rcolebaugh / rpms / openssh

Forked from rpms/openssh 2 years ago
Clone
Source Code
GIT

Blame openssh-6.7p1-fingerprint.patch

c10s-sig-hyperscale c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale
  1.   6c6416dc9d71d728ec2ccbb814fa74fc126d5866
  2.   openssh-6.7p1-fingerprint.patch
Blob History Raw
Petr Lautrbach 190035 
diff --git a/auth-rsa.c b/auth-rsa.c
Petr Lautrbach 190035 
index e9f4ede..ff7a132 100644
Petr Lautrbach 190035 
--- a/auth-rsa.c
Petr Lautrbach 190035 
+++ b/auth-rsa.c
Petr Lautrbach 190035 
@@ -1,4 +1,4 @@
Petr Lautrbach 190035 
-/* $OpenBSD: auth-rsa.c,v 1.88 2014/07/15 15:54:14 millert Exp $ */
Petr Lautrbach 190035 
+/* $OpenBSD: auth-rsa.c,v 1.89 2014/12/21 22:27:56 djm Exp $ */
Petr Lautrbach 190035 
 /*
Petr Lautrbach 190035 
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
Petr Lautrbach 190035 
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
Petr Lautrbach 190035 
@@ -236,7 +236,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
Petr Lautrbach 190035 
 			    "actual %d vs. announced %d.",
Petr Lautrbach 190035 
 			    file, linenum, BN_num_bits(key->rsa->n), bits);
Petr Lautrbach 190035
Petr Lautrbach 190035 
-		fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
+		fp = key_fingerprint(key, options.fingerprint_hash,
Petr Lautrbach 190035 
+		    SSH_FP_DEFAULT);
Petr Lautrbach 190035 
 		debug("matching key found: file %s, line %lu %s %s",
Petr Lautrbach 190035 
 		    file, linenum, key_type(key), fp);
Petr Lautrbach 190035 
 		free(fp);
Petr Lautrbach 190035 
diff --git a/auth.c b/auth.c
Petr Lautrbach 190035 
index 5e60682..5a9acd3 100644
Petr Lautrbach 190035 
--- a/auth.c
Petr Lautrbach 190035 
+++ b/auth.c
Petr Lautrbach 190035 
@@ -702,7 +702,7 @@ auth_key_is_revoked(Key *key)
Petr Lautrbach 190035 
 	case 1:
Petr Lautrbach 190035 
  revoked:
Petr Lautrbach 190035 
 		/* Key revoked */
Petr Lautrbach 190035 
-		key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
+		key_fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
Petr Lautrbach 190035 
 		error("WARNING: authentication attempt with a revoked "
Petr Lautrbach 190035 
 		    "%s key %s ", key_type(key), key_fp);
Petr Lautrbach 190035 
 		free(key_fp);
Petr Lautrbach 190035 
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
Petr Lautrbach 190035 
index 6787e4c..b7ae353 100644
Petr Lautrbach 190035 
--- a/auth2-hostbased.c
Petr Lautrbach 190035 
+++ b/auth2-hostbased.c
Petr Lautrbach b457c9 
@@ -1,4 +1,4 @@
Petr Lautrbach b457c9 
-/* $OpenBSD: auth2-hostbased.c,v 1.18 2014/07/15 15:54:14 millert Exp $ */
Petr Lautrbach b457c9 
+/* $OpenBSD: auth2-hostbased.c,v 1.19 2014/12/21 22:27:56 djm Exp $ */
Petr Lautrbach b457c9 
 /*
Petr Lautrbach b457c9 
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
Petr Lautrbach b457c9 
  *
Petr Lautrbach 190035 
@@ -208,13 +208,14 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
Petr Lautrbach b457c9 
 	if (host_status == HOST_OK) {
Petr Lautrbach b457c9 
 		if (key_is_cert(key)) {
Petr Lautrbach b457c9 
 			fp = key_fingerprint(key->cert->signature_key,
Petr Lautrbach b457c9 
-			    SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach b457c9 
+			    options.fingerprint_hash, SSH_FP_DEFAULT);
Petr Lautrbach b457c9 
 			verbose("Accepted certificate ID \"%s\" signed by "
Petr Lautrbach b457c9 
 			    "%s CA %s from %s@%s", key->cert->key_id,
Petr Lautrbach b457c9 
 			    key_type(key->cert->signature_key), fp,
Petr Lautrbach b457c9 
 			    cuser, lookup);
Petr Lautrbach b457c9 
 		} else {
Petr Lautrbach b457c9 
-			fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach b457c9 
+			fp = key_fingerprint(key, options.fingerprint_hash,
Petr Lautrbach b457c9 
+			    SSH_FP_DEFAULT);
Petr Lautrbach b457c9 
 			verbose("Accepted %s public key %s from %s@%s",
Petr Lautrbach b457c9 
 			    key_type(key), fp, cuser, lookup);
Petr Lautrbach b457c9 
 		}
Petr Lautrbach 190035 
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
Petr Lautrbach 190035 
index f3ca965..3f4f789 100644
Petr Lautrbach 190035 
--- a/auth2-pubkey.c
Petr Lautrbach 190035 
+++ b/auth2-pubkey.c
Petr Lautrbach 190035 
@@ -213,7 +213,7 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 	if (key_is_cert(key)) {
Petr Lautrbach b457c9 
 		fp = key_fingerprint(key->cert->signature_key,
Petr Lautrbach b457c9 
-		    SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach b457c9 
+		    options.fingerprint_hash, SSH_FP_DEFAULT);
Petr Lautrbach b457c9 
 		auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
Petr Lautrbach b457c9 
 		    key_type(key), key->cert->key_id,
Petr Lautrbach b457c9 
 		    (unsigned long long)key->cert->serial,
Petr Lautrbach 190035 
@@ -221,7 +221,8 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
Petr Lautrbach b457c9 
 		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
Petr Lautrbach b457c9 
 		free(fp);
Petr Lautrbach b457c9 
 	} else {
Petr Lautrbach b457c9 
-		fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach b457c9 
+		fp = key_fingerprint(key, options.fingerprint_hash,
Petr Lautrbach b457c9 
+		    SSH_FP_DEFAULT);
Petr Lautrbach b457c9 
 		auth_info(authctxt, "%s %s%s%s", key_type(key), fp,
Petr Lautrbach b457c9 
 		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
Petr Lautrbach b457c9 
 		free(fp);
Petr Lautrbach 190035 
@@ -365,8 +366,8 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
Petr Lautrbach b457c9 
 				continue;
Petr Lautrbach b457c9 
 			if (!key_is_cert_authority)
Petr Lautrbach b457c9 
 				continue;
Petr Lautrbach b457c9 
-			fp = key_fingerprint(found, SSH_FP_MD5,
Petr Lautrbach b457c9 
-			    SSH_FP_HEX);
Petr Lautrbach b457c9 
+			fp = key_fingerprint(found, options.fingerprint_hash,
Petr Lautrbach b457c9 
+			    SSH_FP_DEFAULT);
Petr Lautrbach b457c9 
 			debug("matching CA found: file %s, line %lu, %s %s",
Petr Lautrbach b457c9 
 			    file, linenum, key_type(found), fp);
Petr Lautrbach b457c9 
 			/*
Petr Lautrbach 190035 
@@ -406,7 +407,8 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
Petr Lautrbach b457c9 
 			if (key_is_cert_authority)
Petr Lautrbach b457c9 
 				continue;
Petr Lautrbach b457c9 
 			found_key = 1;
Petr Lautrbach b457c9 
-			fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach b457c9 
+			fp = key_fingerprint(found, options.fingerprint_hash,
Petr Lautrbach b457c9 
+			    SSH_FP_DEFAULT);
Petr Lautrbach b457c9 
 			debug("matching key found: file %s, line %lu %s %s",
Petr Lautrbach b457c9 
 			    file, linenum, key_type(found), fp);
Petr Lautrbach b457c9 
 			free(fp);
Petr Lautrbach 190035 
@@ -432,7 +434,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
Petr Lautrbach b457c9 
 		return 0;
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 	ca_fp = key_fingerprint(key->cert->signature_key,
Petr Lautrbach b457c9 
-	    SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach b457c9 
+	    options.fingerprint_hash, SSH_FP_DEFAULT);
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 	if (key_in_file(key->cert->signature_key,
Petr Lautrbach b457c9 
 	    options.trusted_user_ca_keys, 1) != 1) {
Petr Lautrbach 190035 
diff --git a/digest-libc.c b/digest-libc.c
Petr Lautrbach 190035 
index 1b4423a..169ded0 100644
Petr Lautrbach 190035 
--- a/digest-libc.c
Petr Lautrbach 190035 
+++ b/digest-libc.c
Petr Lautrbach b457c9 
@@ -1,4 +1,4 @@
Petr Lautrbach b457c9 
-/* $OpenBSD: digest-libc.c,v 1.3 2014/06/24 01:13:21 djm Exp $ */
Petr Lautrbach b457c9 
+/* $OpenBSD: digest-libc.c,v 1.4 2014/12/21 22:27:56 djm Exp $ */
Petr Lautrbach b457c9 
 /*
Petr Lautrbach b457c9 
  * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
Petr Lautrbach b457c9 
  * Copyright (c) 2014 Markus Friedl.  All rights reserved.
Petr Lautrbach b457c9 
@@ -126,6 +126,26 @@ ssh_digest_by_alg(int alg)
Petr Lautrbach b457c9 
 	return &(digests[alg]);
Petr Lautrbach b457c9 
 }
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
+int
Petr Lautrbach b457c9 
+ssh_digest_alg_by_name(const char *name)
Petr Lautrbach b457c9 
+{
Petr Lautrbach b457c9 
+	int alg;
Petr Lautrbach b457c9 
+
Petr Lautrbach b457c9 
+	for (alg = 0; alg < SSH_DIGEST_MAX; alg++) {
Petr Lautrbach b457c9 
+		if (strcasecmp(name, digests[alg].name) == 0)
Petr Lautrbach b457c9 
+			return digests[alg].id;
Petr Lautrbach b457c9 
+	}
Petr Lautrbach b457c9 
+	return -1;
Petr Lautrbach b457c9 
+}
Petr Lautrbach b457c9 
+
Petr Lautrbach b457c9 
+const char *
Petr Lautrbach b457c9 
+ssh_digest_alg_name(int alg)
Petr Lautrbach b457c9 
+{
Petr Lautrbach b457c9 
+	const struct ssh_digest *digest = ssh_digest_by_alg(alg);
Petr Lautrbach b457c9 
+
Petr Lautrbach b457c9 
+	return digest == NULL ? NULL : digest->name;
Petr Lautrbach b457c9 
+}
Petr Lautrbach b457c9 
+
Petr Lautrbach b457c9 
 size_t
Petr Lautrbach b457c9 
 ssh_digest_bytes(int alg)
Petr Lautrbach b457c9 
 {
Petr Lautrbach 190035 
diff --git a/digest-openssl.c b/digest-openssl.c
Petr Lautrbach 190035 
index 02b1703..bb58ff2 100644
Petr Lautrbach 190035 
--- a/digest-openssl.c
Petr Lautrbach 190035 
+++ b/digest-openssl.c
Petr Lautrbach b457c9 
@@ -1,4 +1,4 @@
Petr Lautrbach b457c9 
-/* $OpenBSD: digest-openssl.c,v 1.4 2014/07/03 03:26:43 djm Exp $ */
Petr Lautrbach b457c9 
+/* $OpenBSD: digest-openssl.c,v 1.5 2014/12/21 22:27:56 djm Exp $ */
Petr Lautrbach b457c9 
 /*
Petr Lautrbach b457c9 
  * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
Petr Lautrbach b457c9 
  *
Petr Lautrbach b457c9 
@@ -74,6 +74,26 @@ ssh_digest_by_alg(int alg)
Petr Lautrbach b457c9 
 	return &(digests[alg]);
Petr Lautrbach b457c9 
 }
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
+int
Petr Lautrbach b457c9 
+ssh_digest_alg_by_name(const char *name)
Petr Lautrbach b457c9 
+{
Petr Lautrbach b457c9 
+	int alg;
Petr Lautrbach b457c9 
+
Petr Lautrbach b457c9 
+	for (alg = 0; digests[alg].id != -1; alg++) {
Petr Lautrbach b457c9 
+		if (strcasecmp(name, digests[alg].name) == 0)
Petr Lautrbach b457c9 
+			return digests[alg].id;
Petr Lautrbach b457c9 
+	}
Petr Lautrbach b457c9 
+	return -1;
Petr Lautrbach b457c9 
+}
Petr Lautrbach b457c9 
+
Petr Lautrbach b457c9 
+const char *
Petr Lautrbach b457c9 
+ssh_digest_alg_name(int alg)
Petr Lautrbach b457c9 
+{
Petr Lautrbach b457c9 
+	const struct ssh_digest *digest = ssh_digest_by_alg(alg);
Petr Lautrbach b457c9 
+
Petr Lautrbach b457c9 
+	return digest == NULL ? NULL : digest->name;
Petr Lautrbach b457c9 
+}
Petr Lautrbach b457c9 
+
Petr Lautrbach b457c9 
 size_t
Petr Lautrbach b457c9 
 ssh_digest_bytes(int alg)
Petr Lautrbach b457c9 
 {
Petr Lautrbach 190035 
diff --git a/digest.h b/digest.h
Petr Lautrbach 190035 
index 6afb197..3fe0734 100644
Petr Lautrbach 190035 
--- a/digest.h
Petr Lautrbach 190035 
+++ b/digest.h
Petr Lautrbach 190035 
@@ -1,4 +1,4 @@
Petr Lautrbach 190035 
-/* $OpenBSD: digest.h,v 1.6 2014/07/03 04:36:45 djm Exp $ */
Petr Lautrbach 190035 
+/* $OpenBSD: digest.h,v 1.7 2014/12/21 22:27:56 djm Exp $ */
Petr Lautrbach 190035 
 /*
Petr Lautrbach 190035 
  * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
Petr Lautrbach 190035 
  *
Petr Lautrbach 190035 
@@ -33,6 +33,12 @@
Petr Lautrbach 190035 
 struct sshbuf;
Petr Lautrbach 190035 
 struct ssh_digest_ctx;
Petr Lautrbach 190035
Petr Lautrbach 190035 
+/* Looks up a digest algorithm by name */
Petr Lautrbach 190035 
+int ssh_digest_alg_by_name(const char *name);
Petr Lautrbach 190035 
+
Petr Lautrbach 190035 
+/* Returns the algorithm name for a digest identifier */
Petr Lautrbach 190035 
+const char *ssh_digest_alg_name(int alg);
Petr Lautrbach 190035 
+
Petr Lautrbach 190035 
 /* Returns the algorithm's digest length in bytes or 0 for invalid algorithm */
Petr Lautrbach 190035 
 size_t ssh_digest_bytes(int alg);
Petr Lautrbach 190035
Petr Lautrbach 190035 
diff --git a/dns.c b/dns.c
Petr Lautrbach 190035 
index c4d073c..4b8ae44 100644
Petr Lautrbach 190035 
--- a/dns.c
Petr Lautrbach 190035 
+++ b/dns.c
Petr Lautrbach b457c9 
@@ -1,4 +1,4 @@
Petr Lautrbach b457c9 
-/* $OpenBSD: dns.c,v 1.31 2014/06/24 01:13:21 djm Exp $ */
Petr Lautrbach b457c9 
+/* $OpenBSD: dns.c,v 1.32 2014/12/21 22:27:56 djm Exp $ */
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 /*
Petr Lautrbach b457c9 
  * Copyright (c) 2003 Wesley Griffin. All rights reserved.
Petr Lautrbach b457c9 
@@ -41,6 +41,7 @@
Petr Lautrbach b457c9 
 #include "key.h"
Petr Lautrbach b457c9 
 #include "dns.h"
Petr Lautrbach b457c9 
 #include "log.h"
Petr Lautrbach b457c9 
+#include "digest.h"
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 static const char *errset_text[] = {
Petr Lautrbach b457c9 
 	"success",		/* 0 ERRSET_SUCCESS */
Petr Lautrbach 190035 
@@ -80,7 +81,7 @@ dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
Petr Lautrbach b457c9 
     u_char **digest, u_int *digest_len, Key *key)
Petr Lautrbach b457c9 
 {
Petr Lautrbach b457c9 
 	int success = 0;
Petr Lautrbach b457c9 
-	enum fp_type fp_type = 0;
Petr Lautrbach b457c9 
+	int fp_alg = -1;
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 	switch (key->type) {
Petr Lautrbach b457c9 
 	case KEY_RSA:
Petr Lautrbach 190035 
@@ -110,17 +111,17 @@ dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 	switch (*digest_type) {
Petr Lautrbach b457c9 
 	case SSHFP_HASH_SHA1:
Petr Lautrbach b457c9 
-		fp_type = SSH_FP_SHA1;
Petr Lautrbach b457c9 
+		fp_alg = SSH_DIGEST_SHA1;
Petr Lautrbach b457c9 
 		break;
Petr Lautrbach b457c9 
 	case SSHFP_HASH_SHA256:
Petr Lautrbach b457c9 
-		fp_type = SSH_FP_SHA256;
Petr Lautrbach b457c9 
+		fp_alg = SSH_DIGEST_SHA256;
Petr Lautrbach b457c9 
 		break;
Petr Lautrbach b457c9 
 	default:
Petr Lautrbach b457c9 
 		*digest_type = SSHFP_HASH_RESERVED; /* 0 */
Petr Lautrbach b457c9 
 	}
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 	if (*algorithm && *digest_type) {
Petr Lautrbach b457c9 
-		*digest = key_fingerprint_raw(key, fp_type, digest_len);
Petr Lautrbach b457c9 
+		*digest = key_fingerprint_raw(key, fp_alg, digest_len);
Petr Lautrbach b457c9 
 		if (*digest == NULL)
Petr Lautrbach b457c9 
 			fatal("dns_read_key: null from key_fingerprint_raw()");
Petr Lautrbach b457c9 
 		success = 1;
Petr Lautrbach 190035 
diff --git a/key.c b/key.c
Petr Lautrbach 190035 
index 2060761..780be1c 100644
Petr Lautrbach 190035 
--- a/key.c
Petr Lautrbach 190035 
+++ b/key.c
Petr Lautrbach b457c9 
@@ -40,8 +40,7 @@ key_new_private(int type)
Petr Lautrbach b457c9 
 }
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 u_char*
Petr Lautrbach b457c9 
-key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
Petr Lautrbach b457c9 
-    u_int *dgst_raw_length)
Petr Lautrbach b457c9 
+key_fingerprint_raw(const Key *k, int dgst_alg, u_int *dgst_raw_length)
Petr Lautrbach b457c9 
 {
Petr Lautrbach b457c9 
 	u_char *ret = NULL;
Petr Lautrbach b457c9 
 	size_t dlen;
Petr Lautrbach 190035 
@@ -49,7 +48,7 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 	if (dgst_raw_length != NULL)
Petr Lautrbach b457c9 
 		*dgst_raw_length = 0;
Petr Lautrbach b457c9 
-	if ((r = sshkey_fingerprint_raw(k, dgst_type, &ret, &dlen)) != 0)
Petr Lautrbach b457c9 
+	if ((r = sshkey_fingerprint_raw(k, dgst_alg, &ret, &dlen)) != 0)
Petr Lautrbach b457c9 
 		fatal("%s: %s", __func__, ssh_err(r));
Petr Lautrbach b457c9 
 	if (dlen > INT_MAX)
Petr Lautrbach b457c9 
 		fatal("%s: giant len %zu", __func__, dlen);
Petr Lautrbach 190035 
diff --git a/key.h b/key.h
Petr Lautrbach 190035 
index c6401a5..e1a3625 100644
Petr Lautrbach 190035 
--- a/key.h
Petr Lautrbach 190035 
+++ b/key.h
Petr Lautrbach b457c9 
@@ -67,7 +67,7 @@ void	 key_add_private(Key *);
Petr Lautrbach b457c9 
 Key	*key_new_private(int);
Petr Lautrbach b457c9 
 void	 key_free(Key *);
Petr Lautrbach b457c9 
 Key	*key_demote(const Key *);
Petr Lautrbach b457c9 
-u_char	*key_fingerprint_raw(const Key *, enum fp_type, u_int *);
Petr Lautrbach b457c9 
+u_char	*key_fingerprint_raw(const Key *, int, u_int *);
Petr Lautrbach b457c9 
 int	 key_write(const Key *, FILE *);
Petr Lautrbach b457c9 
 int	 key_read(Key *, char **);
Petr Lautrbach b457c9
Petr Lautrbach 190035 
diff --git a/krl.c b/krl.c
Petr Lautrbach 190035 
index eb31df9..4abed7e 100644
Petr Lautrbach 190035 
--- a/krl.c
Petr Lautrbach 190035 
+++ b/krl.c
Petr Lautrbach b457c9 
@@ -36,6 +36,7 @@
Petr Lautrbach b457c9 
 #include "misc.h"
Petr Lautrbach b457c9 
 #include "log.h"
Petr Lautrbach b457c9 
 #include "xmalloc.h"
Petr Lautrbach b457c9 
+#include "digest.h"
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 #include "krl.h"
Petr Lautrbach b457c9
Petr Lautrbach 190035 
@@ -406,7 +407,7 @@ ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const Key *key)
Petr Lautrbach b457c9 
 	u_int len;
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 	debug3("%s: revoke type %s by sha1", __func__, key_type(key));
Petr Lautrbach b457c9 
-	if ((blob = key_fingerprint_raw(key, SSH_FP_SHA1, &len)) == NULL)
Petr Lautrbach b457c9 
+	if ((blob = key_fingerprint_raw(key, SSH_DIGEST_SHA1, &len)) == NULL)
Petr Lautrbach b457c9 
 		return -1;
Petr Lautrbach b457c9 
 	return revoke_blob(&krl->revoked_sha1s, blob, len);
Petr Lautrbach b457c9 
 }
Petr Lautrbach 190035 
@@ -1119,7 +1120,7 @@ is_key_revoked(struct ssh_krl *krl, const Key *key)
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 	/* Check explicitly revoked hashes first */
Petr Lautrbach b457c9 
 	memset(&rb, 0, sizeof(rb));
Petr Lautrbach b457c9 
-	if ((rb.blob = key_fingerprint_raw(key, SSH_FP_SHA1, &rb.len)) == NULL)
Petr Lautrbach b457c9 
+	if ((rb.blob = key_fingerprint_raw(key, SSH_DIGEST_SHA1, &rb.len)) == NULL)
Petr Lautrbach b457c9 
 		return -1;
Petr Lautrbach b457c9 
 	erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
Petr Lautrbach b457c9 
 	free(rb.blob);
Petr Lautrbach 190035 
diff --git a/readconf.c b/readconf.c
Petr Lautrbach 190035 
index 7948ce1..3f5c58b 100644
Petr Lautrbach 190035 
--- a/readconf.c
Petr Lautrbach 190035 
+++ b/readconf.c
Petr Lautrbach b457c9 
@@ -56,6 +56,7 @@
Petr Lautrbach b457c9 
 #include "kex.h"
Petr Lautrbach b457c9 
 #include "mac.h"
Petr Lautrbach b457c9 
 #include "uidswap.h"
Petr Lautrbach b457c9 
+#include "digest.h"
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 /* Format of the configuration file:
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
@@ -151,6 +152,7 @@ typedef enum {
Petr Lautrbach b457c9 
 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
Petr Lautrbach b457c9 
 	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
Petr Lautrbach b457c9 
 	oStreamLocalBindMask, oStreamLocalBindUnlink,
Petr Lautrbach b457c9 
+	oFingerprintHash,
Petr Lautrbach b457c9 
 	oIgnoredUnknownOption, oDeprecated, oUnsupported
Petr Lautrbach b457c9 
 } OpCodes;
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
@@ -265,6 +267,7 @@ static struct {
Petr Lautrbach b457c9 
 	{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
Petr Lautrbach b457c9 
 	{ "streamlocalbindmask", oStreamLocalBindMask },
Petr Lautrbach b457c9 
 	{ "streamlocalbindunlink", oStreamLocalBindUnlink },
Petr Lautrbach b457c9 
+	{ "fingerprinthash", oFingerprintHash },
Petr Lautrbach b457c9 
 	{ "ignoreunknown", oIgnoreUnknown },
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 	{ NULL, oBadOption }
Petr Lautrbach 190035 
@@ -1433,6 +1436,18 @@ parse_int:
Petr Lautrbach b457c9 
 		intptr = &options->fwd_opts.streamlocal_bind_unlink;
Petr Lautrbach b457c9 
 		goto parse_flag;
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
+	case oFingerprintHash:
Petr Lautrbach b457c9 
+		arg = strdelim(&s);
Petr Lautrbach b457c9 
+		if (!arg || *arg == '\0')
Petr Lautrbach b457c9 
+			fatal("%.200s line %d: Missing argument.",
Petr Lautrbach b457c9 
+			    filename, linenum);
Petr Lautrbach b457c9 
+		if ((value = ssh_digest_alg_by_name(arg)) == -1)
Petr Lautrbach b457c9 
+			fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
Petr Lautrbach b457c9 
+			    filename, linenum, arg);
Petr Lautrbach b457c9 
+		if (*activep)
Petr Lautrbach b457c9 
+			options->fingerprint_hash = value;
Petr Lautrbach b457c9 
+		break;
Petr Lautrbach b457c9 
+
Petr Lautrbach b457c9 
 	case oDeprecated:
Petr Lautrbach b457c9 
 		debug("%s line %d: Deprecated option \"%s\"",
Petr Lautrbach b457c9 
 		    filename, linenum, keyword);
Petr Lautrbach 190035 
@@ -1609,6 +1624,7 @@ initialize_options(Options * options)
Petr Lautrbach b457c9 
 	options->canonicalize_max_dots = -1;
Petr Lautrbach b457c9 
 	options->canonicalize_fallback_local = -1;
Petr Lautrbach b457c9 
 	options->canonicalize_hostname = -1;
Petr Lautrbach b457c9 
+	options->fingerprint_hash = -1;
Petr Lautrbach b457c9 
 }
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 /*
Petr Lautrbach 190035 
@@ -1786,6 +1802,9 @@ fill_default_options(Options * options)
Petr Lautrbach b457c9 
 		options->canonicalize_fallback_local = 1;
Petr Lautrbach b457c9 
 	if (options->canonicalize_hostname == -1)
Petr Lautrbach b457c9 
 		options->canonicalize_hostname = SSH_CANONICALISE_NO;
Petr Lautrbach b457c9 
+	if (options->fingerprint_hash == -1)
Petr Lautrbach b457c9 
+		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
Petr Lautrbach b457c9 
+
Petr Lautrbach b457c9 
 #define CLEAR_ON_NONE(v) \
Petr Lautrbach b457c9 
 	do { \
Petr Lautrbach b457c9 
 		if (option_clear_or_none(v)) { \
Petr Lautrbach 190035 
diff --git a/readconf.h b/readconf.h
Petr Lautrbach 190035 
index 0b9cb77..a028306 100644
Petr Lautrbach 190035 
--- a/readconf.h
Petr Lautrbach 190035 
+++ b/readconf.h
Petr Lautrbach b457c9 
@@ -144,6 +144,8 @@ typedef struct {
Petr Lautrbach b457c9 
 	int	num_permitted_cnames;
Petr Lautrbach b457c9 
 	struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS];
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
+	int	fingerprint_hash;
Petr Lautrbach b457c9 
+
Petr Lautrbach b457c9 
 	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
Petr Lautrbach b457c9 
 }       Options;
Petr Lautrbach b457c9
Petr Lautrbach 190035 
diff --git a/regress/Makefile b/regress/Makefile
Petr Lautrbach 190035 
index 3feb7a9..2905a0d 100644
Petr Lautrbach 190035 
--- a/regress/Makefile
Petr Lautrbach 190035 
+++ b/regress/Makefile
Petr Lautrbach 190035 
@@ -1,6 +1,6 @@
Petr Lautrbach 190035 
-#	$OpenBSD: Makefile,v 1.70 2014/06/24 01:14:17 djm Exp $
Petr Lautrbach 190035 
+#	$OpenBSD: Makefile,v 1.71 2014/12/22 02:15:52 djm Exp $
Petr Lautrbach 190035
Petr Lautrbach 190035 
-REGRESS_TARGETS=	unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t-exec
Petr Lautrbach 190035 
+REGRESS_TARGETS=	unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t-exec
Petr Lautrbach 190035 
 tests:		$(REGRESS_TARGETS)
Petr Lautrbach 190035
Petr Lautrbach 190035 
 # Interop tests are not run by default
Petr Lautrbach 190035 
@@ -119,7 +119,7 @@ t3:
Petr Lautrbach 190035 
 	${TEST_SSH_SSHKEYGEN} -if $(OBJ)/t3.out | diff - ${.CURDIR}/rsa_openssh.pub
Petr Lautrbach 190035
Petr Lautrbach 190035 
 t4:
Petr Lautrbach 190035 
-	${TEST_SSH_SSHKEYGEN} -lf ${.CURDIR}/rsa_openssh.pub |\
Petr Lautrbach 190035 
+	${TEST_SSH_SSHKEYGEN} -E md5 -lf ${.CURDIR}/rsa_openssh.pub |\
Petr Lautrbach 190035 
 		awk '{print $$2}' | diff - ${.CURDIR}/t4.ok
Petr Lautrbach 190035
Petr Lautrbach 190035 
 t5:
Petr Lautrbach 190035 
@@ -164,6 +164,10 @@ t10: $(OBJ)/t10.out
Petr Lautrbach 190035 
 	${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t10.out > /dev/null
Petr Lautrbach 190035 
 	${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t10.out > /dev/null
Petr Lautrbach 190035
Petr Lautrbach 190035 
+t11:
Petr Lautrbach 190035 
+	${TEST_SSH_SSHKEYGEN} -E sha256 -lf ${.CURDIR}/rsa_openssh.pub |\
Petr Lautrbach 190035 
+		awk '{print $$2}' | diff - ${.CURDIR}/t11.ok
Petr Lautrbach 190035 
+
Petr Lautrbach 190035 
 t-exec:	${LTESTS:=.sh}
Petr Lautrbach 190035 
 	@if [ "x$?" = "x" ]; then exit 0; fi; \
Petr Lautrbach 190035 
 	for TEST in ""$?; do \
Petr Lautrbach 190035 
diff --git a/regress/t11.ok b/regress/t11.ok
Petr Lautrbach 190035 
new file mode 100644
Petr Lautrbach 190035 
index 0000000..1925bb4
Petr Lautrbach 190035 
--- /dev/null
Petr Lautrbach 190035 
+++ b/regress/t11.ok
Petr Lautrbach 190035 
@@ -0,0 +1 @@
Petr Lautrbach 190035 
+SHA256:4w1rnrek3klTJOTVhwuCIFd5k+pq9Bfo5KTxxb8BqbY
Petr Lautrbach 190035 
diff --git a/regress/t4.ok b/regress/t4.ok
Petr Lautrbach 190035 
index 8c4942b..4631ea8 100644
Petr Lautrbach 190035 
--- a/regress/t4.ok
Petr Lautrbach 190035 
+++ b/regress/t4.ok
Petr Lautrbach 190035 
@@ -1 +1 @@
Petr Lautrbach 190035 
-3b:dd:44:e9:49:18:84:95:f1:e7:33:6b:9d:93:b1:36
Petr Lautrbach 190035 
+MD5:3b:dd:44:e9:49:18:84:95:f1:e7:33:6b:9d:93:b1:36
Petr Lautrbach 190035 
diff --git a/regress/unittests/sshkey/test_file.c b/regress/unittests/sshkey/test_file.c
Petr Lautrbach 190035 
index 764f7fb..9c38a7c 100644
Petr Lautrbach 190035 
--- a/regress/unittests/sshkey/test_file.c
Petr Lautrbach 190035 
+++ b/regress/unittests/sshkey/test_file.c
Petr Lautrbach 190035 
@@ -1,4 +1,4 @@
Petr Lautrbach 190035 
-/* 	$OpenBSD: test_file.c,v 1.1 2014/06/24 01:14:18 djm Exp $ */
Petr Lautrbach 190035 
+/* 	$OpenBSD: test_file.c,v 1.2 2014/12/22 02:15:52 djm Exp $ */
Petr Lautrbach 190035 
 /*
Petr Lautrbach 190035 
  * Regress test for sshkey.h key management API
Petr Lautrbach 190035 
  *
Petr Lautrbach 190035 
@@ -33,6 +33,7 @@
Petr Lautrbach 190035 
 #include "authfile.h"
Petr Lautrbach 190035 
 #include "sshkey.h"
Petr Lautrbach 190035 
 #include "sshbuf.h"
Petr Lautrbach 190035 
+#include "digest.h"
Petr Lautrbach 190035
Petr Lautrbach 190035 
 #include "common.h"
Petr Lautrbach 190035
Petr Lautrbach 190035 
@@ -81,7 +82,7 @@ sshkey_file_tests(void)
Petr Lautrbach 190035
Petr Lautrbach 190035 
 	TEST_START("RSA1 key hex fingerprint");
Petr Lautrbach 190035 
 	buf = load_text_file("rsa1_1.fp");
Petr Lautrbach 190035 
-	cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
+	cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
 	ASSERT_PTR_NE(cp, NULL);
Petr Lautrbach 190035 
 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
Petr Lautrbach 190035 
 	sshbuf_free(buf);
Petr Lautrbach 190035 
@@ -90,7 +91,7 @@ sshkey_file_tests(void)
Petr Lautrbach 190035
Petr Lautrbach 190035 
 	TEST_START("RSA1 key bubblebabble fingerprint");
Petr Lautrbach 190035 
 	buf = load_text_file("rsa1_1.fp.bb");
Petr Lautrbach 190035 
-	cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
Petr Lautrbach 190035 
+	cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
Petr Lautrbach 190035 
 	ASSERT_PTR_NE(cp, NULL);
Petr Lautrbach 190035 
 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
Petr Lautrbach 190035 
 	sshbuf_free(buf);
Petr Lautrbach 190035 
@@ -164,7 +165,7 @@ sshkey_file_tests(void)
Petr Lautrbach 190035
Petr Lautrbach 190035 
 	TEST_START("RSA key hex fingerprint");
Petr Lautrbach 190035 
 	buf = load_text_file("rsa_1.fp");
Petr Lautrbach 190035 
-	cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
+	cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
 	ASSERT_PTR_NE(cp, NULL);
Petr Lautrbach 190035 
 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
Petr Lautrbach 190035 
 	sshbuf_free(buf);
Petr Lautrbach 190035 
@@ -173,7 +174,7 @@ sshkey_file_tests(void)
Petr Lautrbach 190035
Petr Lautrbach 190035 
 	TEST_START("RSA cert hex fingerprint");
Petr Lautrbach 190035 
 	buf = load_text_file("rsa_1-cert.fp");
Petr Lautrbach 190035 
-	cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
+	cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
 	ASSERT_PTR_NE(cp, NULL);
Petr Lautrbach 190035 
 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
Petr Lautrbach 190035 
 	sshbuf_free(buf);
Petr Lautrbach 190035 
@@ -183,7 +184,7 @@ sshkey_file_tests(void)
Petr Lautrbach 190035
Petr Lautrbach 190035 
 	TEST_START("RSA key bubblebabble fingerprint");
Petr Lautrbach 190035 
 	buf = load_text_file("rsa_1.fp.bb");
Petr Lautrbach 190035 
-	cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
Petr Lautrbach 190035 
+	cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
Petr Lautrbach 190035 
 	ASSERT_PTR_NE(cp, NULL);
Petr Lautrbach 190035 
 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
Petr Lautrbach 190035 
 	sshbuf_free(buf);
Petr Lautrbach 190035 
@@ -257,7 +258,7 @@ sshkey_file_tests(void)
Petr Lautrbach 190035
Petr Lautrbach 190035 
 	TEST_START("DSA key hex fingerprint");
Petr Lautrbach 190035 
 	buf = load_text_file("dsa_1.fp");
Petr Lautrbach 190035 
-	cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
+	cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
 	ASSERT_PTR_NE(cp, NULL);
Petr Lautrbach 190035 
 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
Petr Lautrbach 190035 
 	sshbuf_free(buf);
Petr Lautrbach 190035 
@@ -266,7 +267,7 @@ sshkey_file_tests(void)
Petr Lautrbach 190035
Petr Lautrbach 190035 
 	TEST_START("DSA cert hex fingerprint");
Petr Lautrbach 190035 
 	buf = load_text_file("dsa_1-cert.fp");
Petr Lautrbach 190035 
-	cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
+	cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
 	ASSERT_PTR_NE(cp, NULL);
Petr Lautrbach 190035 
 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
Petr Lautrbach 190035 
 	sshbuf_free(buf);
Petr Lautrbach 190035 
@@ -276,7 +277,7 @@ sshkey_file_tests(void)
Petr Lautrbach 190035
Petr Lautrbach 190035 
 	TEST_START("DSA key bubblebabble fingerprint");
Petr Lautrbach 190035 
 	buf = load_text_file("dsa_1.fp.bb");
Petr Lautrbach 190035 
-	cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
Petr Lautrbach 190035 
+	cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
Petr Lautrbach 190035 
 	ASSERT_PTR_NE(cp, NULL);
Petr Lautrbach 190035 
 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
Petr Lautrbach 190035 
 	sshbuf_free(buf);
Petr Lautrbach 190035 
@@ -357,7 +358,7 @@ sshkey_file_tests(void)
Petr Lautrbach 190035
Petr Lautrbach 190035 
 	TEST_START("ECDSA key hex fingerprint");
Petr Lautrbach 190035 
 	buf = load_text_file("ecdsa_1.fp");
Petr Lautrbach 190035 
-	cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
+	cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
 	ASSERT_PTR_NE(cp, NULL);
Petr Lautrbach 190035 
 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
Petr Lautrbach 190035 
 	sshbuf_free(buf);
Petr Lautrbach 190035 
@@ -366,7 +367,7 @@ sshkey_file_tests(void)
Petr Lautrbach 190035
Petr Lautrbach 190035 
 	TEST_START("ECDSA cert hex fingerprint");
Petr Lautrbach 190035 
 	buf = load_text_file("ecdsa_1-cert.fp");
Petr Lautrbach 190035 
-	cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
+	cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
 	ASSERT_PTR_NE(cp, NULL);
Petr Lautrbach 190035 
 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
Petr Lautrbach 190035 
 	sshbuf_free(buf);
Petr Lautrbach 190035 
@@ -376,7 +377,7 @@ sshkey_file_tests(void)
Petr Lautrbach 190035
Petr Lautrbach 190035 
 	TEST_START("ECDSA key bubblebabble fingerprint");
Petr Lautrbach 190035 
 	buf = load_text_file("ecdsa_1.fp.bb");
Petr Lautrbach 190035 
-	cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
Petr Lautrbach 190035 
+	cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
Petr Lautrbach 190035 
 	ASSERT_PTR_NE(cp, NULL);
Petr Lautrbach 190035 
 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
Petr Lautrbach 190035 
 	sshbuf_free(buf);
Petr Lautrbach 190035 
@@ -424,7 +425,7 @@ sshkey_file_tests(void)
Petr Lautrbach 190035
Petr Lautrbach 190035 
 	TEST_START("Ed25519 key hex fingerprint");
Petr Lautrbach 190035 
 	buf = load_text_file("ed25519_1.fp");
Petr Lautrbach 190035 
-	cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
+	cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
 	ASSERT_PTR_NE(cp, NULL);
Petr Lautrbach 190035 
 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
Petr Lautrbach 190035 
 	sshbuf_free(buf);
Petr Lautrbach 190035 
@@ -433,7 +434,7 @@ sshkey_file_tests(void)
Petr Lautrbach 190035
Petr Lautrbach 190035 
 	TEST_START("Ed25519 cert hex fingerprint");
Petr Lautrbach 190035 
 	buf = load_text_file("ed25519_1-cert.fp");
Petr Lautrbach 190035 
-	cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
+	cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
 	ASSERT_PTR_NE(cp, NULL);
Petr Lautrbach 190035 
 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
Petr Lautrbach 190035 
 	sshbuf_free(buf);
Petr Lautrbach 190035 
@@ -443,7 +444,7 @@ sshkey_file_tests(void)
Petr Lautrbach 190035
Petr Lautrbach 190035 
 	TEST_START("Ed25519 key bubblebabble fingerprint");
Petr Lautrbach 190035 
 	buf = load_text_file("ed25519_1.fp.bb");
Petr Lautrbach 190035 
-	cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
Petr Lautrbach 190035 
+	cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
Petr Lautrbach 190035 
 	ASSERT_PTR_NE(cp, NULL);
Petr Lautrbach 190035 
 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
Petr Lautrbach 190035 
 	sshbuf_free(buf);
Petr Lautrbach 190035 
diff --git a/regress/unittests/sshkey/testdata/dsa_1-cert.fp b/regress/unittests/sshkey/testdata/dsa_1-cert.fp
Petr Lautrbach 190035 
index 56ee1f8..b26145b 100644
Petr Lautrbach 190035 
--- a/regress/unittests/sshkey/testdata/dsa_1-cert.fp
Petr Lautrbach 190035 
+++ b/regress/unittests/sshkey/testdata/dsa_1-cert.fp
Petr Lautrbach 190035 
@@ -1 +1 @@
Petr Lautrbach 190035 
-5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74
Petr Lautrbach 190035 
+MD5:5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74
Petr Lautrbach 190035 
diff --git a/regress/unittests/sshkey/testdata/dsa_1.fp b/regress/unittests/sshkey/testdata/dsa_1.fp
Petr Lautrbach 190035 
index 56ee1f8..b26145b 100644
Petr Lautrbach 190035 
--- a/regress/unittests/sshkey/testdata/dsa_1.fp
Petr Lautrbach 190035 
+++ b/regress/unittests/sshkey/testdata/dsa_1.fp
Petr Lautrbach 190035 
@@ -1 +1 @@
Petr Lautrbach 190035 
-5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74
Petr Lautrbach 190035 
+MD5:5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74
Petr Lautrbach 190035 
diff --git a/regress/unittests/sshkey/testdata/dsa_2.fp b/regress/unittests/sshkey/testdata/dsa_2.fp
Petr Lautrbach 190035 
index ba9de82..8226574 100644
Petr Lautrbach 190035 
--- a/regress/unittests/sshkey/testdata/dsa_2.fp
Petr Lautrbach 190035 
+++ b/regress/unittests/sshkey/testdata/dsa_2.fp
Petr Lautrbach 190035 
@@ -1 +1 @@
Petr Lautrbach 190035 
-72:5f:50:6b:e5:64:c5:62:21:92:3f:8b:10:9b:9f:1a
Petr Lautrbach 190035 
+MD5:72:5f:50:6b:e5:64:c5:62:21:92:3f:8b:10:9b:9f:1a
Petr Lautrbach 190035 
diff --git a/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp b/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp
Petr Lautrbach 190035 
index a56dbc8..c3d747a 100644
Petr Lautrbach 190035 
--- a/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp
Petr Lautrbach 190035 
+++ b/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp
Petr Lautrbach 190035 
@@ -1 +1 @@
Petr Lautrbach 190035 
-f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44
Petr Lautrbach 190035 
+MD5:f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44
Petr Lautrbach 190035 
diff --git a/regress/unittests/sshkey/testdata/ecdsa_1.fp b/regress/unittests/sshkey/testdata/ecdsa_1.fp
Petr Lautrbach 190035 
index a56dbc8..c3d747a 100644
Petr Lautrbach 190035 
--- a/regress/unittests/sshkey/testdata/ecdsa_1.fp
Petr Lautrbach 190035 
+++ b/regress/unittests/sshkey/testdata/ecdsa_1.fp
Petr Lautrbach 190035 
@@ -1 +1 @@
Petr Lautrbach 190035 
-f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44
Petr Lautrbach 190035 
+MD5:f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44
Petr Lautrbach 190035 
diff --git a/regress/unittests/sshkey/testdata/ecdsa_2.fp b/regress/unittests/sshkey/testdata/ecdsa_2.fp
Petr Lautrbach 190035 
index eb4bbdf..fe7526b 100644
Petr Lautrbach 190035 
--- a/regress/unittests/sshkey/testdata/ecdsa_2.fp
Petr Lautrbach 190035 
+++ b/regress/unittests/sshkey/testdata/ecdsa_2.fp
Petr Lautrbach 190035 
@@ -1 +1 @@
Petr Lautrbach 190035 
-51:bd:ff:2b:6d:26:9b:90:f9:e1:4a:ca:a0:29:8e:70
Petr Lautrbach 190035 
+MD5:51:bd:ff:2b:6d:26:9b:90:f9:e1:4a:ca:a0:29:8e:70
Petr Lautrbach 190035 
diff --git a/regress/unittests/sshkey/testdata/ed25519_1-cert.fp b/regress/unittests/sshkey/testdata/ed25519_1-cert.fp
Petr Lautrbach 190035 
index e6d23d0..fbde87a 100644
Petr Lautrbach 190035 
--- a/regress/unittests/sshkey/testdata/ed25519_1-cert.fp
Petr Lautrbach 190035 
+++ b/regress/unittests/sshkey/testdata/ed25519_1-cert.fp
Petr Lautrbach 190035 
@@ -1 +1 @@
Petr Lautrbach 190035 
-19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f
Petr Lautrbach 190035 
+MD5:19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f
Petr Lautrbach 190035 
diff --git a/regress/unittests/sshkey/testdata/ed25519_1.fp b/regress/unittests/sshkey/testdata/ed25519_1.fp
Petr Lautrbach 190035 
index e6d23d0..fbde87a 100644
Petr Lautrbach 190035 
--- a/regress/unittests/sshkey/testdata/ed25519_1.fp
Petr Lautrbach 190035 
+++ b/regress/unittests/sshkey/testdata/ed25519_1.fp
Petr Lautrbach 190035 
@@ -1 +1 @@
Petr Lautrbach 190035 
-19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f
Petr Lautrbach 190035 
+MD5:19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f
Petr Lautrbach 190035 
diff --git a/regress/unittests/sshkey/testdata/ed25519_2.fp b/regress/unittests/sshkey/testdata/ed25519_2.fp
Petr Lautrbach 190035 
index 02c684f..ec1cdbb 100644
Petr Lautrbach 190035 
--- a/regress/unittests/sshkey/testdata/ed25519_2.fp
Petr Lautrbach 190035 
+++ b/regress/unittests/sshkey/testdata/ed25519_2.fp
Petr Lautrbach 190035 
@@ -1 +1 @@
Petr Lautrbach 190035 
-5c:c9:ae:a3:0c:aa:28:29:b8:fc:7c:64:ba:6e:e9:c9
Petr Lautrbach 190035 
+MD5:5c:c9:ae:a3:0c:aa:28:29:b8:fc:7c:64:ba:6e:e9:c9
Petr Lautrbach 190035 
diff --git a/regress/unittests/sshkey/testdata/rsa1_1.fp b/regress/unittests/sshkey/testdata/rsa1_1.fp
Petr Lautrbach 190035 
index 782ece0..2e1068c 100644
Petr Lautrbach 190035 
--- a/regress/unittests/sshkey/testdata/rsa1_1.fp
Petr Lautrbach 190035 
+++ b/regress/unittests/sshkey/testdata/rsa1_1.fp
Petr Lautrbach 190035 
@@ -1 +1 @@
Petr Lautrbach 190035 
-a8:82:9b:98:c5:e6:19:d6:83:39:9f:4d:3a:8f:7c:80
Petr Lautrbach 190035 
+MD5:a8:82:9b:98:c5:e6:19:d6:83:39:9f:4d:3a:8f:7c:80
Petr Lautrbach 190035 
diff --git a/regress/unittests/sshkey/testdata/rsa1_2.fp b/regress/unittests/sshkey/testdata/rsa1_2.fp
Petr Lautrbach 190035 
index c332537..cd00393 100644
Petr Lautrbach 190035 
--- a/regress/unittests/sshkey/testdata/rsa1_2.fp
Petr Lautrbach 190035 
+++ b/regress/unittests/sshkey/testdata/rsa1_2.fp
Petr Lautrbach 190035 
@@ -1 +1 @@
Petr Lautrbach 190035 
-c0:83:1c:97:5f:32:77:7e:e4:e3:e9:29:b9:eb:76:9c
Petr Lautrbach 190035 
+MD5:c0:83:1c:97:5f:32:77:7e:e4:e3:e9:29:b9:eb:76:9c
Petr Lautrbach 190035 
diff --git a/regress/unittests/sshkey/testdata/rsa_1-cert.fp b/regress/unittests/sshkey/testdata/rsa_1-cert.fp
Petr Lautrbach 190035 
index bf9c2e3..1cf780d 100644
Petr Lautrbach 190035 
--- a/regress/unittests/sshkey/testdata/rsa_1-cert.fp
Petr Lautrbach 190035 
+++ b/regress/unittests/sshkey/testdata/rsa_1-cert.fp
Petr Lautrbach 190035 
@@ -1 +1 @@
Petr Lautrbach 190035 
-be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b
Petr Lautrbach 190035 
+MD5:be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b
Petr Lautrbach 190035 
diff --git a/regress/unittests/sshkey/testdata/rsa_1.fp b/regress/unittests/sshkey/testdata/rsa_1.fp
Petr Lautrbach 190035 
index bf9c2e3..1cf780d 100644
Petr Lautrbach 190035 
--- a/regress/unittests/sshkey/testdata/rsa_1.fp
Petr Lautrbach 190035 
+++ b/regress/unittests/sshkey/testdata/rsa_1.fp
Petr Lautrbach 190035 
@@ -1 +1 @@
Petr Lautrbach 190035 
-be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b
Petr Lautrbach 190035 
+MD5:be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b
Petr Lautrbach 190035 
diff --git a/regress/unittests/sshkey/testdata/rsa_2.fp b/regress/unittests/sshkey/testdata/rsa_2.fp
Petr Lautrbach 190035 
index 53939f4..8d43676 100644
Petr Lautrbach 190035 
--- a/regress/unittests/sshkey/testdata/rsa_2.fp
Petr Lautrbach 190035 
+++ b/regress/unittests/sshkey/testdata/rsa_2.fp
Petr Lautrbach 190035 
@@ -1 +1 @@
Petr Lautrbach 190035 
-fb:8f:7b:26:3d:42:40:ef:ed:f1:ed:ee:66:9e:ba:b0
Petr Lautrbach 190035 
+MD5:fb:8f:7b:26:3d:42:40:ef:ed:f1:ed:ee:66:9e:ba:b0
Petr Lautrbach 190035 
diff --git a/servconf.c b/servconf.c
Petr Lautrbach 190035 
index b7f3294..e3ebaac 100644
Petr Lautrbach 190035 
--- a/servconf.c
Petr Lautrbach 190035 
+++ b/servconf.c
Petr Lautrbach b457c9 
@@ -54,6 +54,7 @@
Petr Lautrbach b457c9 
 #include "packet.h"
Petr Lautrbach b457c9 
 #include "hostfile.h"
Petr Lautrbach b457c9 
 #include "auth.h"
Petr Lautrbach b457c9 
+#include "digest.h"
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 static void add_listen_addr(ServerOptions *, char *, int);
Petr Lautrbach b457c9 
 static void add_one_listen_addr(ServerOptions *, char *, int);
Petr Lautrbach 190035 
@@ -157,6 +158,7 @@ initialize_server_options(ServerOptions *options)
Petr Lautrbach b457c9 
 	options->ip_qos_interactive = -1;
Petr Lautrbach b457c9 
 	options->ip_qos_bulk = -1;
Petr Lautrbach b457c9 
 	options->version_addendum = NULL;
Petr Lautrbach b457c9 
+	options->fingerprint_hash = -1;
Petr Lautrbach b457c9 
 }
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 void
Petr Lautrbach 190035 
@@ -312,6 +314,8 @@ fill_default_server_options(ServerOptions *options)
Petr Lautrbach b457c9 
 		options->fwd_opts.streamlocal_bind_mask = 0177;
Petr Lautrbach b457c9 
 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
Petr Lautrbach b457c9 
 		options->fwd_opts.streamlocal_bind_unlink = 0;
Petr Lautrbach b457c9 
+	if (options->fingerprint_hash == -1)
Petr Lautrbach b457c9 
+		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
Petr Lautrbach b457c9 
 	/* Turn privilege separation on by default */
Petr Lautrbach b457c9 
 	if (use_privsep == -1)
Petr Lautrbach b457c9 
 		use_privsep = PRIVSEP_NOSANDBOX;
Petr Lautrbach b457c9 
@@ -361,7 +365,7 @@ typedef enum {
Petr Lautrbach b457c9 
 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
Petr Lautrbach b457c9 
 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
Petr Lautrbach b457c9 
 	sStreamLocalBindMask, sStreamLocalBindUnlink,
Petr Lautrbach b457c9 
-	sAllowStreamLocalForwarding,
Petr Lautrbach b457c9 
+	sAllowStreamLocalForwarding, sFingerprintHash,
Petr Lautrbach b457c9 
 	sDeprecated, sUnsupported
Petr Lautrbach b457c9 
 } ServerOpCodes;
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
@@ -492,6 +496,7 @@ static struct {
Petr Lautrbach b457c9 
 	{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
Petr Lautrbach b457c9 
 	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
Petr Lautrbach b457c9 
 	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
Petr Lautrbach b457c9 
+	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
Petr Lautrbach b457c9 
 	{ NULL, sBadOption, 0 }
Petr Lautrbach b457c9 
 };
Petr Lautrbach b457c9
Petr Lautrbach 190035 
@@ -1663,6 +1668,18 @@ process_server_config_line(ServerOptions *options, char *line,
Petr Lautrbach b457c9 
 		intptr = &options->fwd_opts.streamlocal_bind_unlink;
Petr Lautrbach b457c9 
 		goto parse_flag;
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
+	case sFingerprintHash:
Petr Lautrbach b457c9 
+		arg = strdelim(&cp;;
Petr Lautrbach b457c9 
+		if (!arg || *arg == '\0')
Petr Lautrbach b457c9 
+			fatal("%.200s line %d: Missing argument.",
Petr Lautrbach b457c9 
+			    filename, linenum);
Petr Lautrbach b457c9 
+		if ((value = ssh_digest_alg_by_name(arg)) == -1)
Petr Lautrbach b457c9 
+			fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
Petr Lautrbach b457c9 
+			    filename, linenum, arg);
Petr Lautrbach b457c9 
+		if (*activep)
Petr Lautrbach b457c9 
+			options->fingerprint_hash = value;
Petr Lautrbach b457c9 
+		break;
Petr Lautrbach b457c9 
+
Petr Lautrbach b457c9 
 	case sDeprecated:
Petr Lautrbach b457c9 
 		logit("%s line %d: Deprecated option %s",
Petr Lautrbach b457c9 
 		    filename, linenum, arg);
Petr Lautrbach b457c9 
@@ -1905,6 +1922,8 @@ fmt_intarg(ServerOpCodes code, int val)
Petr Lautrbach b457c9 
 		return fmt_multistate_int(val, multistate_tcpfwd);
Petr Lautrbach b457c9 
 	case sAllowStreamLocalForwarding:
Petr Lautrbach b457c9 
 		return fmt_multistate_int(val, multistate_tcpfwd);
Petr Lautrbach b457c9 
+	case sFingerprintHash:
Petr Lautrbach b457c9 
+		return ssh_digest_alg_name(val);
Petr Lautrbach b457c9 
 	case sProtocol:
Petr Lautrbach b457c9 
 		switch (val) {
Petr Lautrbach b457c9 
 		case SSH_PROTO_1:
Petr Lautrbach b457c9 
@@ -2066,6 +2085,7 @@ dump_config(ServerOptions *o)
Petr Lautrbach b457c9 
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
Petr Lautrbach b457c9 
 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
Petr Lautrbach b457c9 
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
Petr Lautrbach b457c9 
+	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 	/* string arguments */
Petr Lautrbach b457c9 
 	dump_cfg_string(sPidFile, o->pid_file);
Petr Lautrbach 190035 
diff --git a/servconf.h b/servconf.h
Petr Lautrbach 190035 
index 766db3a..49b228b 100644
Petr Lautrbach 190035 
--- a/servconf.h
Petr Lautrbach 190035 
+++ b/servconf.h
Petr Lautrbach b457c9 
@@ -1,4 +1,4 @@
Petr Lautrbach b457c9 
-/* $OpenBSD: servconf.h,v 1.114 2014/07/15 15:54:14 millert Exp $ */
Petr Lautrbach b457c9 
+/* $OpenBSD: servconf.h,v 1.115 2014/12/21 22:27:56 djm Exp $ */
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 /*
Petr Lautrbach b457c9 
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
Petr Lautrbach b457c9 
@@ -185,6 +185,8 @@ typedef struct {
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 	u_int	num_auth_methods;
Petr Lautrbach b457c9 
 	char   *auth_methods[MAX_AUTH_METHODS];
Petr Lautrbach b457c9 
+
Petr Lautrbach b457c9 
+	int	fingerprint_hash;
Petr Lautrbach b457c9 
 }       ServerOptions;
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 /* Information about the incoming connection as used by Match */
Petr Lautrbach 190035 
diff --git a/ssh-add.1 b/ssh-add.1
Petr Lautrbach 190035 
index 4812448..04d1840 100644
Petr Lautrbach 190035 
--- a/ssh-add.1
Petr Lautrbach 190035 
+++ b/ssh-add.1
Petr Lautrbach b457c9 
@@ -44,6 +44,7 @@
Petr Lautrbach b457c9 
 .Sh SYNOPSIS
Petr Lautrbach b457c9 
 .Nm ssh-add
Petr Lautrbach b457c9 
 .Op Fl cDdkLlXx
Petr Lautrbach b457c9 
+.Op Fl E Ar fingerprint_hash
Petr Lautrbach b457c9 
 .Op Fl t Ar life
Petr Lautrbach b457c9 
 .Op Ar
Petr Lautrbach b457c9 
 .Nm ssh-add
Petr Lautrbach 190035 
@@ -108,6 +109,14 @@ If no public key is found at a given path,
Petr Lautrbach b457c9 
 will append
Petr Lautrbach b457c9 
 .Pa .pub
Petr Lautrbach b457c9 
 and retry.
Petr Lautrbach b457c9 
+.It Fl E Ar fingerprint_hash
Petr Lautrbach b457c9 
+Specifies the hash algorithm used when displaying key fingerprints.
Petr Lautrbach b457c9 
+Valid options are:
Petr Lautrbach b457c9 
+.Dq md5
Petr Lautrbach b457c9 
+and
Petr Lautrbach b457c9 
+.Dq sha256 .
Petr Lautrbach b457c9 
+The default is
Petr Lautrbach b457c9 
+.Dq sha256 .
Petr Lautrbach b457c9 
 .It Fl e Ar pkcs11
Petr Lautrbach b457c9 
 Remove keys provided by the PKCS#11 shared library
Petr Lautrbach b457c9 
 .Ar pkcs11 .
Petr Lautrbach 190035 
diff --git a/ssh-add.c b/ssh-add.c
Petr Lautrbach 190035 
index 78a3359..5d6a5f4 100644
Petr Lautrbach 190035 
--- a/ssh-add.c
Petr Lautrbach 190035 
+++ b/ssh-add.c
Petr Lautrbach b457c9 
@@ -63,6 +63,7 @@
Petr Lautrbach b457c9 
 #include "pathnames.h"
Petr Lautrbach b457c9 
 #include "misc.h"
Petr Lautrbach b457c9 
 #include "ssherr.h"
Petr Lautrbach b457c9 
+#include "digest.h"
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 /* argv0 */
Petr Lautrbach b457c9 
 extern char *__progname;
Petr Lautrbach b457c9 
@@ -79,6 +80,8 @@ static char *default_files[] = {
Petr Lautrbach b457c9 
 	NULL
Petr Lautrbach b457c9 
 };
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
+static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
Petr Lautrbach b457c9 
+
Petr Lautrbach b457c9 
 /* Default lifetime (0 == forever) */
Petr Lautrbach b457c9 
 static int lifetime = 0;
Petr Lautrbach b457c9
Petr Lautrbach 190035 
@@ -340,8 +343,8 @@ list_identities(AuthenticationConnection *ac, int do_fp)
Petr Lautrbach b457c9 
 		    key = ssh_get_next_identity(ac, &comment, version)) {
Petr Lautrbach b457c9 
 			had_identities = 1;
Petr Lautrbach b457c9 
 			if (do_fp) {
Petr Lautrbach b457c9 
-				fp = key_fingerprint(key, SSH_FP_MD5,
Petr Lautrbach b457c9 
-				    SSH_FP_HEX);
Petr Lautrbach b457c9 
+				fp = key_fingerprint(key, fingerprint_hash,
Petr Lautrbach b457c9 
+				    SSH_FP_DEFAULT);
Petr Lautrbach b457c9 
 				printf("%d %s %s (%s)\n",
Petr Lautrbach b457c9 
 				    key_size(key), fp, comment, key_type(key));
Petr Lautrbach b457c9 
 				free(fp);
Petr Lautrbach b457c9 
@@ -408,6 +411,7 @@ usage(void)
Petr Lautrbach b457c9 
 	fprintf(stderr, "usage: %s [options] [file ...]\n", __progname);
Petr Lautrbach b457c9 
 	fprintf(stderr, "Options:\n");
Petr Lautrbach b457c9 
 	fprintf(stderr, "  -l          List fingerprints of all identities.\n");
Petr Lautrbach b457c9 
+	fprintf(stderr, "  -E hash     Specify hash algorithm used for fingerprints.\n");
Petr Lautrbach b457c9 
 	fprintf(stderr, "  -L          List public key parameters of all identities.\n");
Petr Lautrbach b457c9 
 	fprintf(stderr, "  -k          Load only keys and not certificates.\n");
Petr Lautrbach b457c9 
 	fprintf(stderr, "  -c          Require confirmation to sign using identities\n");
Petr Lautrbach b457c9 
@@ -428,6 +432,7 @@ main(int argc, char **argv)
Petr Lautrbach b457c9 
 	AuthenticationConnection *ac = NULL;
Petr Lautrbach b457c9 
 	char *pkcs11provider = NULL;
Petr Lautrbach b457c9 
 	int i, ch, deleting = 0, ret = 0, key_only = 0;
Petr Lautrbach b457c9 
+	int xflag = 0, lflag = 0, Dflag = 0;
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
Petr Lautrbach b457c9 
 	sanitise_stdfd();
Petr Lautrbach b457c9 
@@ -446,21 +451,28 @@ main(int argc, char **argv)
Petr Lautrbach b457c9 
 		    "Could not open a connection to your authentication agent.\n");
Petr Lautrbach b457c9 
 		exit(2);
Petr Lautrbach b457c9 
 	}
Petr Lautrbach b457c9 
-	while ((ch = getopt(argc, argv, "klLcdDxXe:s:t:")) != -1) {
Petr Lautrbach b457c9 
+	while ((ch = getopt(argc, argv, "klLcdDxXE:e:s:t:")) != -1) {
Petr Lautrbach b457c9 
 		switch (ch) {
Petr Lautrbach b457c9 
+		case 'E':
Petr Lautrbach b457c9 
+			fingerprint_hash = ssh_digest_alg_by_name(optarg);
Petr Lautrbach b457c9 
+			if (fingerprint_hash == -1)
Petr Lautrbach b457c9 
+				fatal("Invalid hash algorithm \"%s\"", optarg);
Petr Lautrbach b457c9 
+			break;
Petr Lautrbach b457c9 
 		case 'k':
Petr Lautrbach b457c9 
 			key_only = 1;
Petr Lautrbach b457c9 
 			break;
Petr Lautrbach b457c9 
 		case 'l':
Petr Lautrbach b457c9 
 		case 'L':
Petr Lautrbach b457c9 
-			if (list_identities(ac, ch == 'l' ? 1 : 0) == -1)
Petr Lautrbach b457c9 
-				ret = 1;
Petr Lautrbach b457c9 
-			goto done;
Petr Lautrbach b457c9 
+			if (lflag != 0)
Petr Lautrbach b457c9 
+				fatal("-%c flag already specified", lflag);
Petr Lautrbach b457c9 
+			lflag = ch;
Petr Lautrbach b457c9 
+			break;
Petr Lautrbach b457c9 
 		case 'x':
Petr Lautrbach b457c9 
 		case 'X':
Petr Lautrbach b457c9 
-			if (lock_agent(ac, ch == 'x' ? 1 : 0) == -1)
Petr Lautrbach b457c9 
-				ret = 1;
Petr Lautrbach b457c9 
-			goto done;
Petr Lautrbach b457c9 
+			if (xflag != 0)
Petr Lautrbach b457c9 
+				fatal("-%c flag already specified", xflag);
Petr Lautrbach b457c9 
+			xflag = ch;
Petr Lautrbach b457c9 
+			break;
Petr Lautrbach b457c9 
 		case 'c':
Petr Lautrbach b457c9 
 			confirm = 1;
Petr Lautrbach b457c9 
 			break;
Petr Lautrbach b457c9 
@@ -468,9 +480,8 @@ main(int argc, char **argv)
Petr Lautrbach b457c9 
 			deleting = 1;
Petr Lautrbach b457c9 
 			break;
Petr Lautrbach b457c9 
 		case 'D':
Petr Lautrbach b457c9 
-			if (delete_all(ac) == -1)
Petr Lautrbach b457c9 
-				ret = 1;
Petr Lautrbach b457c9 
-			goto done;
Petr Lautrbach b457c9 
+			Dflag = 1;
Petr Lautrbach b457c9 
+			break;
Petr Lautrbach b457c9 
 		case 's':
Petr Lautrbach b457c9 
 			pkcs11provider = optarg;
Petr Lautrbach b457c9 
 			break;
Petr Lautrbach b457c9 
@@ -491,6 +502,23 @@ main(int argc, char **argv)
Petr Lautrbach b457c9 
 			goto done;
Petr Lautrbach b457c9 
 		}
Petr Lautrbach b457c9 
 	}
Petr Lautrbach b457c9 
+
Petr Lautrbach b457c9 
+	if ((xflag != 0) + (lflag != 0) + (Dflag != 0) > 1)
Petr Lautrbach b457c9 
+		fatal("Invalid combination of actions");
Petr Lautrbach b457c9 
+	else if (xflag) {
Petr Lautrbach b457c9 
+		if (lock_agent(ac, xflag == 'x' ? 1 : 0) == -1)
Petr Lautrbach b457c9 
+			ret = 1;
Petr Lautrbach b457c9 
+		goto done;
Petr Lautrbach b457c9 
+	} else if (lflag) {
Petr Lautrbach b457c9 
+		if (list_identities(ac, lflag == 'l' ? 1 : 0) == -1)
Petr Lautrbach b457c9 
+			ret = 1;
Petr Lautrbach b457c9 
+		goto done;
Petr Lautrbach b457c9 
+	} else if (Dflag) {
Petr Lautrbach b457c9 
+		if (delete_all(ac) == -1)
Petr Lautrbach b457c9 
+			ret = 1;
Petr Lautrbach b457c9 
+		goto done;
Petr Lautrbach b457c9 
+	}
Petr Lautrbach b457c9 
+
Petr Lautrbach b457c9 
 	argc -= optind;
Petr Lautrbach b457c9 
 	argv += optind;
Petr Lautrbach b457c9 
 	if (pkcs11provider != NULL) {
Petr Lautrbach 190035 
diff --git a/ssh-agent.1 b/ssh-agent.1
Petr Lautrbach 190035 
index a1e634f..d7e791b 100644
Petr Lautrbach 190035 
--- a/ssh-agent.1
Petr Lautrbach 190035 
+++ b/ssh-agent.1
Petr Lautrbach b457c9 
@@ -45,6 +45,7 @@
Petr Lautrbach b457c9 
 .Op Fl c | s
Petr Lautrbach b457c9 
 .Op Fl d
Petr Lautrbach b457c9 
 .Op Fl a Ar bind_address
Petr Lautrbach b457c9 
+.Op Fl E Ar fingerprint_hash
Petr Lautrbach b457c9 
 .Op Fl t Ar life
Petr Lautrbach b457c9 
 .Op Ar command Op Ar arg ...
Petr Lautrbach b457c9 
 .Nm ssh-agent
Petr Lautrbach b457c9 
@@ -96,6 +97,14 @@ Debug mode.
Petr Lautrbach b457c9 
 When this option is specified
Petr Lautrbach b457c9 
 .Nm
Petr Lautrbach b457c9 
 will not fork.
Petr Lautrbach b457c9 
+.It Fl E Ar fingerprint_hash
Petr Lautrbach b457c9 
+Specifies the hash algorithm used when displaying key fingerprints.
Petr Lautrbach b457c9 
+Valid options are:
Petr Lautrbach b457c9 
+.Dq md5
Petr Lautrbach b457c9 
+and
Petr Lautrbach b457c9 
+.Dq sha256 .
Petr Lautrbach b457c9 
+The default is
Petr Lautrbach b457c9 
+.Dq sha256 .
Petr Lautrbach b457c9 
 .It Fl k
Petr Lautrbach b457c9 
 Kill the current agent (given by the
Petr Lautrbach b457c9 
 .Ev SSH_AGENT_PID
Petr Lautrbach 190035 
diff --git a/ssh-agent.c b/ssh-agent.c
Petr Lautrbach 190035 
index 25f10c5..c8036c8 100644
Petr Lautrbach 190035 
--- a/ssh-agent.c
Petr Lautrbach 190035 
+++ b/ssh-agent.c
Petr Lautrbach b457c9 
@@ -142,6 +142,8 @@ extern char *__progname;
Petr Lautrbach b457c9 
 /* Default lifetime in seconds (0 == forever) */
Petr Lautrbach b457c9 
 static long lifetime = 0;
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
+static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
Petr Lautrbach b457c9 
+
Petr Lautrbach b457c9 
 static void
Petr Lautrbach b457c9 
 close_socket(SocketEntry *e)
Petr Lautrbach b457c9 
 {
Petr Lautrbach b457c9 
@@ -203,7 +205,7 @@ confirm_key(Identity *id)
Petr Lautrbach b457c9 
 	char *p;
Petr Lautrbach b457c9 
 	int ret = -1;
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
-	p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach b457c9 
+	p = key_fingerprint(id->key, fingerprint_hash, SSH_FP_DEFAULT);
Petr Lautrbach b457c9 
 	if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
Petr Lautrbach b457c9 
 	    id->comment, p))
Petr Lautrbach b457c9 
 		ret = 0;
Petr Lautrbach b457c9 
@@ -1026,7 +1028,7 @@ usage(void)
Petr Lautrbach b457c9 
 {
Petr Lautrbach b457c9 
 	fprintf(stderr,
Petr Lautrbach b457c9 
 	    "usage: ssh-agent [-c | -s] [-d] [-a bind_address] [-t life]\n"
Petr Lautrbach b457c9 
-	    "                 [command [arg ...]]\n"
Petr Lautrbach b457c9 
+	    "                 [-E fingerprint_hash] [command [arg ...]]\n"
Petr Lautrbach b457c9 
 	    "       ssh-agent [-c | -s] -k\n");
Petr Lautrbach b457c9 
 	exit(1);
Petr Lautrbach b457c9 
 }
Petr Lautrbach b457c9 
@@ -1069,8 +1071,13 @@ main(int ac, char **av)
Petr Lautrbach b457c9 
 	__progname = ssh_get_progname(av[0]);
Petr Lautrbach b457c9 
 	seed_rng();
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
-	while ((ch = getopt(ac, av, "cdksa:t:")) != -1) {
Petr Lautrbach b457c9 
+	while ((ch = getopt(ac, av, "cdksE:a:t:")) != -1) {
Petr Lautrbach b457c9 
 		switch (ch) {
Petr Lautrbach b457c9 
+		case 'E':
Petr Lautrbach b457c9 
+			fingerprint_hash = ssh_digest_alg_by_name(optarg);
Petr Lautrbach b457c9 
+			if (fingerprint_hash == -1)
Petr Lautrbach b457c9 
+				fatal("Invalid hash algorithm \"%s\"", optarg);
Petr Lautrbach b457c9 
+			break;
Petr Lautrbach b457c9 
 		case 'c':
Petr Lautrbach b457c9 
 			if (s_flag)
Petr Lautrbach b457c9 
 				usage();
Petr Lautrbach 190035 
diff --git a/ssh-keygen.1 b/ssh-keygen.1
Petr Lautrbach 190035 
index 723a016..276dacc 100644
Petr Lautrbach 190035 
--- a/ssh-keygen.1
Petr Lautrbach 190035 
+++ b/ssh-keygen.1
Petr Lautrbach 190035 
@@ -73,6 +73,7 @@
Petr Lautrbach 190035 
 .Op Fl f Ar keyfile
Petr Lautrbach 190035 
 .Nm ssh-keygen
Petr Lautrbach 190035 
 .Fl l
Petr Lautrbach 190035 
+.Op Fl E Ar fingerprint_hash
Petr Lautrbach 190035 
 .Op Fl f Ar input_keyfile
Petr Lautrbach 190035 
 .Nm ssh-keygen
Petr Lautrbach 190035 
 .Fl B
Petr Lautrbach 190035 
@@ -269,6 +270,14 @@ When used in combination with
Petr Lautrbach 190035 
 this option indicates that a CA key resides in a PKCS#11 token (see the
Petr Lautrbach 190035 
 .Sx CERTIFICATES
Petr Lautrbach 190035 
 section for details).
Petr Lautrbach 190035 
+.It Fl E Ar fingerprint_hash
Petr Lautrbach 190035 
+Specifies the hash algorithm used when displaying key fingerprints.
Petr Lautrbach b457c9 
+Valid options are:
Petr Lautrbach b457c9 
+.Dq md5
Petr Lautrbach b457c9 
+and
Petr Lautrbach b457c9 
+.Dq sha256 .
Petr Lautrbach b457c9 
+The default is
Petr Lautrbach b457c9 
+.Dq sha256 .
Petr Lautrbach 190035 
 .It Fl e
Petr Lautrbach 190035 
 This option will read a private or public OpenSSH key file and
Petr Lautrbach 190035 
 print to stdout the key in one of the formats specified by the
Petr Lautrbach 190035 
diff --git a/ssh-keygen.c b/ssh-keygen.c
Petr Lautrbach 190035 
index 23058ee..64fa217 100644
Petr Lautrbach 190035 
--- a/ssh-keygen.c
Petr Lautrbach 190035 
+++ b/ssh-keygen.c
Petr Lautrbach 190035 
@@ -53,6 +53,7 @@
Petr Lautrbach 190035 
 #include "ssh-pkcs11.h"
Petr Lautrbach 190035 
 #include "atomicio.h"
Petr Lautrbach 190035 
 #include "krl.h"
Petr Lautrbach 190035 
+#include "digest.h"
Petr Lautrbach b457c9
Petr Lautrbach 190035 
 /* Number of bits in the RSA/DSA key.  This value can be set on the command line. */
Petr Lautrbach 190035 
 #define DEFAULT_BITS		2048
Petr Lautrbach 190035 
@@ -90,6 +91,9 @@ int show_cert = 0;
Petr Lautrbach 190035 
 int print_fingerprint = 0;
Petr Lautrbach 190035 
 int print_bubblebabble = 0;
Petr Lautrbach b457c9
Petr Lautrbach 190035 
+/* Hash algorithm to use for fingerprints. */
Petr Lautrbach 190035 
+int fingerprint_hash = SSH_FP_HASH_DEFAULT;
Petr Lautrbach 190035 
+
Petr Lautrbach 190035 
 /* The identity file name, given on the command line or entered by the user. */
Petr Lautrbach 190035 
 char identity_file[1024];
Petr Lautrbach 190035 
 int have_identity = 0;
Petr Lautrbach 190035 
@@ -749,11 +753,11 @@ do_download(struct passwd *pw)
Petr Lautrbach 190035 
 	Key **keys = NULL;
Petr Lautrbach 190035 
 	int i, nkeys;
Petr Lautrbach 190035 
 	enum fp_rep rep;
Petr Lautrbach 190035 
-	enum fp_type fptype;
Petr Lautrbach 190035 
+	int fptype;
Petr Lautrbach 190035 
 	char *fp, *ra;
Petr Lautrbach b457c9
Petr Lautrbach 190035 
-	fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
Petr Lautrbach 190035 
-	rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
Petr Lautrbach 190035 
+	fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
Petr Lautrbach 190035 
+	rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
Petr Lautrbach b457c9
Petr Lautrbach 190035 
 	pkcs11_init(0);
Petr Lautrbach 190035 
 	nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys);
Petr Lautrbach 190035 
@@ -762,7 +766,7 @@ do_download(struct passwd *pw)
Petr Lautrbach 190035 
 	for (i = 0; i < nkeys; i++) {
Petr Lautrbach 190035 
 		if (print_fingerprint) {
Petr Lautrbach 190035 
 			fp = key_fingerprint(keys[i], fptype, rep);
Petr Lautrbach 190035 
-			ra = key_fingerprint(keys[i], SSH_FP_MD5,
Petr Lautrbach 190035 
+			ra = key_fingerprint(keys[i], fingerprint_hash,
Petr Lautrbach 190035 
 			    SSH_FP_RANDOMART);
Petr Lautrbach 190035 
 			printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]),
Petr Lautrbach 190035 
 			    fp, key_type(keys[i]));
Petr Lautrbach 190035 
@@ -792,12 +796,11 @@ do_fingerprint(struct passwd *pw)
Petr Lautrbach 190035 
 	char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;
Petr Lautrbach 190035 
 	int i, skip = 0, num = 0, invalid = 1;
Petr Lautrbach 190035 
 	enum fp_rep rep;
Petr Lautrbach 190035 
-	enum fp_type fptype;
Petr Lautrbach 190035 
+	int fptype;
Petr Lautrbach 190035 
 	struct stat st;
Petr Lautrbach 190035
Petr Lautrbach 190035 
-	fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
Petr Lautrbach 190035 
-	rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
Petr Lautrbach 190035 
-
Petr Lautrbach 190035 
+	fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
Petr Lautrbach 190035 
+	rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
Petr Lautrbach 190035 
 	if (!have_identity)
Petr Lautrbach 190035 
 		ask_filename(pw, "Enter file in which the key is");
Petr Lautrbach 190035 
 	if (stat(identity_file, &st) < 0) {
Petr Lautrbach 190035 
@@ -807,7 +810,8 @@ do_fingerprint(struct passwd *pw)
Petr Lautrbach 190035 
 	public = key_load_public(identity_file, &comment);
Petr Lautrbach 190035 
 	if (public != NULL) {
Petr Lautrbach 190035 
 		fp = key_fingerprint(public, fptype, rep);
Petr Lautrbach 190035 
-		ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
Petr Lautrbach 190035 
+		ra = key_fingerprint(public, fingerprint_hash,
Petr Lautrbach 190035 
+		    SSH_FP_RANDOMART);
Petr Lautrbach 190035 
 		printf("%u %s %s (%s)\n", key_size(public), fp, comment,
Petr Lautrbach 190035 
 		    key_type(public));
Petr Lautrbach 190035 
 		if (log_level >= SYSLOG_LEVEL_VERBOSE)
Petr Lautrbach 190035 
@@ -873,7 +877,8 @@ do_fingerprint(struct passwd *pw)
Petr Lautrbach 190035 
 		}
Petr Lautrbach 190035 
 		comment = *cp ? cp : comment;
Petr Lautrbach 190035 
 		fp = key_fingerprint(public, fptype, rep);
Petr Lautrbach 190035 
-		ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
Petr Lautrbach 190035 
+		ra = key_fingerprint(public, fingerprint_hash,
Petr Lautrbach 190035 
+		    SSH_FP_RANDOMART);
Petr Lautrbach 190035 
 		printf("%u %s %s (%s)\n", key_size(public), fp,
Petr Lautrbach 190035 
 		    comment ? comment : "no comment", key_type(public));
Petr Lautrbach 190035 
 		if (log_level >= SYSLOG_LEVEL_VERBOSE)
Petr Lautrbach 190035 
@@ -991,13 +996,15 @@ printhost(FILE *f, const char *name, Key *public, int ca, int revoked, int hash)
Petr Lautrbach 190035 
 {
Petr Lautrbach 190035 
 	if (print_fingerprint) {
Petr Lautrbach 190035 
 		enum fp_rep rep;
Petr Lautrbach 190035 
-		enum fp_type fptype;
Petr Lautrbach 190035 
+		int fptype;
Petr Lautrbach 190035 
 		char *fp, *ra;
Petr Lautrbach 190035
Petr Lautrbach 190035 
-		fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
Petr Lautrbach 190035 
-		rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
Petr Lautrbach 190035 
+		fptype = print_bubblebabble ?
Petr Lautrbach 190035 
+		    SSH_DIGEST_SHA1 : fingerprint_hash;
Petr Lautrbach 190035 
+		rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
Petr Lautrbach 190035 
 		fp = key_fingerprint(public, fptype, rep);
Petr Lautrbach 190035 
-		ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
Petr Lautrbach 190035 
+		ra = key_fingerprint(public, fingerprint_hash,
Petr Lautrbach 190035 
+		    SSH_FP_RANDOMART);
Petr Lautrbach 190035 
 		printf("%u %s %s (%s)\n", key_size(public), fp, name,
Petr Lautrbach 190035 
 		    key_type(public));
Petr Lautrbach 190035 
 		if (log_level >= SYSLOG_LEVEL_VERBOSE)
Petr Lautrbach 190035 
@@ -1906,9 +1913,9 @@ do_show_cert(struct passwd *pw)
Petr Lautrbach 190035 
 		fatal("%s is not a certificate", identity_file);
Petr Lautrbach 190035 
 	v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
Petr Lautrbach 190035
Petr Lautrbach 190035 
-	key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
+	key_fp = key_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);
Petr Lautrbach 190035 
 	ca_fp = key_fingerprint(key->cert->signature_key,
Petr Lautrbach 190035 
-	    SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
+	    fingerprint_hash, SSH_FP_DEFAULT);
Petr Lautrbach 190035
Petr Lautrbach 190035 
 	printf("%s:\n", identity_file);
Petr Lautrbach 190035 
 	printf("        Type: %s %s certificate\n", key_ssh_name(key),
Petr Lautrbach 190035 
@@ -2187,7 +2194,7 @@ usage(void)
Petr Lautrbach 190035 
 	    "       ssh-keygen -e [-m key_format] [-f input_keyfile]\n"
Petr Lautrbach 190035 
 	    "       ssh-keygen -y [-f input_keyfile]\n"
Petr Lautrbach 190035 
 	    "       ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n"
Petr Lautrbach 190035 
-	    "       ssh-keygen -l [-f input_keyfile]\n"
Petr Lautrbach 190035 
+	    "       ssh-keygen -l [-E fingerprint_hash] [-f input_keyfile]\n"
Petr Lautrbach 190035 
 	    "       ssh-keygen -B [-f input_keyfile]\n");
Petr Lautrbach 190035 
 #ifdef ENABLE_PKCS11
Petr Lautrbach 190035 
 	fprintf(stderr,
Petr Lautrbach 190035 
@@ -2256,9 +2263,10 @@ main(int argc, char **argv)
Petr Lautrbach 190035 
 		exit(1);
Petr Lautrbach 190035 
 	}
Petr Lautrbach 190035
Petr Lautrbach 190035 
-	/* Remaining characters: EUYdw */
Petr Lautrbach 190035 
+	/* Remaining characters: UYdw */
Petr Lautrbach 190035 
 	while ((opt = getopt(argc, argv, "ABHLQXceghiklopquvxy"
Petr Lautrbach 190035 
-	    "C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:a:b:f:g:j:m:n:r:s:t:z:")) != -1) {
Petr Lautrbach 190035 
+	    "C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:"
Petr Lautrbach 190035 
+	    "a:b:f:g:j:m:n:r:s:t:z:")) != -1) {
Petr Lautrbach 190035 
 		switch (opt) {
Petr Lautrbach 190035 
 		case 'A':
Petr Lautrbach 190035 
 			gen_all_hostkeys = 1;
Petr Lautrbach 190035 
@@ -2269,6 +2277,11 @@ main(int argc, char **argv)
Petr Lautrbach 190035 
 				fatal("Bits has bad value %s (%s)",
Petr Lautrbach 190035 
 					optarg, errstr);
Petr Lautrbach 190035 
 			break;
Petr Lautrbach 190035 
+		case 'E':
Petr Lautrbach 190035 
+			fingerprint_hash = ssh_digest_alg_by_name(optarg);
Petr Lautrbach 190035 
+			if (fingerprint_hash == -1)
Petr Lautrbach 190035 
+				fatal("Invalid hash algorithm \"%s\"", optarg);
Petr Lautrbach 190035 
+			break;
Petr Lautrbach 190035 
 		case 'F':
Petr Lautrbach 190035 
 			find_host = 1;
Petr Lautrbach 190035 
 			rr_hostname = optarg;
Petr Lautrbach 190035 
@@ -2700,8 +2713,9 @@ passphrase_again:
Petr Lautrbach 190035 
 	fclose(f);
Petr Lautrbach 190035
Petr Lautrbach 190035 
 	if (!quiet) {
Petr Lautrbach 190035 
-		char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
-		char *ra = key_fingerprint(public, SSH_FP_MD5,
Petr Lautrbach 190035 
+		char *fp = key_fingerprint(public, fingerprint_hash,
Petr Lautrbach 190035 
+		    SSH_FP_DEFAULT);
Petr Lautrbach 190035 
+		char *ra = key_fingerprint(public, fingerprint_hash,
Petr Lautrbach 190035 
 		    SSH_FP_RANDOMART);
Petr Lautrbach 190035 
 		printf("Your public key has been saved in %s.\n",
Petr Lautrbach 190035 
 		    identity_file);
Petr Lautrbach 190035 
diff --git a/ssh-keysign.c b/ssh-keysign.c
Petr Lautrbach 190035 
index d95bb7d..3526d7d 100644
Petr Lautrbach 190035 
--- a/ssh-keysign.c
Petr Lautrbach 190035 
+++ b/ssh-keysign.c
Petr Lautrbach 190035 
@@ -246,7 +246,8 @@ main(int argc, char **argv)
Petr Lautrbach 190035 
 		}
Petr Lautrbach 190035 
 	}
Petr Lautrbach 190035 
 	if (!found) {
Petr Lautrbach 190035 
-		fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
+		fp = key_fingerprint(key, options.fingerprint_hash,
Petr Lautrbach 190035 
+		    SSH_FP_DEFAULT);
Petr Lautrbach 190035 
 		fatal("no matching hostkey found for key %s %s",
Petr Lautrbach 190035 
 		    key_type(key), fp);
Petr Lautrbach 190035 
 	}
Petr Lautrbach 190035 
diff --git a/ssh.1 b/ssh.1
Petr Lautrbach 190035 
index fa5cfb2..d3198a1 100644
Petr Lautrbach 190035 
--- a/ssh.1
Petr Lautrbach 190035 
+++ b/ssh.1
Petr Lautrbach 190035 
@@ -1083,7 +1083,7 @@ Fingerprints can be determined using
Petr Lautrbach 190035 
 If the fingerprint is already known, it can be matched
Petr Lautrbach 190035 
 and the key can be accepted or rejected.
Petr Lautrbach 190035 
 Because of the difficulty of comparing host keys
Petr Lautrbach 190035 
-just by looking at hex strings,
Petr Lautrbach 190035 
+just by looking at fingerprint strings,
Petr Lautrbach 190035 
 there is also support to compare host keys visually,
Petr Lautrbach 190035 
 using
Petr Lautrbach 190035 
 .Em random art .
Petr Lautrbach 190035 
diff --git a/sshconnect.c b/sshconnect.c
Petr Lautrbach 190035 
index ac09eae..7db31e6 100644
Petr Lautrbach 190035 
--- a/sshconnect.c
Petr Lautrbach 190035 
+++ b/sshconnect.c
Petr Lautrbach 190035 
@@ -915,9 +915,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
Petr Lautrbach 190035 
 				    "key for IP address '%.128s' to the list "
Petr Lautrbach 190035 
 				    "of known hosts.", type, ip);
Petr Lautrbach 190035 
 		} else if (options.visual_host_key) {
Petr Lautrbach 190035 
-			fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
-			ra = key_fingerprint(host_key, SSH_FP_MD5,
Petr Lautrbach 190035 
-			    SSH_FP_RANDOMART);
Petr Lautrbach 190035 
+			fp = key_fingerprint(host_key,
Petr Lautrbach 190035 
+			    options.fingerprint_hash, SSH_FP_DEFAULT);
Petr Lautrbach 190035 
+			ra = key_fingerprint(host_key,
Petr Lautrbach 190035 
+			    options.fingerprint_hash, SSH_FP_RANDOMART);
Petr Lautrbach 190035 
 			logit("Host key fingerprint is %s\n%s\n", fp, ra);
Petr Lautrbach 190035 
 			free(ra);
Petr Lautrbach 190035 
 			free(fp);
Petr Lautrbach 190035 
@@ -956,9 +957,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
Petr Lautrbach 190035 
 			else
Petr Lautrbach 190035 
 				snprintf(msg1, sizeof(msg1), ".");
Petr Lautrbach 190035 
 			/* The default */
Petr Lautrbach 190035 
-			fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
-			ra = key_fingerprint(host_key, SSH_FP_MD5,
Petr Lautrbach 190035 
-			    SSH_FP_RANDOMART);
Petr Lautrbach 190035 
+			fp = key_fingerprint(host_key,
Petr Lautrbach 190035 
+			    options.fingerprint_hash, SSH_FP_DEFAULT);
Petr Lautrbach 190035 
+			ra = key_fingerprint(host_key,
Petr Lautrbach 190035 
+			    options.fingerprint_hash, SSH_FP_RANDOMART);
Petr Lautrbach 190035 
 			msg2[0] = '\0';
Petr Lautrbach 190035 
 			if (options.verify_host_key_dns) {
Petr Lautrbach 190035 
 				if (matching_host_key_dns)
Petr Lautrbach 190035 
@@ -1222,7 +1224,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
Petr Lautrbach 190035 
 	char *fp;
Petr Lautrbach 190035 
 	Key *plain = NULL;
Petr Lautrbach 190035
Petr Lautrbach 190035 
-	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
+	fp = key_fingerprint(host_key, options.fingerprint_hash, SSH_FP_DEFAULT);
Petr Lautrbach 190035 
 	debug("Server host key: %s %s", key_type(host_key), fp);
Petr Lautrbach 190035 
 	free(fp);
Petr Lautrbach 190035
Petr Lautrbach 190035 
@@ -1356,8 +1358,10 @@ show_other_keys(struct hostkeys *hostkeys, Key *key)
Petr Lautrbach 190035 
 			continue;
Petr Lautrbach 190035 
 		if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
Petr Lautrbach 190035 
 			continue;
Petr Lautrbach 190035 
-		fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
-		ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
Petr Lautrbach 190035 
+		fp = key_fingerprint(found->key,
Petr Lautrbach 190035 
+		    options.fingerprint_hash, SSH_FP_DEFAULT);
Petr Lautrbach 190035 
+		ra = key_fingerprint(found->key,
Petr Lautrbach 190035 
+		    options.fingerprint_hash, SSH_FP_RANDOMART);
Petr Lautrbach 190035 
 		logit("WARNING: %s key found for host %s\n"
Petr Lautrbach 190035 
 		    "in %s:%lu\n"
Petr Lautrbach 190035 
 		    "%s key fingerprint %s.",
Petr Lautrbach 190035 
@@ -1378,7 +1382,8 @@ warn_changed_key(Key *host_key)
Petr Lautrbach 190035 
 {
Petr Lautrbach 190035 
 	char *fp;
Petr Lautrbach 190035
Petr Lautrbach 190035 
-	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
+	fp = key_fingerprint(host_key, options.fingerprint_hash,
Petr Lautrbach 190035 
+	    SSH_FP_DEFAULT);
Petr Lautrbach 190035
Petr Lautrbach 190035 
 	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
Petr Lautrbach 190035 
 	error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");
Petr Lautrbach 190035 
diff --git a/sshconnect2.c b/sshconnect2.c
Petr Lautrbach 190035 
index 68f7f4f..4724b66 100644
Petr Lautrbach 190035 
--- a/sshconnect2.c
Petr Lautrbach 190035 
+++ b/sshconnect2.c
Petr Lautrbach 190035 
@@ -582,7 +582,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
Petr Lautrbach 190035 
 		    key->type, pktype);
Petr Lautrbach 190035 
 		goto done;
Petr Lautrbach 190035 
 	}
Petr Lautrbach 190035 
-	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
+	fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
Petr Lautrbach 190035 
 	debug2("input_userauth_pk_ok: fp %s", fp);
Petr Lautrbach 190035 
 	free(fp);
Petr Lautrbach 190035
Petr Lautrbach 190035 
@@ -991,7 +991,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
Petr Lautrbach 190035 
 	int have_sig = 1;
Petr Lautrbach 190035 
 	char *fp;
Petr Lautrbach 190035
Petr Lautrbach 190035 
-	fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
Petr Lautrbach 190035 
+	fp = key_fingerprint(id->key, options.fingerprint_hash, SSH_FP_DEFAULT);
Petr Lautrbach 190035 
 	debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
Petr Lautrbach 190035 
 	free(fp);
Petr Lautrbach 190035
Petr Lautrbach 190035 
diff --git a/sshd_config.5 b/sshd_config.5
Petr Lautrbach 190035 
index fd44abe..0449eeb 100644
Petr Lautrbach 190035 
--- a/sshd_config.5
Petr Lautrbach 190035 
+++ b/sshd_config.5
Petr Lautrbach 190035 
@@ -483,6 +483,15 @@ and finally
Petr Lautrbach 190035 
 See PATTERNS in
Petr Lautrbach 190035 
 .Xr ssh_config 5
Petr Lautrbach 190035 
 for more information on patterns.
Petr Lautrbach 190035 
+.It Cm FingerprintHash
Petr Lautrbach 190035 
+Specifies the hash algorithm used when logging key fingerprints.
Petr Lautrbach 190035 
+Valid options are:
Petr Lautrbach 190035 
+.Dq md5
Petr Lautrbach 190035 
+and
Petr Lautrbach 190035 
+.Dq sha256 .
Petr Lautrbach 190035 
+The default is
Petr Lautrbach 190035 
+.Dq sha256 .
Petr Lautrbach 190035 
+.Pp
Petr Lautrbach 190035 
 .It Cm ForceCommand
Petr Lautrbach 190035 
 Forces the execution of the command specified by
Petr Lautrbach 190035 
 .Cm ForceCommand ,
Petr Lautrbach 190035 
diff --git a/sshkey.c b/sshkey.c
Petr Lautrbach 190035 
index fdd0c8a..70df758 100644
Petr Lautrbach 190035 
--- a/sshkey.c
Petr Lautrbach 190035 
+++ b/sshkey.c
Petr Lautrbach 190035 
@@ -29,6 +29,7 @@
Petr Lautrbach 190035
Petr Lautrbach 190035 
 #include <sys/param.h>
Petr Lautrbach 190035 
 #include <sys/types.h>
Petr Lautrbach 190035 
+#include <netinet/in.h>
Petr Lautrbach 190035
Petr Lautrbach 190035 
 #include <openssl/evp.h>
Petr Lautrbach 190035 
 #include <openssl/err.h>
Petr Lautrbach 190035 
@@ -852,29 +853,18 @@ sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp)
Petr Lautrbach 190035 
 }
Petr Lautrbach 190035
Petr Lautrbach 190035 
 int
Petr Lautrbach 190035 
-sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type,
Petr Lautrbach 190035 
+sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg,
Petr Lautrbach 190035 
     u_char **retp, size_t *lenp)
Petr Lautrbach 190035 
 {
Petr Lautrbach 190035 
 	u_char *blob = NULL, *ret = NULL;
Petr Lautrbach 190035 
 	size_t blob_len = 0;
Petr Lautrbach 190035 
-	int hash_alg = -1, r = SSH_ERR_INTERNAL_ERROR;
Petr Lautrbach 190035 
+	int r = SSH_ERR_INTERNAL_ERROR;
Petr Lautrbach 190035
Petr Lautrbach 190035 
 	if (retp != NULL)
Petr Lautrbach 190035 
 		*retp = NULL;
Petr Lautrbach 190035 
 	if (lenp != NULL)
Petr Lautrbach 190035 
 		*lenp = 0;
Petr Lautrbach 190035 
-
Petr Lautrbach 190035 
-	switch (dgst_type) {
Petr Lautrbach 190035 
-	case SSH_FP_MD5:
Petr Lautrbach 190035 
-		hash_alg = SSH_DIGEST_MD5;
Petr Lautrbach b457c9 
-		break;
Petr Lautrbach b457c9 
-	case SSH_FP_SHA1:
Petr Lautrbach b457c9 
-		hash_alg = SSH_DIGEST_SHA1;
Petr Lautrbach b457c9 
-		break;
Petr Lautrbach b457c9 
-	case SSH_FP_SHA256:
Petr Lautrbach b457c9 
-		hash_alg = SSH_DIGEST_SHA256;
Petr Lautrbach b457c9 
-		break;
Petr Lautrbach b457c9 
-	default:
Petr Lautrbach b457c9 
+	if (ssh_digest_bytes(dgst_alg) == 0) {
Petr Lautrbach b457c9 
 		r = SSH_ERR_INVALID_ARGUMENT;
Petr Lautrbach b457c9 
 		goto out;
Petr Lautrbach b457c9 
 	}
Petr Lautrbach 190035 
@@ -899,7 +889,7 @@ sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type,
Petr Lautrbach b457c9 
 		r = SSH_ERR_ALLOC_FAIL;
Petr Lautrbach b457c9 
 		goto out;
Petr Lautrbach b457c9 
 	}
Petr Lautrbach b457c9 
-	if ((r = ssh_digest_memory(hash_alg, blob, blob_len,
Petr Lautrbach b457c9 
+	if ((r = ssh_digest_memory(dgst_alg, blob, blob_len,
Petr Lautrbach b457c9 
 	    ret, SSH_DIGEST_MAX_LENGTH)) != 0)
Petr Lautrbach b457c9 
 		goto out;
Petr Lautrbach b457c9 
 	/* success */
Petr Lautrbach 190035 
@@ -908,7 +898,7 @@ sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type,
Petr Lautrbach b457c9 
 		ret = NULL;
Petr Lautrbach b457c9 
 	}
Petr Lautrbach b457c9 
 	if (lenp != NULL)
Petr Lautrbach b457c9 
-		*lenp = ssh_digest_bytes(hash_alg);
Petr Lautrbach b457c9 
+		*lenp = ssh_digest_bytes(dgst_alg);
Petr Lautrbach b457c9 
 	r = 0;
Petr Lautrbach b457c9 
  out:
Petr Lautrbach b457c9 
 	free(ret);
Petr Lautrbach 190035 
@@ -920,21 +910,45 @@ sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type,
Petr Lautrbach b457c9 
 }
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 static char *
Petr Lautrbach b457c9 
-fingerprint_hex(u_char *dgst_raw, size_t dgst_raw_len)
Petr Lautrbach b457c9 
+fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
Petr Lautrbach b457c9 
 {
Petr Lautrbach b457c9 
-	char *retval;
Petr Lautrbach b457c9 
-	size_t i;
Petr Lautrbach b457c9 
+	char *ret;
Petr Lautrbach b457c9 
+	size_t plen = strlen(alg) + 1;
Petr Lautrbach b457c9 
+	size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1;
Petr Lautrbach b457c9 
+	int r;
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
-	if ((retval = calloc(1, dgst_raw_len * 3 + 1)) == NULL)
Petr Lautrbach b457c9 
+	if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL)
Petr Lautrbach b457c9 
+		return NULL;
Petr Lautrbach b457c9 
+	strlcpy(ret, alg, rlen);
Petr Lautrbach b457c9 
+	strlcat(ret, ":", rlen);
Petr Lautrbach b457c9 
+	if (dgst_raw_len == 0)
Petr Lautrbach b457c9 
+		return ret;
Petr Lautrbach b457c9 
+	if ((r = b64_ntop(dgst_raw, dgst_raw_len,
Petr Lautrbach b457c9 
+	    ret + plen, rlen - plen)) == -1) {
Petr Lautrbach b457c9 
+		explicit_bzero(ret, rlen);
Petr Lautrbach b457c9 
+		free(ret);
Petr Lautrbach b457c9 
 		return NULL;
Petr Lautrbach b457c9 
-	for (i = 0; i < dgst_raw_len; i++) {
Petr Lautrbach b457c9 
-		char hex[4];
Petr Lautrbach b457c9 
-		snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]);
Petr Lautrbach b457c9 
-		strlcat(retval, hex, dgst_raw_len * 3 + 1);
Petr Lautrbach b457c9 
 	}
Petr Lautrbach b457c9 
+	/* Trim padding characters from end */
Petr Lautrbach b457c9 
+	ret[strcspn(ret, "=")] = '\0';
Petr Lautrbach b457c9 
+	return ret;
Petr Lautrbach b457c9 
+}
Petr Lautrbach 190035
Petr Lautrbach 190035 
-	/* Remove the trailing ':' character */
Petr Lautrbach 190035 
-	retval[(dgst_raw_len * 3) - 1] = '\0';
Petr Lautrbach b457c9 
+static char *
Petr Lautrbach b457c9 
+fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
Petr Lautrbach b457c9 
+{
Petr Lautrbach b457c9 
+	char *retval, hex[5];
Petr Lautrbach b457c9 
+	size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2;
Petr Lautrbach 190035 
+
Petr Lautrbach b457c9 
+	if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL)
Petr Lautrbach b457c9 
+		return NULL;
Petr Lautrbach b457c9 
+	strlcpy(retval, alg, rlen);
Petr Lautrbach b457c9 
+	strlcat(retval, ":", rlen);
Petr Lautrbach b457c9 
+	for (i = 0; i < dgst_raw_len; i++) {
Petr Lautrbach b457c9 
+		snprintf(hex, sizeof(hex), "%s%02x",
Petr Lautrbach b457c9 
+		    i > 0 ? ":" : "", dgst_raw[i]);
Petr Lautrbach b457c9 
+		strlcat(retval, hex, rlen);
Petr Lautrbach b457c9 
+	}
Petr Lautrbach b457c9 
 	return retval;
Petr Lautrbach b457c9 
 }
Petr Lautrbach b457c9
Petr Lautrbach 190035 
@@ -1020,7 +1034,7 @@ fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len)
Petr Lautrbach b457c9 
 #define	FLDSIZE_Y	(FLDBASE + 1)
Petr Lautrbach b457c9 
 #define	FLDSIZE_X	(FLDBASE * 2 + 1)
Petr Lautrbach b457c9 
 static char *
Petr Lautrbach b457c9 
-fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len,
Petr Lautrbach b457c9 
+fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len,
Petr Lautrbach b457c9 
     const struct sshkey *k)
Petr Lautrbach b457c9 
 {
Petr Lautrbach b457c9 
 	/*
Petr Lautrbach 190035 
@@ -1028,9 +1042,9 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len,
Petr Lautrbach b457c9 
 	 * intersects with itself.  Matter of taste.
Petr Lautrbach b457c9 
 	 */
Petr Lautrbach b457c9 
 	char	*augmentation_string = " .o+=*BOX@%&#/^SE";
Petr Lautrbach b457c9 
-	char	*retval, *p, title[FLDSIZE_X];
Petr Lautrbach b457c9 
+	char	*retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X];
Petr Lautrbach b457c9 
 	u_char	 field[FLDSIZE_X][FLDSIZE_Y];
Petr Lautrbach b457c9 
-	size_t	 i, tlen;
Petr Lautrbach b457c9 
+	size_t	 i, tlen, hlen;
Petr Lautrbach b457c9 
 	u_int	 b;
Petr Lautrbach b457c9 
 	int	 x, y, r;
Petr Lautrbach b457c9 
 	size_t	 len = strlen(augmentation_string) - 1;
Petr Lautrbach 190035 
@@ -1075,8 +1089,12 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len,
Petr Lautrbach b457c9 
 		sshkey_type(k), sshkey_size(k));
Petr Lautrbach b457c9 
 	/* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */
Petr Lautrbach b457c9 
 	if (r < 0 || r > (int)sizeof(title))
Petr Lautrbach b457c9 
-		snprintf(title, sizeof(title), "[%s]", sshkey_type(k));
Petr Lautrbach b457c9 
-	tlen = strlen(title);
Petr Lautrbach b457c9 
+		r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k));
Petr Lautrbach b457c9 
+	tlen = (r <= 0) ? 0 : strlen(title);
Petr Lautrbach b457c9 
+
Petr Lautrbach b457c9 
+	/* assemble hash ID. */
Petr Lautrbach b457c9 
+	r = snprintf(hash, sizeof(hash), "[%s]", alg);
Petr Lautrbach b457c9 
+	hlen = (r <= 0) ? 0 : strlen(hash);
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 	/* output upper border */
Petr Lautrbach b457c9 
 	p = retval;
Petr Lautrbach 190035 
@@ -1085,7 +1103,7 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len,
Petr Lautrbach b457c9 
 		*p++ = '-';
Petr Lautrbach b457c9 
 	memcpy(p, title, tlen);
Petr Lautrbach b457c9 
 	p += tlen;
Petr Lautrbach b457c9 
-	for (i = p - retval - 1; i < FLDSIZE_X; i++)
Petr Lautrbach b457c9 
+	for (i += tlen; i < FLDSIZE_X; i++)
Petr Lautrbach b457c9 
 		*p++ = '-';
Petr Lautrbach b457c9 
 	*p++ = '+';
Petr Lautrbach b457c9 
 	*p++ = '\n';
Petr Lautrbach 190035 
@@ -1101,7 +1119,11 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len,
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 	/* output lower border */
Petr Lautrbach b457c9 
 	*p++ = '+';
Petr Lautrbach b457c9 
-	for (i = 0; i < FLDSIZE_X; i++)
Petr Lautrbach b457c9 
+	for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++)
Petr Lautrbach b457c9 
+		*p++ = '-';
Petr Lautrbach b457c9 
+	memcpy(p, hash, hlen);
Petr Lautrbach b457c9 
+	p += hlen;
Petr Lautrbach b457c9 
+	for (i += hlen; i < FLDSIZE_X; i++)
Petr Lautrbach b457c9 
 		*p++ = '-';
Petr Lautrbach b457c9 
 	*p++ = '+';
Petr Lautrbach b457c9
Petr Lautrbach 190035 
@@ -1109,24 +1131,39 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len,
Petr Lautrbach b457c9 
 }
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 char *
Petr Lautrbach b457c9 
-sshkey_fingerprint(const struct sshkey *k, enum sshkey_fp_type dgst_type,
Petr Lautrbach b457c9 
+sshkey_fingerprint(const struct sshkey *k, int dgst_alg,
Petr Lautrbach b457c9 
     enum sshkey_fp_rep dgst_rep)
Petr Lautrbach b457c9 
 {
Petr Lautrbach b457c9 
 	char *retval = NULL;
Petr Lautrbach b457c9 
 	u_char *dgst_raw;
Petr Lautrbach b457c9 
 	size_t dgst_raw_len;
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
-	if (sshkey_fingerprint_raw(k, dgst_type, &dgst_raw, &dgst_raw_len) != 0)
Petr Lautrbach b457c9 
+	if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0)
Petr Lautrbach b457c9 
 		return NULL;
Petr Lautrbach b457c9 
 	switch (dgst_rep) {
Petr Lautrbach b457c9 
+	case SSH_FP_DEFAULT:
Petr Lautrbach b457c9 
+		if (dgst_alg == SSH_DIGEST_MD5) {
Petr Lautrbach b457c9 
+			retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
Petr Lautrbach b457c9 
+			    dgst_raw, dgst_raw_len);
Petr Lautrbach b457c9 
+		} else {
Petr Lautrbach b457c9 
+			retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
Petr Lautrbach b457c9 
+			    dgst_raw, dgst_raw_len);
Petr Lautrbach b457c9 
+		}
Petr Lautrbach b457c9 
+		break;
Petr Lautrbach b457c9 
 	case SSH_FP_HEX:
Petr Lautrbach b457c9 
-		retval = fingerprint_hex(dgst_raw, dgst_raw_len);
Petr Lautrbach b457c9 
+		retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
Petr Lautrbach b457c9 
+		    dgst_raw, dgst_raw_len);
Petr Lautrbach b457c9 
+		break;
Petr Lautrbach b457c9 
+	case SSH_FP_BASE64:
Petr Lautrbach b457c9 
+		retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
Petr Lautrbach b457c9 
+		    dgst_raw, dgst_raw_len);
Petr Lautrbach b457c9 
 		break;
Petr Lautrbach b457c9 
 	case SSH_FP_BUBBLEBABBLE:
Petr Lautrbach b457c9 
 		retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
Petr Lautrbach b457c9 
 		break;
Petr Lautrbach b457c9 
 	case SSH_FP_RANDOMART:
Petr Lautrbach b457c9 
-		retval = fingerprint_randomart(dgst_raw, dgst_raw_len, k);
Petr Lautrbach b457c9 
+		retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg),
Petr Lautrbach b457c9 
+		    dgst_raw, dgst_raw_len, k);
Petr Lautrbach b457c9 
 		break;
Petr Lautrbach b457c9 
 	default:
Petr Lautrbach b457c9 
 		explicit_bzero(dgst_raw, dgst_raw_len);
Petr Lautrbach 190035 
diff --git a/sshkey.h b/sshkey.h
Petr Lautrbach 190035 
index 450b30c..4554b09 100644
Petr Lautrbach 190035 
--- a/sshkey.h
Petr Lautrbach 190035 
+++ b/sshkey.h
Petr Lautrbach b457c9 
@@ -1,4 +1,4 @@
Petr Lautrbach b457c9 
-/* $OpenBSD: sshkey.h,v 1.1 2014/06/24 01:16:58 djm Exp $ */
Petr Lautrbach b457c9 
+/* $OpenBSD: sshkey.h,v 1.2 2014/12/21 22:27:55 djm Exp $ */
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 /*
Petr Lautrbach b457c9 
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
Petr Lautrbach b457c9 
@@ -67,16 +67,14 @@ enum sshkey_types {
Petr Lautrbach b457c9 
 	KEY_UNSPEC
Petr Lautrbach b457c9 
 };
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
-/* Fingerprint hash algorithms */
Petr Lautrbach b457c9 
-enum sshkey_fp_type {
Petr Lautrbach b457c9 
-	SSH_FP_SHA1,
Petr Lautrbach b457c9 
-	SSH_FP_MD5,
Petr Lautrbach b457c9 
-	SSH_FP_SHA256
Petr Lautrbach b457c9 
-};
Petr Lautrbach b457c9 
+/* Default fingerprint hash */
Petr Lautrbach b457c9 
+#define SSH_FP_HASH_DEFAULT	SSH_DIGEST_SHA256
Petr Lautrbach b457c9
Petr Lautrbach b457c9 
 /* Fingerprint representation formats */
Petr Lautrbach b457c9 
 enum sshkey_fp_rep {
Petr Lautrbach b457c9 
+	SSH_FP_DEFAULT = 0,
Petr Lautrbach b457c9 
 	SSH_FP_HEX,
Petr Lautrbach b457c9 
+	SSH_FP_BASE64,
Petr Lautrbach b457c9 
 	SSH_FP_BUBBLEBABBLE,
Petr Lautrbach b457c9 
 	SSH_FP_RANDOMART
Petr Lautrbach b457c9 
 };
Petr Lautrbach 190035 
@@ -124,9 +122,9 @@ int		 sshkey_equal_public(const struct sshkey *,
Petr Lautrbach b457c9 
     const struct sshkey *);
Petr Lautrbach b457c9 
 int		 sshkey_equal(const struct sshkey *, const struct sshkey *);
Petr Lautrbach b457c9 
 char		*sshkey_fingerprint(const struct sshkey *,
Petr Lautrbach b457c9 
-    enum sshkey_fp_type, enum sshkey_fp_rep);
Petr Lautrbach b457c9 
+    int, enum sshkey_fp_rep);
Petr Lautrbach b457c9 
 int		 sshkey_fingerprint_raw(const struct sshkey *k,
Petr Lautrbach b457c9 
-    enum sshkey_fp_type dgst_type, u_char **retp, size_t *lenp);
Petr Lautrbach b457c9 
+    int, u_char **retp, size_t *lenp);
Petr Lautrbach b457c9 
 const char	*sshkey_type(const struct sshkey *);
Petr Lautrbach b457c9 
 const char	*sshkey_cert_type(const struct sshkey *);
Petr Lautrbach b457c9 
 int		 sshkey_write(const struct sshkey *, FILE *);

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation