44 changes: 39 additions & 5 deletions key.c
Expand Up @@ -281,11 +281,8 @@ pamsshagentauth_key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
*dgst_raw_length = 0;

switch (dgst_type) {
case SSH_FP_MD5:
md = EVP_md5();
break;
case SSH_FP_SHA1:
md = EVP_sha1();
case SSH_FP_SHA256:
md = EVP_sha256();
break;
default:
pamsshagentauth_fatal("key_fingerprint_raw: bad digest type %d",
Expand Down Expand Up @@ -337,6 +334,31 @@ pamsshagentauth_key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
return retval;
}

static char *
key_fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
{
char *ret;
size_t plen = strlen(alg) + 1;
size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1;
int r;

if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL)
return NULL;
pamsshagentauth_strlcpy(ret, alg, rlen);
pamsshagentauth_strlcat(ret, ":", rlen);
if (dgst_raw_len == 0)
return ret;
if ((r = pamsshagentauth___b64_ntop(dgst_raw, dgst_raw_len,
ret + plen, rlen - plen)) == -1) {
explicit_bzero(ret, rlen);
free(ret);
return NULL;
}
/* Trim padding characters from end */
ret[strcspn(ret, "=")] = '\0';
return ret;
}

static char *
key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len)
{
Expand Down Expand Up @@ -405,6 +427,7 @@ key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len)
char *
pamsshagentauth_key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
{
const char *dgst_name;
char *retval = NULL;
u_char *dgst_raw;
u_int dgst_raw_len;
Expand All @@ -416,6 +439,16 @@ pamsshagentauth_key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_re
case SSH_FP_HEX:
retval = key_fingerprint_hex(dgst_raw, dgst_raw_len);
break;
case SSH_FP_BASE64:
switch (dgst_type) {
case SSH_FP_SHA256:
dgst_name = "SHA256";
break;
default:
goto done;
}
retval = key_fingerprint_b64(dgst_name, dgst_raw, dgst_raw_len);
break;
case SSH_FP_BUBBLEBABBLE:
retval = key_fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
break;
Expand All @@ -424,6 +457,7 @@ pamsshagentauth_key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_re
dgst_rep);
break;
}
done:
memset(dgst_raw, 0, dgst_raw_len);
pamsshagentauth_xfree(dgst_raw);
return retval;
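Review bot: With the `SSH_FP_MD5` and `SSH_FP_SHA1` cases gone from the switch in pamsshagentauth_key_fingerprint_raw, any caller that still passes one of them now falls into `default:` and ends in `pamsshagentauth_fatal("key_fingerprint_raw: bad digest type %d", ...)`. The key.h section of this change shows no deletions, so those enumerators presumably still exist in `enum fp_type`; a stale call would compile cleanly and fail only at run time, inside a PAM module. Only one call site is updated in this diff, and any others are not visible here. Removing the two enumerators from `enum fp_type` in the same commit would turn a stale caller into a build error, and a comment above the switch such as `/* MD5 and SHA1 fingerprints are no longer supported; SHA256 only */` would record the intent. The function body starts and ends outside this hunk.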
1 change: 1 addition & 0 deletions key.h
Expand Up @@ -50,6 +50,7 @@ enum fp_type {
};
enum fp_rep {
SSH_FP_HEX,
SSH_FP_BASE64,
SSH_FP_BUBBLEBABBLE
};

2 changes: 1 addition & 1 deletion pam_user_key_allowed2.c
Expand Up @@ -102,7 +102,7 @@ pamsshagentauth_check_authkeys_file(FILE * f, char *file, Key * key)
found_key = 1;
pamsshagentauth_logit("matching key found: file/command %s, line %lu", file,
linenum);
fp = pamsshagentauth_key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
fp = pamsshagentauth_key_fingerprint(found, SSH_FP_SHA256, SSH_FP_BASE64);
pamsshagentauth_logit("Found matching %s key: %s",
pamsshagentauth_key_type(found), fp);
pamsshagentauth_xfree(fp);
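Review bot: `fp` is used unchecked in `pamsshagentauth_logit("Found matching %s key: %s", ...)` and then passed to `pamsshagentauth_xfree(fp)`, but the base64 path this line now selects can return NULL: key_fingerprint_b64 in key.c returns NULL when `calloc` or the base64 encoding fails. Passing NULL for `%s` is undefined for printf-style formatting, and whether pamsshagentauth_xfree tolerates NULL is not visible here. Guarding the two calls with `if (fp != NULL) {` ... `}`, or logging a fixed placeholder when `fp` is NULL, keeps a failure in a purely informational log line from disturbing the authentication path after `found_key = 1` has been set. The enclosing function starts and ends outside the hunk.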