resolve: add converters for sshfp key types and algs

With the data center move in the Fedora project, the ssh keys have changed. The list with numerical values is hard to read… $ resolvectl -t sshfp query pkgs.fedoraproject.org Old: pkgs.fedoraproject.org IN SSHFP 1 1 18270c9131ef9664861f5aa675a981146573cce0 -- link: wlp0s20f3 pkgs.fedoraproject.org IN SSHFP 1 2 b067e6eb4c3e2d0e8bb37d6799493b762131816fe979940bbe660470abe6efbb -- link: wlp0s20f3 pkgs.fedoraproject.org IN SSHFP 3 1 a1ad871a5eabe3027728d498a89895fb5bf5b290 -- link: wlp0s20f3 pkgs.fedoraproject.org IN SSHFP 3 2 c3dc523f99bb5155ec87f40fd1aa198c68f349d75beeccf60e87b44c9b461907 -- link: wlp0s20f3 pkgs.fedoraproject.org IN SSHFP 4 1 e1265f46012ee40967127e06cf5533b270568428 -- link: wlp0s20f3 pkgs.fedoraproject.org IN SSHFP 4 2 acaa1ee6292d01f1ae7881fdf03aaf7d7b0814e34e94c3558a25e4d1aaab8f94 -- link: wlp0s20f3 New: pkgs.fedoraproject.org IN SSHFP RSA SHA-1 18270c9131ef9664861f5aa675a981146573cce0 -- link: wlp0s20f3 pkgs.fedoraproject.org IN SSHFP RSA SHA-256 b067e6eb4c3e2d0e8bb37d6799493b762131816fe979940bbe660470abe6efbb -- link: wlp0s20f3 pkgs.fedoraproject.org IN SSHFP ECDSA SHA-1 a1ad871a5eabe3027728d498a89895fb5bf5b290 -- link: wlp0s20f3 pkgs.fedoraproject.org IN SSHFP ECDSA SHA-256 c3dc523f99bb5155ec87f40fd1aa198c68f349d75beeccf60e87b44c9b461907 -- link: wlp0s20f3 pkgs.fedoraproject.org IN SSHFP Ed25519 SHA-1 e1265f46012ee40967127e06cf5533b270568428 -- link: wlp0s20f3 pkgs.fedoraproject.org IN SSHFP Ed25519 SHA-256 acaa1ee6292d01f1ae7881fdf03aaf7d7b0814e34e94c3558a25e4d1aaab8f94 -- link: wlp0s20f3
2026-04-14 16:37:19 +09:00 · 2025-07-03 10:11:03 +02:00
parent f1a00fcb97
commit 867cba15bc
2 changed files with 59 additions and 6 deletions
--- a/src/resolve/resolved-dns-rr.c
+++ b/src/resolve/resolved-dns-rr.c
@@ -1104,19 +1104,27 @@ const char* dns_resource_record_to_string(DnsResourceRecord *rr) {
                        return NULL;
                break;

-        case DNS_TYPE_SSHFP:
+        case DNS_TYPE_SSHFP: {
+                _cleanup_free_ char *alg = NULL, *key_type = NULL;
+
                t = hexmem(rr->sshfp.fingerprint, rr->sshfp.fingerprint_size);
                if (!t)
                        return NULL;

-                r = asprintf(&s, "%s %u %u %s",
-                             k,
-                             rr->sshfp.algorithm,
-                             rr->sshfp.fptype,
-                             t);
+                r = sshfp_algorithm_to_string_alloc(rr->sshfp.algorithm, &alg);
+                if (r < 0)
+                        return NULL;
+
+                r = sshfp_key_type_to_string_alloc(rr->sshfp.fptype, &key_type);
+                if (r < 0)
+                        return NULL;
+
+                r = asprintf(&s, "%s "SSHFP_ALGORITHM_FMT" "SSHFP_KEY_TYPE_FMT" %s",
+                             k, alg, key_type, t);
                if (r < 0)
                        return NULL;
                break;
+        }

        case DNS_TYPE_DNSKEY: {
                _cleanup_free_ char *alg = NULL;
@@ -2517,3 +2525,18 @@ static const char* const dnssec_digest_table[_DNSSEC_DIGEST_MAX_DEFINED] = {
        [DNSSEC_DIGEST_SHA384]          = "SHA-384",
 };
 DEFINE_STRING_TABLE_LOOKUP_WITH_FALLBACK(dnssec_digest, int, 255);
+
+static const char* const sshfp_algorithm_table[_SSHFP_ALGORITHM_MAX_DEFINED] = {
+        [SSHFP_ALGORITHM_RSA]     = "RSA",     /* RFC 4255 */
+        [SSHFP_ALGORITHM_DSA]     = "DSA",     /* RFC 4255 */
+        [SSHFP_ALGORITHM_ECDSA]   = "ECDSA",   /* RFC 6594 */
+        [SSHFP_ALGORITHM_ED25519] = "Ed25519", /* RFC 7479 */
+        [SSHFP_ALGORITHM_ED448]   = "Ed448",   /* RFC 8709 */
+};
+DEFINE_STRING_TABLE_LOOKUP_WITH_FALLBACK(sshfp_algorithm, int, 255);
+
+static const char* const sshfp_key_type_table[_SSHFP_KEY_TYPE_MAX_DEFINED] = {
+        [SSHFP_KEY_TYPE_SHA1]     = "SHA-1",     /* RFC 4255 */
+        [SSHFP_KEY_TYPE_SHA256]   = "SHA-256",   /* RFC 4255 */
+};
+DEFINE_STRING_TABLE_LOOKUP_WITH_FALLBACK(sshfp_key_type, int, 255);
--- a/src/resolve/resolved-dns-rr.h
+++ b/src/resolve/resolved-dns-rr.h
@@ -57,6 +57,30 @@ enum {
        _NSEC3_ALGORITHM_MAX_DEFINED
 };

+/* SSHFP algorithm identifiers, see
+ * https://www.iana.org/assignments/dns-sshfp-rr-parameters/dns-sshfp-rr-parameters.xhtml */
+enum {
+        SSHFP_ALGORITHM_RSA     = 1,   /* RFC 4255 */
+        SSHFP_ALGORITHM_DSA     = 2,   /* RFC 4255 */
+        SSHFP_ALGORITHM_ECDSA   = 3,   /* RFC 6594 */
+        SSHFP_ALGORITHM_ED25519 = 4,   /* RFC 7479 */
+        /* unassigned */
+        SSHFP_ALGORITHM_ED448   = 6,   /* RFC 8709 */
+        _SSHFP_ALGORITHM_MAX_DEFINED
+};
+/* A helper to align printed output */
+#define SSHFP_ALGORITHM_FMT "%-7s"
+
+/* SSHFP key-type identifiers, see
+ * https://www.iana.org/assignments/dns-sshfp-rr-parameters/dns-sshfp-rr-parameters.xhtml */
+enum {
+        SSHFP_KEY_TYPE_SHA1     = 1,   /* RFC 4255 */
+        SSHFP_KEY_TYPE_SHA256   = 2,   /* RFC 4255 */
+        _SSHFP_KEY_TYPE_MAX_DEFINED
+};
+/* A helper to align printed output */
+#define SSHFP_KEY_TYPE_FMT "%-7s"
+
 typedef struct DnsResourceKey {
        unsigned n_ref; /* (unsigned -1) for const keys, see below */
        uint16_t class, type;
@@ -412,3 +436,9 @@ int dnssec_algorithm_from_string(const char *s) _pure_;

 int dnssec_digest_to_string_alloc(int i, char **ret);
 int dnssec_digest_from_string(const char *s) _pure_;
+
+int sshfp_algorithm_to_string_alloc(int i, char **ret);
+int sshfp_algorithm_from_string(const char *s) _pure_;
+
+int sshfp_key_type_to_string_alloc(int i, char **ret);
+int sshfp_key_type_from_string(const char *s) _pure_;