1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

169 Commits

Author SHA1 Message Date
NIIBE Yutaka
39422f1d63 agent: Don't assume "OPENPGP.3" key means "Use-for-ssh:".
* agent/command-ssh.c: Fix comments.
* agent/findkey.c (public_key_from_file): Remove "OPENPGP.3" check.

--

GnuPG-bug-id: 5996
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-06-28 10:25:03 +09:00
NIIBE Yutaka
30b54a0ebb agent: Add KEYATTR command.
* agent/agent.h (agent_raw_key_from_file): Add R_KEYMETA argument.
(agent_update_private_key): New.
* agent/command-ssh.c (data_sign): Follow the change of the function
agent_raw_key_from_file.
* agent/command.c (do_one_keyinfo): Likewise.
(cmd_keyattr): New.
(register_commands): Add an entry of cmd_keyattr.
* agent/findkey.c (agent_update_private_key): New.
(agent_raw_key_from_file): Add R_KEYMETA argument.

--

GnuPG-bug-id: 5988
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-06-22 15:45:18 +09:00
Werner Koch
2766b9e56c
agent,ssh: Fix for make not-inserted OpenPGP.3 keys available for SSH.
* agent/command-ssh.c (ssh_send_available_keys):  Do not bump
key_counter for ignored keys.  Also use opt.debug instead of
opt.verbose and fix a memory leak.
--

The error shown by "ssh-add -l" before this fix was:
  error fetching identities: incomplete messag

Fixes-commit: 193fcc2f7a8cca5240ce50499c54f99235a87e1c
GnuPG-bug-id: 5996
2022-06-15 16:41:30 +02:00
NIIBE Yutaka
193fcc2f7a agent,ssh: Make not-inserted OpenPGP.3 keys available for SSH.
* agent/agent.h (agent_ssh_key_from_file): New.
* agent/command-ssh.c (get_ssh_keyinfo_on_cards): New.
(ssh_send_available_keys): Loop on the GNUPG_PRIVATE_KEYS_DIR.
Support keys by agent_ssh_key_from_file.
(ssh_handler_request_identities): Move card key handling to
ssh_send_available_keys.
* agent/findkey.c (public_key_from_file): New.  Adding handling
for SSH.
(agent_public_key_from_file): Use public_key_from_file.
(agent_ssh_key_from_file): New.

--

GnuPG-bug-id: 5996
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-05-26 17:11:52 +09:00
NIIBE Yutaka
1b0c4c2778 agent: Fix a bug accessing after release when opt.verbose.
* agent/command-ssh.c (ssh_handler_request_identities): Don't release
KEY_PUBLIC too early.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-05-20 15:51:47 +09:00
NIIBE Yutaka
ef3e5fd403 agent: Factor out handling scanning over ssh keys.
* agent/command-ssh.c (ssh_send_available_keys): New.
(ssh_handler_request_identities): Use ssh_send_available_keys.

--

GnuPG-bug-id: 5985
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-05-20 15:46:49 +09:00
Werner Koch
46d62d80a2
ssh: Returned faked response for the new session-bind extension.
* agent/command-ssh.c (SSH_OPT_CONSTRAIN_MAXSIGN): New.
(SSH_OPT_CONSTRAIN_EXTENSION): New.
(ssh_handler_add_identity): Ignore them.
(ssh_handler_extension): Take success for session-bind.
--

OpenSSH 8.9 does not gracefully allow communication with older agent
implementations.  Until this new OpenSSH feature has been settled we
return a faked response.

Code has not yet been tested.

GnuPG-bug-id: 5931
2022-04-14 12:30:55 +02:00
Jakub Jelen
c4436ebfa5 agent: Ignore MD5 Fingerprints for ssh keys
--
* agent/command-ssh.c (add_control_entry): Ignore failure of the MD5
  digest

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-14 11:47:04 +09:00
NIIBE Yutaka
9000081964 agent: Fix for possible support of Cygwin OpenSSH.
* agent/command-ssh.c (start_command_handler_ssh): Use es_sysopen.

--

With new (not-yet-released) libgpg-error, gpg-agent should be able to
handle connection from Cygwin version of OpenSSH.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-04-07 16:39:40 +09:00
NIIBE Yutaka
48ee11722d agent:w32: Fix for use of socket.
* agent/command-ssh.c (get_client_info): Use type gnupg_fd_t for
socket, until call of socket API.
(start_command_handler_ssh): Don't convert here.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-04-04 16:39:27 +09:00
Werner Koch
934a60de6b
ssh: Fix adding an ed25519 key with a zero length comment.
* agent/command-ssh.c (sexp_key_construct): Do not put an empty string
into an S-expression.
(stream_read_string): Do not not try to a read a zero length block.
--

Actually we could handles this different by not putting a comment tag
into the s-expression, however this requires more code and at other
places we already return "(none)" instead of an empty comment.

The second fix is more or less a cosmetic thing to get better error
messages in case the underlying read system call returns an error.

GnuPG-bug-id: 5794
2022-01-28 19:59:11 +01:00
Werner Koch
965bb0693c
A few minor code cleanups and typo fixes.
* agent/command-ssh.c (ssh_handler_request_identities): Remove double
check of ERR.
* g10/getkey.c (get_pubkey_byname): Remove double use of break.
* g10/pkglue.c (pk_encrypt): Handle possible NULL-ptr access due to
failed malloc.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-11 09:06:34 +02:00
Werner Koch
2d2391dfc2
agent: Skip unknown unknown ssh curves seen on cards.
* agent/command-ssh.c (ssh_handler_request_identities): Skip unknown
curves.
--

For example when using my standard ed25519 token and testing cards
with only Brainpool support, the ssh-agent failed due to the unknown
curves seen on the card.  This patches fixes this by ignoring keys
with unknown curves.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-29 15:39:32 +02:00
Werner Koch
1523b5f76f
gpg: New option --no-auto-trust-new-key.
* g10/gpg.c (oNoAutoTrustNewKey): New.
(opts): Add --no-auto-trust-new-key.
(main): Set it.
* g10/options.h (opt): Add flags.no_auto_trust_new_key.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-15 10:47:19 +01:00
Werner Koch
224e26cf7b
agent: Support ssh-agent extensions for environment variables.
* common/session-env.c (session_env_list_stdenvnames): Extend to allow
return all names as one string.
* agent/command-ssh.c (SSH_REQUEST_EXTENSION): New.
(SSH_RESPONSE_EXTENSION_FAILURE): New.
(request_specs): Add handler for the extension command.
(ssh_handler_extension): New.
--

The extension mechanism is specified in
https://tools.ietf.org/html/draft-miller-ssh-agent-04

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-01-25 10:35:06 +01:00
Werner Koch
390497ea11
Replace most of the remaining stdio calls by estream calls.
--

We need to use es_fopen on Windows to cope with non-ascii file names.
This is quite a large but fortunately straightforward change.  At a
very few places we keep using stdio (for example due to the use of
popen).

GnuPG-bug-id: 5098
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-10-20 12:15:56 +02:00
Werner Koch
0da923a124
agent: Allow to pass a timestamp to genkey and import.
* agent/command.c (cmd_genkey): Add option --timestamp.
(cmd_import_key): Ditto.
* agent/genkey.c (store_key): Add arg timestamp and change callers.
(agent_genkey): Ditto.
* agent/findkey.c (write_extended_private_key): Add args timestamp and
new key to write a Created line.
(agent_write_private_key): Add arg timestamp.
(agent_write_shadow_key): Ditto.
 agent/protect-tool.c (agent_write_private_key): Ditto as dummy arg.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-17 15:05:49 +02:00
Werner Koch
bb096905b9
agent: Add option --pss to pksign to be used by smartcards.
* agent/command.c (cmd_sethash): Add option --pss and allow for
--hash=null.
* agent/agent.h (struct server_control_s): Add digest.is_pss and
zero where needed.
* agent/pksign.c (agent_pksign_do): Allow for PSS with cards.
* scd/command.c (cmd_pksign): Add for --hash=none.
--

This is not a full implementaion of PSS but allows scdaemon card
drivers to detect already PSS formatted data.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-10 10:22:42 +02:00
James Bottomley
f541e1d95a
agent: separate out daemon handling infrastructure for reuse
* agent/call-scd.c: Factor re-usable code out to ...
* agent/call-daemon.c: new.  Store infos in an array to allow for
other backend daemons.
* agent/Makefile.am (gpg_agent_SOURCES): Add new file.
* agent/agent.h: Include assuan.h.
(enum daemon_type): New.
(opt): Replace scdaemon_program by daemon_program array.  Replace
scd_local by a array d_local.  Change users accordingly.
--

The model I'm using for a TPM daemon is the current scdaemon.  That
includes start and stop handlers plus liveness checks and an assuan
socket generator.  To avoid massive code duplication (and save me a
lot of effort), I've elected to strip this code out of call-scd.c into
a generic framework which can then be reused as is by the TPM handling
daemon.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Co-authored-by: Werner Koch <wk@gnupg.org>

Modified original patch for 2.2 heavily to fit the new framework used
in master (gnupg 2.3)

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-06-24 12:44:02 +02:00
NIIBE Yutaka
a7d46c78e2 agent,ssh: Tighten condition for EdDSA.
* agent/command-ssh.c (ssh_key_to_blob): Prepare for non-prefixed
point representation of EdDSA.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-06-05 09:20:21 +09:00
NIIBE Yutaka
2e988546c5 agent: Remove duplicated code for EdDSA.
* agent/command-ssh.c (ssh_receive_key): Curve is "Ed25519".
Use sexp_key_construct always.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-06-05 09:13:52 +09:00
Werner Koch
b18fb0264a
agent: Allow to use SETHASH for arbitrary data.
* agent/agent.h (struct server_control_s): Add field digest.data.
* agent/gpg-agent.c (agent_deinit_default_ctrl): Free that field.
* agent/command.c (reset_notify): Ditto.
(start_command_handler): ditto.
(cmd_sethash): Add new option --inquire.
* agent/call-scd.c (agent_card_pksign): For now return an error if
inquire mode was used.
* agent/command-ssh.c (ssh_handler_sign_request): Make sure
digest.data is cleared.
* agent/divert-scd.c (divert_pksign): Implement inquire mode.
* agent/pksign.c (agent_pksign_do): Ditto.
--

This is required to support EdDSA according to RFC8410.

GnuPG-bug-id: 4888
2020-05-18 19:24:41 +02:00
Daniel Kahn Gillmor
0904b8ef34 Spelling cleanup.
No functional changes, just fixing minor spelling issues.

---

Most of these were identified from the command line by running:

  codespell \
    --ignore-words-list fpr,stati,keyserver,keyservers,asign,cas,iff,ifset \
    --skip '*.po,ChangeLog*,help.*.txt,*.jpg,*.eps,*.pdf,*.png,*.gpg,*.asc' \
    doc g13 g10 kbx agent artwork scd tests tools am common dirmngr sm \
    NEWS README README.maint TODO

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-02-18 18:07:46 -05:00
Werner Koch
638526d37f
agent: Allow signing with card key even without a stub key.
* agent/call-scd.c (agent_card_serialno): Allow NULL for R_SERIAL.
(struct readkey_status_parm_s): New.
(readkey_status_cb): New.
(agent_card_readkey): Add optional arg R_KEYREF and change all
callers.
* agent/findkey.c (key_parms_from_sexp): Allow also a "public-key".
* agent/divert-scd.c (ask_for_card): Allow for SHADOW_INFO being NULL.
* agent/pksign.c (agent_pksign_do): Fallback to sign with an on-card
if there is no stub key yet.  Create the stub key.  Also fixed a
misnaming between s_pkey and s_skey.
--

This change allows to create OpenPGP keys directly from a card without
first making sure that a stub key exists.  It is also the less
surprising behaviour.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-02-13 11:45:41 +01:00
NIIBE Yutaka
15028627a1 agent: handle SSH operation by KEYGRIP.
* agent/command-ssh.c (card_key_available): Supply KEYINFO argument.
Call agent_card_readkey by KEYGRIP of KEYINFO.
Don't use $AUTHKEYID, but IDSTR of KEYINFO.
(ssh_handler_request_identities): Follow the change of
card_key_available.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-01-13 16:47:23 +09:00
NIIBE Yutaka
57b8ed61ab agent: SSH: SCD KEYINFO to list available keys.
* agent/agent.h (agent_card_cardlist): Remove.
(agent_card_keyinfo): Add CAP argument.
* agent/call-scd.c (card_cardlist_cb): Remove.
(agent_card_cardlist): Remove.
(agent_card_keyinfo): Support CAP constraint.
* agent/command-ssh.c (card_key_list): Remove.
(ssh_handler_request_identities): Use SCD KEYINFO command.
* agent/command.c (cmd_keyinfo): Follow the API change.
* agent/divert-scd.c (ask_for_card): Likewise.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-01-09 11:55:42 +09:00
NIIBE Yutaka
479f7bf31c agent: For SSH key, don't put NUL-byte at the end.
* agent/command-ssh.c (ssh_key_to_protected_buffer): Update
the length by the second call of gcry_sexp_sprint.

--

GnuPG-bug-id: 4502
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-05-21 15:50:28 +09:00
Werner Koch
54e96c6fd2
agent: Replace most assert by log_assert.
--
2019-05-14 10:31:46 +02:00
Werner Koch
bdf252e76a
agent: Put Token lines into the key files.
* agent/findkey.c (write_extended_private_key): Add args serialno and
keyref.  Write a Token line if that does not yet exist.
(agent_write_private_key): Add args serialno and keyref and change all
callers.
(agent_write_shadow_key): Skip leading spaces.
* agent/keyformat.txt: Improve extended key format docs.
--

Noet that the extended key forma is the defaqult in 2.3.  This patch
is a first step to better handle tokens which carray the same key.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-05-03 15:54:54 +02:00
Werner Koch
d93797c8a7
ssh: Simplify the curve name lookup.
* agent/command-ssh.c (struct ssh_key_type_spec): Add field
alt_curve_name.
(ssh_key_types): Add some alternate curve names.
(ssh_identifier_from_curve_name): Lookup also bey alternative names
and return the canonical name.
(ssh_key_to_blob): Simplify the ECDSA case by using gcry_pk_get_curve
instead of the explicit mapping.
(ssh_receive_key): Likewise.  Use ssh_identifier_from_curve_name to
validate the curve name.  Remove the reverse mapping because since
GnuPG-2.2 Libgcrypt 1.7 is required.
(ssh_handler_request_identities): Log an error message.
--

This change will make it easier to support other curves, in particular
those from tokens.  Libgcrypt has a large list of alias names which we
now use to to make the mapping more flexible.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-01-17 15:58:30 +01:00
Daniel Kahn Gillmor
54eb375ff1 all: fix spelling and typos
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2018-10-24 15:56:18 -04:00
Werner Koch
7385e1babf
ssh: Fix possible infinite loop in case of an read error.
* agent/command-ssh.c (ssh_handler_add_identity): Handle other errors
than EOF.
--

GnuPG-bug-id: 4221
Signed-off-by: Werner Koch <wk@gnupg.org>
2018-10-24 20:11:33 +02:00
Werner Koch
68b8096b66
agent: Fix build regression for Windows.
* agent/command-ssh.c (get_client_info): Turn client_uid into an int.
Fix setting of it in case of a failed getsocketopt.
* agent/command.c (start_command_handler): Fix setting of the pid and
uid for Windows.
--

Fixes-commit: 28aa6890588cc108639951bb4bef03ac17743046
which obviously was only added to master.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-10-22 17:24:58 +02:00
Werner Koch
36373798c0
Merge branch 'STABLE-BRANCH-2-2' into master
--
Fixed conflicts:
  NEWS            - keep master
  configure.ac    - merge
  g10/card-util.c - mostly 2.2
  g10/sig-check.c - 2.2
2018-04-10 10:14:30 +02:00
Werner Koch
9f69dbeb90
agent: Improve the unknown ssh flag detection.
* agent/command-ssh.c (ssh_handler_sign_request): Simplify detection
of flags.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-04-10 07:59:52 +02:00
Daniel Kahn Gillmor
381c46818f agent: unknown flags on ssh signing requests cause an error.
* agent/command-ssh.c (ssh_handler_sign_request): if a flag is passed
during an signature request that we do not know how to apply, return
GPG_ERR_UNKNOWN_OPTION.

--

https://tools.ietf.org/html/draft-miller-ssh-agent-02#section-4.5 says:

    If the agent does not support the requested flags, or is otherwise
    unable or unwilling to generate the signature (e.g. because it
    doesn't have the specified key, or the user refused confirmation of a
    constrained key), it must reply with a SSH_AGENT_FAILURE message.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
GnuPG-bug-id: 3880
2018-04-09 18:06:38 -04:00
Daniel Kahn Gillmor
55435cdd4f agent: change documentation reference for ssh-agent protocol.
* agent/command-ssh.c: repoint documentation reference.

--

Damien Miller is now documenting the ssh-agent protocol via the IETF.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2018-04-09 18:00:29 -04:00
NIIBE Yutaka
80b775bdbb agent: Support SSH signature flags.
* agent/command-ssh.c (SSH_AGENT_RSA_SHA2_256): New.
(SSH_AGENT_RSA_SHA2_512): New.
(ssh_handler_sign_request): Override SPEC when FLAGS
is specified.

--

GnuPG-bug-id: 3880
Reported-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2018-04-06 14:58:14 +09:00
Werner Koch
d4dc4245bf
Merge branch 'STABLE-BRANCH-2-2' into master 2018-03-27 08:48:00 +02:00
Werner Koch
02dce8c0cc
agent: Make the request origin a part of the cache items.
* agent/cache.c (agent_put_cache): Add arg 'ctrl' and change all
callers to pass it.
(agent_get_cache): Ditto.

* agent/cache.c (struct cache_items_s): Add field 'restricted'.
(housekeeping): Adjust debug output.
(agent_flush_cache): Ditto.
(agent_put_cache): Ditto.  Take RESTRICTED into account.
(agent_get_cache): Ditto.
--

If requests are coming from different sources they should not share the
same cache.  This way we make sure that a Pinentry pops up for a
remote request to a key we have already used locally.

GnuPG-bug-id: 3858
Signed-off-by: Werner Koch <wk@gnupg.org>
2018-03-27 08:40:58 +02:00
NIIBE Yutaka
660eafa3a9 agent: Fix sending connecting process uid to pinentry.
* agent/command-ssh.c (get_client_info): Use LOCAL_PEERCRED.

--

LOCAL_PEERUID was wrong (while there is LOCAL_PEERUUID).
For FreeBSD and macOS, we can use LOCAL_PEERCRED to get uid.

GnuPG-bug-id: 3757
Fixes-commit: 28aa6890588cc108639951bb4bef03ac17743046
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2018-01-26 10:52:56 +09:00
NIIBE Yutaka
c2e69a7a8c Merge branch 'STABLE-BRANCH-2-2' into master
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2018-01-26 10:47:28 +09:00
NIIBE Yutaka
d7207b39b7 agent: Fix last commit.
* configure.ac: Check ucred.h as well as sys/ucred.h.
* agent/command-ssh.c: Add inclusion of ucred.h.

--

It was T2981, adding ucred.h for Solaris.  We also need sys/ucred.h
for FreeBSD and macOS.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2018-01-26 10:42:31 +09:00
NIIBE Yutaka
08e686a6a6 agent: More fix for get_client_pid for portability.
* configure.ac: Check sys/ucred.h instead of ucred.h.
    * agent/command-ssh.c: Include sys/ucred.h.

--

It's *BSD and macOS thing.

Fixes-commit: f7f806afa5083617f4aba02fc3b285b06a7d73d4
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2018-01-26 10:13:34 +09:00
Daniel Kahn Gillmor
28aa689058 agent: Send pinentry the uid of connecting process where possible.
* agent/agent.h (server_control_s): Add field 'client_uid'.
* agent/call-pinentry.c (start_pinentry): Add uid field to assuan
option "owner" sent to pinentry.
* agent/command-ssh.c (peer_info_s): New static struct.
(get_client_pid): Rename to...
(get_client_info): Here, and extract uid in addition to pid.
(start_command_handler_ssh): Use get_client_info() instead of
get_client_pid().
* agent/command.c (start_command_handler): Try assuan_get_peercred,
and only fall back to assuan_get_pid when assuan_get_peercred fails.

--

This also requires an update to pinentry to handle the new uid field.
Distributing the uid as well as the pid makes it harder for a
different user on the same machine to take advantage of any race
conditions between when a requesting process might ask for something
that needs pinentry, and when pinentry gets around to inspecting the
state of that process.

We put the uid before the nodename because the uid is guaranteed to be
a integer (represented in decimal), which makes it much simpler to
parse past than the potentially arbitrarily structured nodename.

Use a / instead of whitespace to delimit pid/uid at Werner's request.

If we were willing to depend on the nodename being
whitespace-delimited (as the current, unreleased pinentry code does),
then we could add the uid after the nodename.  But since no released
pinentry depends on this option anyway, i think we should make the
more conservative, easily-parseable choice and put the user ID first.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-10-19 03:09:44 -04:00
NIIBE Yutaka
328fca1872 agent: Minor fix for Windows.
* agent/command-ssh.c (serve_mmapped_ssh_request): Add const
qualifier.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-07-24 15:26:20 +09:00
Justus Winter
2739647985
agent: Support unprotected ssh keys.
* agent/command-ssh.c (ssh_key_to_protected_buffer): If the empty
passphrase is supplied, do not protect the key.

GnuPG-bug-id: 2856
Signed-off-by: Justus Winter <justus@g10code.com>
2017-06-26 14:56:54 +02:00
Justus Winter
525f2c482a
agent: Make digest algorithms for ssh fingerprints configurable.
* agent/agent.h (opt): New field 'ssh_fingerprint_digest'.
* agent/command-ssh.c (data_sign, ssh_identity_register): Honor the
option for strings used to communicate with the user.
* agent/findkey.c (agent_modify_description): Likewise.
* agent/gpg-agent.c (cmd_and_opt_values): New value.
(opts): New option '--ssh-fingerprint-digest'.
(parse_rereadable_options): Set the default to MD5 for now.
(main): Handle the new option.
* doc/gpg-agent.texi: Document the new option.
--

OpenSSH has transitioned from using MD5 to compute key fingerprints to
SHA256.  This patch makes the digest used when communicating key
fingerprints to the user (e.g. in pinentry dialogs) configurable.
For now this patch conservatively defaults to MD5.

GnuPG-bug-id: 2106
Signed-off-by: Justus Winter <justus@g10code.com>
2017-05-24 18:09:07 +02:00
Justus Winter
a5f046d99a
agent: Write both ssh fingerprints to 'sshcontrol' file.
* agent/command-ssh.c (add_control_entry): Hand in the key, write both
the MD5- and the SHA256-based fingerprint to the 'sshcontrol' file
when adding ssh keys.
(ssh_identity_register): Adapt callsite.

GnuPG-bug-id: 2106
Signed-off-by: Justus Winter <justus@g10code.com>
2017-05-24 17:32:58 +02:00
Justus Winter
3ac1a9d3a0
common: Support different digest algorithms for ssh fingerprints.
* common/ssh-utils.c (get_fingerprint): Add and honor 'algo' parameter.
(ssh_get_fingerprint{,_string}): Likewise.
* common/ssh-utils.h (ssh_get_fingerprint{,_string}): Update prototypes.
* common/t-ssh-utils.c (main): Adapt accordingly.
* agent/command-ssh.c (agent_raw_key_from_file): Likewise.
(ssh_identity_register): Likewise.
* agent/command.c (do_one_keyinfo): Likewise.
* agent/findkey.c (modify_description): Likewise.
--
This lays the foundation to support other algorithms.

GnuPG-bug-id: 2106
Signed-off-by: Justus Winter <justus@g10code.com>
2017-05-24 17:01:48 +02:00