[people/arne_f/ipfire-3.x.git] / openssh / patches / openssh-5.8p1-fingerprint.patch

diff -up openssh-5.8p1/auth2-hostbased.c.fingerprint openssh-5.8p1/auth2-hostbased.c
--- openssh-5.8p1/auth2-hostbased.c.fingerprint	2010-08-05 05:04:50.000000000 +0200
+++ openssh-5.8p1/auth2-hostbased.c	2011-02-25 09:17:18.000000000 +0100
@@ -196,16 +196,18 @@ hostbased_key_allowed(struct passwd *pw,
 
 	if (host_status == HOST_OK) {
 		if (key_is_cert(key)) {
-			fp = key_fingerprint(key->cert->signature_key,
-			    SSH_FP_MD5, SSH_FP_HEX);
+			fp = key_selected_fingerprint(key->cert->signature_key,
+			    SSH_FP_HEX);
 			verbose("Accepted certificate ID \"%s\" signed by "
-			    "%s CA %s from %s@%s", key->cert->key_id,
-			    key_type(key->cert->signature_key), fp,
+			    "%s CA %s%s from %s@%s", key->cert->key_id,
+			    key_type(key->cert->signature_key),
+			    key_fingerprint_prefix(), fp,
 			    cuser, lookup);
 		} else {
-			fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-			verbose("Accepted %s public key %s from %s@%s",
-			    key_type(key), fp, cuser, lookup);
+			fp = key_selected_fingerprint(key, SSH_FP_HEX);
+			verbose("Accepted %s public key %s%s from %s@%s",
+			    key_type(key), key_fingerprint_prefix(),
+			    fp, cuser, lookup);
 		}
 		xfree(fp);
 	}
diff -up openssh-5.8p1/auth2-pubkey.c.fingerprint openssh-5.8p1/auth2-pubkey.c
--- openssh-5.8p1/auth2-pubkey.c.fingerprint	2010-12-01 01:50:14.000000000 +0100
+++ openssh-5.8p1/auth2-pubkey.c	2011-02-25 09:17:18.000000000 +0100
@@ -319,10 +319,10 @@ user_key_allowed2(struct passwd *pw, Key
 				continue;
 			if (!key_is_cert_authority)
 				continue;
-			fp = key_fingerprint(found, SSH_FP_MD5,
-			    SSH_FP_HEX);
-			debug("matching CA found: file %s, line %lu, %s %s",
-			    file, linenum, key_type(found), fp);
+			fp = key_selected_fingerprint(found, SSH_FP_HEX);
+			debug("matching CA found: file %s, line %lu, %s %s%s",
+			    file, linenum, key_type(found),
+			    key_fingerprint_prefix(), fp);
 			/*
 			 * If the user has specified a list of principals as
 			 * a key option, then prefer that list to matching
@@ -362,9 +362,9 @@ user_key_allowed2(struct passwd *pw, Key
 			found_key = 1;
 			debug("matching key found: file %s, line %lu",
 			    file, linenum);
-			fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
-			verbose("Found matching %s key: %s",
-			    key_type(found), fp);
+			fp = key_selected_fingerprint(found, SSH_FP_HEX);
+			verbose("Found matching %s key: %s%s",
+			    key_type(found), key_fingerprint_prefix(), fp);
 			xfree(fp);
 			break;
 		}
@@ -388,13 +388,13 @@ user_cert_trusted_ca(struct passwd *pw, 
 	if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
 		return 0;
 
-	ca_fp = key_fingerprint(key->cert->signature_key,
-	    SSH_FP_MD5, SSH_FP_HEX);
+	ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
 
 	if (key_in_file(key->cert->signature_key,
 	    options.trusted_user_ca_keys, 1) != 1) {
-		debug2("%s: CA %s %s is not listed in %s", __func__,
-		    key_type(key->cert->signature_key), ca_fp,
+		debug2("%s: CA %s%s %s is not listed in %s", __func__,
+		    key_type(key->cert->signature_key),
+		    key_fingerprint_prefix(), ca_fp,
 		    options.trusted_user_ca_keys);
 		goto out;
 	}
diff -up openssh-5.8p1/auth.c.fingerprint openssh-5.8p1/auth.c
--- openssh-5.8p1/auth.c.fingerprint	2010-12-01 02:21:51.000000000 +0100
+++ openssh-5.8p1/auth.c	2011-02-25 09:17:18.000000000 +0100
@@ -639,9 +639,10 @@ auth_key_is_revoked(Key *key)
 		return 1;
 	case 1:
 		/* Key revoked */
-		key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+		key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
 		error("WARNING: authentication attempt with a revoked "
-		    "%s key %s ", key_type(key), key_fp);
+		    "%s key %s%s ", key_type(key),
+		    key_fingerprint_prefix(), key_fp);
 		xfree(key_fp);
 		return 1;
 	}
diff -up openssh-5.8p1/auth-rsa.c.fingerprint openssh-5.8p1/auth-rsa.c
--- openssh-5.8p1/auth-rsa.c.fingerprint	2010-12-04 23:01:47.000000000 +0100
+++ openssh-5.8p1/auth-rsa.c	2011-02-25 09:17:18.000000000 +0100
@@ -318,9 +318,9 @@ auth_rsa(Authctxt *authctxt, BIGNUM *cli
 	 * options; this will be reset if the options cause the
 	 * authentication to be rejected.
 	 */
-	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-	verbose("Found matching %s key: %s",
-	    key_type(key), fp);
+	fp = key_selected_fingerprint(key, SSH_FP_HEX);
+	verbose("Found matching %s key: %s%s",
+	    key_type(key), key_fingerprint_prefix(), fp);
 	xfree(fp);
 	key_free(key);
 
diff -up openssh-5.8p1/key.c.fingerprint openssh-5.8p1/key.c
--- openssh-5.8p1/key.c.fingerprint	2011-02-04 01:48:34.000000000 +0100
+++ openssh-5.8p1/key.c	2011-02-25 09:18:16.000000000 +0100
@@ -594,6 +594,34 @@ key_fingerprint(Key *k, enum fp_type dgs
 	return retval;
 }
 
+enum fp_type
+key_fingerprint_selection(void)
+{
+	static enum fp_type rv;
+	static char rv_defined = 0;
+	char *env;
+
+	if (!rv_defined) {
+		env = getenv("SSH_FINGERPRINT_TYPE");
+		rv = (env && !strcmp (env, "sha")) ?
+			SSH_FP_SHA1 : SSH_FP_MD5;
+		rv_defined = 1;
+	}
+	return rv;
+}
+
+char *
+key_selected_fingerprint(Key *k, enum fp_rep dgst_rep)
+{
+	return key_fingerprint(k, key_fingerprint_selection(), dgst_rep);
+}
+
+char *
+key_fingerprint_prefix(void)
+{
+	return key_fingerprint_selection() == SSH_FP_SHA1 ? "sha1:" : "";
+}
+
 /*
  * Reads a multiple-precision integer in decimal from the buffer, and advances
  * the pointer.  The integer must already be initialized.  This function is
diff -up openssh-5.8p1/key.h.fingerprint openssh-5.8p1/key.h
--- openssh-5.8p1/key.h.fingerprint	2010-11-05 00:19:49.000000000 +0100
+++ openssh-5.8p1/key.h	2011-02-25 09:17:18.000000000 +0100
@@ -96,6 +96,9 @@ int		 key_equal_public(const Key *, cons
 int		 key_equal(const Key *, const Key *);
 char		*key_fingerprint(Key *, enum fp_type, enum fp_rep);
 u_char		*key_fingerprint_raw(Key *, enum fp_type, u_int *);
+enum fp_type	 key_fingerprint_selection(void);
+char		*key_selected_fingerprint(Key *, enum fp_rep);
+char		*key_fingerprint_prefix(void);
 const char	*key_type(const Key *);
 const char	*key_cert_type(const Key *);
 int		 key_write(const Key *, FILE *);
diff -up openssh-5.8p1/ssh-add.c.fingerprint openssh-5.8p1/ssh-add.c
--- openssh-5.8p1/ssh-add.c.fingerprint	2010-11-11 04:17:02.000000000 +0100
+++ openssh-5.8p1/ssh-add.c	2011-02-25 09:17:18.000000000 +0100
@@ -280,10 +280,10 @@ list_identities(AuthenticationConnection
 		    key = ssh_get_next_identity(ac, &comment, version)) {
 			had_identities = 1;
 			if (do_fp) {
-				fp = key_fingerprint(key, SSH_FP_MD5,
-				    SSH_FP_HEX);
-				printf("%d %s %s (%s)\n",
-				    key_size(key), fp, comment, key_type(key));
+				fp = key_selected_fingerprint(key, SSH_FP_HEX);
+				printf("%d %s%s %s (%s)\n",
+				    key_size(key), key_fingerprint_prefix(),
+				    fp, comment, key_type(key));
 				xfree(fp);
 			} else {
 				if (!key_write(key, stdout))
diff -up openssh-5.8p1/ssh-agent.c.fingerprint openssh-5.8p1/ssh-agent.c
--- openssh-5.8p1/ssh-agent.c.fingerprint	2010-12-01 01:50:35.000000000 +0100
+++ openssh-5.8p1/ssh-agent.c	2011-02-25 09:17:18.000000000 +0100
@@ -199,9 +199,9 @@ confirm_key(Identity *id)
 	char *p;
 	int ret = -1;
 
-	p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
-	if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
-	    id->comment, p))
+	p = key_selected_fingerprint(id->key, SSH_FP_HEX);
+	if (ask_permission("Allow use of key %s?\nKey fingerprint %s%s.",
+	    id->comment, key_fingerprint_prefix(), p))
 		ret = 0;
 	xfree(p);
 
diff -up openssh-5.8p1/sshconnect2.c.fingerprint openssh-5.8p1/sshconnect2.c
--- openssh-5.8p1/sshconnect2.c.fingerprint	2010-12-01 02:21:51.000000000 +0100
+++ openssh-5.8p1/sshconnect2.c	2011-02-25 09:17:18.000000000 +0100
@@ -590,8 +590,9 @@ input_userauth_pk_ok(int type, u_int32_t
 		    key->type, pktype);
 		goto done;
 	}
-	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-	debug2("input_userauth_pk_ok: fp %s", fp);
+	fp = key_selected_fingerprint(key, SSH_FP_HEX);
+	debug2("input_userauth_pk_ok: fp %s%s",
+	    key_fingerprint_prefix(), fp);
 	xfree(fp);
 
 	/*
@@ -1203,8 +1204,9 @@ sign_and_send_pubkey(Authctxt *authctxt,
 	int have_sig = 1;
 	char *fp;
 
-	fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
-	debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
+	fp = key_selected_fingerprint(id->key, SSH_FP_HEX);
+	debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key),
+	    key_fingerprint_prefix(), fp);
 	xfree(fp);
 
 	if (key_to_blob(id->key, &blob, &bloblen) == 0) {
diff -up openssh-5.8p1/sshconnect.c.fingerprint openssh-5.8p1/sshconnect.c
--- openssh-5.8p1/sshconnect.c.fingerprint	2011-01-16 13:17:59.000000000 +0100
+++ openssh-5.8p1/sshconnect.c	2011-02-25 09:17:18.000000000 +0100
@@ -798,10 +798,10 @@ check_host_key(char *hostname, struct so
 				    "key for IP address '%.128s' to the list "
 				    "of known hosts.", type, ip);
 		} else if (options.visual_host_key) {
-			fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-			ra = key_fingerprint(host_key, SSH_FP_MD5,
-			    SSH_FP_RANDOMART);
-			logit("Host key fingerprint is %s\n%s\n", fp, ra);
+			fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+			ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
+			logit("Host key fingerprint is %s%s\n%s\n",
+			    key_fingerprint_prefix(), fp, ra);
 			xfree(ra);
 			xfree(fp);
 		}
@@ -838,9 +838,8 @@ check_host_key(char *hostname, struct so
 			else
 				snprintf(msg1, sizeof(msg1), ".");
 			/* The default */
-			fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-			ra = key_fingerprint(host_key, SSH_FP_MD5,
-			    SSH_FP_RANDOMART);
+			fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+			ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
 			msg2[0] = '\0';
 			if (options.verify_host_key_dns) {
 				if (matching_host_key_dns)
@@ -855,10 +854,11 @@ check_host_key(char *hostname, struct so
 			snprintf(msg, sizeof(msg),
 			    "The authenticity of host '%.200s (%s)' can't be "
 			    "established%s\n"
-			    "%s key fingerprint is %s.%s%s\n%s"
+			    "%s key fingerprint is %s%s.%s%s\n%s"
 			    "Are you sure you want to continue connecting "
 			    "(yes/no)? ",
-			    host, ip, msg1, type, fp,
+			    host, ip, msg1, type,
+			    key_fingerprint_prefix(), fp,
 			    options.visual_host_key ? "\n" : "",
 			    options.visual_host_key ? ra : "",
 			    msg2);
@@ -1104,8 +1104,9 @@ verify_host_key(char *host, struct socka
 	int flags = 0;
 	char *fp;
 
-	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-	debug("Server host key: %s %s", key_type(host_key), fp);
+	fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+	debug("Server host key: %s %s%s", key_type(host_key),
+	    key_fingerprint_prefix(), fp);
 	xfree(fp);
 
 	/* XXX certs are not yet supported for DNS */
@@ -1214,14 +1215,15 @@ show_other_keys(struct hostkeys *hostkey
 			continue;
 		if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
 			continue;
-		fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
-		ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
+		fp = key_selected_fingerprint(found->key, SSH_FP_HEX);
+		ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART);
 		logit("WARNING: %s key found for host %s\n"
 		    "in %s:%lu\n"
-		    "%s key fingerprint %s.",
+		    "%s key fingerprint %s%s.",
 		    key_type(found->key),
 		    found->host, found->file, found->line,
-		    key_type(found->key), fp);
+		    key_type(found->key),
+		    key_fingerprint_prefix(), fp);
 		if (options.visual_host_key)
 			logit("%s", ra);
 		xfree(ra);
@@ -1236,7 +1238,7 @@ warn_changed_key(Key *host_key)
 {
 	char *fp;
 
-	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+	fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
 
 	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
 	error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");
@@ -1244,8 +1246,8 @@ warn_changed_key(Key *host_key)
 	error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
 	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
 	error("It is also possible that a host key has just been changed.");
-	error("The fingerprint for the %s key sent by the remote host is\n%s.",
-	    key_type(host_key), fp);
+	error("The fingerprint for the %s key sent by the remote host is\n%s%s.",
+	    key_type(host_key),key_fingerprint_prefix(),  fp);
 	error("Please contact your system administrator.");
 
 	xfree(fp);
diff -up openssh-5.8p1/ssh-keygen.c.fingerprint openssh-5.8p1/ssh-keygen.c
--- openssh-5.8p1/ssh-keygen.c.fingerprint	2011-01-11 07:20:31.000000000 +0100
+++ openssh-5.8p1/ssh-keygen.c	2011-02-25 09:17:18.000000000 +0100
@@ -714,13 +714,14 @@ do_fingerprint(struct passwd *pw)
 {
 	FILE *f;
 	Key *public;
-	char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;
+	char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra, *pfx;
 	int i, skip = 0, num = 0, invalid = 1;
 	enum fp_rep rep;
 	enum fp_type fptype;
 	struct stat st;
 
-	fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
+	fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
+	pfx =	 print_bubblebabble ? "" : key_fingerprint_prefix();
 	rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
 
 	if (!have_identity)
@@ -732,8 +733,8 @@ do_fingerprint(struct passwd *pw)
 	public = key_load_public(identity_file, &comment);
 	if (public != NULL) {
 		fp = key_fingerprint(public, fptype, rep);
-		ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
-		printf("%u %s %s (%s)\n", key_size(public), fp, comment,
+		ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
+		printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, comment,
 		    key_type(public));
 		if (log_level >= SYSLOG_LEVEL_VERBOSE)
 			printf("%s\n", ra);
@@ -798,8 +799,8 @@ do_fingerprint(struct passwd *pw)
 		}
 		comment = *cp ? cp : comment;
 		fp = key_fingerprint(public, fptype, rep);
-		ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
-		printf("%u %s %s (%s)\n", key_size(public), fp,
+		ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
+		printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp,
 		    comment ? comment : "no comment", key_type(public));
 		if (log_level >= SYSLOG_LEVEL_VERBOSE)
 			printf("%s\n", ra);
@@ -823,13 +824,15 @@ printhost(FILE *f, const char *name, Key
 	if (print_fingerprint) {
 		enum fp_rep rep;
 		enum fp_type fptype;
-		char *fp, *ra;
+		char *fp, *ra, *pfx;
 
-		fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
+		fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
+		pfx =	 print_bubblebabble ? "" : key_fingerprint_prefix();
 		rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
+
 		fp = key_fingerprint(public, fptype, rep);
-		ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
-		printf("%u %s %s (%s)\n", key_size(public), fp, name,
+		ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
+		printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, name,
 		    key_type(public));
 		if (log_level >= SYSLOG_LEVEL_VERBOSE)
 			printf("%s\n", ra);
@@ -1695,16 +1698,17 @@ do_show_cert(struct passwd *pw)
 		fatal("%s is not a certificate", identity_file);
 	v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
 
-	key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-	ca_fp = key_fingerprint(key->cert->signature_key,
-	    SSH_FP_MD5, SSH_FP_HEX);
+	key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
+	ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
 
 	printf("%s:\n", identity_file);
 	printf("        Type: %s %s certificate\n", key_ssh_name(key),
 	    key_cert_type(key));
-	printf("        Public key: %s %s\n", key_type(key), key_fp);
-	printf("        Signing CA: %s %s\n",
-	    key_type(key->cert->signature_key), ca_fp);
+	printf("        Public key: %s %s%s\n", key_type(key),
+	    key_fingerprint_prefix(), key_fp);
+	printf("        Signing CA: %s %s%s\n",
+	    key_type(key->cert->signature_key),
+	    key_fingerprint_prefix(), ca_fp);
 	printf("        Key ID: \"%s\"\n", key->cert->key_id);
 	if (!v00) {
 		printf("        Serial: %llu\n",
@@ -2249,13 +2253,12 @@ passphrase_again:
 	fclose(f);
 
 	if (!quiet) {
-		char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
-		char *ra = key_fingerprint(public, SSH_FP_MD5,
-		    SSH_FP_RANDOMART);
+		char *fp = key_selected_fingerprint(public, SSH_FP_HEX);
+		char *ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
 		printf("Your public key has been saved in %s.\n",
 		    identity_file);
 		printf("The key fingerprint is:\n");
-		printf("%s %s\n", fp, comment);
+		printf("%s%s %s\n", key_fingerprint_prefix(), fp, comment);
 		printf("The key's randomart image is:\n");
 		printf("%s\n", ra);
 		xfree(ra);
Commit	Line	Data
852f4e06 SS	1	diff -up openssh-5.8p1/auth2-hostbased.c.fingerprint openssh-5.8p1/auth2-hostbased.c
	2	--- openssh-5.8p1/auth2-hostbased.c.fingerprint 2010-08-05 05:04:50.000000000 +0200
	3	+++ openssh-5.8p1/auth2-hostbased.c 2011-02-25 09:17:18.000000000 +0100
	4	@@ -196,16 +196,18 @@ hostbased_key_allowed(struct passwd *pw,
	5
	6	if (host_status == HOST_OK) {
	7	if (key_is_cert(key)) {
	8	- fp = key_fingerprint(key->cert->signature_key,
	9	- SSH_FP_MD5, SSH_FP_HEX);
	10	+ fp = key_selected_fingerprint(key->cert->signature_key,
	11	+ SSH_FP_HEX);
	12	verbose("Accepted certificate ID \"%s\" signed by "
	13	- "%s CA %s from %s@%s", key->cert->key_id,
	14	- key_type(key->cert->signature_key), fp,
	15	+ "%s CA %s%s from %s@%s", key->cert->key_id,
	16	+ key_type(key->cert->signature_key),
	17	+ key_fingerprint_prefix(), fp,
	18	cuser, lookup);
	19	} else {
	20	- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
	21	- verbose("Accepted %s public key %s from %s@%s",
	22	- key_type(key), fp, cuser, lookup);
	23	+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
	24	+ verbose("Accepted %s public key %s%s from %s@%s",
	25	+ key_type(key), key_fingerprint_prefix(),
	26	+ fp, cuser, lookup);
	27	}
	28	xfree(fp);
	29	}
	30	diff -up openssh-5.8p1/auth2-pubkey.c.fingerprint openssh-5.8p1/auth2-pubkey.c
	31	--- openssh-5.8p1/auth2-pubkey.c.fingerprint 2010-12-01 01:50:14.000000000 +0100
	32	+++ openssh-5.8p1/auth2-pubkey.c 2011-02-25 09:17:18.000000000 +0100
	33	@@ -319,10 +319,10 @@ user_key_allowed2(struct passwd *pw, Key
	34	continue;
	35	if (!key_is_cert_authority)
	36	continue;
	37	- fp = key_fingerprint(found, SSH_FP_MD5,
	38	- SSH_FP_HEX);
	39	- debug("matching CA found: file %s, line %lu, %s %s",
	40	- file, linenum, key_type(found), fp);
	41	+ fp = key_selected_fingerprint(found, SSH_FP_HEX);
	42	+ debug("matching CA found: file %s, line %lu, %s %s%s",
	43	+ file, linenum, key_type(found),
	44	+ key_fingerprint_prefix(), fp);
	45	/*
	46	* If the user has specified a list of principals as
	47	* a key option, then prefer that list to matching
	48	@@ -362,9 +362,9 @@ user_key_allowed2(struct passwd *pw, Key
	49	found_key = 1;
	50	debug("matching key found: file %s, line %lu",
	51	file, linenum);
	52	- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
	53	- verbose("Found matching %s key: %s",
	54	- key_type(found), fp);
	55	+ fp = key_selected_fingerprint(found, SSH_FP_HEX);
	56	+ verbose("Found matching %s key: %s%s",
	57	+ key_type(found), key_fingerprint_prefix(), fp);
	58	xfree(fp);
	59	break;
	60	}
	61	@@ -388,13 +388,13 @@ user_cert_trusted_ca(struct passwd *pw,
	62	if (!key_is_cert(key) \|\| options.trusted_user_ca_keys == NULL)
	63	return 0;
	64
65	- ca_fp = key_fingerprint(key->cert->signature_key,
66	- SSH_FP_MD5, SSH_FP_HEX);
67	+ ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
68
69	if (key_in_file(key->cert->signature_key,
70	options.trusted_user_ca_keys, 1) != 1) {
71	- debug2("%s: CA %s %s is not listed in %s", __func__,
72	- key_type(key->cert->signature_key), ca_fp,
73	+ debug2("%s: CA %s%s %s is not listed in %s", __func__,
74	+ key_type(key->cert->signature_key),
75	+ key_fingerprint_prefix(), ca_fp,
76	options.trusted_user_ca_keys);
77	goto out;
78	}
79	diff -up openssh-5.8p1/auth.c.fingerprint openssh-5.8p1/auth.c
80	--- openssh-5.8p1/auth.c.fingerprint 2010-12-01 02:21:51.000000000 +0100
81	+++ openssh-5.8p1/auth.c 2011-02-25 09:17:18.000000000 +0100
82	@@ -639,9 +639,10 @@ auth_key_is_revoked(Key *key)
83	return 1;
84	case 1:
85	/* Key revoked */
86	- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
87	+ key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
88	error("WARNING: authentication attempt with a revoked "
89	- "%s key %s ", key_type(key), key_fp);
90	+ "%s key %s%s ", key_type(key),
91	+ key_fingerprint_prefix(), key_fp);
92	xfree(key_fp);
93	return 1;
94	}
95	diff -up openssh-5.8p1/auth-rsa.c.fingerprint openssh-5.8p1/auth-rsa.c
96	--- openssh-5.8p1/auth-rsa.c.fingerprint 2010-12-04 23:01:47.000000000 +0100
97	+++ openssh-5.8p1/auth-rsa.c 2011-02-25 09:17:18.000000000 +0100
98	@@ -318,9 +318,9 @@ auth_rsa(Authctxt authctxt, BIGNUM cli
99	* options; this will be reset if the options cause the
100	* authentication to be rejected.
101	*/
102	- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
103	- verbose("Found matching %s key: %s",
104	- key_type(key), fp);
105	+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
106	+ verbose("Found matching %s key: %s%s",
107	+ key_type(key), key_fingerprint_prefix(), fp);
108	xfree(fp);
109	key_free(key);
110
111	diff -up openssh-5.8p1/key.c.fingerprint openssh-5.8p1/key.c
112	--- openssh-5.8p1/key.c.fingerprint 2011-02-04 01:48:34.000000000 +0100
113	+++ openssh-5.8p1/key.c 2011-02-25 09:18:16.000000000 +0100
114	@@ -594,6 +594,34 @@ key_fingerprint(Key *k, enum fp_type dgs
115	return retval;
116	}
117
118	+enum fp_type
119	+key_fingerprint_selection(void)
120	+{
121	+ static enum fp_type rv;
122	+ static char rv_defined = 0;
123	+ char *env;
124	+
125	+ if (!rv_defined) {
126	+ env = getenv("SSH_FINGERPRINT_TYPE");
127	+ rv = (env && !strcmp (env, "sha")) ?
128	+ SSH_FP_SHA1 : SSH_FP_MD5;
129	+ rv_defined = 1;
130	+ }
131	+ return rv;
132	+}
133	+
134	+char *
135	+key_selected_fingerprint(Key *k, enum fp_rep dgst_rep)
136	+{
137	+ return key_fingerprint(k, key_fingerprint_selection(), dgst_rep);
138	+}
139	+
140	+char *
141	+key_fingerprint_prefix(void)
142	+{
143	+ return key_fingerprint_selection() == SSH_FP_SHA1 ? "sha1:" : "";
144	+}
145	+
146	/*
147	* Reads a multiple-precision integer in decimal from the buffer, and advances
148	* the pointer. The integer must already be initialized. This function is
149	diff -up openssh-5.8p1/key.h.fingerprint openssh-5.8p1/key.h
150	--- openssh-5.8p1/key.h.fingerprint 2010-11-05 00:19:49.000000000 +0100
151	+++ openssh-5.8p1/key.h 2011-02-25 09:17:18.000000000 +0100
152	@@ -96,6 +96,9 @@ int key_equal_public(const Key *, cons
153	int key_equal(const Key , const Key );
154	char key_fingerprint(Key , enum fp_type, enum fp_rep);
155	u_char key_fingerprint_raw(Key , enum fp_type, u_int *);
156	+enum fp_type key_fingerprint_selection(void);
157	+char key_selected_fingerprint(Key , enum fp_rep);
158	+char *key_fingerprint_prefix(void);
159	const char key_type(const Key );
160	const char key_cert_type(const Key );
161	int key_write(const Key , FILE );
162	diff -up openssh-5.8p1/ssh-add.c.fingerprint openssh-5.8p1/ssh-add.c
163	--- openssh-5.8p1/ssh-add.c.fingerprint 2010-11-11 04:17:02.000000000 +0100
164	+++ openssh-5.8p1/ssh-add.c 2011-02-25 09:17:18.000000000 +0100
165	@@ -280,10 +280,10 @@ list_identities(AuthenticationConnection
166	key = ssh_get_next_identity(ac, &comment, version)) {
167	had_identities = 1;
168	if (do_fp) {
169	- fp = key_fingerprint(key, SSH_FP_MD5,
170	- SSH_FP_HEX);
171	- printf("%d %s %s (%s)\n",
172	- key_size(key), fp, comment, key_type(key));
173	+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
174	+ printf("%d %s%s %s (%s)\n",
175	+ key_size(key), key_fingerprint_prefix(),
176	+ fp, comment, key_type(key));
177	xfree(fp);
178	} else {
179	if (!key_write(key, stdout))
180	diff -up openssh-5.8p1/ssh-agent.c.fingerprint openssh-5.8p1/ssh-agent.c
181	--- openssh-5.8p1/ssh-agent.c.fingerprint 2010-12-01 01:50:35.000000000 +0100
182	+++ openssh-5.8p1/ssh-agent.c 2011-02-25 09:17:18.000000000 +0100
183	@@ -199,9 +199,9 @@ confirm_key(Identity *id)
184	char *p;
185	int ret = -1;
186
187	- p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
188	- if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
189	- id->comment, p))
190	+ p = key_selected_fingerprint(id->key, SSH_FP_HEX);
191	+ if (ask_permission("Allow use of key %s?\nKey fingerprint %s%s.",
192	+ id->comment, key_fingerprint_prefix(), p))
193	ret = 0;
194	xfree(p);
195
196	diff -up openssh-5.8p1/sshconnect2.c.fingerprint openssh-5.8p1/sshconnect2.c
197	--- openssh-5.8p1/sshconnect2.c.fingerprint 2010-12-01 02:21:51.000000000 +0100
198	+++ openssh-5.8p1/sshconnect2.c 2011-02-25 09:17:18.000000000 +0100
199	@@ -590,8 +590,9 @@ input_userauth_pk_ok(int type, u_int32_t
200	key->type, pktype);
201	goto done;
202	}
203	- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
204	- debug2("input_userauth_pk_ok: fp %s", fp);
205	+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
206	+ debug2("input_userauth_pk_ok: fp %s%s",
207	+ key_fingerprint_prefix(), fp);
208	xfree(fp);
209
210	/*
211	@@ -1203,8 +1204,9 @@ sign_and_send_pubkey(Authctxt *authctxt,
212	int have_sig = 1;
213	char *fp;
214
215	- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
216	- debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
217	+ fp = key_selected_fingerprint(id->key, SSH_FP_HEX);
218	+ debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key),
219	+ key_fingerprint_prefix(), fp);
220	xfree(fp);
221
222	if (key_to_blob(id->key, &blob, &bloblen) == 0) {
223	diff -up openssh-5.8p1/sshconnect.c.fingerprint openssh-5.8p1/sshconnect.c
224	--- openssh-5.8p1/sshconnect.c.fingerprint 2011-01-16 13:17:59.000000000 +0100
225	+++ openssh-5.8p1/sshconnect.c 2011-02-25 09:17:18.000000000 +0100
226	@@ -798,10 +798,10 @@ check_host_key(char *hostname, struct so
227	"key for IP address '%.128s' to the list "
228	"of known hosts.", type, ip);
229	} else if (options.visual_host_key) {
230	- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
231	- ra = key_fingerprint(host_key, SSH_FP_MD5,
232	- SSH_FP_RANDOMART);
233	- logit("Host key fingerprint is %s\n%s\n", fp, ra);
234	+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
235	+ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
236	+ logit("Host key fingerprint is %s%s\n%s\n",
237	+ key_fingerprint_prefix(), fp, ra);
238	xfree(ra);
239	xfree(fp);
240	}
241	@@ -838,9 +838,8 @@ check_host_key(char *hostname, struct so
242	else
243	snprintf(msg1, sizeof(msg1), ".");
244	/* The default */
245	- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
246	- ra = key_fingerprint(host_key, SSH_FP_MD5,
247	- SSH_FP_RANDOMART);
248	+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
249	+ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
250	msg2[0] = '\0';
251	if (options.verify_host_key_dns) {
252	if (matching_host_key_dns)
253	@@ -855,10 +854,11 @@ check_host_key(char *hostname, struct so
254	snprintf(msg, sizeof(msg),
255	"The authenticity of host '%.200s (%s)' can't be "
256	"established%s\n"
257	- "%s key fingerprint is %s.%s%s\n%s"
258	+ "%s key fingerprint is %s%s.%s%s\n%s"
259	"Are you sure you want to continue connecting "
260	"(yes/no)? ",
261	- host, ip, msg1, type, fp,
262	+ host, ip, msg1, type,
263	+ key_fingerprint_prefix(), fp,
264	options.visual_host_key ? "\n" : "",
265	options.visual_host_key ? ra : "",
266	msg2);
267	@@ -1104,8 +1104,9 @@ verify_host_key(char *host, struct socka
268	int flags = 0;
269	char *fp;
270
271	- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
272	- debug("Server host key: %s %s", key_type(host_key), fp);
273	+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
274	+ debug("Server host key: %s %s%s", key_type(host_key),
275	+ key_fingerprint_prefix(), fp);
276	xfree(fp);
277
278	/* XXX certs are not yet supported for DNS */
279	@@ -1214,14 +1215,15 @@ show_other_keys(struct hostkeys *hostkey
280	continue;
281	if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
282	continue;
283	- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
284	- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
285	+ fp = key_selected_fingerprint(found->key, SSH_FP_HEX);
286	+ ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART);
287	logit("WARNING: %s key found for host %s\n"
288	"in %s:%lu\n"
289	- "%s key fingerprint %s.",
290	+ "%s key fingerprint %s%s.",
291	key_type(found->key),
292	found->host, found->file, found->line,
293	- key_type(found->key), fp);
294	+ key_type(found->key),
295	+ key_fingerprint_prefix(), fp);
296	if (options.visual_host_key)
297	logit("%s", ra);
298	xfree(ra);
299	@@ -1236,7 +1238,7 @@ warn_changed_key(Key *host_key)
300	{
301	char *fp;
302
303	- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
304	+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
305
306	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
307	error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
308	@@ -1244,8 +1246,8 @@ warn_changed_key(Key *host_key)
309	error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
310	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
311	error("It is also possible that a host key has just been changed.");
312	- error("The fingerprint for the %s key sent by the remote host is\n%s.",
313	- key_type(host_key), fp);
314	+ error("The fingerprint for the %s key sent by the remote host is\n%s%s.",
315	+ key_type(host_key),key_fingerprint_prefix(), fp);
316	error("Please contact your system administrator.");
317
318	xfree(fp);
319	diff -up openssh-5.8p1/ssh-keygen.c.fingerprint openssh-5.8p1/ssh-keygen.c
320	--- openssh-5.8p1/ssh-keygen.c.fingerprint 2011-01-11 07:20:31.000000000 +0100
321	+++ openssh-5.8p1/ssh-keygen.c 2011-02-25 09:17:18.000000000 +0100
322	@@ -714,13 +714,14 @@ do_fingerprint(struct passwd *pw)
323	{
324	FILE *f;
325	Key *public;
326	- char comment = NULL, cp, ep, line[161024], fp, ra;
327	+ char comment = NULL, cp, ep, line[161024], fp, ra, *pfx;
328	int i, skip = 0, num = 0, invalid = 1;
329	enum fp_rep rep;
330	enum fp_type fptype;
331	struct stat st;
332
333	- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
334	+ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
335	+ pfx = print_bubblebabble ? "" : key_fingerprint_prefix();
336	rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
337
338	if (!have_identity)
339	@@ -732,8 +733,8 @@ do_fingerprint(struct passwd *pw)
340	public = key_load_public(identity_file, &comment);
341	if (public != NULL) {
342	fp = key_fingerprint(public, fptype, rep);
343	- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
344	- printf("%u %s %s (%s)\n", key_size(public), fp, comment,
345	+ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
346	+ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, comment,
347	key_type(public));
348	if (log_level >= SYSLOG_LEVEL_VERBOSE)
349	printf("%s\n", ra);
350	@@ -798,8 +799,8 @@ do_fingerprint(struct passwd *pw)
351	}
352	comment = *cp ? cp : comment;
353	fp = key_fingerprint(public, fptype, rep);
354	- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
355	- printf("%u %s %s (%s)\n", key_size(public), fp,
356	+ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
357	+ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp,
358	comment ? comment : "no comment", key_type(public));
359	if (log_level >= SYSLOG_LEVEL_VERBOSE)
360	printf("%s\n", ra);
361	@@ -823,13 +824,15 @@ printhost(FILE f, const char name, Key
362	if (print_fingerprint) {
363	enum fp_rep rep;
364	enum fp_type fptype;
365	- char fp, ra;
366	+ char fp, ra, *pfx;
367
368	- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
369	+ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
370	+ pfx = print_bubblebabble ? "" : key_fingerprint_prefix();
371	rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
372	+
373	fp = key_fingerprint(public, fptype, rep);
374	- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
375	- printf("%u %s %s (%s)\n", key_size(public), fp, name,
376	+ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
377	+ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, name,
378	key_type(public));
379	if (log_level >= SYSLOG_LEVEL_VERBOSE)
380	printf("%s\n", ra);
381	@@ -1695,16 +1698,17 @@ do_show_cert(struct passwd *pw)
382	fatal("%s is not a certificate", identity_file);
383	v00 = key->type == KEY_RSA_CERT_V00 \|\| key->type == KEY_DSA_CERT_V00;
384
385	- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
386	- ca_fp = key_fingerprint(key->cert->signature_key,
387	- SSH_FP_MD5, SSH_FP_HEX);
388	+ key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
389	+ ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
390
391	printf("%s:\n", identity_file);
392	printf(" Type: %s %s certificate\n", key_ssh_name(key),
393	key_cert_type(key));
394	- printf(" Public key: %s %s\n", key_type(key), key_fp);
395	- printf(" Signing CA: %s %s\n",
396	- key_type(key->cert->signature_key), ca_fp);
397	+ printf(" Public key: %s %s%s\n", key_type(key),
398	+ key_fingerprint_prefix(), key_fp);
399	+ printf(" Signing CA: %s %s%s\n",
400	+ key_type(key->cert->signature_key),
401	+ key_fingerprint_prefix(), ca_fp);
402	printf(" Key ID: \"%s\"\n", key->cert->key_id);
403	if (!v00) {
404	printf(" Serial: %llu\n",
405	@@ -2249,13 +2253,12 @@ passphrase_again:
406	fclose(f);
407
408	if (!quiet) {
409	- char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
410	- char *ra = key_fingerprint(public, SSH_FP_MD5,
411	- SSH_FP_RANDOMART);
412	+ char *fp = key_selected_fingerprint(public, SSH_FP_HEX);
413	+ char *ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
414	printf("Your public key has been saved in %s.\n",
415	identity_file);
416	printf("The key fingerprint is:\n");
417	- printf("%s %s\n", fp, comment);
418	+ printf("%s%s %s\n", key_fingerprint_prefix(), fp, comment);
419	printf("The key's randomart image is:\n");
420	printf("%s\n", ra);
421	xfree(ra);