1 files changed, 92 insertions, 61 deletions
diff --git a/ssh-keysign.c b/ssh-keysign.c
index d95bb7d9d..bcf897a05 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keysign.c,v 1.42 2014/04/29 18:01:49 markus Exp $ */
+/* $OpenBSD: ssh-keysign.c,v 1.47 2015/01/28 22:36:00 djm Exp $ */
 /*
 * Copyright (c) 2002 Markus Friedl.  All rights reserved.
 *
@@ -35,23 +35,29 @@
 #include <string.h>
 #include <unistd.h>
+#ifdef WITH_OPENSSL
 #include <openssl/evp.h>
 #include <openssl/rand.h>
 #include <openssl/rsa.h>
+#endif
 #include "xmalloc.h"
 #include "log.h"
-#include "key.h"
+#include "sshkey.h"
 #include "ssh.h"
 #include "ssh2.h"
 #include "misc.h"
-#include "buffer.h"
+#include "sshbuf.h"
 #include "authfile.h"
 #include "msg.h"
 #include "canohost.h"
 #include "pathnames.h"
 #include "readconf.h"
 #include "uidswap.h"
+#include "sshkey.h"
+#include "ssherr.h"
+struct ssh *active_state = NULL; /* XXX needed for linking */
 /* XXX readconf.c needs these */
 uid_t original_real_uid;
@@ -59,62 +65,73 @@ uid_t original_real_uid;
 extern char *__progname;
 static int
-valid_request(struct passwd *pw, char *host, Key **ret, u_char *data,
+valid_request(struct passwd *pw, char *host, struct sshkey **ret,
-    u_int datalen)
+    u_char *data, size_t datalen)
 {
-        Buffer b;
+        struct sshbuf *b;
-        Key *key = NULL;
+        struct sshkey *key = NULL;
-        u_char *pkblob;
+        u_char type, *pkblob;
-        u_int blen, len;
+        char *p;
-        char *pkalg, *p;
+        size_t blen, len;
-        int pktype, fail;
+        char *pkalg, *luser;
+        int r, pktype, fail;
+        if (ret != NULL)
+                *ret = NULL;
        fail = 0;
-        buffer_init(&b);
+        if ((b = sshbuf_from(data, datalen)) == NULL)
-        buffer_append(&b, data, datalen);
+                fatal("%s: sshbuf_from failed", __func__);
        /* session id, currently limited to SHA1 (20 bytes) or SHA256 (32) */
-        p = buffer_get_string(&b, &len);
+        if ((r = sshbuf_get_string(b, NULL, &len)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        if (len != 20 && len != 32)
                fail++;
-        free(p);
-        if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
+        if ((r = sshbuf_get_u8(b, &type)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        if (type != SSH2_MSG_USERAUTH_REQUEST)
                fail++;
        /* server user */
-        buffer_skip_string(&b);
+        if ((r = sshbuf_skip_string(b)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        /* service */
-        p = buffer_get_string(&b, NULL);
+        if ((r = sshbuf_get_cstring(b, &p, NULL)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        if (strcmp("ssh-connection", p) != 0)
                fail++;
        free(p);
        /* method */
-        p = buffer_get_string(&b, NULL);
+        if ((r = sshbuf_get_cstring(b, &p, NULL)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        if (strcmp("hostbased", p) != 0)
                fail++;
        free(p);
        /* pubkey */
-        pkalg = buffer_get_string(&b, NULL);
+        if ((r = sshbuf_get_cstring(b, &pkalg, NULL)) != 0 ||
-        pkblob = buffer_get_string(&b, &blen);
+            (r = sshbuf_get_string(b, &pkblob, &blen)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
-        pktype = key_type_from_name(pkalg);
+        pktype = sshkey_type_from_name(pkalg);
        if (pktype == KEY_UNSPEC)
                fail++;
-        else if ((key = key_from_blob(pkblob, blen)) == NULL)
+        else if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
+                error("%s: bad key blob: %s", __func__, ssh_err(r));
                fail++;
-        else if (key->type != pktype)
+        } else if (key->type != pktype)
                fail++;
        free(pkalg);
        free(pkblob);
        /* client host name, handle trailing dot */
-        p = buffer_get_string(&b, &len);
+        if ((r = sshbuf_get_cstring(b, &p, &len)) != 0)
-        debug2("valid_request: check expect chost %s got %s", host, p);
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        debug2("%s: check expect chost %s got %s", __func__, host, p);
        if (strlen(host) != len - 1)
                fail++;
        else if (p[len - 1] != '.')
@@ -124,21 +141,22 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data,
        free(p);
        /* local user */
-        p = buffer_get_string(&b, NULL);
+        if ((r = sshbuf_get_cstring(b, &luser, NULL)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
-        if (strcmp(pw->pw_name, p) != 0)
+        if (strcmp(pw->pw_name, luser) != 0)
                fail++;
-        free(p);
+        free(luser);
        /* end of message */
-        if (buffer_len(&b) != 0)
+        if (sshbuf_len(b) != 0)
                fail++;
-        buffer_free(&b);
+        sshbuf_free(b);
-        debug3("valid_request: fail %d", fail);
+        debug3("%s: fail %d", __func__, fail);
        if (fail && key != NULL)
-                key_free(key);
+                sshkey_free(key);
        else
                *ret = key;
@@ -148,16 +166,18 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data,
 int
 main(int argc, char **argv)
 {
-        Buffer b;
+        struct sshbuf *b;
        Options options;
 #define NUM_KEYTYPES 4
-        Key *keys[NUM_KEYTYPES], *key = NULL;
+        struct sshkey *keys[NUM_KEYTYPES], *key = NULL;
        struct passwd *pw;
-        int key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
+        int r, key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
-        u_char *signature, *data;
+        u_char *signature, *data, rver;
        char *host, *fp;
-        u_int slen, dlen;
+        size_t slen, dlen;
+#ifdef WITH_OPENSSL
        u_int32_t rnd[256];
+#endif
        /* Ensure that stdin and stdout are connected */
        if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2)
@@ -187,7 +207,7 @@ main(int argc, char **argv)
        /* verify that ssh-keysign is enabled by the admin */
        initialize_options(&options);
-        (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", &options, 0);
+        (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "", &options, 0);
        fill_default_options(&options);
        if (options.enable_ssh_keysign != 1)
                fatal("ssh-keysign not enabled in %s",
@@ -200,39 +220,47 @@ main(int argc, char **argv)
        if (found == 0)
                fatal("could not open any host key");
+#ifdef WITH_OPENSSL
        OpenSSL_add_all_algorithms();
        arc4random_buf(rnd, sizeof(rnd));
        RAND_seed(rnd, sizeof(rnd));
+#endif
        found = 0;
        for (i = 0; i < NUM_KEYTYPES; i++) {
                keys[i] = NULL;
                if (key_fd[i] == -1)
                        continue;
-#ifdef WITH_OPENSSL
+                r = sshkey_load_private_type_fd(key_fd[i], KEY_UNSPEC,
-/* XXX wrong api */
+                    NULL, &key, NULL);
-                keys[i] = key_load_private_pem(key_fd[i], KEY_UNSPEC,
-                    NULL, NULL);
-#endif
                close(key_fd[i]);
-                if (keys[i] != NULL)
+                if (r != 0)
+                        debug("parse key %d: %s", i, ssh_err(r));
+                else if (key != NULL) {
+                        keys[i] = key;
                        found = 1;
+                }
        }
        if (!found)
                fatal("no hostkey found");
-        buffer_init(&b);
+        if ((b = sshbuf_new()) == NULL)
-        if (ssh_msg_recv(STDIN_FILENO, &b) < 0)
+                fatal("%s: sshbuf_new failed", __func__);
+        if (ssh_msg_recv(STDIN_FILENO, b) < 0)
                fatal("ssh_msg_recv failed");
-        if (buffer_get_char(&b) != version)
+        if ((r = sshbuf_get_u8(b, &rver)) != 0)
-                fatal("bad version");
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
-        fd = buffer_get_int(&b);
+        if (rver != version)
-        if ((fd == STDIN_FILENO) || (fd == STDOUT_FILENO))
+                fatal("bad version: received %d, expected %d", rver, version);
+        if ((r = sshbuf_get_u32(b, (u_int *)&fd)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        if (fd < 0 || fd == STDIN_FILENO || fd == STDOUT_FILENO)
                fatal("bad fd");
        if ((host = get_local_name(fd)) == NULL)
                fatal("cannot get local name for fd");
-        data = buffer_get_string(&b, &dlen);
+        if ((r = sshbuf_get_string(b, &data, &dlen)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
        if (valid_request(pw, host, &key, data, dlen) < 0)
                fatal("not a valid request");
        free(host);
@@ -240,25 +268,28 @@ main(int argc, char **argv)
        found = 0;
        for (i = 0; i < NUM_KEYTYPES; i++) {
                if (keys[i] != NULL &&
-                    key_equal_public(key, keys[i])) {
+                    sshkey_equal_public(key, keys[i])) {
                        found = 1;
                        break;
                }
        }
        if (!found) {
-                fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+                if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
+                    SSH_FP_DEFAULT)) == NULL)
+                        fatal("%s: sshkey_fingerprint failed", __func__);
                fatal("no matching hostkey found for key %s %s",
-                    key_type(key), fp);
+                    sshkey_type(key), fp ? fp : "");
        }
-        if (key_sign(keys[i], &signature, &slen, data, dlen) != 0)
+        if ((r = sshkey_sign(keys[i], &signature, &slen, data, dlen, 0)) != 0)
-                fatal("key_sign failed");
+                fatal("sshkey_sign failed: %s", ssh_err(r));
        free(data);
        /* send reply */
-        buffer_clear(&b);
+        sshbuf_reset(b);
-        buffer_put_string(&b, signature, slen);
+        if ((r = sshbuf_put_string(b, signature, slen)) != 0)
-        if (ssh_msg_send(STDOUT_FILENO, version, &b) == -1)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        if (ssh_msg_send(STDOUT_FILENO, version, b) == -1)
                fatal("ssh_msg_send failed");
        return (0);

diff --git a/ssh-keysign.c b/ssh-keysign.c index d95bb7d9d..bcf897a05 100644 --- a/ssh-keysign.c +++ b/ssh-keysign.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssh-keysign.c,v 1.42 2014/04/29 18:01:49 markus Exp $ */	1	/* $OpenBSD: ssh-keysign.c,v 1.47 2015/01/28 22:36:00 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2002 Markus Friedl. All rights reserved.	3	* Copyright (c) 2002 Markus Friedl. All rights reserved.
4	*	4	*
@@ -35,23 +35,29 @@
35	#include <string.h>	35	#include <string.h>
36	#include <unistd.h>	36	#include <unistd.h>
37		37
		38	#ifdef WITH_OPENSSL
38	#include <openssl/evp.h>	39	#include <openssl/evp.h>
39	#include <openssl/rand.h>	40	#include <openssl/rand.h>
40	#include <openssl/rsa.h>	41	#include <openssl/rsa.h>
		42	#endif
41		43
42	#include "xmalloc.h"	44	#include "xmalloc.h"
43	#include "log.h"	45	#include "log.h"
44	#include "key.h"	46	#include "sshkey.h"
45	#include "ssh.h"	47	#include "ssh.h"
46	#include "ssh2.h"	48	#include "ssh2.h"
47	#include "misc.h"	49	#include "misc.h"
48	#include "buffer.h"	50	#include "sshbuf.h"
49	#include "authfile.h"	51	#include "authfile.h"
50	#include "msg.h"	52	#include "msg.h"
51	#include "canohost.h"	53	#include "canohost.h"
52	#include "pathnames.h"	54	#include "pathnames.h"
53	#include "readconf.h"	55	#include "readconf.h"
54	#include "uidswap.h"	56	#include "uidswap.h"
		57	#include "sshkey.h"
		58	#include "ssherr.h"
		59
		60	struct ssh active_state = NULL; / XXX needed for linking */
55		61
56	/* XXX readconf.c needs these */	62	/* XXX readconf.c needs these */
57	uid_t original_real_uid;	63	uid_t original_real_uid;
@@ -59,62 +65,73 @@ uid_t original_real_uid;
59	extern char *__progname;	65	extern char *__progname;
60		66
61	static int	67	static int
62	valid_request(struct passwd pw, char host, Key *ret, u_char data,	68	valid_request(struct passwd pw, char host, struct sshkey **ret,
63	u_int datalen)	69	u_char *data, size_t datalen)
64	{	70	{
65	Buffer b;	71	struct sshbuf *b;
66	Key *key = NULL;	72	struct sshkey *key = NULL;
67	u_char *pkblob;	73	u_char type, *pkblob;
68	u_int blen, len;	74	char *p;
69	char pkalg, p;	75	size_t blen, len;
70	int pktype, fail;	76	char pkalg, luser;
71		77	int r, pktype, fail;
		78
		79	if (ret != NULL)
		80	*ret = NULL;
72	fail = 0;	81	fail = 0;
73		82
74	buffer_init(&b);	83	if ((b = sshbuf_from(data, datalen)) == NULL)
75	buffer_append(&b, data, datalen);	84	fatal("%s: sshbuf_from failed", __func__);
76		85
77	/* session id, currently limited to SHA1 (20 bytes) or SHA256 (32) */	86	/* session id, currently limited to SHA1 (20 bytes) or SHA256 (32) */
78	p = buffer_get_string(&b, &len);	87	if ((r = sshbuf_get_string(b, NULL, &len)) != 0)
		88	fatal("%s: buffer error: %s", __func__, ssh_err(r));
79	if (len != 20 && len != 32)	89	if (len != 20 && len != 32)
80	fail++;	90	fail++;
81	free(p);
82		91
83	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)	92	if ((r = sshbuf_get_u8(b, &type)) != 0)
		93	fatal("%s: buffer error: %s", __func__, ssh_err(r));
		94	if (type != SSH2_MSG_USERAUTH_REQUEST)
84	fail++;	95	fail++;
85		96
86	/* server user */	97	/* server user */
87	buffer_skip_string(&b);	98	if ((r = sshbuf_skip_string(b)) != 0)
		99	fatal("%s: buffer error: %s", __func__, ssh_err(r));
88		100
89	/* service */	101	/* service */
90	p = buffer_get_string(&b, NULL);	102	if ((r = sshbuf_get_cstring(b, &p, NULL)) != 0)
		103	fatal("%s: buffer error: %s", __func__, ssh_err(r));
91	if (strcmp("ssh-connection", p) != 0)	104	if (strcmp("ssh-connection", p) != 0)
92	fail++;	105	fail++;
93	free(p);	106	free(p);
94		107
95	/* method */	108	/* method */
96	p = buffer_get_string(&b, NULL);	109	if ((r = sshbuf_get_cstring(b, &p, NULL)) != 0)
		110	fatal("%s: buffer error: %s", __func__, ssh_err(r));
97	if (strcmp("hostbased", p) != 0)	111	if (strcmp("hostbased", p) != 0)
98	fail++;	112	fail++;
99	free(p);	113	free(p);
100		114
101	/* pubkey */	115	/* pubkey */
102	pkalg = buffer_get_string(&b, NULL);	116	if ((r = sshbuf_get_cstring(b, &pkalg, NULL)) != 0 \|\|
103	pkblob = buffer_get_string(&b, &blen);	117	(r = sshbuf_get_string(b, &pkblob, &blen)) != 0)
		118	fatal("%s: buffer error: %s", __func__, ssh_err(r));
104		119
105	pktype = key_type_from_name(pkalg);	120	pktype = sshkey_type_from_name(pkalg);
106	if (pktype == KEY_UNSPEC)	121	if (pktype == KEY_UNSPEC)
107	fail++;	122	fail++;
108	else if ((key = key_from_blob(pkblob, blen)) == NULL)	123	else if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
		124	error("%s: bad key blob: %s", __func__, ssh_err(r));
109	fail++;	125	fail++;
110	else if (key->type != pktype)	126	} else if (key->type != pktype)
111	fail++;	127	fail++;
112	free(pkalg);	128	free(pkalg);
113	free(pkblob);	129	free(pkblob);
114		130
115	/* client host name, handle trailing dot */	131	/* client host name, handle trailing dot */
116	p = buffer_get_string(&b, &len);	132	if ((r = sshbuf_get_cstring(b, &p, &len)) != 0)
117	debug2("valid_request: check expect chost %s got %s", host, p);	133	fatal("%s: buffer error: %s", __func__, ssh_err(r));
		134	debug2("%s: check expect chost %s got %s", __func__, host, p);
118	if (strlen(host) != len - 1)	135	if (strlen(host) != len - 1)
119	fail++;	136	fail++;
120	else if (p[len - 1] != '.')	137	else if (p[len - 1] != '.')
@@ -124,21 +141,22 @@ valid_request(struct passwd pw, char host, Key *ret, u_char data,
124	free(p);	141	free(p);
125		142
126	/* local user */	143	/* local user */
127	p = buffer_get_string(&b, NULL);	144	if ((r = sshbuf_get_cstring(b, &luser, NULL)) != 0)
		145	fatal("%s: buffer error: %s", __func__, ssh_err(r));
128		146
129	if (strcmp(pw->pw_name, p) != 0)	147	if (strcmp(pw->pw_name, luser) != 0)
130	fail++;	148	fail++;
131	free(p);	149	free(luser);
132		150
133	/* end of message */	151	/* end of message */
134	if (buffer_len(&b) != 0)	152	if (sshbuf_len(b) != 0)
135	fail++;	153	fail++;
136	buffer_free(&b);	154	sshbuf_free(b);
137		155
138	debug3("valid_request: fail %d", fail);	156	debug3("%s: fail %d", __func__, fail);
139		157
140	if (fail && key != NULL)	158	if (fail && key != NULL)
141	key_free(key);	159	sshkey_free(key);
142	else	160	else
143	*ret = key;	161	*ret = key;
144		162
@@ -148,16 +166,18 @@ valid_request(struct passwd pw, char host, Key *ret, u_char data,
148	int	166	int
149	main(int argc, char **argv)	167	main(int argc, char **argv)
150	{	168	{
151	Buffer b;	169	struct sshbuf *b;
152	Options options;	170	Options options;
153	#define NUM_KEYTYPES 4	171	#define NUM_KEYTYPES 4
154	Key keys[NUM_KEYTYPES], key = NULL;	172	struct sshkey keys[NUM_KEYTYPES], key = NULL;
155	struct passwd *pw;	173	struct passwd *pw;
156	int key_fd[NUM_KEYTYPES], i, found, version = 2, fd;	174	int r, key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
157	u_char signature, data;	175	u_char signature, data, rver;
158	char host, fp;	176	char host, fp;
159	u_int slen, dlen;	177	size_t slen, dlen;
		178	#ifdef WITH_OPENSSL
160	u_int32_t rnd[256];	179	u_int32_t rnd[256];
		180	#endif
161		181
162	/* Ensure that stdin and stdout are connected */	182	/* Ensure that stdin and stdout are connected */
163	if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2)	183	if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2)
@@ -187,7 +207,7 @@ main(int argc, char **argv)
187		207
188	/* verify that ssh-keysign is enabled by the admin */	208	/* verify that ssh-keysign is enabled by the admin */
189	initialize_options(&options);	209	initialize_options(&options);
190	(void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", &options, 0);	210	(void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "", &options, 0);
191	fill_default_options(&options);	211	fill_default_options(&options);
192	if (options.enable_ssh_keysign != 1)	212	if (options.enable_ssh_keysign != 1)
193	fatal("ssh-keysign not enabled in %s",	213	fatal("ssh-keysign not enabled in %s",
@@ -200,39 +220,47 @@ main(int argc, char **argv)
200	if (found == 0)	220	if (found == 0)
201	fatal("could not open any host key");	221	fatal("could not open any host key");
202		222
		223	#ifdef WITH_OPENSSL
203	OpenSSL_add_all_algorithms();	224	OpenSSL_add_all_algorithms();
204	arc4random_buf(rnd, sizeof(rnd));	225	arc4random_buf(rnd, sizeof(rnd));
205	RAND_seed(rnd, sizeof(rnd));	226	RAND_seed(rnd, sizeof(rnd));
		227	#endif
206		228
207	found = 0;	229	found = 0;
208	for (i = 0; i < NUM_KEYTYPES; i++) {	230	for (i = 0; i < NUM_KEYTYPES; i++) {
209	keys[i] = NULL;	231	keys[i] = NULL;
210	if (key_fd[i] == -1)	232	if (key_fd[i] == -1)
211	continue;	233	continue;
212	#ifdef WITH_OPENSSL	234	r = sshkey_load_private_type_fd(key_fd[i], KEY_UNSPEC,
213	/* XXX wrong api */	235	NULL, &key, NULL);
214	keys[i] = key_load_private_pem(key_fd[i], KEY_UNSPEC,
215	NULL, NULL);
216	#endif
217	close(key_fd[i]);	236	close(key_fd[i]);
218	if (keys[i] != NULL)	237	if (r != 0)
		238	debug("parse key %d: %s", i, ssh_err(r));
		239	else if (key != NULL) {
		240	keys[i] = key;
219	found = 1;	241	found = 1;
		242	}
220	}	243	}
221	if (!found)	244	if (!found)
222	fatal("no hostkey found");	245	fatal("no hostkey found");
223		246
224	buffer_init(&b);	247	if ((b = sshbuf_new()) == NULL)
225	if (ssh_msg_recv(STDIN_FILENO, &b) < 0)	248	fatal("%s: sshbuf_new failed", __func__);
		249	if (ssh_msg_recv(STDIN_FILENO, b) < 0)
226	fatal("ssh_msg_recv failed");	250	fatal("ssh_msg_recv failed");
227	if (buffer_get_char(&b) != version)	251	if ((r = sshbuf_get_u8(b, &rver)) != 0)
228	fatal("bad version");	252	fatal("%s: buffer error: %s", __func__, ssh_err(r));
229	fd = buffer_get_int(&b);	253	if (rver != version)
230	if ((fd == STDIN_FILENO) \|\| (fd == STDOUT_FILENO))	254	fatal("bad version: received %d, expected %d", rver, version);
		255	if ((r = sshbuf_get_u32(b, (u_int *)&fd)) != 0)
		256	fatal("%s: buffer error: %s", __func__, ssh_err(r));
		257	if (fd < 0 \|\| fd == STDIN_FILENO \|\| fd == STDOUT_FILENO)
231	fatal("bad fd");	258	fatal("bad fd");
232	if ((host = get_local_name(fd)) == NULL)	259	if ((host = get_local_name(fd)) == NULL)
233	fatal("cannot get local name for fd");	260	fatal("cannot get local name for fd");
234		261
235	data = buffer_get_string(&b, &dlen);	262	if ((r = sshbuf_get_string(b, &data, &dlen)) != 0)
		263	fatal("%s: buffer error: %s", __func__, ssh_err(r));
236	if (valid_request(pw, host, &key, data, dlen) < 0)	264	if (valid_request(pw, host, &key, data, dlen) < 0)
237	fatal("not a valid request");	265	fatal("not a valid request");
238	free(host);	266	free(host);
@@ -240,25 +268,28 @@ main(int argc, char **argv)
240	found = 0;	268	found = 0;
241	for (i = 0; i < NUM_KEYTYPES; i++) {	269	for (i = 0; i < NUM_KEYTYPES; i++) {
242	if (keys[i] != NULL &&	270	if (keys[i] != NULL &&
243	key_equal_public(key, keys[i])) {	271	sshkey_equal_public(key, keys[i])) {
244	found = 1;	272	found = 1;
245	break;	273	break;
246	}	274	}
247	}	275	}
248	if (!found) {	276	if (!found) {
249	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);	277	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
		278	SSH_FP_DEFAULT)) == NULL)
		279	fatal("%s: sshkey_fingerprint failed", __func__);
250	fatal("no matching hostkey found for key %s %s",	280	fatal("no matching hostkey found for key %s %s",
251	key_type(key), fp);	281	sshkey_type(key), fp ? fp : "");
252	}	282	}
253		283
254	if (key_sign(keys[i], &signature, &slen, data, dlen) != 0)	284	if ((r = sshkey_sign(keys[i], &signature, &slen, data, dlen, 0)) != 0)
255	fatal("key_sign failed");	285	fatal("sshkey_sign failed: %s", ssh_err(r));
256	free(data);	286	free(data);
257		287
258	/* send reply */	288	/* send reply */
259	buffer_clear(&b);	289	sshbuf_reset(b);
260	buffer_put_string(&b, signature, slen);	290	if ((r = sshbuf_put_string(b, signature, slen)) != 0)
261	if (ssh_msg_send(STDOUT_FILENO, version, &b) == -1)	291	fatal("%s: buffer error: %s", __func__, ssh_err(r));
		292	if (ssh_msg_send(STDOUT_FILENO, version, b) == -1)
262	fatal("ssh_msg_send failed");	293	fatal("ssh_msg_send failed");
263		294
264	return (0);	295	return (0);