自学教程：C++ sshkey_fingerprint函数代码示例

/* print all known host keys for a given host, but skip keys of given type */static intshow_other_keys(struct hostkeys *hostkeys, struct sshkey *key){	int type[] = { KEY_RSA1, KEY_RSA, KEY_DSA, KEY_ECDSA, -1};	int i, ret = 0;	char *fp, *ra;	const struct hostkey_entry *found;	for (i = 0; type[i] != -1; i++) {		if (type[i] == key->type)			continue;		if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))			continue;		fp = sshkey_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);		ra = sshkey_fingerprint(found->key, SSH_FP_MD5,		    SSH_FP_RANDOMART);		logit("WARNING: %s key found for host %s/n"		    "in %s:%lu/n"		    "%s key fingerprint %s.",		    sshkey_type(found->key),		    found->host, found->file, found->line,		    sshkey_type(found->key), fp);		if (options.visual_host_key)			logit("%s", ra);		xfree(ra);		xfree(fp);		ret = 1;	}	return ret;}

/* * Formats any key left in authctxt->auth_method_key for inclusion in * auth_log()'s message. Also includes authxtct->auth_method_info if present. */static char *format_method_key(Authctxt *authctxt){	const struct sshkey *key = authctxt->auth_method_key;	const char *methinfo = authctxt->auth_method_info;	char *fp, *ret = NULL;	if (key == NULL)		return NULL;	if (sshkey_is_cert(key)) {		fp = sshkey_fingerprint(key->cert->signature_key,		    options.fingerprint_hash, SSH_FP_DEFAULT);		xasprintf(&ret, "%s ID %s (serial %llu) CA %s %s%s%s",		    sshkey_type(key), key->cert->key_id,		    (unsigned long long)key->cert->serial,		    sshkey_type(key->cert->signature_key),		    fp == NULL ? "(null)" : fp,		    methinfo == NULL ? "" : ", ",		    methinfo == NULL ? "" : methinfo);		free(fp);	} else {		fp = sshkey_fingerprint(key, options.fingerprint_hash,		    SSH_FP_DEFAULT);		xasprintf(&ret, "%s %s%s%s", sshkey_type(key),		    fp == NULL ? "(null)" : fp,		    methinfo == NULL ? "" : ", ",		    methinfo == NULL ? "" : methinfo);		free(fp);	}	return ret;}

/* returns 0 if key verifies or -1 if key does NOT verify */intverify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key){	int flags = 0;	char *fp;	fp = sshkey_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);	debug("Server host key: %s %s", sshkey_type(host_key), fp);	xfree(fp);	/* XXX certs are not yet supported for DNS */	if (!sshkey_is_cert(host_key) && options.verify_host_key_dns &&	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {		if (flags & DNS_VERIFY_FOUND) {			if (options.verify_host_key_dns == 1 &&			    flags & DNS_VERIFY_MATCH &&			    flags & DNS_VERIFY_SECURE)				return 0;			if (flags & DNS_VERIFY_MATCH) {				matching_host_key_dns = 1;			} else {				warn_changed_key(host_key);				error("Update the SSHFP RR in DNS with the new "				    "host key to get rid of this message.");			}		}	}	return check_host_key(host, hostaddr, options.port, host_key, RDRW,	    options.user_hostfiles, options.num_user_hostfiles,	    options.system_hostfiles, options.num_system_hostfiles);}

/* Authenticate a certificate key against TrustedUserCAKeys */static intuser_cert_trusted_ca(struct passwd *pw, Key *key){	char *ca_fp, *principals_file = NULL;	const char *reason;	int ret = 0, found_principal = 0, use_authorized_principals;	if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)		return 0;	if ((ca_fp = sshkey_fingerprint(key->cert->signature_key,	    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)		return 0;	if (sshkey_in_file(key->cert->signature_key,	    options.trusted_user_ca_keys, 1, 0) != 0) {		debug2("%s: CA %s %s is not listed in %s", __func__,		    key_type(key->cert->signature_key), ca_fp,		    options.trusted_user_ca_keys);		goto out;	}	/*	 * If AuthorizedPrincipals is in use, then compare the certificate	 * principals against the names in that file rather than matching	 * against the username.	 */	if ((principals_file = authorized_principals_file(pw)) != NULL) {		if (match_principals_file(principals_file, pw, key->cert))			found_principal = 1;	}	/* Try querying command if specified */	if (!found_principal && match_principals_command(pw, key->cert))		found_principal = 1;	/* If principals file or command is specified, then require a match */	use_authorized_principals = principals_file != NULL ||            options.authorized_principals_command != NULL;	if (!found_principal && use_authorized_principals) {		reason = "Certificate does not contain an authorized principal"; fail_reason:		error("%s", reason);		auth_debug_add("%s", reason);		goto out;	}	if (key_cert_check_authority(key, 0, 1,	    use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)		goto fail_reason;	if (auth_cert_options(key, pw) != 0)		goto out;	verbose("Accepted certificate ID /"%s/" signed by %s CA %s via %s",	    key->cert->key_id, key_type(key->cert->signature_key), ca_fp,	    options.trusted_user_ca_keys);	ret = 1; out:	free(principals_file);	free(ca_fp);	return ret;}

/* print all known host keys for a given host, but skip keys of given type */static intshow_other_keys(struct hostkeys *hostkeys, Key *key){	int type[] = {		KEY_RSA1,		KEY_RSA,		KEY_DSA,		KEY_ECDSA,		KEY_ED25519,		-1	};	int i, ret = 0;	char *fp, *ra;	const struct hostkey_entry *found;	for (i = 0; type[i] != -1; i++) {		if (type[i] == key->type)			continue;		if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))			continue;		fp = sshkey_fingerprint(found->key,		    options.fingerprint_hash, SSH_FP_DEFAULT);		ra = sshkey_fingerprint(found->key,		    options.fingerprint_hash, SSH_FP_RANDOMART);		if (fp == NULL || ra == NULL)			fatal("%s: sshkey_fingerprint fail", __func__);		logit("WARNING: %s key found for host %s/n"		    "in %s:%lu/n"		    "%s key fingerprint %s.",		    key_type(found->key),		    found->host, found->file, found->line,		    key_type(found->key), fp);		if (options.visual_host_key)			logit("%s", ra);		free(ra);		free(fp);		ret = 1;	}	return ret;}

voidpubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...){	char *fp, *extra;	va_list ap;	int i;	extra = NULL;	if (fmt != NULL) {		va_start(ap, fmt);		i = vasprintf(&extra, fmt, ap);		va_end(ap);		if (i < 0 || extra == NULL)			fatal("%s: vasprintf failed", __func__);		}	if (key_is_cert(key)) {		fp = sshkey_fingerprint(key->cert->signature_key,		    options.fingerprint_hash, SSH_FP_DEFAULT);		auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s", 		    key_type(key), key->cert->key_id,		    (unsigned long long)key->cert->serial,		    key_type(key->cert->signature_key),		    fp == NULL ? "(null)" : fp,		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);		free(fp);	} else {		fp = sshkey_fingerprint(key, options.fingerprint_hash,		    SSH_FP_DEFAULT);		auth_info(authctxt, "%s %s%s%s", key_type(key),		    fp == NULL ? "(null)" : fp,		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);		free(fp);	}	free(extra);}

/* * Performs the RSA authentication dialog with the client.  This returns * 0 if the client could not be authenticated, and 1 if authentication was * successful.  This may exit if there is a serious protocol violation. */intauth_rsa(Authctxt *authctxt, BIGNUM *client_n){	struct ssh *ssh = active_state;	struct sshkey *key;	char *fp;	struct passwd *pw = authctxt->pw;	/* no user given */	if (!authctxt->valid)		return 0;	if (!PRIVSEP(auth_rsa_key_allowed(pw, client_n, &key))) {		auth_clear_options();		return (0);	}	/* Perform the challenge-response dialog for this key. */	if (!auth_rsa_challenge_dialog(key)) {		/* Wrong response. */		verbose("Wrong response to RSA authentication challenge.");		ssh_packet_send_debug(ssh,		    "Wrong response to RSA authentication challenge.");		/*		 * Break out of the loop. Otherwise we might send		 * another challenge and break the protocol.		 */		sshkey_free(key);		return (0);	}	/*	 * Correct response.  The client has been successfully	 * authenticated. Note that we have not yet processed the	 * options; this will be reset if the options cause the	 * authentication to be rejected.	 */	fp = sshkey_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);	verbose("Found matching %s key: %s",	    sshkey_type(key), fp);	xfree(fp);	sshkey_free(key);	ssh_packet_send_debug(ssh, "RSA authentication accepted.");	return (1);}

static voidwarn_changed_key(struct sshkey *host_key){	char *fp;	fp = sshkey_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");	error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");	error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");	error("It is also possible that a host key has just been changed.");	error("The fingerprint for the %s key sent by the remote host is/n%s.",	    sshkey_type(host_key), fp);	error("Please contact your system administrator.");	xfree(fp);}

/* Checks whether a key has already been previously used for authentication */intauth2_key_already_used(Authctxt *authctxt, const struct sshkey *key){	u_int i;	char *fp;	for (i = 0; i < authctxt->nprev_keys; i++) {		if (sshkey_equal_public(key, authctxt->prev_keys[i])) {			fp = sshkey_fingerprint(authctxt->prev_keys[i],			    options.fingerprint_hash, SSH_FP_DEFAULT);			debug3("%s: key already used: %s %s", __func__,			    sshkey_type(authctxt->prev_keys[i]),			    fp == NULL ? "UNKNOWN" : fp);			free(fp);			return 1;		}	}	return 0;}

static voidwarn_changed_key(Key *host_key){	char *fp;	fp = sshkey_fingerprint(host_key, options.fingerprint_hash,	    SSH_FP_DEFAULT);	if (fp == NULL)		fatal("%s: sshkey_fingerprint fail", __func__);	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");	error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");	error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");	error("It is also possible that a host key has just been changed.");	error("The fingerprint for the %s key sent by the remote host is/n%s.",	    key_type(host_key), fp);	error("Please contact your system administrator.");	free(fp);}

/* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */intauth_key_is_revoked(struct sshkey *key){	char *fp = NULL;	int r;	if (options.revoked_keys_file == NULL)		return 0;	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,	    SSH_FP_DEFAULT)) == NULL) {		r = SSH_ERR_ALLOC_FAIL;		error("%s: fingerprint key: %s", __func__, ssh_err(r));		goto out;	}	r = sshkey_check_revoked(key, options.revoked_keys_file);	switch (r) {	case 0:		break; /* not revoked */	case SSH_ERR_KEY_REVOKED:		error("Authentication key %s %s revoked by file %s",		    sshkey_type(key), fp, options.revoked_keys_file);		goto out;	default:		error("Error checking authentication key %s %s in "		    "revoked keys file %s: %s", sshkey_type(key), fp,		    options.revoked_keys_file, ssh_err(r));		goto out;	}	/* Success */	r = 0; out:	free(fp);	return r == 0 ? 0 : 1;}

inthostfile_replace_entries(const char *filename, const char *host, const char *ip,    struct sshkey **keys, size_t nkeys, int store_hash, int quiet, int hash_alg){	int r, fd, oerrno = 0;	int loglevel = quiet ? SYSLOG_LEVEL_DEBUG1 : SYSLOG_LEVEL_VERBOSE;	struct host_delete_ctx ctx;	char *fp, *temp = NULL, *back = NULL;	mode_t omask;	size_t i;	omask = umask(077);	memset(&ctx, 0, sizeof(ctx));	ctx.host = host;	ctx.quiet = quiet;	if ((ctx.skip_keys = calloc(nkeys, sizeof(*ctx.skip_keys))) == NULL)		return SSH_ERR_ALLOC_FAIL;	ctx.keys = keys;	ctx.nkeys = nkeys;	ctx.modified = 0;	/*	 * Prepare temporary file for in-place deletion.	 */	if ((r = asprintf(&temp, "%s.XXXXXXXXXXX", filename)) < 0 ||	    (r = asprintf(&back, "%s.old", filename)) < 0) {		r = SSH_ERR_ALLOC_FAIL;		goto fail;	}	if ((fd = mkstemp(temp)) == -1) {		oerrno = errno;		error("%s: mkstemp: %s", __func__, strerror(oerrno));		r = SSH_ERR_SYSTEM_ERROR;		goto fail;	}	if ((ctx.out = fdopen(fd, "w")) == NULL) {		oerrno = errno;		close(fd);		error("%s: fdopen: %s", __func__, strerror(oerrno));		r = SSH_ERR_SYSTEM_ERROR;		goto fail;	}	/* Remove all entries for the specified host from the file */	if ((r = hostkeys_foreach(filename, host_delete, &ctx, host, ip,	    HKF_WANT_PARSE_KEY)) != 0) {		error("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r));		goto fail;	}	/* Add the requested keys */	for (i = 0; i < nkeys; i++) {		if (ctx.skip_keys[i])			continue;		if ((fp = sshkey_fingerprint(keys[i], hash_alg,		    SSH_FP_DEFAULT)) == NULL) {			r = SSH_ERR_ALLOC_FAIL;			goto fail;		}		do_log2(loglevel, "%s%sAdding new key for %s to %s: %s %s",		    quiet ? __func__ : "", quiet ? ": " : "", host, filename,		    sshkey_ssh_name(keys[i]), fp);		free(fp);		if (!write_host_entry(ctx.out, host, ip, keys[i], store_hash)) {			r = SSH_ERR_INTERNAL_ERROR;			goto fail;		}		ctx.modified = 1;	}	fclose(ctx.out);	ctx.out = NULL;	if (ctx.modified) {		/* Backup the original file and replace it with the temporary */		if (unlink(back) == -1 && errno != ENOENT) {			oerrno = errno;			error("%s: unlink %.100s: %s", __func__,			    back, strerror(errno));			r = SSH_ERR_SYSTEM_ERROR;			goto fail;		}		if (link(filename, back) == -1) {			oerrno = errno;			error("%s: link %.100s to %.100s: %s", __func__,			    filename, back, strerror(errno));			r = SSH_ERR_SYSTEM_ERROR;			goto fail;		}		if (rename(temp, filename) == -1) {			oerrno = errno;			error("%s: rename /"%s/" to /"%s/": %s", __func__,			    temp, filename, strerror(errno));			r = SSH_ERR_SYSTEM_ERROR;			goto fail;		}	} else {		/* No changes made; just delete the temporary file */		if (unlink(temp) != 0)//.........这里部分代码省略.........

/* returns 0 if key verifies or -1 if key does NOT verify */intverify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key){	int r = -1, flags = 0;	char *fp = NULL;	struct sshkey *plain = NULL;	if ((fp = sshkey_fingerprint(host_key,	    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {		error("%s: fingerprint host key: %s", __func__, ssh_err(r));		r = -1;		goto out;	}	debug("Server host key: %s %s",	    compat20 ? sshkey_ssh_name(host_key) : sshkey_type(host_key), fp);	if (sshkey_equal(previous_host_key, host_key)) {		debug2("%s: server host key %s %s matches cached key",		    __func__, sshkey_type(host_key), fp);		r = 0;		goto out;	}	/* Check in RevokedHostKeys file if specified */	if (options.revoked_host_keys != NULL) {		r = sshkey_check_revoked(host_key, options.revoked_host_keys);		switch (r) {		case 0:			break; /* not revoked */		case SSH_ERR_KEY_REVOKED:			error("Host key %s %s revoked by file %s",			    sshkey_type(host_key), fp,			    options.revoked_host_keys);			r = -1;			goto out;		default:			error("Error checking host key %s %s in "			    "revoked keys file %s: %s", sshkey_type(host_key),			    fp, options.revoked_host_keys, ssh_err(r));			r = -1;			goto out;		}	}	if (options.verify_host_key_dns) {		/*		 * XXX certs are not yet supported for DNS, so downgrade		 * them and try the plain key.		 */		if ((r = sshkey_from_private(host_key, &plain)) != 0)			goto out;		if (sshkey_is_cert(plain))			sshkey_drop_cert(plain);		if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {			if (flags & DNS_VERIFY_FOUND) {				if (options.verify_host_key_dns == 1 &&				    flags & DNS_VERIFY_MATCH &&				    flags & DNS_VERIFY_SECURE) {					r = 0;					goto out;				}				if (flags & DNS_VERIFY_MATCH) {					matching_host_key_dns = 1;				} else {					warn_changed_key(plain);					error("Update the SSHFP RR in DNS "					    "with the new host key to get rid "					    "of this message.");				}			}		}	}	r = check_host_key(host, hostaddr, options.port, host_key, RDRW,	    options.user_hostfiles, options.num_user_hostfiles,	    options.system_hostfiles, options.num_system_hostfiles);out:	sshkey_free(plain);	free(fp);	if (r == 0 && host_key != NULL) {		key_free(previous_host_key);		previous_host_key = key_from_private(host_key);	}	return r;}

voidsshkey_file_tests(void){	struct sshkey *k1, *k2;	struct sshbuf *buf, *pw;	BIGNUM *a, *b, *c;	char *cp;	TEST_START("load passphrase");	pw = load_text_file("pw");	TEST_DONE();#ifdef WITH_SSH1	TEST_START("parse RSA1 from private");	buf = load_file("rsa1_1");	ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "rsa1_1",	    &k1, NULL), 0);	sshbuf_free(buf);	ASSERT_PTR_NE(k1, NULL);	a = load_bignum("rsa1_1.param.n");	ASSERT_BIGNUM_EQ(k1->rsa->n, a);	BN_free(a);	TEST_DONE();	TEST_START("parse RSA1 from private w/ passphrase");	buf = load_file("rsa1_1_pw");	ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,	    (const char *)sshbuf_ptr(pw), "rsa1_1_pw", &k2, NULL), 0);	sshbuf_free(buf);	ASSERT_PTR_NE(k2, NULL);	ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);	sshkey_free(k2);	TEST_DONE();	TEST_START("load RSA1 from public");	ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa1_1.pub"), &k2,	    NULL), 0);	ASSERT_PTR_NE(k2, NULL);	ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);	sshkey_free(k2);	TEST_DONE();	TEST_START("RSA1 key hex fingerprint");	buf = load_text_file("rsa1_1.fp");	cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX);	ASSERT_PTR_NE(cp, NULL);	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));	sshbuf_free(buf);	free(cp);	TEST_DONE();	TEST_START("RSA1 key bubblebabble fingerprint");	buf = load_text_file("rsa1_1.fp.bb");	cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);	ASSERT_PTR_NE(cp, NULL);	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));	sshbuf_free(buf);	free(cp);	TEST_DONE();	sshkey_free(k1);#endif	TEST_START("parse RSA from private");	buf = load_file("rsa_1");	ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "rsa_1",	    &k1, NULL), 0);	sshbuf_free(buf);	ASSERT_PTR_NE(k1, NULL);	a = load_bignum("rsa_1.param.n");	b = load_bignum("rsa_1.param.p");	c = load_bignum("rsa_1.param.q");	ASSERT_BIGNUM_EQ(k1->rsa->n, a);	ASSERT_BIGNUM_EQ(k1->rsa->p, b);	ASSERT_BIGNUM_EQ(k1->rsa->q, c);	BN_free(a);	BN_free(b);	BN_free(c);	TEST_DONE();	TEST_START("parse RSA from private w/ passphrase");	buf = load_file("rsa_1_pw");	ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,	    (const char *)sshbuf_ptr(pw), "rsa_1_pw", &k2, NULL), 0);	sshbuf_free(buf);	ASSERT_PTR_NE(k2, NULL);	ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);	sshkey_free(k2);	TEST_DONE();	TEST_START("parse RSA from new-format");	buf = load_file("rsa_n");	ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,	    "", "rsa_n", &k2, NULL), 0);	sshbuf_free(buf);	ASSERT_PTR_NE(k2, NULL);	ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);	sshkey_free(k2);	TEST_DONE();//.........这里部分代码省略.........

/* returns 0 if key verifies or -1 if key does NOT verify */intverify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key){	u_int i;	int r = -1, flags = 0;	char valid[64], *fp = NULL, *cafp = NULL;	struct sshkey *plain = NULL;	if ((fp = sshkey_fingerprint(host_key,	    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {		error("%s: fingerprint host key: %s", __func__, ssh_err(r));		r = -1;		goto out;	}	if (sshkey_is_cert(host_key)) {		if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,		    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {			error("%s: fingerprint CA key: %s",			    __func__, ssh_err(r));			r = -1;			goto out;		}		sshkey_format_cert_validity(host_key->cert,		    valid, sizeof(valid));		debug("Server host certificate: %s %s, serial %llu "		    "ID /"%s/" CA %s %s valid %s",		    sshkey_ssh_name(host_key), fp,		    (unsigned long long)host_key->cert->serial,		    host_key->cert->key_id,		    sshkey_ssh_name(host_key->cert->signature_key), cafp,		    valid);		for (i = 0; i < host_key->cert->nprincipals; i++) {			debug2("Server host certificate hostname: %s",			    host_key->cert->principals[i]);		}	} else {		debug("Server host key: %s %s", sshkey_ssh_name(host_key), fp);	}	if (sshkey_equal(previous_host_key, host_key)) {		debug2("%s: server host key %s %s matches cached key",		    __func__, sshkey_type(host_key), fp);		r = 0;		goto out;	}	/* Check in RevokedHostKeys file if specified */	if (options.revoked_host_keys != NULL) {		r = sshkey_check_revoked(host_key, options.revoked_host_keys);		switch (r) {		case 0:			break; /* not revoked */		case SSH_ERR_KEY_REVOKED:			error("Host key %s %s revoked by file %s",			    sshkey_type(host_key), fp,			    options.revoked_host_keys);			r = -1;			goto out;		default:			error("Error checking host key %s %s in "			    "revoked keys file %s: %s", sshkey_type(host_key),			    fp, options.revoked_host_keys, ssh_err(r));			r = -1;			goto out;		}	}	if (options.verify_host_key_dns) {		/*		 * XXX certs are not yet supported for DNS, so downgrade		 * them and try the plain key.		 */		if ((r = sshkey_from_private(host_key, &plain)) != 0)			goto out;		if (sshkey_is_cert(plain))			sshkey_drop_cert(plain);		if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {			if (flags & DNS_VERIFY_FOUND) {				if (options.verify_host_key_dns == 1 &&				    flags & DNS_VERIFY_MATCH &&				    flags & DNS_VERIFY_SECURE) {					r = 0;					goto out;				}				if (flags & DNS_VERIFY_MATCH) {					matching_host_key_dns = 1;				} else {					warn_changed_key(plain);					error("Update the SSHFP RR in DNS "					    "with the new host key to get rid "					    "of this message.");				}			}		}	}	r = check_host_key(host, hostaddr, options.port, host_key, RDRW,	    options.user_hostfiles, options.num_user_hostfiles,	    options.system_hostfiles, options.num_system_hostfiles);//.........这里部分代码省略.........

voidsshkey_file_tests(void){	struct sshkey *k1, *k2;	struct sshbuf *buf, *pw;	BIGNUM *a, *b, *c;	char *cp;	TEST_START("load passphrase");	pw = load_text_file("pw");	TEST_DONE();	TEST_START("parse RSA1 from private");	buf = load_file("rsa1_1");	ASSERT_INT_EQ(sshkey_parse_private(buf, "", "rsa1_1", &k1, NULL), 0);	sshbuf_free(buf);	ASSERT_PTR_NE(k1, NULL);	a = load_bignum("rsa1_1.param.n");	ASSERT_BIGNUM_EQ(k1->rsa->n, a);	BN_free(a);	TEST_DONE();	TEST_START("parse RSA from private w/ passphrase");	buf = load_file("rsa1_1_pw");	ASSERT_INT_EQ(sshkey_parse_private(buf, sshbuf_ptr(pw), "rsa1_1_pw",	    &k2, NULL), 0);	sshbuf_free(buf);	ASSERT_PTR_NE(k2, NULL);	ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);	sshkey_free(k2);	TEST_DONE();	TEST_START("load RSA from public");	ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa1_1.pub"), &k2,	    NULL), 0);	ASSERT_PTR_NE(k2, NULL);	ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);	sshkey_free(k2);	TEST_DONE();	TEST_START("RSA key hex fingerprint");	buf = load_text_file("rsa1_1.fp");	cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);	ASSERT_PTR_NE(cp, NULL);	ASSERT_STRING_EQ(cp, sshbuf_ptr(buf));	sshbuf_free(buf);	free(cp);	TEST_DONE();	TEST_START("RSA key bubblebabble fingerprint");	buf = load_text_file("rsa1_1.fp.bb");	cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);	ASSERT_PTR_NE(cp, NULL);	ASSERT_STRING_EQ(cp, sshbuf_ptr(buf));	sshbuf_free(buf);	free(cp);	TEST_DONE();	sshkey_free(k1);	TEST_START("parse RSA from private");	buf = load_file("rsa_1");	ASSERT_INT_EQ(sshkey_parse_private(buf, "", "rsa_1", &k1, NULL), 0);	sshbuf_free(buf);	ASSERT_PTR_NE(k1, NULL);	a = load_bignum("rsa_1.param.n");	b = load_bignum("rsa_1.param.p");	c = load_bignum("rsa_1.param.q");	ASSERT_BIGNUM_EQ(k1->rsa->n, a);	ASSERT_BIGNUM_EQ(k1->rsa->p, b);	ASSERT_BIGNUM_EQ(k1->rsa->q, c);	BN_free(a);	BN_free(b);	BN_free(c);	TEST_DONE();	TEST_START("parse RSA from private w/ passphrase");	buf = load_file("rsa_1_pw");	ASSERT_INT_EQ(sshkey_parse_private(buf, sshbuf_ptr(pw), "rsa_1_pw",	    &k2, NULL), 0);	sshbuf_free(buf);	ASSERT_PTR_NE(k2, NULL);	ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);	sshkey_free(k2);	TEST_DONE();	TEST_START("load RSA from public");	ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_1.pub"), &k2,	    NULL), 0);	ASSERT_PTR_NE(k2, NULL);	ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);	sshkey_free(k2);	TEST_DONE();	TEST_START("RSA key hex fingerprint");	buf = load_text_file("rsa_1.fp");	cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);	ASSERT_PTR_NE(cp, NULL);	ASSERT_STRING_EQ(cp, sshbuf_ptr(buf));	sshbuf_free(buf);//.........这里部分代码省略.........

/* * Checks whether key is allowed in authorized_keys-format file, * returns 1 if the key is allowed or 0 otherwise. */static intcheck_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw){	char line[SSH_MAX_PUBKEY_BYTES];	const char *reason;	int found_key = 0;	u_long linenum = 0;	Key *found;	char *fp;	found_key = 0;	found = NULL;	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {		char *cp, *key_options = NULL;		if (found != NULL)			key_free(found);		found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);		auth_clear_options();		/* Skip leading whitespace, empty and comment lines. */		for (cp = line; *cp == ' ' || *cp == '/t'; cp++)			;		if (!*cp || *cp == '/n' || *cp == '#')			continue;		if (key_read(found, &cp) != 1) {			/* no key?  check if there are options for this key */			int quoted = 0;			debug2("user_key_allowed: check options: '%s'", cp);			key_options = cp;			for (; *cp && (quoted || (*cp != ' ' && *cp != '/t')); cp++) {				if (*cp == '//' && cp[1] == '"')					cp++;	/* Skip both */				else if (*cp == '"')					quoted = !quoted;			}			/* Skip remaining whitespace. */			for (; *cp == ' ' || *cp == '/t'; cp++)				;			if (key_read(found, &cp) != 1) {				debug2("user_key_allowed: advance: '%s'", cp);				/* still no key?  advance to next line*/				continue;			}		}		if (key_is_cert(key)) {			if (!key_equal(found, key->cert->signature_key))				continue;			if (auth_parse_options(pw, key_options, file,			    linenum) != 1)				continue;			if (!key_is_cert_authority)				continue;			if ((fp = sshkey_fingerprint(found,			    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)				continue;			debug("matching CA found: file %s, line %lu, %s %s",			    file, linenum, key_type(found), fp);			/*			 * If the user has specified a list of principals as			 * a key option, then prefer that list to matching			 * their username in the certificate principals list.			 */			if (authorized_principals != NULL &&			    !match_principals_option(authorized_principals,			    key->cert)) {				reason = "Certificate does not contain an "				    "authorized principal"; fail_reason:				free(fp);				error("%s", reason);				auth_debug_add("%s", reason);				continue;			}			if (key_cert_check_authority(key, 0, 0,			    authorized_principals == NULL ? pw->pw_name : NULL,			    &reason) != 0)				goto fail_reason;			if (auth_cert_options(key, pw) != 0) {				free(fp);				continue;			}			verbose("Accepted certificate ID /"%s/" "			    "signed by %s CA %s via %s", key->cert->key_id,			    key_type(found), fp, file);			free(fp);			found_key = 1;			break;		} else if (key_equal(found, key)) {			if (auth_parse_options(pw, key_options, file,			    linenum) != 1)				continue;			if (key_is_cert_authority)				continue;			if ((fp = sshkey_fingerprint(found,//.........这里部分代码省略.........

/* return 1 if given hostkey is allowed */inthostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,    struct sshkey *key){	struct ssh *ssh = active_state; /* XXX */	const char *resolvedname, *ipaddr, *lookup, *reason;	HostStatus host_status;	int len;	char *fp;	if (auth_key_is_revoked(key))		return 0;	resolvedname = auth_get_canonical_hostname(ssh, options.use_dns);	ipaddr = ssh_remote_ipaddr(ssh);	debug2("%s: chost %s resolvedname %s ipaddr %s", __func__,	    chost, resolvedname, ipaddr);	if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {		debug2("stripping trailing dot from chost %s", chost);		chost[len - 1] = '/0';	}	if (options.hostbased_uses_name_from_packet_only) {		if (auth_rhosts2(pw, cuser, chost, chost) == 0) {			debug2("%s: auth_rhosts2 refused "			    "user /"%.100s/" host /"%.100s/" (from packet)",			    __func__, cuser, chost);			return 0;		}		lookup = chost;	} else {		if (strcasecmp(resolvedname, chost) != 0)			logit("userauth_hostbased mismatch: "			    "client sends %s, but we resolve %s to %s",			    chost, ipaddr, resolvedname);		if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0) {			debug2("%s: auth_rhosts2 refused "			    "user /"%.100s/" host /"%.100s/" addr /"%.100s/"",			    __func__, cuser, resolvedname, ipaddr);			return 0;		}		lookup = resolvedname;	}	debug2("%s: access allowed by auth_rhosts2", __func__);	if (sshkey_is_cert(key) &&	    sshkey_cert_check_authority(key, 1, 0, lookup, &reason)) {		error("%s", reason);		auth_debug_add("%s", reason);		return 0;	}	host_status = check_key_in_hostfiles(pw, key, lookup,	    _PATH_SSH_SYSTEM_HOSTFILE,	    options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);	/* backward compat if no key has been found. */	if (host_status == HOST_NEW) {		host_status = check_key_in_hostfiles(pw, key, lookup,		    _PATH_SSH_SYSTEM_HOSTFILE2,		    options.ignore_user_known_hosts ? NULL :		    _PATH_SSH_USER_HOSTFILE2);	}	if (host_status == HOST_OK) {		if (sshkey_is_cert(key)) {			if ((fp = sshkey_fingerprint(key->cert->signature_key,			    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)				fatal("%s: sshkey_fingerprint fail", __func__);			verbose("Accepted certificate ID /"%s/" signed by "			    "%s CA %s from %[email
C++ sshkey_free函数代码示例
C++ sshbuf_reset函数代码示例