agent: Make digest algorithms for ssh fingerprints configurable.

* agent/agent.h (opt): New field 'ssh_fingerprint_digest'. * agent/command-ssh.c (data_sign, ssh_identity_register): Honor the option for strings used to communicate with the user. * agent/findkey.c (agent_modify_description): Likewise. * agent/gpg-agent.c (cmd_and_opt_values): New value. (opts): New option '--ssh-fingerprint-digest'. (parse_rereadable_options): Set the default to MD5 for now. (main): Handle the new option. * doc/gpg-agent.texi: Document the new option. -- OpenSSH has transitioned from using MD5 to compute key fingerprints to SHA256. This patch makes the digest used when communicating key fingerprints to the user (e.g. in pinentry dialogs) configurable. For now this patch conservatively defaults to MD5. GnuPG-bug-id: 2106 Signed-off-by: Justus Winter <justus@g10code.com>
2017-05-24 17:48:42 +02:00 · 2017-05-24 17:48:42 +02:00 · 525f2c482a
parent a5f046d99a
commit 525f2c482a
5 changed files with 24 additions and 3 deletions
--- a/agent/agent.h
+++ b/agent/agent.h
@ -167,6 +167,10 @@ struct
     gpg-agent.c: If the value is less than 2 the name has not yet
     been malloced. */
  int browser_socket;
+
+  /* The digest algorithm to use for ssh fingerprints when
+   * communicating with the user.  */
+  int ssh_fingerprint_digest;
 } opt;


--- a/agent/command-ssh.c
+++ b/agent/command-ssh.c
@ -2774,7 +2774,7 @@ data_sign (ctrl_t ctrl, ssh_key_type_spec_t *spec,
      err = agent_raw_key_from_file (ctrl, ctrl->keygrip, &key);
      if (err)
        goto out;
-      err = ssh_get_fingerprint_string (key, GCRY_MD_MD5, &fpr);
+      err = ssh_get_fingerprint_string (key, opt.ssh_fingerprint_digest, &fpr);
      if (!err)
        {
          gcry_sexp_t tmpsxp = gcry_sexp_find_token (key, "comment", 0);
@ -3052,7 +3052,7 @@ ssh_identity_register (ctrl_t ctrl, ssh_key_type_spec_t *spec,

  bin2hex (key_grip_raw, 20, key_grip);

-  err = ssh_get_fingerprint_string (key, GCRY_MD_MD5, &key_fpr);
+  err = ssh_get_fingerprint_string (key, opt.ssh_fingerprint_digest, &key_fpr);
  if (err)
    goto out;

--- a/agent/findkey.c
+++ b/agent/findkey.c
@ -412,7 +412,8 @@ agent_modify_description (const char *in, const char *comment,

                case 'F': /* SSH style fingerprint.  */
                  if (!ssh_fpr && key)
-                    ssh_get_fingerprint_string (key, GCRY_MD_MD5, &ssh_fpr);
+                    ssh_get_fingerprint_string (key, opt.ssh_fingerprint_digest,
+                                                &ssh_fpr);
                  if (ssh_fpr)
                    {
                      if (out)
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@ -129,6 +129,7 @@ enum cmd_and_opt_values
  oKeepTTY,
  oKeepDISPLAY,
  oSSHSupport,
+  oSSHFingerprintDigest,
  oPuttySupport,
  oDisableScdaemon,
  oDisableCheckOwnSocket,
@ -232,6 +233,8 @@ static ARGPARSE_OPTS opts[] = {
                /* */    N_("allow passphrase to be prompted through Emacs")),

  ARGPARSE_s_n (oSSHSupport,   "enable-ssh-support", N_("enable ssh support")),
+  ARGPARSE_s_s (oSSHFingerprintDigest, "ssh-fingerprint-digest",
+                N_("digest to use when communicating ssh fingerprints")),
  ARGPARSE_s_n (oPuttySupport, "enable-putty-support",
 #ifdef HAVE_W32_SYSTEM
                /* */           N_("enable putty support")
@ -800,6 +803,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
      opt.allow_emacs_pinentry = 0;
      opt.disable_scdaemon = 0;
      disable_check_own_socket = 0;
+      opt.ssh_fingerprint_digest = GCRY_MD_MD5;
      return 1;
    }

@ -1176,6 +1180,11 @@ main (int argc, char **argv )
 	case oSSHSupport:
          ssh_support = 1;
          break;
+	case oSSHFingerprintDigest:
+          opt.ssh_fingerprint_digest = gcry_md_map_name (pargs.r.ret_str);
+          if (opt.ssh_fingerprint_digest == 0)
+            log_error ("Unknown digest algorithm: %s\n", pargs.r.ret_str);
+          break;
        case oPuttySupport:
 #        ifdef HAVE_W32_SYSTEM
          putty_support = 1;
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@ -636,6 +636,13 @@ and allows the use of gpg-agent with the ssh implementation
@command{putty}.  This is similar to the regular ssh-agent support but
 makes use of Windows message queue as required by @command{putty}.

+@anchor{option --ssh-fingerprint-digest}
+@item --ssh-fingerprint-digest
+@opindex ssh-fingerprint-digest
+
+Select the digest algorithm used to compute ssh fingerprints that are
+communicated to the user, e.g. in pinentry dialogs.  OpenSSH has
+transitioned from using MD5 to the more secure SHA256.

@end table