src/usr.bin/ssh/ssh-keygen.c - diff

Return to ssh-keygen.c CVS log

Up to [local] / src / usr.bin / ssh

Diff for /src/usr.bin/ssh/ssh-keygen.c between version 1.212 and 1.226

version 1.212, 2011/10/16 15:02:41

version 1.226, 2013/04/19 01:01:00

Line 40

#include "match.h"

#include "hostfile.h"

#include "dns.h"

#include "ssh.h"

#include "ssh2.h"

#include "atomicio.h"

#include "krl.h"

#ifdef ENABLE_PKCS11

#include "ssh-pkcs11.h"

Line 99

Line 102

char *ca_key_path = NULL;

/* Certificate serial number */

long long cert_serial = 0;

unsigned long long cert_serial = 0;

/* Key type when certifying */

u_int cert_key_type = SSH2_CERT_TYPE_USER;

Line 149

Line 152

/* moduli.c */

int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);

int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *);

int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *, unsigned long,

unsigned long);

static void

type_bits_valid(int type, u_int32_t *bitsp)

Line 258

Line 262

u_char *blob;

char comment[61];

if (k->type == KEY_RSA1) {

fprintf(stderr, "version 1 keys are not supported\n");

exit(1);

}

if (key_to_blob(k, &blob, &len) <= 0) {

fprintf(stderr, "key_to_blob failed\n");

exit(1);

Line 281

Line 289

do_convert_to_pkcs8(Key *k)

{

switch (key_type_plain(k->type)) {

case KEY_RSA1:

case KEY_RSA:

if (!PEM_write_RSA_PUBKEY(stdout, k->rsa))

fatal("PEM_write_RSA_PUBKEY failed");

Line 303

Line 312

do_convert_to_pem(Key *k)

{

switch (key_type_plain(k->type)) {

case KEY_RSA1:

case KEY_RSA:

if (!PEM_write_RSAPublicKey(stdout, k->rsa))

fatal("PEM_write_RSAPublicKey failed");

Line 336

Line 346

exit(1);

}

if (k->type == KEY_RSA1) {

fprintf(stderr, "version 1 keys are not supported\n");

exit(1);

}

switch (convert_format) {

case FMT_RFC4716:

Line 707

Line 713

#ifdef ENABLE_PKCS11

Key **keys = NULL;

int i, nkeys;

enum fp_rep rep;

enum fp_type fptype;

char *fp, *ra;

fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;

rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;

pkcs11_init(0);

nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys);

if (nkeys <= 0)

fatal("cannot read public key from pkcs11");

for (i = 0; i < nkeys; i++) {

key_write(keys[i], stdout);

if (print_fingerprint) {

fp = key_fingerprint(keys[i], fptype, rep);

ra = key_fingerprint(keys[i], SSH_FP_MD5,

SSH_FP_RANDOMART);

printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]),

fp, key_type(keys[i]));

if (log_level >= SYSLOG_LEVEL_VERBOSE)

printf("%s\n", ra);

xfree(ra);

xfree(fp);

} else {

key_write(keys[i], stdout);

fprintf(stdout, "\n");

}

key_free(keys[i]);

fprintf(stdout, "\n");

}

xfree(keys);

pkcs11_terminate();

Line 1070

Line 1094

ca ? " (CA key)" : "");

printhost(out, cp, pub, ca, 0);

}

if (delete_host && !c && !ca)

if (delete_host) {

printhost(out, cp, pub, ca, 0);

if (!c && !ca)

printhost(out, cp, pub, ca, 0);

else

printf("# Host %s found: "

"line %d type %s\n", name,

num, key_type(pub));

}

} else if (hash_hosts)

printhost(out, cp, pub, ca, 0);

} else {

Line 1086

Line 1116

printhost(out, name, pub,

ca, hash_hosts && !ca);

}

if (delete_host && !c && !ca)

if (delete_host) {

printhost(out, cp, pub, ca, 0);

if (!c && !ca)

printhost(out, cp, pub, ca, 0);

else

printf("# Host %s found: "

"line %d type %s\n", name,

num, key_type(pub));

}

} else if (hash_hosts) {

for (cp2 = strsep(&cp, ",");

cp2 != NULL && *cp2 != '\0';

Line 1849

Line 1885

}

static void

load_krl(const char *path, struct ssh_krl **krlp)

{

Buffer krlbuf;

int fd;

buffer_init(&krlbuf);

if ((fd = open(path, O_RDONLY)) == -1)

fatal("open %s: %s", path, strerror(errno));

if (!key_load_file(fd, path, &krlbuf))

fatal("Unable to load KRL");

close(fd);

/* XXX check sigs */

if (ssh_krl_from_blob(&krlbuf, krlp, NULL, 0) != 0 ||

*krlp == NULL)

fatal("Invalid KRL file");

buffer_free(&krlbuf);

}

static void

update_krl_from_file(struct passwd *pw, const char *file, const Key *ca,

struct ssh_krl *krl)

{

Key *key = NULL;

u_long lnum = 0;

char *path, *cp, *ep, line[SSH_MAX_PUBKEY_BYTES];

unsigned long long serial, serial2;

int i, was_explicit_key, was_sha1, r;

FILE *krl_spec;

path = tilde_expand_filename(file, pw->pw_uid);

if (strcmp(path, "-") == 0) {

krl_spec = stdin;

free(path);

path = xstrdup("(standard input)");

} else if ((krl_spec = fopen(path, "r")) == NULL)

fatal("fopen %s: %s", path, strerror(errno));

if (!quiet)

printf("Revoking from %s\n", path);

while (read_keyfile_line(krl_spec, path, line, sizeof(line),

&lnum) == 0) {

was_explicit_key = was_sha1 = 0;

cp = line + strspn(line, " \t");

/* Trim trailing space, comments and strip \n */

for (i = 0, r = -1; cp[i] != '\0'; i++) {

if (cp[i] == '#' || cp[i] == '\n') {

cp[i] = '\0';

break;

}

if (cp[i] == ' ' || cp[i] == '\t') {

/* Remember the start of a span of whitespace */

if (r == -1)

r = i;

} else

r = -1;

}

if (r != -1)

cp[r] = '\0';

if (*cp == '\0')

continue;

if (strncasecmp(cp, "serial:", 7) == 0) {

if (ca == NULL) {

fatal("revoking certificated by serial number "

"requires specification of a CA key");

}

cp += 7;

cp = cp + strspn(cp, " \t");

errno = 0;

serial = strtoull(cp, &ep, 0);

if (*cp == '\0' || (*ep != '\0' && *ep != '-'))

fatal("%s:%lu: invalid serial \"%s\"",

path, lnum, cp);

if (errno == ERANGE && serial == ULLONG_MAX)

fatal("%s:%lu: serial out of range",

path, lnum);

serial2 = serial;

if (*ep == '-') {

cp = ep + 1;

errno = 0;

serial2 = strtoull(cp, &ep, 0);

if (*cp == '\0' || *ep != '\0')

fatal("%s:%lu: invalid serial \"%s\"",

path, lnum, cp);

if (errno == ERANGE && serial2 == ULLONG_MAX)

fatal("%s:%lu: serial out of range",

path, lnum);

if (serial2 <= serial)

fatal("%s:%lu: invalid serial range "

"%llu:%llu", path, lnum,

(unsigned long long)serial,

(unsigned long long)serial2);

}

if (ssh_krl_revoke_cert_by_serial_range(krl,

ca, serial, serial2) != 0) {

fatal("%s: revoke serial failed",

__func__);

}

} else if (strncasecmp(cp, "id:", 3) == 0) {

if (ca == NULL) {

fatal("revoking certificated by key ID "

"requires specification of a CA key");

}

cp += 3;

cp = cp + strspn(cp, " \t");

if (ssh_krl_revoke_cert_by_key_id(krl, ca, cp) != 0)

fatal("%s: revoke key ID failed", __func__);

} else {

if (strncasecmp(cp, "key:", 4) == 0) {

cp += 4;

cp = cp + strspn(cp, " \t");

was_explicit_key = 1;

} else if (strncasecmp(cp, "sha1:", 5) == 0) {

cp += 5;

cp = cp + strspn(cp, " \t");

was_sha1 = 1;

} else {

* Just try to process the line as a key.

* Parsing will fail if it isn't.

}

if ((key = key_new(KEY_UNSPEC)) == NULL)

fatal("key_new");

if (key_read(key, &cp) != 1)

fatal("%s:%lu: invalid key", path, lnum);

if (was_explicit_key)

r = ssh_krl_revoke_key_explicit(krl, key);

else if (was_sha1)

r = ssh_krl_revoke_key_sha1(krl, key);

else

r = ssh_krl_revoke_key(krl, key);

if (r != 0)

fatal("%s: revoke key failed", __func__);

key_free(key);

}

if (strcmp(path, "-") != 0)

fclose(krl_spec);

free(path);

}

static void

do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)

{

struct ssh_krl *krl;

struct stat sb;

Key *ca = NULL;

int fd, i;

char *tmp;

Buffer kbuf;

if (*identity_file == '\0')

fatal("KRL generation requires an output file");

if (stat(identity_file, &sb) == -1) {

if (errno != ENOENT)

fatal("Cannot access KRL \"%s\": %s",

identity_file, strerror(errno));

if (updating)

fatal("KRL \"%s\" does not exist", identity_file);

}

if (ca_key_path != NULL) {

tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);

if ((ca = key_load_public(tmp, NULL)) == NULL)

fatal("Cannot load CA public key %s", tmp);

xfree(tmp);

}

if (updating)

load_krl(identity_file, &krl);

else if ((krl = ssh_krl_init()) == NULL)

fatal("couldn't create KRL");

if (cert_serial != 0)

ssh_krl_set_version(krl, cert_serial);

if (identity_comment != NULL)

ssh_krl_set_comment(krl, identity_comment);

for (i = 0; i < argc; i++)

update_krl_from_file(pw, argv[i], ca, krl);

buffer_init(&kbuf);

if (ssh_krl_to_blob(krl, &kbuf, NULL, 0) != 0)

fatal("Couldn't generate KRL");

if ((fd = open(identity_file, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1)

fatal("open %s: %s", identity_file, strerror(errno));

if (atomicio(vwrite, fd, buffer_ptr(&kbuf), buffer_len(&kbuf)) !=

buffer_len(&kbuf))

fatal("write %s: %s", identity_file, strerror(errno));

close(fd);

buffer_free(&kbuf);

ssh_krl_free(krl);

if (ca != NULL)

key_free(ca);

}

static void

do_check_krl(struct passwd *pw, int argc, char **argv)

{

int i, r, ret = 0;

char *comment;

struct ssh_krl *krl;

Key *k;

if (*identity_file == '\0')

fatal("KRL checking requires an input file");

load_krl(identity_file, &krl);

for (i = 0; i < argc; i++) {

if ((k = key_load_public(argv[i], &comment)) == NULL)

fatal("Cannot load public key %s", argv[i]);

r = ssh_krl_check_key(krl, k);

printf("%s%s%s%s: %s\n", argv[i],

*comment ? " (" : "", comment, *comment ? ")" : "",

r == 0 ? "ok" : "REVOKED");

if (r != 0)

ret = 1;

key_free(k);

free(comment);

}

ssh_krl_free(krl);

exit(ret);

}

static void

usage(void)

{

fprintf(stderr, "usage: %s [options]\n", __progname);

Line 1871

Line 2130

fprintf(stderr, " -h Generate host certificate instead of a user certificate.\n");

fprintf(stderr, " -I key_id Key identifier to include in certificate.\n");

fprintf(stderr, " -i Import foreign format to OpenSSH key file.\n");

fprintf(stderr, " -J number Screen this number of moduli lines.\n");

fprintf(stderr, " -j number Start screening moduli at specified line.\n");

fprintf(stderr, " -K checkpt Write checkpoints to this file.\n");

fprintf(stderr, " -k Generate a KRL file.\n");

fprintf(stderr, " -L Print the contents of a certificate.\n");

fprintf(stderr, " -l Show fingerprint of key file.\n");

fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n");

Line 1881

Line 2143

fprintf(stderr, " -O option Specify a certificate option.\n");

fprintf(stderr, " -P phrase Provide old passphrase.\n");

fprintf(stderr, " -p Change passphrase of private key file.\n");

fprintf(stderr, " -Q Test whether key(s) are revoked in KRL.\n");

fprintf(stderr, " -q Quiet.\n");

fprintf(stderr, " -R hostname Remove host from known_hosts file.\n");

fprintf(stderr, " -r hostname Print DNS resource record.\n");

Line 1888

Line 2151

fprintf(stderr, " -s ca_key Certify keys with CA key.\n");

fprintf(stderr, " -T file Screen candidates for DH-GEX moduli.\n");

fprintf(stderr, " -t type Specify type of key to create.\n");

fprintf(stderr, " -u Update KRL rather than creating a new one.\n");

fprintf(stderr, " -V from:to Specify certificate validity interval.\n");

fprintf(stderr, " -v Verbose.\n");

fprintf(stderr, " -W gen Generator to use for generating DH-GEX moduli.\n");

Line 1905

Line 2169

{

char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2;

char *checkpoint = NULL;

char out_file[MAXPATHLEN], *rr_hostname = NULL;

char out_file[MAXPATHLEN], *ep, *rr_hostname = NULL;

Key *private, *public;

struct passwd *pw;

struct stat st;

int opt, type, fd;

u_int32_t memory = 0, generator_wanted = 0, trials = 100;

int do_gen_candidates = 0, do_screen_candidates = 0;

int gen_all_hostkeys = 0;

int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0;

unsigned long start_lineno = 0, lines_to_process = 0;

BIGNUM *start = NULL;

FILE *f;

const char *errstr;

Line 1937

Line 2202

exit(1);

}

while ((opt = getopt(argc, argv, "AegiqpclBHLhvxXyF:b:f:t:D:I:K:P:m:N:n:"

while ((opt = getopt(argc, argv, "ABHLQXceghiklpquvxy"

"O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) {

"C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:a:b:f:g:j:m:n:r:s:t:z:")) != -1) {

switch (opt) {

case 'A':

gen_all_hostkeys = 1;

Line 1959

Line 2224

case 'I':

cert_key_id = optarg;

break;

case 'J':

lines_to_process = strtoul(optarg, NULL, 10);

break;

case 'j':

start_lineno = strtoul(optarg, NULL, 10);

break;

case 'R':

delete_host = 1;

rr_hostname = optarg;

Line 2011

Line 2282

case 'N':

identity_new_passphrase = optarg;

break;

case 'Q':

check_krl = 1;

break;

case 'O':

add_cert_option(optarg);

break;

Line 2029

Line 2303

cert_key_type = SSH2_CERT_TYPE_HOST;

certflags_flags = 0;

break;

case 'k':

gen_krl = 1;

break;

case 'i':

case 'X':

/* import key */

Line 2046

Line 2323

case 'D':

pkcs11provider = optarg;

break;

case 'u':

update_krl = 1;

break;

case 'v':

if (log_level == SYSLOG_LEVEL_INFO)

log_level = SYSLOG_LEVEL_DEBUG1;

Line 2102

Line 2382

parse_cert_times(optarg);

break;

case 'z':

cert_serial = strtonum(optarg, 0, LLONG_MAX, &errstr);

errno = 0;

if (errstr)

cert_serial = strtoull(optarg, &ep, 10);

fatal("Invalid serial number: %s", errstr);

if (*optarg < '0' || *optarg > '9' || *ep != '\0' ||

(errno == ERANGE && cert_serial == ULLONG_MAX))

fatal("Invalid serial number \"%s\"", optarg);

break;

case '?':

default:

Line 2119

Line 2401

argc -= optind;

if (ca_key_path != NULL) {

if (argc < 1) {

if (argc < 1 && !gen_krl) {

printf("Too few arguments.\n");

usage();

}

} else if (argc > 0) {

} else if (argc > 0 && !gen_krl && !check_krl) {

printf("Too many arguments.\n");

usage();

}

Line 2132

Line 2414

usage();

}

if (print_fingerprint && (delete_host || hash_hosts)) {

printf("Cannot use -l with -D or -R.\n");

printf("Cannot use -l with -H or -R.\n");

usage();

}

if (gen_krl) {

do_gen_krl(pw, update_krl, argc, argv);

return (0);

}

if (check_krl) {

do_check_krl(pw, argc, argv);

return (0);

}

if (ca_key_path != NULL) {

if (cert_key_id == NULL)

fatal("Must specify key id (-I) when certifying");

Line 2144

Line 2434

do_show_cert(pw);

if (delete_host || hash_hosts || find_host)

do_known_hosts(pw, rr_hostname);

if (pkcs11provider != NULL)

do_download(pw);

if (print_fingerprint || print_bubblebabble)

do_fingerprint(pw);

if (change_passphrase)

Line 2173

Line 2465

_PATH_HOST_RSA_KEY_FILE, rr_hostname);

n += do_print_resource_record(pw,

_PATH_HOST_DSA_KEY_FILE, rr_hostname);

n += do_print_resource_record(pw,

_PATH_HOST_ECDSA_KEY_FILE, rr_hostname);

if (n == 0)

fatal("no keys found.");

exit(0);

}

if (pkcs11provider != NULL)

do_download(pw);

if (do_gen_candidates) {

FILE *out = fopen(out_file, "w");

Line 2200

Line 2492

if (do_screen_candidates) {

FILE *in;

FILE *out = fopen(out_file, "w");

FILE *out = fopen(out_file, "a");

if (have_identity && strcmp(identity_file, "-") != 0) {

if ((in = fopen(identity_file, "r")) == NULL) {

Line 2215

Line 2507

fatal("Couldn't open moduli file \"%s\": %s",

out_file, strerror(errno));

}

if (prime_test(in, out, trials, generator_wanted, checkpoint)

if (prime_test(in, out, trials, generator_wanted, checkpoint,

!= 0)

start_lineno, lines_to_process) != 0)

fatal("modulus screening failed");

return (0);

}