From ef5540c185a21c06811a95bbec9941372c2552af Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Sat, 13 Mar 2021 09:57:02 +0000 Subject: [PATCH] cmdgen: support configurable key fingerprint type. I've added the -E option, similar to ssh-keygen's, and cgtest checks it against the OpenSSH version to ensure they match. --- cgtest.c | 60 +++++++++++++++++++++++++++++++++----------------------- cmdgen.c | 17 ++++++++++++++-- 2 files changed, 50 insertions(+), 27 deletions(-) diff --git a/cgtest.c b/cgtest.c index 6de22019..ba87892c 100644 --- a/cgtest.c +++ b/cgtest.c @@ -371,7 +371,7 @@ int main(int argc, char **argv) char filename[128], osfilename[128], scfilename[128]; char pubfilename[128], tmpfilename1[128], tmpfilename2[128]; - char *fp = NULL; + char *fps[SSH_N_FPTYPES]; sprintf(filename, "test-%s.ppk", keytype->name); sprintf(pubfilename, "test-%s.pub", keytype->name); @@ -391,13 +391,14 @@ int main(int argc, char **argv) */ setup_passphrases(NULL); test(0, "puttygen", "-L", filename, "-o", pubfilename, NULL); - { + for (FingerprintType fptype = 0; fptype < SSH_N_FPTYPES; fptype++) { + const char *fpname = (fptype == SSH_FPTYPE_MD5 ? "md5" : "sha256"); char *cmdbuf; - fp = NULL; - cmdbuf = dupprintf("ssh-keygen -E md5 -l -f '%s' > '%s'", - pubfilename, tmpfilename1); + char *fp = NULL; + cmdbuf = dupprintf("ssh-keygen -E %s -l -f '%s' > '%s'", + fpname, pubfilename, tmpfilename1); if (cgtest_verbose) - printf("OpenSSH fp check: %s\n", cmdbuf); + printf("OpenSSH %s fp check: %s\n", fpname, cmdbuf); if (system(cmdbuf) || (fp = get_fp(tmpfilename1, CGT_SSH_KEYGEN | keytype->flags)) == NULL) { @@ -407,10 +408,11 @@ int main(int argc, char **argv) sfree(cmdbuf); if (fp && cgtest_verbose) { char *line = get_line(tmpfilename1); - printf("OpenSSH fp: %s\n", line); + printf("OpenSSH %s fp: %s\n", fpname, line); printf("Cleaned up: %s\n", fp); sfree(line); } + fps[fptype] = fp; } /* @@ -423,17 +425,22 @@ int main(int argc, char **argv) * List the fingerprint of the key. */ setup_passphrases(NULL); - test(0, "puttygen", "-l", filename, "-o", tmpfilename1, NULL); - if (!fp) { - /* - * If we can't test fingerprints against OpenSSH, we - * can at the very least test equality of all the - * fingerprints we generate of this key throughout - * testing. - */ - fp = get_fp(tmpfilename1, 0); - } else { - check_fp(tmpfilename1, fp, "%s initial fp", keytype->name); + for (FingerprintType fptype = 0; fptype < SSH_N_FPTYPES; fptype++) { + const char *fpname = (fptype == SSH_FPTYPE_MD5 ? "md5" : "sha256"); + test(0, "puttygen", "-E", fpname, "-l", filename, + "-o", tmpfilename1, NULL); + if (!fps[fptype]) { + /* + * If we can't test fingerprints against OpenSSH, we + * can at the very least test equality of all the + * fingerprints we generate of this key throughout + * testing. + */ + fps[fptype] = get_fp(tmpfilename1, 0); + } else { + check_fp(tmpfilename1, fps[fptype], "%s initial %s fp", + keytype->name, fpname); + } } /* @@ -486,7 +493,8 @@ int main(int argc, char **argv) */ setup_passphrases(NULL); test(0, "puttygen", "-l", osfilename, "-o", tmpfilename1, NULL); - check_fp(tmpfilename1, fp, "%s openssh clear fp", keytype->name); + check_fp(tmpfilename1, fps[SSH_FPTYPE_DEFAULT], + "%s openssh clear fp", keytype->name); /* * List the public half of the OpenSSH-formatted key in @@ -518,7 +526,8 @@ int main(int argc, char **argv) */ setup_passphrases(NULL); test(0, "puttygen", "-l", scfilename, "-o", tmpfilename1, NULL); - check_fp(tmpfilename1, fp, "%s ssh.com clear fp", keytype->name); + check_fp(tmpfilename1, fps[SSH_FPTYPE_DEFAULT], + "%s ssh.com clear fp", keytype->name); /* * List the public half of the ssh.com-formatted key in @@ -630,8 +639,8 @@ int main(int argc, char **argv) */ setup_passphrases("sponge2", NULL); test(0, "puttygen", "-l", osfilename, "-o", tmpfilename1, NULL); - check_fp(tmpfilename1, fp, "%s openssh encrypted fp", - keytype->name); + check_fp(tmpfilename1, fps[SSH_FPTYPE_DEFAULT], + "%s openssh encrypted fp", keytype->name); /* * List the public half of the OpenSSH-formatted key in @@ -671,8 +680,8 @@ int main(int argc, char **argv) */ setup_passphrases("sponge2", NULL); test(0, "puttygen", "-l", scfilename, "-o", tmpfilename1, NULL); - check_fp(tmpfilename1, fp, "%s ssh.com encrypted fp", - keytype->name); + check_fp(tmpfilename1, fps[SSH_FPTYPE_DEFAULT], + "%s ssh.com encrypted fp", keytype->name); /* * List the public half of the ssh.com-formatted key in @@ -762,7 +771,8 @@ int main(int argc, char **argv) setup_passphrases(NULL); test(1, "puttygen", "-C", "spurious-new-comment", pubfilename, NULL); - sfree(fp); + for (FingerprintType fptype = 0; fptype < SSH_N_FPTYPES; fptype++) + sfree(fps[fptype]); if (remove_files) { remove(filename); diff --git a/cmdgen.c b/cmdgen.c index b500afca..096282ad 100644 --- a/cmdgen.c +++ b/cmdgen.c @@ -244,6 +244,7 @@ int main(int argc, char **argv) const PrimeGenerationPolicy *primegen = &primegen_probabilistic; bool strong_rsa = false; ppk_save_parameters params = ppk_save_default_parameters; + FingerprintType fptype = SSH_FPTYPE_DEFAULT; if (is_interactive()) progress_fp = stderr; @@ -507,6 +508,7 @@ int main(int argc, char **argv) case 'C': case 'O': case 'o': + case 'E': /* * Option requiring parameter. */ @@ -575,6 +577,17 @@ int main(int argc, char **argv) case 'o': outfile = p; break; + case 'E': + if (!strcmp(p, "md5")) + fptype = SSH_FPTYPE_MD5; + else if (!strcmp(p, "sha256")) + fptype = SSH_FPTYPE_SHA256; + else { + fprintf(stderr, "puttygen: unknown fingerprint " + "type `%s'\n", p); + errs = true; + } + break; } p = NULL; /* prevent continued processing */ break; @@ -1182,11 +1195,11 @@ int main(int argc, char **argv) fingerprint = rsa_ssh1_fingerprint(ssh1key); } else { if (ssh2key) { - fingerprint = ssh2_fingerprint(ssh2key->key, SSH_FPTYPE_DEFAULT); + fingerprint = ssh2_fingerprint(ssh2key->key, fptype); } else { assert(ssh2blob); fingerprint = ssh2_fingerprint_blob( - ptrlen_from_strbuf(ssh2blob), SSH_FPTYPE_DEFAULT); + ptrlen_from_strbuf(ssh2blob), fptype); } }