upstream: let ssh-keygen and ssh-keyscan accept

-Ohashalg=sha1|sha256 when outputting SSHFP fingerprints to allow algorithm
selection. bz3493 ok dtucker@

OpenBSD-Commit-ID: e6e07fe21318a873bd877f333e189eb963a11b3d

Author: djmdjm

dns.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.c,v 1.42 2022/02/01 23:32:51 djm Exp $ */
+/* $OpenBSD: dns.c,v 1.43 2023/02/10 04:56:30 djm Exp $ */
 
 /*
  * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -301,7 +301,8 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
  * Export the fingerprint of a key as a DNS resource record
  */
 int
-export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic)
+export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic,
+    int alg)
 {
 	u_int8_t rdata_pubkey_algorithm = 0;
 	u_int8_t rdata_digest_type = SSHFP_HASH_RESERVED;
@@ -311,6 +312,8 @@ export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic)
 	int success = 0;
 
 	for (dtype = SSHFP_HASH_SHA1; dtype < SSHFP_HASH_MAX; dtype++) {
+		if (alg != -1 && dtype != alg)
+			continue;
 		rdata_digest_type = dtype;
 		if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
 		    &rdata_digest, &rdata_digest_len, key)) {

dns.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.h,v 1.19 2021/07/19 03:13:28 dtucker Exp $ */
+/* $OpenBSD: dns.h,v 1.20 2023/02/10 04:56:30 djm Exp $ */
 
 /*
  * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -54,6 +54,6 @@ enum sshfp_hashes {
 
 int	verify_host_key_dns(const char *, struct sockaddr *,
     struct sshkey *, int *);
-int	export_dns_rr(const char *, struct sshkey *, FILE *, int);
+int	export_dns_rr(const char *, struct sshkey *, FILE *, int, int);
 
 #endif /* DNS_H */

ssh-keygen.1

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keygen.1,v 1.226 2022/09/10 08:50:53 jsg Exp $
+.\"	$OpenBSD: ssh-keygen.1,v 1.227 2023/02/10 04:56:30 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <[email protected]>
 .\" Copyright (c) 1995 Tatu Ylonen <[email protected]>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 10 2022 $
+.Dd $Mdocdate: February 10 2023 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -518,6 +518,21 @@ suffixed with a Z character, which causes them to be interpreted in the
 UTC time zone.
 .El
 .Pp
+When generating SSHFP DNS records from public keys using the
+.Fl r
+flag, the following options are accepted:
+.Bl -tag -width Ds
+.It Cm hashalg Ns = Ns Ar algorithm
+Selects a hash algorithm to use when printing SSHFP records using the
+.Fl D
+flag.
+Valid algorithms are
+.Dq sha1
+and
+.Dq sha256.
+The default is to print both.
+.El
+.Pp
 The
 .Fl O
 option may be specified multiple times.

ssh-keygen.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.461 2022/12/04 23:50:49 cheloha Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.462 2023/02/10 04:56:30 djm Exp $ */
 /*
  * Author: Tatu Ylonen <[email protected]>
  * Copyright (c) 1994 Tatu Ylonen <[email protected]>, Espoo, Finland
@@ -1479,13 +1479,23 @@ do_change_passphrase(struct passwd *pw)
  */
 static int
 do_print_resource_record(struct passwd *pw, char *fname, char *hname,
-    int print_generic)
+    int print_generic, char * const *opts, size_t nopts)
 {
 	struct sshkey *public;
 	char *comment = NULL;
 	struct stat st;
-	int r;
+	int r, hash = -1;
+	size_t i;
 
+	for (i = 0; i < nopts; i++) {
+		if (strncasecmp(opts[i], "hashalg=", 8) == 0) {
+			if ((hash = ssh_digest_alg_by_name(opts[i] + 8)) == -1)
+				fatal("Unsupported hash algorithm");
+		} else {
+			error("Invalid option \"%s\"", opts[i]);
+			return SSH_ERR_INVALID_ARGUMENT;
+		}
+	}
 	if (fname == NULL)
 		fatal_f("no filename");
 	if (stat(fname, &st) == -1) {
@@ -1495,7 +1505,7 @@ do_print_resource_record(struct passwd *pw, char *fname, char *hname,
 	}
 	if ((r = sshkey_load_public(fname, &public, &comment)) != 0)
 		fatal_r(r, "Failed to read v2 public key from \"%s\"", fname);
-	export_dns_rr(hname, public, stdout, print_generic);
+	export_dns_rr(hname, public, stdout, print_generic, hash);
 	sshkey_free(public);
 	free(comment);
 	return 1;
@@ -3725,27 +3735,27 @@ main(int argc, char **argv)
 
 		if (have_identity) {
 			n = do_print_resource_record(pw, identity_file,
-			    rr_hostname, print_generic);
+			    rr_hostname, print_generic, opts, nopts);
 			if (n == 0)
 				fatal("%s: %s", identity_file, strerror(errno));
 			exit(0);
 		} else {
 
 			n += do_print_resource_record(pw,
 			    _PATH_HOST_RSA_KEY_FILE, rr_hostname,
-			    print_generic);
+			    print_generic, opts, nopts);
 			n += do_print_resource_record(pw,
 			    _PATH_HOST_DSA_KEY_FILE, rr_hostname,
-			    print_generic);
+			    print_generic, opts, nopts);
 			n += do_print_resource_record(pw,
 			    _PATH_HOST_ECDSA_KEY_FILE, rr_hostname,
-			    print_generic);
+			    print_generic, opts, nopts);
 			n += do_print_resource_record(pw,
 			    _PATH_HOST_ED25519_KEY_FILE, rr_hostname,
-			    print_generic);
+			    print_generic, opts, nopts);
 			n += do_print_resource_record(pw,
 			    _PATH_HOST_XMSS_KEY_FILE, rr_hostname,
-			    print_generic);
+			    print_generic, opts, nopts);
 			if (n == 0)
 				fatal("no keys found.");
 			exit(0);

ssh-keyscan.1

@@ -1,12 +1,12 @@
-.\"	$OpenBSD: ssh-keyscan.1,v 1.47 2022/10/28 02:29:34 djm Exp $
+.\"	$OpenBSD: ssh-keyscan.1,v 1.48 2023/02/10 04:56:30 djm Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres <[email protected]>.
 .\"
 .\" Modification and redistribution in source and binary forms is
 .\" permitted provided that due credit is given to the author and the
 .\" OpenBSD project by leaving this copyright notice intact.
 .\"
-.Dd $Mdocdate: October 28 2022 $
+.Dd $Mdocdate: February 10 2023 $
 .Dt SSH-KEYSCAN 1
 .Os
 .Sh NAME
@@ -16,6 +16,7 @@
 .Nm ssh-keyscan
 .Op Fl 46cDHv
 .Op Fl f Ar file
+.Op Fl O Ar option
 .Op Fl p Ar port
 .Op Fl T Ar timeout
 .Op Fl t Ar type
@@ -97,6 +98,20 @@ and
 .Xr sshd 8 ,
 but they do not reveal identifying information should the file's contents
 be disclosed.
+.It Fl O Ar option
+Specify a key/value option.
+At present, only a single option is supported:
+.Bl -tag -width Ds
+.It Cm hashalg Ns = Ns Ar algorithm
+Selects a hash algorithm to use when printing SSHFP records using the
+.Fl D
+flag.
+Valid algorithms are
+.Dq sha1
+and
+.Dq sha256.
+The default is to print both.
+.El
 .It Fl p Ar port
 Connect to
 .Ar port

ssh-keyscan.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.149 2022/12/26 19:16:03 jmc Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.150 2023/02/10 04:56:30 djm Exp $ */
 /*
  * Copyright 1995, 1996 by David Mazieres <[email protected]>.
  *
@@ -40,6 +40,7 @@
 #include "sshbuf.h"
 #include "sshkey.h"
 #include "cipher.h"
+#include "digest.h"
 #include "kex.h"
 #include "compat.h"
 #include "myproposal.h"
@@ -80,6 +81,8 @@ int print_sshfp = 0;		/* Print SSHFP records instead of known_hosts */
 
 int found_one = 0;		/* Successfully found a key */
 
+int hashalg = -1;		/* Hash for SSHFP records or -1 for all */
+
 #define MAXMAXFD 256
 
 /* The number of seconds after which to give up on a TCP connection */
@@ -314,7 +317,7 @@ keyprint_one(const char *host, struct sshkey *key)
 	found_one = 1;
 
 	if (print_sshfp) {
-		export_dns_rr(host, key, stdout, 0);
+		export_dns_rr(host, key, stdout, 0, hashalg);
 		return;
 	}
 
@@ -698,9 +701,8 @@ static void
 usage(void)
 {
 	fprintf(stderr,
-	    "usage: %s [-46cDHv] [-f file] [-p port] [-T timeout] [-t type]\n"
-	    "\t\t   [host | addrlist namelist]\n",
-	    __progname);
+	    "usage: ssh-keyscan [-46cDHv] [-f file] [-p port] [-T timeout] [-t type]\n"
+	    "                   [-O option] [host | addrlist namelist]\n");
 	exit(1);
 }
 
@@ -726,7 +728,7 @@ main(int argc, char **argv)
 	if (argc <= 1)
 		usage();
 
-	while ((opt = getopt(argc, argv, "cDHv46p:T:t:f:")) != -1) {
+	while ((opt = getopt(argc, argv, "cDHv46O:p:T:t:f:")) != -1) {
 		switch (opt) {
 		case 'H':
 			hash_hosts = 1;
@@ -766,6 +768,14 @@ main(int argc, char **argv)
 				optarg = NULL;
 			argv[fopt_count++] = optarg;
 			break;
+		case 'O':
+			/* Maybe other misc options in the future too */
+			if (strncmp(optarg, "hashalg=", 8) != 0)
+				fatal("Unsupported -O option");
+			if ((hashalg = ssh_digest_alg_by_name(
+			    optarg + 8)) == -1)
+				fatal("Unsupported hash algorithm");
+			break;
 		case 't':
 			get_keytypes = 0;
 			tname = strtok(optarg, ",");