_string (key, opt.ssh_fingerprint_digest,
+                                                &ssh_fpr);
                   if (ssh_fpr)
                     {
                       if (out)
diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
index 6ec9b67..77b811c 100644
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@@ -129,6 +129,7 @@ enum cmd_and_opt_values
   oKeepTTY,
   oKeepDISPLAY,
   oSSHSupport,
+  oSSHFingerprintDigest,
   oPuttySupport,
   oDisableScdaemon,
   oDisableCheckOwnSocket,
@@ -232,6 +233,8 @@ static ARGPARSE_OPTS opts[] = {
                 /* */    N_("allow passphrase to be prompted through Emacs")),
 
   ARGPARSE_s_n (oSSHSupport,   "enable-ssh-support", N_("enable ssh support")),
+  ARGPARSE_s_s (oSSHFingerprintDigest, "ssh-fingerprint-digest",
+                N_("digest to use when communicating ssh fingerprints")),
   ARGPARSE_s_n (oPuttySupport, "enable-putty-support",
 #ifdef HAVE_W32_SYSTEM
                 /* */           N_("enable putty support")
@@ -800,6 +803,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
       opt.allow_emacs_pinentry = 0;
       opt.disable_scdaemon = 0;
       disable_check_own_socket = 0;
+      opt.ssh_fingerprint_digest = GCRY_MD_MD5;
       return 1;
     }
 
@@ -1176,6 +1180,11 @@ main (int argc, char **argv )
 	case oSSHSupport:
           ssh_support = 1;
           break;
+	case oSSHFingerprintDigest:
+          opt.ssh_fingerprint_digest = gcry_md_map_name (pargs.r.ret_str);
+          if (opt.ssh_fingerprint_digest == 0)
+            log_error ("Unknown digest algorithm: %s\n", pargs.r.ret_str);
+          break;
         case oPuttySupport:
 #        ifdef HAVE_W32_SYSTEM
           putty_support = 1;
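Review bot: An unknown digest name is reported with `log_error` in the `oSSHFingerprintDigest` case, but the 0 returned by `gcry_md_map_name` has already been stored in `opt.ssh_fingerprint_digest`, so every later `ssh_get_fingerprint_string (key, opt.ssh_fingerprint_digest, ...)` call would run with an invalid algorithm unless startup aborts on the logged error (not visible here). Assign only on success: `int algo = gcry_md_map_name (pargs.r.ret_str);` followed by `if (algo) opt.ssh_fingerprint_digest = algo; else log_error (...);`. The default is set in the reset branch of `parse_rereadable_options` (previous hunk) while the option itself is parsed in `main`; if a configuration reload only goes through `parse_rereadable_options`, a reload would silently fall back to MD5, so the case probably belongs there. Both functions continue outside these hunks.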
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index 6ed0ff8..d61dc85 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@@ -636,6 +636,13 @@ and allows the use of gpg-agent with the ssh implementation
 @command{putty}.  This is similar to the regular ssh-agent support but
 makes use of Windows message queue as required by @command{putty}.
 
+ at anchor{option --ssh-fingerprint-digest}
+ at item --ssh-fingerprint-digest
+ at opindex ssh-fingerprint-digest
+
+Select the digest algorithm used to compute ssh fingerprints that are
+communicated to the user, e.g. in pinentry dialogs.  OpenSSH has
+transitioned from using MD5 to the more secure SHA256.
 
 @end table
 

commit a5f046d99a084b6a95268f03c1b588e8b78083cb
Author: Justus Winter <justus at g10code.com>
Date:   Wed May 24 17:29:31 2017 +0200

    agent: Write both ssh fingerprints to 'sshcontrol' file.
    
    * agent/command-ssh.c (add_control_entry): Hand in the key, write both
    the MD5- and the SHA256-based fingerprint to the 'sshcontrol' file
    when adding ssh keys.
    (ssh_identity_register): Adapt callsite.
    
    GnuPG-bug-id: 2106
    Signed-off-by: Justus Winter <justus at g10code.com>

diff --git a/agent/command-ssh.c b/agent/command-ssh.c
index 3dd3dd7..b8edd1a 100644
--- a/agent/command-ssh.c
+++ b/agent/command-ssh.c
@@ -1040,12 +1040,14 @@ search_control_file (ssh_control_file_t cf, const char *hexgrip,
    We can assume that the user wants to allow ssh using this key. */
 static gpg_error_t
 add_control_entry (ctrl_t ctrl, ssh_key_type_spec_t *spec,
-                   const char *hexgrip, const char *fmtfpr,
+                   const char *hexgrip, gcry_sexp_t key,
                    int ttl, int confirm)
 {
   gpg_error_t err;
   ssh_control_file_t cf;
   int disabled;
+  char *fpr_md5 = NULL;
+  char *fpr_sha256 = NULL;
 
   (void)ctrl;
 
@@ -1059,19 +1061,31 @@ add_control_entry (ctrl_t ctrl, ssh_key_type_spec_t *spec,
       struct tm *tp;
       time_t atime = time (NULL);
 
+      err = ssh_get_fingerprint_string (key, GCRY_MD_MD5, &fpr_md5);
+      if (err)
+        goto out;
+
+      err = ssh_get_fingerprint_string (key, GCRY_MD_SHA256, &fpr_sha256);
+      if (err)
+        goto out;
+
       /* Not yet in the file - add it. Because the file has been
          opened in append mode, we simply need to write to it.  */
       tp = localtime (&atime);
       fprintf (cf->fp,
                ("# %s key added on: %04d-%02d-%02d %02d:%02d:%02d\n"
-                "# MD5 Fingerprint:  %s\n"
+                "# Fingerprints:  %s\n"
+                "#                %s\n"
                 "%s %d%s\n"),
                spec->name,
                1900+tp->tm_year, tp->tm_mon+1, tp->tm_mday,
                tp->tm_hour, tp->tm_min, tp->tm_sec,
-               fmtfpr, hexgrip, ttl, confirm? " confirm":"");
+               fpr_md5, fpr_sha256, hexgrip, ttl, confirm? " confirm":"");
 
     }
+ out:
+  xfree (fpr_md5);
+  xfree (fpr_sha256);
   close_control_file (cf);
   return 0;
 }
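Review bot: A failure of either new `ssh_get_fingerprint_string` call jumps to `out`, but `add_control_entry` still ends in `return 0;`, so `ssh_identity_register` sees success although nothing was written to the sshcontrol file. Propagating the failure (`return err;`) would surface it, provided `err` is cleared on the paths that legitimately skip the write; those assignments sit outside this hunk and should be checked first. The `fprintf` result is likewise unchecked, so a failed append to `cf->fp` also goes unreported.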
@@ -3118,7 +3132,7 @@ ssh_identity_register (ctrl_t ctrl, ssh_key_type_spec_t *spec,
 
  key_exists:
   /* And add an entry to the sshcontrol file.  */
-  err = add_control_entry (ctrl, spec, key_grip, key_fpr, ttl, confirm);
+  err = add_control_entry (ctrl, spec, key_grip, key, ttl, confirm);
 
 
  out:

commit 3a07a69dfc87b4fff610740d3dde8e23f0d2f8bc
Author: Justus Winter <justus at g10code.com>
Date:   Wed May 24 17:03:58 2017 +0200

    common: Correctly render SHA256-based ssh fingerprints.
    
    * common/ssh-utils.c (dummy_realloc): New function.
    (dummy_free): Likewise.
    (get_fingerprint): Prepend the fingerprint with the name of the digest
    algorithm.  Correctly render SHA256-based ssh fingerprints.
    * common/t-ssh-utils.c (sample_keys): Add SHA256 hashes for the keys.
    (main): Add an option to dump the keys to gather fingerprints, also
    print the SHA256 fingerprint for keys given as arguments, and check
    the SHA256 fingerprints of the test keys.
    
    GnuPG-bug-id: 2106
    Signed-off-by: Justus Winter <justus at g10code.com>

diff --git a/common/ssh-utils.c b/common/ssh-utils.c
index 3925602..38d6e8a 100644
--- a/common/ssh-utils.c
+++ b/common/ssh-utils.c
@@ -64,6 +64,9 @@ is_eddsa (gcry_sexp_t keyparms)
   return result;
 }
 
+/* Dummy functions for es_mopen.  */
+static void *dummy_realloc (void *mem, size_t size) { (void) size; return mem; }
+static void dummy_free (void *mem) { (void) mem; }
 
 /* Return the Secure Shell type fingerprint for KEY using digest ALGO.
    The length of the fingerprint is returned at R_LEN and the
@@ -232,10 +235,74 @@ get_fingerprint (gcry_sexp_t key, int algo,
 
   if (as_string)
     {
-      *r_fpr = (algo == GCRY_MD_MD5 ? bin2hexcolon : /* XXX we need base64 */ bin2hex)
-        (gcry_md_read (md, algo), gcry_md_get_algo_dlen (algo), NULL);
+      const char *algo_name;
+      char *fpr;
+
+      /* Prefix string with the algorithm name and a colon.  */
+      algo_name = gcry_md_algo_name (algo);
+      *r_fpr = xtrymalloc (strlen (algo_name) + 1 + 3 * gcry_md_get_algo_dlen (algo) + 1);
+      if (*r_fpr == NULL)
+        {
+          err = gpg_err_make (default_errsource, gpg_err_code_from_syserror ());
+          goto leave;
+        }
+
+      strncpy (*r_fpr, algo_name, strlen (algo_name));
+      fpr = (char *) *r_fpr + strlen (algo_name);
+      *fpr++ = ':';
+
+      if (algo == GCRY_MD_MD5)
+        {
+          bin2hexcolon (gcry_md_read (md, algo), gcry_md_get_algo_dlen (algo), fpr);
+          strlwr (fpr);
+        }
+      else
+        {
+          struct b64state b64s;
+          estream_t stream;
+          char *p;
+          long int len;
+
+          /* Write the base64-encoded hash to fpr.  */
+          stream = es_mopen (fpr, 3 * gcry_md_get_algo_dlen (algo) + 1, 0,
+                             0, dummy_realloc, dummy_free, "w");
+          if (stream == NULL)
+            {
+              err = gpg_err_make (default_errsource, gpg_err_code_from_syserror ());
+              goto leave;
+            }
+
+          err = b64enc_start_es (&b64s, stream, "");
+          if (err)
+            {
+              es_fclose (stream);
+              goto leave;
+            }
+
+          err = b64enc_write (&b64s,
+                              gcry_md_read (md, algo), gcry_md_get_algo_dlen (algo));
+          if (err)
+            {
+              es_fclose (stream);
+              goto leave;
+            }
+
+          /* Finish, get the length, and close the stream.  */
+          err = b64enc_finish (&b64s);
+          len = es_ftell (stream);
+          es_fclose (stream);
+          if (err)
+            goto leave;
+
+          /* Terminate.  */
+          fpr[len] = 0;
+
+          /* Strip the trailing padding characters.  */
+          for (p = fpr + len - 1; p > fpr && *p == '='; p--)
+            *p = 0;
+        }
+
       *r_len = strlen (*r_fpr) + 1;
-      strlwr (*r_fpr);
     }
   else
     {
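Review bot: The error exits taken after `xtrymalloc` has succeeded (`es_mopen`, `b64enc_start_es`, `b64enc_write`, `b64enc_finish`) jump to `leave` with `*r_fpr` still pointing at a partly written buffer, while the function's header comment (quoted in full elsewhere on this page) promises NULL at R_FPR on error. Unless the `leave` block, which is outside this hunk, already resets it, add `xfree (*r_fpr); *r_fpr = NULL;` on those paths. The value from `es_ftell` is used unchecked as an index in `fpr[len] = 0`; a negative return would write before `fpr`, so test `len < 0` and treat it as an error. `strncpy (*r_fpr, algo_name, strlen (algo_name))` copies no terminator and is really a `memcpy`; writing it as one makes clear that termination is left to the code that follows.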
diff --git a/common/t-ssh-utils.c b/common/t-ssh-utils.c
index a4e948f..1c9b87b 100644
--- a/common/t-ssh-utils.c
+++ b/common/t-ssh-utils.c
@@ -28,7 +28,12 @@
 #include "ssh-utils.h"
 
 
-static struct { const char *key; const char *fpr; } sample_keys[] = {
+static struct
+{
+  const char *key;
+  const char *fpr_md5;
+  const char *fpr_sha256;
+} sample_keys[] = {
   { "(protected-private-key "
     "(rsa "
     "(n #"
@@ -70,7 +75,8 @@ static struct { const char *key; const char *fpr; } sample_keys[] = {
     ")"
     "(comment passphrase_is_abc)"
     ")",
-    "c7:c6:a7:ec:04:6c:87:59:54:f2:88:58:09:e0:f2:b1"
+    "MD5:c7:c6:a7:ec:04:6c:87:59:54:f2:88:58:09:e0:f2:b1",
+    "SHA256:ksKb4DKk2SFX56GRtpt0szBnyjiYARSb2FNlUb7snnE"
   },
   {
     "(protected-private-key "
@@ -99,7 +105,8 @@ static struct { const char *key; const char *fpr; } sample_keys[] = {
     ")"
     "(comment sample_dsa_passphrase_is_abc)"
     ")",
-    "2d:b1:70:1a:04:9e:41:a3:ce:27:a5:c7:22:fe:3a:a3"
+    "MD5:2d:b1:70:1a:04:9e:41:a3:ce:27:a5:c7:22:fe:3a:a3",
+    "SHA256:z8+8HEuD/5QpegGS4tSK02dJF+a6o2V67VM2gOPz9oQ"
   },
   { /* OpenSSH 6.7p1 generated key:  */
     "(protected-private-key "
@@ -118,7 +125,8 @@ static struct { const char *key; const char *fpr; } sample_keys[] = {
     ")"
     "(comment \"ecdsa w/o comment\")"
     ")", /* Passphrase="abc" */
-    "93:4f:08:02:7d:cb:16:9b:0c:39:21:4b:cf:28:5a:19"
+    "MD5:93:4f:08:02:7d:cb:16:9b:0c:39:21:4b:cf:28:5a:19",
+    "SHA256:zSj4uXfE1hlQnESD2LO723fMGXsNwzHrfqOfqep37is"
   },
   { /* OpenSSH 6.7p1 generated key:  */
     "(protected-private-key "
@@ -139,7 +147,8 @@ static struct { const char *key; const char *fpr; } sample_keys[] = {
     ")"
     "(comment \"ecdsa w/o comment\")"
     ")", /* Passphrase="abc" */
-    "a3:cb:44:c8:56:15:25:62:85:fd:e8:04:7a:26:dc:76"
+    "MD5:a3:cb:44:c8:56:15:25:62:85:fd:e8:04:7a:26:dc:76",
+    "SHA256:JuQh5fjduynuuTEwI9C6yAKK1NnLX9PPd7TP0qZfbGs"
   },
   { /* OpenSSH 6.7p1 generated key:  */
     "(protected-private-key "
@@ -161,7 +170,8 @@ static struct { const char *key; const char *fpr; } sample_keys[] = {
     ")"
     "(comment \"ecdsa w/o comment\")"
     ")", /* Passphrase="abc" */
-    "1e:a6:94:ab:bd:81:73:5f:22:bc:0e:c7:89:f6:68:df"
+    "MD5:1e:a6:94:ab:bd:81:73:5f:22:bc:0e:c7:89:f6:68:df",
+    "SHA256:+pbRyYa2UBwDki1k4Wziu2CKrdJIbZM/hOWOQ/sNe/0"
   },
   { /* OpenSSH 6.7p1 generated key:  */
     "(protected-private-key "
@@ -180,7 +190,8 @@ static struct { const char *key; const char *fpr; } sample_keys[] = {
     ")"
     "(comment \"eddsa w/o comment\")"
     ")", /* Passphrase="abc" */
-    "f1:fa:c8:a6:40:bb:b9:a1:65:d7:62:65:ac:26:78:0e"
+    "MD5:f1:fa:c8:a6:40:bb:b9:a1:65:d7:62:65:ac:26:78:0e",
+    "SHA256:yhwBfYnTOnSXcWf1EOPo+oIIpNJ6w/bG36udZ96MmsQ"
   },
   {
     NULL,
@@ -259,9 +270,43 @@ main (int argc, char **argv)
   char *string;
   int idx;
 
-  if (argc == 2)
+  /* --dump-keys dumps the keys as KEYGRIP.key.IDX.  Useful to compute
+       fingerprints to enhance the test vectors.  */
+  if (argc == 2 && strcmp (argv[1], "--dump-keys") == 0)
+    for (idx=0; sample_keys[idx].key; idx++)
+      {
+	FILE *s;
+	char *name;
+	char grip[20];
+	char *hexgrip;
+
+	err = keygrip_from_canon_sexp (sample_keys[idx].key,
+				       strlen (sample_keys[idx].key),
+				       grip);
+	if (err)
+	  {
+	    fprintf (stderr, "%s:%d: error computing keygrip: %s\n",
+		     __FILE__, __LINE__, gpg_strerror (err));
+	    exit (1);
+	  }
+	hexgrip = bin2hex (grip, 20, NULL);
+
+	name = xtryasprintf ("%s.key.%d", hexgrip, idx);
+	s = fopen (name, "w");
+	if (s == NULL)
+	  {
+	    fprintf (stderr, "%s:%d: error opening file: %s\n",
+		     __FILE__, __LINE__, gpg_strerror (gpg_error_from_syserror ()));
+	    exit (1);
+	  }
+	xfree (name);
+	fprintf (s, "%s", sample_keys[idx].key);
+	fclose (s);
+      }
+  else if (argc == 2)
     {
       key = read_key (argv[1]);
+
       err = ssh_get_fingerprint_string (key, GCRY_MD_MD5, &string);
       if (err)
         {
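Review bot: In the `--dump-keys` branch the result of `xtryasprintf` goes straight to `fopen` without a NULL check, and `hexgrip` from `bin2hex (grip, 20, NULL)` is neither checked nor released. Add `if (!hexgrip || !name) exit (1);` with a diagnostic in the style of the surrounding ones, and `xfree (hexgrip);` next to `xfree (name);`. The `fprintf` and `fclose` results are ignored as well, so a truncated key dump would pass unnoticed and later yield misleading fingerprints for the test vectors. This is a test helper, so the impact is limited to whoever regenerates the vectors.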
@@ -271,6 +316,17 @@ main (int argc, char **argv)
         }
       puts (string);
       xfree (string);
+
+      err = ssh_get_fingerprint_string (key, GCRY_MD_SHA256, &string);
+      if (err)
+        {
+          fprintf (stderr, "%s:%d: error getting fingerprint: %s\n",
+                   __FILE__, __LINE__, gpg_strerror (err));
+          exit (1);
+        }
+      puts (string);
+      xfree (string);
+
       gcry_sexp_release (key);
     }
   else
@@ -288,7 +344,6 @@ main (int argc, char **argv)
             }
 
           err = ssh_get_fingerprint_string (key, GCRY_MD_MD5, &string);
-          gcry_sexp_release (key);
           if (err)
             {
               fprintf (stderr, "%s:%d: error getting fingerprint for "
@@ -297,16 +352,38 @@ main (int argc, char **argv)
               exit (1);
             }
 
-          if (strcmp (string, sample_keys[idx].fpr))
+          if (strcmp (string, sample_keys[idx].fpr_md5))
+            {
+              fprintf (stderr, "%s:%d: fingerprint mismatch for "
+                       "sample key %d\n",
+                       __FILE__, __LINE__, idx);
+              fprintf (stderr, "want: %s\n got: %s\n",
+                       sample_keys[idx].fpr_md5, string);
+              exit (1);
+            }
+          xfree (string);
+
+          err = ssh_get_fingerprint_string (key, GCRY_MD_SHA256, &string);
+          if (err)
+            {
+              fprintf (stderr, "%s:%d: error getting fingerprint for "
+                       "sample key %d: %s\n",
+                       __FILE__, __LINE__, idx, gpg_strerror (err));
+              exit (1);
+            }
+
+          if (strcmp (string, sample_keys[idx].fpr_sha256))
             {
               fprintf (stderr, "%s:%d: fingerprint mismatch for "
                        "sample key %d\n",
                        __FILE__, __LINE__, idx);
               fprintf (stderr, "want: %s\n got: %s\n",
-                       sample_keys[idx].fpr, string);
+                       sample_keys[idx].fpr_sha256, string);
               exit (1);
             }
           xfree (string);
+
+          gcry_sexp_release (key);
         }
     }
 

commit 3ac1a9d3a018816233a855faff059b4e0657a0f1
Author: Justus Winter <justus at g10code.com>
Date:   Fri Dec 4 15:19:07 2015 +0100

    common: Support different digest algorithms for ssh fingerprints.
    
    * common/ssh-utils.c (get_fingerprint): Add and honor 'algo' parameter.
    (ssh_get_fingerprint{,_string}): Likewise.
    * common/ssh-utils.h (ssh_get_fingerprint{,_string}): Update prototypes.
    * common/t-ssh-utils.c (main): Adapt accordingly.
    * agent/command-ssh.c (agent_raw_key_from_file): Likewise.
    (ssh_identity_register): Likewise.
    * agent/command.c (do_one_keyinfo): Likewise.
    * agent/findkey.c (modify_description): Likewise.
    --
    This lays the foundation to support other algorithms.
    
    GnuPG-bug-id: 2106
    Signed-off-by: Justus Winter <justus at g10code.com>

diff --git a/agent/command-ssh.c b/agent/command-ssh.c
index 99c80c0..3dd3dd7 100644
--- a/agent/command-ssh.c
+++ b/agent/command-ssh.c
@@ -2760,7 +2760,7 @@ data_sign (ctrl_t ctrl, ssh_key_type_spec_t *spec,
       err = agent_raw_key_from_file (ctrl, ctrl->keygrip, &key);
       if (err)
         goto out;
-      err = ssh_get_fingerprint_string (key, &fpr);
+      err = ssh_get_fingerprint_string (key, GCRY_MD_MD5, &fpr);
       if (!err)
         {
           gcry_sexp_t tmpsxp = gcry_sexp_find_token (key, "comment", 0);
@@ -3038,7 +3038,7 @@ ssh_identity_register (ctrl_t ctrl, ssh_key_type_spec_t *spec,
 
   bin2hex (key_grip_raw, 20, key_grip);
 
-  err = ssh_get_fingerprint_string (key, &key_fpr);
+  err = ssh_get_fingerprint_string (key, GCRY_MD_MD5, &key_fpr);
   if (err)
     goto out;
 
diff --git a/agent/command.c b/agent/command.c
index df788ef..d370821 100644
--- a/agent/command.c
+++ b/agent/command.c
@@ -1201,7 +1201,7 @@ do_one_keyinfo (ctrl_t ctrl, const unsigned char *grip, assuan_context_t ctx,
 
       if (!agent_raw_key_from_file (ctrl, grip, &key))
         {
-          ssh_get_fingerprint_string (key, &fpr);
+          ssh_get_fingerprint_string (key, GCRY_MD_MD5, &fpr);
           gcry_sexp_release (key);
         }
     }
diff --git a/agent/findkey.c b/agent/findkey.c
index b24d8f1..1f547b0 100644
--- a/agent/findkey.c
+++ b/agent/findkey.c
@@ -412,7 +412,7 @@ agent_modify_description (const char *in, const char *comment,
 
                 case 'F': /* SSH style fingerprint.  */
                   if (!ssh_fpr && key)
-                    ssh_get_fingerprint_string (key, &ssh_fpr);
+                    ssh_get_fingerprint_string (key, GCRY_MD_MD5, &ssh_fpr);
                   if (ssh_fpr)
                     {
                       if (out)
diff --git a/common/ssh-utils.c b/common/ssh-utils.c
index 60aa07b..3925602 100644
--- a/common/ssh-utils.c
+++ b/common/ssh-utils.c
@@ -65,12 +65,13 @@ is_eddsa (gcry_sexp_t keyparms)
 }
 
 
-/* Return the Secure Shell type fingerprint for KEY.  The length of
-   the fingerprint is returned at R_LEN and the fingerprint itself at
-   R_FPR.  In case of a error code is returned and NULL stored at
-   R_FPR.  */
+/* Return the Secure Shell type fingerprint for KEY using digest ALGO.
+   The length of the fingerprint is returned at R_LEN and the
+   fingerprint itself at R_FPR.  In case of a error code is returned
+   and NULL stored at R_FPR.  */
 static gpg_error_t
-get_fingerprint (gcry_sexp_t key, void **r_fpr, size_t *r_len, int as_string)
+get_fingerprint (gcry_sexp_t key, int algo,
+                 void **r_fpr, size_t *r_len, int as_string)
 {
   gpg_error_t err;
   gcry_sexp_t list = NULL;
@@ -111,7 +112,7 @@ get_fingerprint (gcry_sexp_t key, void **r_fpr, size_t *r_len, int as_string)
       goto leave;
     }
 
-  err = gcry_md_open (&md, GCRY_MD_MD5, 0);
+  err = gcry_md_open (&md, algo, 0);
   if (err)
     goto leave;
 
@@ -229,23 +230,23 @@ get_fingerprint (gcry_sexp_t key, void **r_fpr, size_t *r_len, int as_string)
         }
     }
 
-  *r_fpr = gcry_malloc (as_string? 61:20);
-  if (!*r_fpr)
-    {
-      err = gpg_err_make (default_errsource, gpg_err_code_from_syserror ());
-      goto leave;
-    }
-
   if (as_string)
     {
-      bin2hexcolon (gcry_md_read (md, GCRY_MD_MD5), 16, *r_fpr);
-      *r_len = 3*16+1;
+      *r_fpr = (algo == GCRY_MD_MD5 ? bin2hexcolon : /* XXX we need base64 */ bin2hex)
+        (gcry_md_read (md, algo), gcry_md_get_algo_dlen (algo), NULL);
+      *r_len = strlen (*r_fpr) + 1;
       strlwr (*r_fpr);
     }
   else
     {
-      memcpy (*r_fpr, gcry_md_read (md, GCRY_MD_MD5), 16);
-      *r_len = 16;
+      *r_len = gcry_md_get_algo_dlen (algo);
+      *r_fpr = xtrymalloc (*r_len);
+      if (!*r_fpr)
+        {
+          err = gpg_err_make (default_errsource, gpg_err_code_from_syserror ());
+          goto leave;
+        }
+      memcpy (*r_fpr, gcry_md_read (md, algo), *r_len);
     }
   err = 0;
 
@@ -257,28 +258,30 @@ get_fingerprint (gcry_sexp_t key, void **r_fpr, size_t *r_len, int as_string)
   return err;
 }
 
-/* Return the Secure Shell type fingerprint for KEY.  The length of
-   the fingerprint is returned at R_LEN and the fingerprint itself at
-   R_FPR.  In case of an error an error code is returned and NULL
-   stored at R_FPR.  */
+/* Return the Secure Shell type fingerprint for KEY using digest ALGO.
+   The length of the fingerprint is returned at R_LEN and the
+   fingerprint itself at R_FPR.  In case of an error an error code is
+   returned and NULL stored at R_FPR.  */
 gpg_error_t
-ssh_get_fingerprint (gcry_sexp_t key, void **r_fpr, size_t *r_len)
+ssh_get_fingerprint (gcry_sexp_t key, int algo,
+                     void **r_fpr, size_t *r_len)
 {
-  return get_fingerprint (key, r_fpr, r_len, 0);
+  return get_fingerprint (key, algo, r_fpr, r_len, 0);
 }
 
 
-/* Return the Secure Shell type fingerprint for KEY as a string.  The
-   fingerprint is mallcoed and stored at R_FPRSTR.  In case of an
-   error an error code is returned and NULL stored at R_FPRSTR.  */
+/* Return the Secure Shell type fingerprint for KEY using digest ALGO
+   as a string.  The fingerprint is mallcoed and stored at R_FPRSTR.
+   In case of an error an error code is returned and NULL stored at
+   R_FPRSTR.  */
 gpg_error_t
-ssh_get_fingerprint_string (gcry_sexp_t key, char **r_fprstr)
+ssh_get_fingerprint_string (gcry_sexp_t key, int algo, char **r_fprstr)
 {
   gpg_error_t err;
   size_t dummy;
   void *string;
 
-  err = get_fingerprint (key, &string, &dummy, 1);
+  err = get_fingerprint (key, algo, &string, &dummy, 1);
   *r_fprstr = string;
   return err;
 }
diff --git a/common/ssh-utils.h b/common/ssh-utils.h
index 36d38a3..53d9f55 100644
--- a/common/ssh-utils.h
+++ b/common/ssh-utils.h
@@ -31,9 +31,11 @@
 #define GNUPG_COMMON_SSH_UTILS_H
 
 
-gpg_error_t ssh_get_fingerprint (gcry_sexp_t key, void **r_fpr, size_t *r_len);
+gpg_error_t ssh_get_fingerprint (gcry_sexp_t key, int algo,
+				 void **r_fpr, size_t *r_len);
 
-gpg_error_t ssh_get_fingerprint_string (gcry_sexp_t key, char **r_fprstr);
+gpg_error_t ssh_get_fingerprint_string (gcry_sexp_t key, int algo,
+					char **r_fprstr);
 
 
 #endif /*GNUPG_COMMON_SSH_UTILS_H*/
diff --git a/common/t-ssh-utils.c b/common/t-ssh-utils.c
index f63ea95..a4e948f 100644
--- a/common/t-ssh-utils.c
+++ b/common/t-ssh-utils.c
@@ -262,7 +262,7 @@ main (int argc, char **argv)
   if (argc == 2)
     {
       key = read_key (argv[1]);
-      err = ssh_get_fingerprint_string (key, &string);
+      err = ssh_get_fingerprint_string (key, GCRY_MD_MD5, &string);
       if (err)
         {
           fprintf (stderr, "%s:%d: error getting fingerprint: %s\n",
@@ -287,7 +287,7 @@ main (int argc, char **argv)
               exit (1);
             }
 
-          err = ssh_get_fingerprint_string (key, &string);
+          err = ssh_get_fingerprint_string (key, GCRY_MD_MD5, &string);
           gcry_sexp_release (key);
           if (err)
             {

-----------------------------------------------------------------------

Summary of changes:
 agent/agent.h        |   4 ++
 agent/command-ssh.c  |  26 ++++++++---
 agent/command.c      |   2 +-
 agent/findkey.c      |   3 +-
 agent/gpg-agent.c    |   9 ++++
 common/ssh-utils.c   | 128 +++++++++++++++++++++++++++++++++++++++------------
 common/ssh-utils.h   |   6 ++-
 common/t-ssh-utils.c | 103 +++++++++++++++++++++++++++++++++++------
 doc/gpg-agent.texi   |   7 +++
 9 files changed, 236 insertions(+), 52 deletions(-)


hooks/post-receive
-- 
The GNU Privacy Guard
http://git.gnupg.org



