rcolebaugh / rpms / openssh

Forked from rpms/openssh 2 years ago
Clone
1d31ef
diff -up openssh-7.4p1/clientloop.c.fingerprint openssh-7.4p1/clientloop.c
1d31ef
--- openssh-7.4p1/clientloop.c.fingerprint	2016-12-23 15:38:50.520432387 +0100
1d31ef
+++ openssh-7.4p1/clientloop.c	2016-12-23 15:38:50.564432394 +0100
1d31ef
@@ -2279,7 +2279,7 @@ update_known_hosts(struct hostkeys_updat
1d31ef
 		if (ctx->keys_seen[i] != 2)
1d31ef
 			continue;
1d31ef
 		if ((fp = sshkey_fingerprint(ctx->keys[i],
1d31ef
-		    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
1d31ef
+		    options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL)
1d31ef
 			fatal("%s: sshkey_fingerprint failed", __func__);
1d31ef
 		do_log2(loglevel, "Learned new hostkey: %s %s",
1d31ef
 		    sshkey_type(ctx->keys[i]), fp);
1d31ef
@@ -2287,7 +2287,7 @@ update_known_hosts(struct hostkeys_updat
1d31ef
 	}
1d31ef
 	for (i = 0; i < ctx->nold; i++) {
1d31ef
 		if ((fp = sshkey_fingerprint(ctx->old_keys[i],
1d31ef
-		    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
1d31ef
+		    options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL)
1d31ef
 			fatal("%s: sshkey_fingerprint failed", __func__);
1d31ef
 		do_log2(loglevel, "Deprecating obsolete hostkey: %s %s",
1d31ef
 		    sshkey_type(ctx->old_keys[i]), fp);
1d31ef
@@ -2330,7 +2330,7 @@ update_known_hosts(struct hostkeys_updat
1d31ef
 	    (r = hostfile_replace_entries(options.user_hostfiles[0],
1d31ef
 	    ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys,
1d31ef
 	    options.hash_known_hosts, 0,
1d31ef
-	    options.fingerprint_hash)) != 0)
1d31ef
+	    options.fingerprint_hash[0])) != 0)
1d31ef
 		error("%s: hostfile_replace_entries failed: %s",
1d31ef
 		    __func__, ssh_err(r));
1d31ef
 }
1d31ef
@@ -2443,7 +2443,7 @@ client_input_hostkeys(void)
1d31ef
 			error("%s: parse key: %s", __func__, ssh_err(r));
1d31ef
 			goto out;
1d31ef
 		}
1d31ef
-		fp = sshkey_fingerprint(key, options.fingerprint_hash,
1d31ef
+		fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
1d31ef
 		    SSH_FP_DEFAULT);
1d31ef
 		debug3("%s: received %s key %s", __func__,
1d31ef
 		    sshkey_type(key), fp);
1d31ef
diff -up openssh-7.4p1/readconf.c.fingerprint openssh-7.4p1/readconf.c
1d31ef
--- openssh-7.4p1/readconf.c.fingerprint	2016-12-23 15:38:50.559432393 +0100
1d31ef
+++ openssh-7.4p1/readconf.c	2016-12-23 15:38:50.565432394 +0100
1d31ef
@@ -1668,16 +1668,18 @@ parse_keytypes:
1d31ef
 		goto parse_string;
1d31ef
 
1d31ef
 	case oFingerprintHash:
1d31ef
-		intptr = &options->fingerprint_hash;
1d31ef
-		arg = strdelim(&s);
1d31ef
-		if (!arg || *arg == '\0')
1d31ef
-			fatal("%.200s line %d: Missing argument.",
1d31ef
-			    filename, linenum);
1d31ef
-		if ((value = ssh_digest_alg_by_name(arg)) == -1)
1d31ef
-			fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
1d31ef
-			    filename, linenum, arg);
1d31ef
-		if (*activep && *intptr == -1)
1d31ef
-			*intptr = value;
1d31ef
+		if (*activep && options->num_fingerprint_hash == 0)
1d31ef
+			while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1d31ef
+				value = ssh_digest_alg_by_name(arg);
1d31ef
+				if (value == -1)
1d31ef
+					fatal("%s line %d: unknown fingerprints algorithm specs: %s.",
1d31ef
+						filename, linenum, arg);
1d31ef
+				if (options->num_fingerprint_hash >= SSH_DIGEST_MAX)
1d31ef
+					fatal("%s line %d: too many fingerprints algorithm specs.",
1d31ef
+						filename, linenum);
1d31ef
+				options->fingerprint_hash[
1d31ef
+					options->num_fingerprint_hash++] = value;
1d31ef
+			}
1d31ef
 		break;
1d31ef
 
1d31ef
 	case oUpdateHostkeys:
1d31ef
@@ -1905,7 +1907,7 @@ initialize_options(Options * options)
1d31ef
 	options->canonicalize_fallback_local = -1;
1d31ef
 	options->canonicalize_hostname = -1;
1d31ef
 	options->revoked_host_keys = NULL;
1d31ef
-	options->fingerprint_hash = -1;
1d31ef
+	options->num_fingerprint_hash = 0;
1d31ef
 	options->update_hostkeys = -1;
1d31ef
 	options->hostbased_key_types = NULL;
1d31ef
 	options->pubkey_key_types = NULL;
1d31ef
@@ -2102,8 +2104,10 @@ fill_default_options(Options * options)
1d31ef
 		options->canonicalize_fallback_local = 1;
1d31ef
 	if (options->canonicalize_hostname == -1)
1d31ef
 		options->canonicalize_hostname = SSH_CANONICALISE_NO;
1d31ef
-	if (options->fingerprint_hash == -1)
1d31ef
-		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
1d31ef
+	if (options->num_fingerprint_hash == 0) {
1d31ef
+		options->fingerprint_hash[options->num_fingerprint_hash++] = SSH_DIGEST_SHA256;
1d31ef
+		options->fingerprint_hash[options->num_fingerprint_hash++] = (FIPS_mode() ? SSH_DIGEST_SHA1 : SSH_DIGEST_MD5);
1d31ef
+	}
1d31ef
 	if (options->update_hostkeys == -1)
1d31ef
 		options->update_hostkeys = 0;
1d31ef
 	if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
1d31ef
@@ -2489,6 +2493,17 @@ dump_cfg_strarray(OpCodes code, u_int co
1d31ef
 }
1d31ef
 
1d31ef
 static void
1d31ef
+dump_cfg_fmtarray(OpCodes code, u_int count, int *vals)
1d31ef
+{
1d31ef
+	u_int i;
1d31ef
+
1d31ef
+	printf("%s", lookup_opcode_name(code));
1d31ef
+	for (i = 0; i < count; i++)
1d31ef
+		printf(" %s", fmt_intarg(code, vals[i]));
1d31ef
+	printf("\n");
1d31ef
+}
1d31ef
+
1d31ef
+static void
1d31ef
 dump_cfg_strarray_oneline(OpCodes code, u_int count, char **vals)
1d31ef
 {
1d31ef
 	u_int i;
1d31ef
@@ -2564,7 +2579,6 @@ dump_client_config(Options *o, const cha
1d31ef
 	dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign);
1d31ef
 	dump_cfg_fmtint(oClearAllForwardings, o->clear_forwardings);
1d31ef
 	dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
1d31ef
-	dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash);
1d31ef
 	dump_cfg_fmtint(oForwardAgent, o->forward_agent);
1d31ef
 	dump_cfg_fmtint(oForwardX11, o->forward_x11);
1d31ef
 	dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted);
1d31ef
@@ -2634,6 +2648,7 @@ dump_client_config(Options *o, const cha
1d31ef
 	dump_cfg_strarray_oneline(oGlobalKnownHostsFile, o->num_system_hostfiles, o->system_hostfiles);
1d31ef
 	dump_cfg_strarray_oneline(oUserKnownHostsFile, o->num_user_hostfiles, o->user_hostfiles);
1d31ef
 	dump_cfg_strarray(oSendEnv, o->num_send_env, o->send_env);
1d31ef
+	dump_cfg_fmtarray(oFingerprintHash, o->num_fingerprint_hash, o->fingerprint_hash);
1d31ef
 
1d31ef
 	/* Special cases */
1d31ef
 
1d31ef
diff -up openssh-7.4p1/readconf.h.fingerprint openssh-7.4p1/readconf.h
1d31ef
--- openssh-7.4p1/readconf.h.fingerprint	2016-12-23 15:38:50.559432393 +0100
1d31ef
+++ openssh-7.4p1/readconf.h	2016-12-23 15:38:50.565432394 +0100
1d31ef
@@ -21,6 +21,7 @@
1d31ef
 #define MAX_SEND_ENV		256
1d31ef
 #define SSH_MAX_HOSTS_FILES	32
1d31ef
 #define MAX_CANON_DOMAINS	32
1d31ef
+#define MAX_SSH_DIGESTS	8
1d31ef
 #define PATH_MAX_SUN		(sizeof((struct sockaddr_un *)0)->sun_path)
1d31ef
 
1d31ef
 struct allowed_cname {
1d31ef
@@ -162,7 +163,8 @@ typedef struct {
1d31ef
 
1d31ef
 	char	*revoked_host_keys;
1d31ef
 
1d31ef
-	int	 fingerprint_hash;
1d31ef
+	int num_fingerprint_hash;
1d31ef
+	int 	fingerprint_hash[MAX_SSH_DIGESTS];
1d31ef
 
1d31ef
 	int	 update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
1d31ef
 
1d31ef
diff -up openssh-7.4p1/ssh_config.5.fingerprint openssh-7.4p1/ssh_config.5
1d31ef
--- openssh-7.4p1/ssh_config.5.fingerprint	2016-12-23 15:38:50.565432394 +0100
1d31ef
+++ openssh-7.4p1/ssh_config.5	2016-12-23 15:40:03.754444166 +0100
1d31ef
@@ -652,12 +652,13 @@ or
1d31ef
 .Cm no
1d31ef
 (the default).
1d31ef
 .It Cm FingerprintHash
1d31ef
-Specifies the hash algorithm used when displaying key fingerprints.
1d31ef
+Specifies the hash algorithms used when displaying key fingerprints.
1d31ef
 Valid options are:
1d31ef
 .Cm md5
1d31ef
 and
1d31ef
-.Cm sha256
1d31ef
-(the default).
1d31ef
+.Cm sha256 .
1d31ef
+The default is
1d31ef
+.Cm "sha256 md5".
1d31ef
 .It Cm ForwardAgent
1d31ef
 Specifies whether the connection to the authentication agent (if any)
1d31ef
 will be forwarded to the remote machine.
1d31ef
diff -up openssh-7.4p1/sshconnect2.c.fingerprint openssh-7.4p1/sshconnect2.c
1d31ef
--- openssh-7.4p1/sshconnect2.c.fingerprint	2016-12-23 15:38:50.561432394 +0100
1d31ef
+++ openssh-7.4p1/sshconnect2.c	2016-12-23 15:38:50.566432394 +0100
1d31ef
@@ -677,7 +677,7 @@ input_userauth_pk_ok(int type, u_int32_t
1d31ef
 		    key->type, pktype);
1d31ef
 		goto done;
1d31ef
 	}
1d31ef
-	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
1d31ef
+	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
1d31ef
 	    SSH_FP_DEFAULT)) == NULL)
1d31ef
 		goto done;
1d31ef
 	debug2("input_userauth_pk_ok: fp %s", fp);
1d31ef
@@ -1172,7 +1172,7 @@ sign_and_send_pubkey(Authctxt *authctxt,
1d31ef
 	int matched, ret = -1, have_sig = 1;
1d31ef
 	char *fp;
1d31ef
 
1d31ef
-	if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
1d31ef
+	if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash[0],
1d31ef
 	    SSH_FP_DEFAULT)) == NULL)
1d31ef
 		return 0;
1d31ef
 	debug3("%s: %s %s", __func__, key_type(id->key), fp);
1d31ef
@@ -1864,7 +1864,7 @@ userauth_hostbased(Authctxt *authctxt)
1d31ef
 		goto out;
1d31ef
 	}
1d31ef
 
1d31ef
-	if ((fp = sshkey_fingerprint(private, options.fingerprint_hash,
1d31ef
+	if ((fp = sshkey_fingerprint(private, options.fingerprint_hash[0],
1d31ef
 	    SSH_FP_DEFAULT)) == NULL) {
1d31ef
 		error("%s: sshkey_fingerprint failed", __func__);
1d31ef
 		goto out;
1d31ef
diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c
1d31ef
--- openssh-7.4p1/sshconnect.c.fingerprint	2016-12-19 05:59:41.000000000 +0100
1d31ef
+++ openssh-7.4p1/sshconnect.c	2016-12-23 15:38:50.566432394 +0100
1d31ef
@@ -922,9 +922,9 @@ check_host_key(char *hostname, struct so
1d31ef
 				    "of known hosts.", type, ip);
1d31ef
 		} else if (options.visual_host_key) {
1d31ef
 			fp = sshkey_fingerprint(host_key,
1d31ef
-			    options.fingerprint_hash, SSH_FP_DEFAULT);
1d31ef
+			    options.fingerprint_hash[0], SSH_FP_DEFAULT);
1d31ef
 			ra = sshkey_fingerprint(host_key,
1d31ef
-			    options.fingerprint_hash, SSH_FP_RANDOMART);
1d31ef
+			    options.fingerprint_hash[0], SSH_FP_RANDOMART);
1d31ef
 			if (fp == NULL || ra == NULL)
1d31ef
 				fatal("%s: sshkey_fingerprint fail", __func__);
1d31ef
 			logit("Host key fingerprint is %s\n%s", fp, ra);
1d31ef
@@ -966,12 +966,6 @@ check_host_key(char *hostname, struct so
1d31ef
 			else
1d31ef
 				snprintf(msg1, sizeof(msg1), ".");
1d31ef
 			/* The default */
1d31ef
-			fp = sshkey_fingerprint(host_key,
1d31ef
-			    options.fingerprint_hash, SSH_FP_DEFAULT);
1d31ef
-			ra = sshkey_fingerprint(host_key,
1d31ef
-			    options.fingerprint_hash, SSH_FP_RANDOMART);
1d31ef
-			if (fp == NULL || ra == NULL)
1d31ef
-				fatal("%s: sshkey_fingerprint fail", __func__);
1d31ef
 			msg2[0] = '\0';
1d31ef
 			if (options.verify_host_key_dns) {
1d31ef
 				if (matching_host_key_dns)
1d31ef
@@ -985,16 +979,28 @@ check_host_key(char *hostname, struct so
1d31ef
 			}
1d31ef
 			snprintf(msg, sizeof(msg),
1d31ef
 			    "The authenticity of host '%.200s (%s)' can't be "
1d31ef
-			    "established%s\n"
1d31ef
-			    "%s key fingerprint is %s.%s%s\n%s"
1d31ef
+			    "established%s\n", host, ip, msg1);
1d31ef
+			for (i = 0; i < (u_int) options.num_fingerprint_hash; i++) {
1d31ef
+				fp = sshkey_fingerprint(host_key,
1d31ef
+				    options.fingerprint_hash[i], SSH_FP_DEFAULT);
1d31ef
+				ra = sshkey_fingerprint(host_key,
1d31ef
+				    options.fingerprint_hash[i], SSH_FP_RANDOMART);
1d31ef
+				if (fp == NULL || ra == NULL)
1d31ef
+					fatal("%s: sshkey_fingerprint fail", __func__);
1d31ef
+				len = strlen(msg);
1d31ef
+				snprintf(msg+len, sizeof(msg)-len,
1d31ef
+				    "%s key fingerprint is %s.%s%s\n%s",
1d31ef
+				    type, fp,
1d31ef
+				    options.visual_host_key ? "\n" : "",
1d31ef
+				    options.visual_host_key ? ra : "",
1d31ef
+				    msg2);
1d31ef
+				free(ra);
1d31ef
+				free(fp);
1d31ef
+			}
1d31ef
+			len = strlen(msg);
1d31ef
+			snprintf(msg+len, sizeof(msg)-len,
1d31ef
 			    "Are you sure you want to continue connecting "
1d31ef
-			    "(yes/no)? ",
1d31ef
-			    host, ip, msg1, type, fp,
1d31ef
-			    options.visual_host_key ? "\n" : "",
1d31ef
-			    options.visual_host_key ? ra : "",
1d31ef
-			    msg2);
1d31ef
-			free(ra);
1d31ef
-			free(fp);
1d31ef
+			    "(yes/no)? ");
1d31ef
 			if (!confirm(msg))
1d31ef
 				goto fail;
1d31ef
 			hostkey_trusted = 1; /* user explicitly confirmed */
1d31ef
@@ -1244,7 +1250,7 @@ verify_host_key(char *host, struct socka
1d31ef
 	struct sshkey *plain = NULL;
1d31ef
 
1d31ef
 	if ((fp = sshkey_fingerprint(host_key,
1d31ef
-	    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
1d31ef
+	    options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
1d31ef
 		error("%s: fingerprint host key: %s", __func__, ssh_err(r));
1d31ef
 		r = -1;
1d31ef
 		goto out;
1d31ef
@@ -1252,7 +1258,7 @@ verify_host_key(char *host, struct socka
1d31ef
 
1d31ef
 	if (sshkey_is_cert(host_key)) {
1d31ef
 		if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
1d31ef
-		    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
1d31ef
+		    options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
1d31ef
 			error("%s: fingerprint CA key: %s",
1d31ef
 			    __func__, ssh_err(r));
1d31ef
 			r = -1;
1d31ef
@@ -1432,9 +1438,9 @@ show_other_keys(struct hostkeys *hostkey
1d31ef
 		if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
1d31ef
 			continue;
1d31ef
 		fp = sshkey_fingerprint(found->key,
1d31ef
-		    options.fingerprint_hash, SSH_FP_DEFAULT);
1d31ef
+		    options.fingerprint_hash[0], SSH_FP_DEFAULT);
1d31ef
 		ra = sshkey_fingerprint(found->key,
1d31ef
-		    options.fingerprint_hash, SSH_FP_RANDOMART);
1d31ef
+		    options.fingerprint_hash[0], SSH_FP_RANDOMART);
1d31ef
 		if (fp == NULL || ra == NULL)
1d31ef
 			fatal("%s: sshkey_fingerprint fail", __func__);
1d31ef
 		logit("WARNING: %s key found for host %s\n"
1d31ef
@@ -1457,7 +1463,7 @@ warn_changed_key(Key *host_key)
1d31ef
 {
1d31ef
 	char *fp;
1d31ef
 
1d31ef
-	fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
1d31ef
+	fp = sshkey_fingerprint(host_key, options.fingerprint_hash[0],
1d31ef
 	    SSH_FP_DEFAULT);
1d31ef
 	if (fp == NULL)
1d31ef
 		fatal("%s: sshkey_fingerprint fail", __func__);
1d31ef
diff -up openssh-7.4p1/ssh-keysign.c.fingerprint openssh-7.4p1/ssh-keysign.c
1d31ef
--- openssh-7.4p1/ssh-keysign.c.fingerprint	2016-12-19 05:59:41.000000000 +0100
1d31ef
+++ openssh-7.4p1/ssh-keysign.c	2016-12-23 15:38:50.566432394 +0100
1d31ef
@@ -285,7 +285,7 @@ main(int argc, char **argv)
1d31ef
 		}
1d31ef
 	}
1d31ef
 	if (!found) {
1d31ef
-		if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
1d31ef
+		if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
1d31ef
 		    SSH_FP_DEFAULT)) == NULL)
1d31ef
 			fatal("%s: sshkey_fingerprint failed", __progname);
1d31ef
 		fatal("no matching hostkey found for key %s %s",