upstream commit

update to new API (key_fingerprint => sshkey_fingerprint) check sshkey_fingerprint return values; ok markus
2025-07-31 01:35:11 +02:00 · 2015-01-28 22:36:00 +00:00 · 2015-01-28 22:36:00 +00:00 · 9ce86c926d
commit 9ce86c926d
parent 9125525c37
12 changed files with 81 additions and 68 deletions
--- a/auth-rsa.c
+++ b/auth-rsa.c
@ -1,4 +1,4 @@
-/* $OpenBSD: auth-rsa.c,v 1.89 2014/12/21 22:27:56 djm Exp $ */
+/* $OpenBSD: auth-rsa.c,v 1.90 2015/01/28 22:36:00 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -238,8 +238,9 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
 			    "actual %d vs. announced %d.",
 			    file, linenum, BN_num_bits(key->rsa->n), bits);
-		fp = key_fingerprint(key, options.fingerprint_hash,
+		if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
-		    SSH_FP_DEFAULT);
+		    SSH_FP_DEFAULT)) == NULL)
 			continue;
 		debug("matching key found: file %s, line %lu %s %s",
 		    file, linenum, key_type(key), fp);
 		free(fp);
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.23 2015/01/28 11:07:25 djm Exp $ */
+/* $OpenBSD: auth2-hostbased.c,v 1.24 2015/01/28 22:36:00 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@ -224,15 +224,17 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
 	if (host_status == HOST_OK) {
 		if (key_is_cert(key)) {
-			fp = key_fingerprint(key->cert->signature_key,
+			if ((fp = sshkey_fingerprint(key->cert->signature_key,
-			    options.fingerprint_hash, SSH_FP_DEFAULT);
+			    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
 				fatal("%s: sshkey_fingerprint fail", __func__);
 			verbose("Accepted certificate ID \"%s\" signed by "
 			    "%s CA %s from %s@%s", key->cert->key_id,
 			    key_type(key->cert->signature_key), fp,
 			    cuser, lookup);
 		} else {
-			fp = key_fingerprint(key, options.fingerprint_hash,
+			if ((fp = sshkey_fingerprint(key,
-			    SSH_FP_DEFAULT);
+			    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
 				fatal("%s: sshkey_fingerprint fail", __func__);
 			verbose("Accepted %s public key %s from %s@%s",
 			    key_type(key), fp, cuser, lookup);
 		}
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.45 2015/01/13 07:39:19 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.46 2015/01/28 22:36:00 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@ -228,18 +228,20 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
 	}
 	if (key_is_cert(key)) {
-		fp = key_fingerprint(key->cert->signature_key,
+		fp = sshkey_fingerprint(key->cert->signature_key,
 		    options.fingerprint_hash, SSH_FP_DEFAULT);
 		auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s", 
 		    key_type(key), key->cert->key_id,
 		    (unsigned long long)key->cert->serial,
-		    key_type(key->cert->signature_key), fp,
+		    key_type(key->cert->signature_key),
 		    fp == NULL ? "(null)" : "",
 		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
 		free(fp);
 	} else {
-		fp = key_fingerprint(key, options.fingerprint_hash,
+		fp = sshkey_fingerprint(key, options.fingerprint_hash,
 		    SSH_FP_DEFAULT);
-		auth_info(authctxt, "%s %s%s%s", key_type(key), fp,
+		auth_info(authctxt, "%s %s%s%s", key_type(key),
 		    fp == NULL ? "(null)" : "",
 		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
 		free(fp);
 	}
@ -382,8 +384,9 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
 				continue;
 			if (!key_is_cert_authority)
 				continue;
-			fp = key_fingerprint(found, options.fingerprint_hash,
+			if ((fp = sshkey_fingerprint(found,
-			    SSH_FP_DEFAULT);
+			    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
 				continue;
 			debug("matching CA found: file %s, line %lu, %s %s",
 			    file, linenum, key_type(found), fp);
 			/*
@ -422,12 +425,13 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
 				continue;
 			if (key_is_cert_authority)
 				continue;
-			found_key = 1;
+			if ((fp = sshkey_fingerprint(found,
-			fp = key_fingerprint(found, options.fingerprint_hash,
+			    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
-			    SSH_FP_DEFAULT);
+				continue;
 			debug("matching key found: file %s, line %lu %s %s",
 			    file, linenum, key_type(found), fp);
 			free(fp);
 			found_key = 1;
 			break;
 		}
 	}
@ -449,8 +453,9 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
 	if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
 		return 0;
-	ca_fp = key_fingerprint(key->cert->signature_key,
+	if ((ca_fp = sshkey_fingerprint(key->cert->signature_key,
-	    options.fingerprint_hash, SSH_FP_DEFAULT);
+	    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
 		return 0;
 	if (sshkey_in_file(key->cert->signature_key,
 	    options.trusted_user_ca_keys, 1, 0) != 0) {
--- a/dns.c
+++ b/dns.c
@ -1,4 +1,4 @@
-/* $OpenBSD: dns.c,v 1.33 2015/01/15 09:40:00 djm Exp $ */
+/* $OpenBSD: dns.c,v 1.34 2015/01/28 22:36:00 djm Exp $ */
 /*
 * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@ -294,7 +294,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 		free(dnskey_digest);
 	}
-	free(hostkey_digest); /* from key_fingerprint_raw() */
+	free(hostkey_digest); /* from sshkey_fingerprint_raw() */
 	freerrset(fingerprints);
 	if (*flags & DNS_VERIFY_FOUND)
@ -337,7 +337,7 @@ export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic)
 			for (i = 0; i < rdata_digest_len; i++)
 				fprintf(f, "%02x", rdata_digest[i]);
 			fprintf(f, "\n");
-			free(rdata_digest); /* from key_fingerprint_raw() */
+			free(rdata_digest); /* from sshkey_fingerprint_raw() */
 			success = 1;
 		}
 	}
--- a/key.c
+++ b/key.c
@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.126 2015/01/20 23:14:00 deraadt Exp $ */
+/* $OpenBSD: key.c,v 1.127 2015/01/28 22:36:00 djm Exp $ */
 /*
 * placed in the public domain
 */
@ -39,23 +39,6 @@ key_new_private(int type)
 	return ret;
 }
 u_char*
 key_fingerprint_raw(const Key *k, int dgst_alg, u_int *dgst_raw_length)
 {
 	u_char *ret = NULL;
 	size_t dlen;
 	int r;
 	if (dgst_raw_length != NULL)
 		*dgst_raw_length = 0;
 	if ((r = sshkey_fingerprint_raw(k, dgst_alg, &ret, &dlen)) != 0)
 		fatal("%s: %s", __func__, ssh_err(r));
 	if (dlen > INT_MAX)
 		fatal("%s: giant len %zu", __func__, dlen);
 	*dgst_raw_length = dlen;
 	return ret;
 }
 int
 key_read(Key *ret, char **cpp)
 {
--- a/key.h
+++ b/key.h
@ -1,4 +1,4 @@
-/* $OpenBSD: key.h,v 1.46 2015/01/13 07:39:19 djm Exp $ */
+/* $OpenBSD: key.h,v 1.47 2015/01/28 22:36:00 djm Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@ -39,7 +39,6 @@ typedef struct sshkey Key;
 #define key_free		sshkey_free
 #define key_equal_public	sshkey_equal_public
 #define key_equal		sshkey_equal
 #define key_fingerprint		sshkey_fingerprint
 #define key_type		sshkey_type
 #define key_cert_type		sshkey_cert_type
 #define key_ssh_name		sshkey_ssh_name
@ -59,14 +58,12 @@ typedef struct sshkey Key;
 #define key_ec_nid_to_hash_alg	sshkey_ec_nid_to_hash_alg
 #define key_dump_ec_point	sshkey_dump_ec_point
 #define key_dump_ec_key		sshkey_dump_ec_key
 #define key_fingerprint		sshkey_fingerprint
 #endif
 void	 key_add_private(Key *);
 Key	*key_new_private(int);
 void	 key_free(Key *);
 Key	*key_demote(const Key *);
 u_char	*key_fingerprint_raw(const Key *, int, u_int *);
 int	 key_write(const Key *, FILE *);
 int	 key_read(Key *, char **);
--- a/ssh-add.c
+++ b/ssh-add.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.117 2015/01/16 06:40:12 deraadt Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.118 2015/01/28 22:36:00 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -375,7 +375,8 @@ list_identities(int agent_fd, int do_fp)
 				fp = sshkey_fingerprint(idlist->keys[i],
 				    fingerprint_hash, SSH_FP_DEFAULT);
 				printf("%d %s %s (%s)\n",
-				    sshkey_size(idlist->keys[i]), fp,
+				    sshkey_size(idlist->keys[i]),
 				    fp == NULL ? "(null)" : fp,
 				    idlist->comments[i],
 				    sshkey_type(idlist->keys[i]));
 				free(fp);
--- a/ssh-agent.c
+++ b/ssh-agent.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.196 2015/01/16 06:40:12 deraadt Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.197 2015/01/28 22:36:00 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -212,7 +212,8 @@ confirm_key(Identity *id)
 	int ret = -1;
 	p = sshkey_fingerprint(id->key, fingerprint_hash, SSH_FP_DEFAULT);
-	if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
+	if (p != NULL &&
 	    ask_permission("Allow use of key %s?\nKey fingerprint %s.",
 	    id->comment, p))
 		ret = 0;
 	free(p);
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.258 2015/01/19 00:32:54 deraadt Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.259 2015/01/28 22:36:00 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -800,6 +800,8 @@ do_download(struct passwd *pw)
 			fp = sshkey_fingerprint(keys[i], fptype, rep);
 			ra = sshkey_fingerprint(keys[i], fingerprint_hash,
 			    SSH_FP_RANDOMART);
 			if (fp == NULL || ra == NULL)
 				fatal("%s: sshkey_fingerprint fail", __func__);
 			printf("%u %s %s (PKCS11 key)\n", sshkey_size(keys[i]),
 			    fp, sshkey_type(keys[i]));
 			if (log_level >= SYSLOG_LEVEL_VERBOSE)
@ -846,6 +848,8 @@ do_fingerprint(struct passwd *pw)
 		fp = sshkey_fingerprint(public, fptype, rep);
 		ra = sshkey_fingerprint(public, fingerprint_hash,
 		    SSH_FP_RANDOMART);
 		if (fp == NULL || ra == NULL)
 			fatal("%s: sshkey_fingerprint fail", __func__);
 		printf("%u %s %s (%s)\n", sshkey_size(public), fp, comment,
 		    sshkey_type(public));
 		if (log_level >= SYSLOG_LEVEL_VERBOSE)
@ -915,6 +919,8 @@ do_fingerprint(struct passwd *pw)
 		fp = sshkey_fingerprint(public, fptype, rep);
 		ra = sshkey_fingerprint(public, fingerprint_hash,
 		    SSH_FP_RANDOMART);
 		if (fp == NULL || ra == NULL)
 			fatal("%s: sshkey_fingerprint fail", __func__);
 		printf("%u %s %s (%s)\n", sshkey_size(public), fp,
 		    comment ? comment : "no comment", sshkey_type(public));
 		if (log_level >= SYSLOG_LEVEL_VERBOSE)
@ -1902,6 +1908,8 @@ do_show_cert(struct passwd *pw)
 	key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);
 	ca_fp = sshkey_fingerprint(key->cert->signature_key,
 	    fingerprint_hash, SSH_FP_DEFAULT);
 	if (key_fp == NULL || ca_fp == NULL)
 		fatal("%s: sshkey_fingerprint fail", __func__);
 	printf("%s:\n", identity_file);
 	printf("        Type: %s %s certificate\n", sshkey_ssh_name(key),
@ -2216,7 +2224,7 @@ main(int argc, char **argv)
 {
 	char dotsshdir[PATH_MAX], comment[1024], *passphrase1, *passphrase2;
 	char *checkpoint = NULL;
-	char out_file[PATH_MAX], *rr_hostname = NULL, *ep;
+	char out_file[PATH_MAX], *rr_hostname = NULL, *ep, *fp, *ra;
 	struct sshkey *private, *public;
 	struct passwd *pw;
 	struct stat st;
@ -2709,10 +2717,12 @@ passphrase_again:
 	fclose(f);
 	if (!quiet) {
-		char *fp = sshkey_fingerprint(public, fingerprint_hash,
+		fp = sshkey_fingerprint(public, fingerprint_hash,
 		    SSH_FP_DEFAULT);
-		char *ra = sshkey_fingerprint(public, fingerprint_hash,
+		ra = sshkey_fingerprint(public, fingerprint_hash,
 		    SSH_FP_RANDOMART);
 		if (fp == NULL || ra == NULL)
 			fatal("sshkey_fingerprint failed");
 		printf("Your public key has been saved in %s.\n",
 		    identity_file);
 		printf("The key fingerprint is:\n");
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keysign.c,v 1.46 2015/01/15 09:40:00 djm Exp $ */
+/* $OpenBSD: ssh-keysign.c,v 1.47 2015/01/28 22:36:00 djm Exp $ */
 /*
 * Copyright (c) 2002 Markus Friedl.  All rights reserved.
 *
@ -274,8 +274,9 @@ main(int argc, char **argv)
 		}
 	}
 	if (!found) {
-		fp = sshkey_fingerprint(key, options.fingerprint_hash,
+		if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
-		    SSH_FP_DEFAULT);
+		    SSH_FP_DEFAULT)) == NULL)
 			fatal("%s: sshkey_fingerprint failed", __func__);
 		fatal("no matching hostkey found for key %s %s",
 		    sshkey_type(key), fp ? fp : "");
 	}
--- a/sshconnect.c
+++ b/sshconnect.c
@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.258 2015/01/26 06:10:03 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.259 2015/01/28 22:36:00 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -770,7 +770,7 @@ get_hostfile_hostname_ipaddr(char *hostname, struct sockaddr *hostaddr,
 		if (options.proxy_command == NULL) {
 			if (getnameinfo(hostaddr, addrlen,
 			    ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0)
-			fatal("check_host_key: getnameinfo failed");
+			fatal("%s: getnameinfo failed", __func__);
 			*hostfile_ipaddr = put_host_port(ntop, port);
 		} else {
 			*hostfile_ipaddr = xstrdup("<no hostip for proxy "
@ -919,10 +919,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
 				    "key for IP address '%.128s' to the list "
 				    "of known hosts.", type, ip);
 		} else if (options.visual_host_key) {
-			fp = key_fingerprint(host_key,
+			fp = sshkey_fingerprint(host_key,
 			    options.fingerprint_hash, SSH_FP_DEFAULT);
-			ra = key_fingerprint(host_key,
+			ra = sshkey_fingerprint(host_key,
 			    options.fingerprint_hash, SSH_FP_RANDOMART);
 			if (fp == NULL || ra == NULL)
 				fatal("%s: sshkey_fingerprint fail", __func__);
 			logit("Host key fingerprint is %s\n%s\n", fp, ra);
 			free(ra);
 			free(fp);
@ -962,10 +964,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
 			else
 				snprintf(msg1, sizeof(msg1), ".");
 			/* The default */
-			fp = key_fingerprint(host_key,
+			fp = sshkey_fingerprint(host_key,
 			    options.fingerprint_hash, SSH_FP_DEFAULT);
-			ra = key_fingerprint(host_key,
+			ra = sshkey_fingerprint(host_key,
 			    options.fingerprint_hash, SSH_FP_RANDOMART);
 			if (fp == NULL || ra == NULL)
 				fatal("%s: sshkey_fingerprint fail", __func__);
 			msg2[0] = '\0';
 			if (options.verify_host_key_dns) {
 				if (matching_host_key_dns)
@ -1399,10 +1403,12 @@ show_other_keys(struct hostkeys *hostkeys, Key *key)
 			continue;
 		if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
 			continue;
-		fp = key_fingerprint(found->key,
+		fp = sshkey_fingerprint(found->key,
 		    options.fingerprint_hash, SSH_FP_DEFAULT);
-		ra = key_fingerprint(found->key,
+		ra = sshkey_fingerprint(found->key,
 		    options.fingerprint_hash, SSH_FP_RANDOMART);
 		if (fp == NULL || ra == NULL)
 			fatal("%s: sshkey_fingerprint fail", __func__);
 		logit("WARNING: %s key found for host %s\n"
 		    "in %s:%lu\n"
 		    "%s key fingerprint %s.",
@ -1423,8 +1429,10 @@ warn_changed_key(Key *host_key)
 {
 	char *fp;
-	fp = key_fingerprint(host_key, options.fingerprint_hash,
+	fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
 	    SSH_FP_DEFAULT);
 	if (fp == NULL)
 		fatal("%s: sshkey_fingerprint fail", __func__);
 	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
 	error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");
--- a/sshconnect2.c
+++ b/sshconnect2.c
@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.221 2015/01/20 20:16:21 markus Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.222 2015/01/28 22:36:00 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 * Copyright (c) 2008 Damien Miller.  All rights reserved.
@ -591,7 +591,9 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
 		    key->type, pktype);
 		goto done;
 	}
-	fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
+	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
 	    SSH_FP_DEFAULT)) == NULL)
 		goto done;
 	debug2("input_userauth_pk_ok: fp %s", fp);
 	free(fp);
@ -1009,7 +1011,9 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
 	int have_sig = 1;
 	char *fp;
-	fp = key_fingerprint(id->key, options.fingerprint_hash, SSH_FP_DEFAULT);
+	if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
 	    SSH_FP_DEFAULT)) == NULL)
 		return 0;
 	debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
 	free(fp);