From 525f2c482abb6bc2002eb878b03558fb43e6b004 Mon Sep 17 00:00:00 2001 From: Justus Winter Date: Wed, 24 May 2017 17:48:42 +0200 Subject: agent: Make digest algorithms for ssh fingerprints configurable. * agent/agent.h (opt): New field 'ssh_fingerprint_digest'. * agent/command-ssh.c (data_sign, ssh_identity_register): Honor the option for strings used to communicate with the user. * agent/findkey.c (agent_modify_description): Likewise. * agent/gpg-agent.c (cmd_and_opt_values): New value. (opts): New option '--ssh-fingerprint-digest'. (parse_rereadable_options): Set the default to MD5 for now. (main): Handle the new option. * doc/gpg-agent.texi: Document the new option. -- OpenSSH has transitioned from using MD5 to compute key fingerprints to SHA256. This patch makes the digest used when communicating key fingerprints to the user (e.g. in pinentry dialogs) configurable. For now this patch conservatively defaults to MD5. GnuPG-bug-id: 2106 Signed-off-by: Justus Winter --- agent/command-ssh.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'agent/command-ssh.c') diff --git a/agent/command-ssh.c b/agent/command-ssh.c index b8edd1a3f..e450aed30 100644 --- a/agent/command-ssh.c +++ b/agent/command-ssh.c @@ -2774,7 +2774,7 @@ data_sign (ctrl_t ctrl, ssh_key_type_spec_t *spec, err = agent_raw_key_from_file (ctrl, ctrl->keygrip, &key); if (err) goto out; - err = ssh_get_fingerprint_string (key, GCRY_MD_MD5, &fpr); + err = ssh_get_fingerprint_string (key, opt.ssh_fingerprint_digest, &fpr); if (!err) { gcry_sexp_t tmpsxp = gcry_sexp_find_token (key, "comment", 0); @@ -3052,7 +3052,7 @@ ssh_identity_register (ctrl_t ctrl, ssh_key_type_spec_t *spec, bin2hex (key_grip_raw, 20, key_grip); - err = ssh_get_fingerprint_string (key, GCRY_MD_MD5, &key_fpr); + err = ssh_get_fingerprint_string (key, opt.ssh_fingerprint_digest, &key_fpr); if (err) goto out; -- cgit v1.2.3