-rw-r--r-- | agent/agent.h | 4 | ||||
-rw-r--r-- | agent/command-ssh.c | 4 | ||||
-rw-r--r-- | agent/findkey.c | 3 | ||||
-rw-r--r-- | agent/gpg-agent.c | 9 | ||||
-rw-r--r-- | doc/gpg-agent.texi | 7 |
5 files changed, 24 insertions, 3 deletions
diff --git a/agent/agent.h b/agent/agent.h
index 01e675b52..b95df5700 100644
--- a/agent/agent.h
+++ b/agent/agent.h
@@ -167,6 +167,10 @@ struct
 gpg-agent.c: If the value is less than 2 the name has not yet been malloced. */
 int browser_socket;
+
+ /* The digest algorithm to use for ssh fingerprints when
+ * communicating with the user. */
+ int ssh_fingerprint_digest;
 } opt;
diff --git a/agent/command-ssh.c b/agent/command-ssh.c
index b8edd1a3f..e450aed30 100644
--- a/agent/command-ssh.c
+++ b/agent/command-ssh.c
@@ -2774,7 +2774,7 @@ data_sign (ctrl_t ctrl, ssh_key_type_spec_t *spec,
 err = agent_raw_key_from_file (ctrl, ctrl->keygrip, &key);
 if (err)
 goto out;
- err = ssh_get_fingerprint_string (key, GCRY_MD_MD5, &fpr);
+ err = ssh_get_fingerprint_string (key, opt.ssh_fingerprint_digest, &fpr);
 if (!err)
 {
 gcry_sexp_t tmpsxp = gcry_sexp_find_token (key, "comment", 0);
@@ -3052,7 +3052,7 @@ ssh_identity_register (ctrl_t ctrl, ssh_key_type_spec_t *spec,
 bin2hex (key_grip_raw, 20, key_grip);
- err = ssh_get_fingerprint_string (key, GCRY_MD_MD5, &key_fpr);
+ err = ssh_get_fingerprint_string (key, opt.ssh_fingerprint_digest, &key_fpr);
 if (err)
 goto out;
diff --git a/agent/findkey.c b/agent/findkey.c
index 1f547b06d..cff0a7df8 100644
--- a/agent/findkey.c
+++ b/agent/findkey.c
@@ -412,7 +412,8 @@ agent_modify_description (const char *in, const char *comment,
 case 'F': /* SSH style fingerprint. */
 if (!ssh_fpr && key)
- ssh_get_fingerprint_string (key, GCRY_MD_MD5, &ssh_fpr);
+ ssh_get_fingerprint_string (key, opt.ssh_fingerprint_digest,
+ &ssh_fpr);
 if (ssh_fpr)
 {
 if (out)
diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
index 6ec9b6708..77b811cbb 100644
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@@ -129,6 +129,7 @@ enum cmd_and_opt_values
 oKeepTTY,
 oKeepDISPLAY,
 oSSHSupport,
+ oSSHFingerprintDigest,
 oPuttySupport,
 oDisableScdaemon,
 oDisableCheckOwnSocket,
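Review bot: The comment on the new `ssh_fingerprint_digest` field says what the field is for but not what kind of value it holds or what the default is, which a reader of agent.h cannot see without opening gpg-agent.c. Suggest `/* The libgcrypt digest algorithm id (GCRY_MD_*) used for ssh fingerprints shown to the user; gpg-agent.c resets it to GCRY_MD_MD5 and sets it from --ssh-fingerprint-digest. */`. The struct this field belongs to starts outside the hunk.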
@@ -232,6 +233,8 @@ static ARGPARSE_OPTS opts[] = {
 /* */ N_("allow passphrase to be prompted through Emacs")),
 ARGPARSE_s_n (oSSHSupport, "enable-ssh-support",
 N_("enable ssh support")),
+ ARGPARSE_s_s (oSSHFingerprintDigest, "ssh-fingerprint-digest",
+ N_("digest to use when communicating ssh fingerprints")),
 ARGPARSE_s_n (oPuttySupport, "enable-putty-support",
 #ifdef HAVE_W32_SYSTEM
 /* */ N_("enable putty support")
@@ -800,6 +803,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
 opt.allow_emacs_pinentry = 0;
 opt.disable_scdaemon = 0;
 disable_check_own_socket = 0;
+ opt.ssh_fingerprint_digest = GCRY_MD_MD5;
 return 1;
 }
@@ -1176,6 +1180,11 @@ main (int argc, char **argv )
 case oSSHSupport:
 ssh_support = 1;
 break;
+ case oSSHFingerprintDigest:
+ opt.ssh_fingerprint_digest = gcry_md_map_name (pargs.r.ret_str);
+ if (opt.ssh_fingerprint_digest == 0)
+ log_error ("Unknown digest algorithm: %s\n", pargs.r.ret_str);
+ break;
 case oPuttySupport:
 # ifdef HAVE_W32_SYSTEM
 putty_support = 1;
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index 6ed0ff87e..d61dc85ae 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@@ -636,6 +636,13 @@ and allows the use of gpg-agent with the ssh implementation
 @command{putty}. This is similar to the regular ssh-agent support but makes use of Windows message queue as required by @command{putty}.
+@anchor{option --ssh-fingerprint-digest}
+@item --ssh-fingerprint-digest
+@opindex ssh-fingerprint-digest
+
+Select the digest algorithm used to compute ssh fingerprints that are
+communicated to the user, e.g. in pinentry dialogs. OpenSSH has
+transitioned from using MD5 to the more secure SHA256.
 @end table |
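Review bot: The default `opt.ssh_fingerprint_digest = GCRY_MD_MD5;` is placed in the reset block of parse_rereadable_options, but the `oSSHFingerprintDigest` case that applies the user's value is in main's option switch (the third hunk of this file). If that reset block runs whenever the configuration is re-read, as the function's name and the neighbouring resets of `opt.allow_emacs_pinentry` and `opt.disable_scdaemon` suggest, a reread would silently revert a configured SHA256 back to MD5 because this option is not among the ones parsed again. Moving the `case oSSHFingerprintDigest:` block from main into parse_rereadable_options, alongside the other options whose defaults are reset here, keeps the two in step. parse_rereadable_options's body continues outside the hunk.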
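Review bot: When `gcry_md_map_name` does not recognise the name, `opt.ssh_fingerprint_digest` stays 0 after the `log_error` and the agent keeps running, so the call sites changed in command-ssh.c and findkey.c will later hand algorithm 0 to `ssh_get_fingerprint_string`, and nothing in this commit checks how that function behaves with it. Either make the bad value fatal like other option errors, or fall back explicitly by adding `opt.ssh_fingerprint_digest = GCRY_MD_MD5;` after the `log_error` line (wrapping both statements in braces). A name that maps to a known but unavailable algorithm could be rejected at the same place with `gcry_md_test_algo`. main's option switch continues outside the hunk.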