authorRobin H. Johnson <robbat2@gentoo.org>2016-01-12 23:43:20 -0800
committerSitaram Chamarty <sitaram@atc.tcs.com>2016-01-19 20:31:27 +0530
commit37d14c18be60bc0b460fd10994d61d7db81451d6 (patch)
treecdbd676348f1f7a71112601be20e7c2b62ad897b
parentallow pre-auto-gc also when adding repo specific hooks (diff)
Add helper functions for SSH fingerprints.
New Gitolite::Common functions: ssh_fingerprint_file ssh_fingerprint_line The existing code for new-style fingerprint did not correctly match on some inputs, as it was not strict enough about the MD5-format fingerprint. Additionally, some places in the codebase had not been updated for new-style fingerprints at all. Two fingerprints both starting with 'SHA256:34' were matched by the old regex as '56:34', instead of a full MD5 fingerprint, and gitolite mistakenly thought they were identical. This held for ANY new form fingerprint where both the hashname ended with AND the hash content started with [0-9a-f]{2}. Be stricter about the form of the fingerprints instead: - MD5 can have a 'MD5:' prefix (new OpenSSH versions only). - MD5 has a known length (16 octets of hex digits, with colons) - Other hashes are more than just SHA256, but all follow the form '$HASHNAME:$base64_str' This commit introduces the new functions only. Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
-rw-r--r--src/lib/Gitolite/Common.pm42
1 files changed, 42 insertions, 0 deletions
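--- a/src/lib/Gitolite/Common.pm
+++ b/src/lib/Gitolite/Common.pm
@@ -16,10 +16,14 @@ package Gitolite::Common;
 dd
 t_start
 t_lap
+
+ ssh_fingerprint_file
+ ssh_fingerprint_line
 );
 #>>>
 use Exporter 'import';
 use File::Path qw(mkpath);
+use File::Temp qw(tempfile);
 use Carp qw(carp cluck croak confess);
 use strict;
@@ -333,6 +337,44 @@ sub logger_plus_stderr {
 }
 # ----------------------------------------------------------------------
+# Get the SSH fingerprint of a file
+# If the fingerprint cannot be parsed, it will be undef
+# In a scalar context, returns the fingerprint
+# In a list context, returns (fingerprint, output) where output
+# is the raw output of the ssh-keygen command
+sub ssh_fingerprint_file {
+ my $in = shift;
+ -f $in or die "file not found: $in\n";
+ my $fh;
+ open( $fh, "ssh-keygen -l -f $in |" ) or die "could not fork: $!\n";
+ my $output = <$fh>;
+ chomp $output;
+ # dbg("fp = $fp");
+ close $fh;
+ # Return a valid fingerprint or undef
+ my $fp = undef;
+ if($output =~ /((?:MD5:)?(?:[0-9a-f]{2}:){15}[0-9a-f]{2})/i or
+ $output =~ m{((?:RIPEMD|SHA)\d+:[A-ZA-z0-9+/=]+)}i) {
+ $fp = $1;
+ }
+ return wantarray ? ($fp, $output) : $fp;
+}
+
+# Get the SSH fingerprint of a line of text
+# If the fingerprint cannot be parsed, it will be undef
+# In a scalar context, returns the fingerprint
+# In a list context, returns (fingerprint, output) where output
+# is the raw output of the ssh-keygen command
+sub ssh_fingerprint_line {
+ my ( $fh, $fn ) = tempfile();
+ print $fh shift() . "\n";
+ close $fh;
+ my ($fp,$output) = ssh_fingerprint_file($fn);
+ unlink $fn;
+ return wantarray ? ($fp,$output) : $fp;
+}
+
+# ----------------------------------------------------------------------
 # bare-minimum subset of 'Tsh' (see github.com/sitaramc/tsh)
 {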
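Review bot: `open( $fh, "ssh-keygen -l -f $in |" )` in ssh_fingerprint_file hands the interpolated file name to a shell, so a key path containing shell metacharacters is executed rather than fingerprinted, and the preceding `-f $in` check does not prevent that because such a file can exist; the list form runs the command without a shell: `open( $fh, '-|', 'ssh-keygen', '-l', '-f', $in ) or die "could not fork: $!\n";`. Separately, the second pattern's character class `[A-ZA-z0-9+/=]` looks like a typo for `[A-Za-z0-9+/=]` — the `A-z` range also admits `[`, `\`, `]`, `^`, `_` and the backtick, so a malformed line can still be accepted as a fingerprint. Finally, when ssh-keygen fails on unreadable or non-key input `<$fh>` returns undef, and `chomp $output` plus the two matches then run on undef under `use strict`/warnings; checking the status of `close $fh` (which reflects the child's exit) or defaulting `$output` to `''` before the match would make the documented undef return path explicit. The first hunk only extends the export list and imports and needs no change.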