src/usr.bin/ssh/ssh-keygen.c - diff

Return to ssh-keygen.c CVS log

Up to [local] / src / usr.bin / ssh

Diff for /src/usr.bin/ssh/ssh-keygen.c between version 1.247 and 1.253

version 1.247, 2014/06/24 01:13:21

version 1.253, 2015/01/16 06:40:12

Line 15

#include <sys/types.h>

#include <sys/socket.h>

#include <sys/stat.h>

#include <sys/param.h>

#include <openssl/evp.h>

#include <openssl/pem.h>

#include <errno.h>

#include <fcntl.h>

#include <netdb.h>

#include <pwd.h>

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>

#include <limits.h>

#include "xmalloc.h"

#include "key.h"

#include "sshkey.h"

#include "rsa.h"

#include "authfile.h"

#include "uuencode.h"

#include "buffer.h"

#include "sshbuf.h"

#include "pathnames.h"

#include "log.h"

#include "misc.h"

Line 42

Line 43

#include "dns.h"

#include "ssh.h"

#include "ssh2.h"

#include "ssherr.h"

#include "atomicio.h"

#include "krl.h"

#include "digest.h"

#ifdef ENABLE_PKCS11

#include "ssh-pkcs11.h"

Line 85

Line 88

int print_fingerprint = 0;

int print_bubblebabble = 0;

/* Hash algorithm to use for fingerprints. */

int fingerprint_hash = SSH_FP_HASH_DEFAULT;

/* The identity file name, given on the command line or entered by the user. */

char identity_file[1024];

int have_identity = 0;

Line 160

Line 166

/* argv0 */

extern char *__progname;

char hostname[MAXHOSTNAMELEN];

char hostname[NI_MAXHOST];

/* moduli.c */

int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);

Line 195

Line 201

fatal("DSA keys must be 1024 bits");

else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)

fatal("Key must at least be 768 bits");

else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1)

else if (type == KEY_ECDSA && sshkey_ecdsa_bits_to_nid(*bitsp) == -1)

fatal("Invalid ECDSA key length - valid lengths are "

"256, 384 or 521 bits");

#endif

Line 210

Line 216

if (key_type_name == NULL)

name = _PATH_SSH_CLIENT_ID_RSA;

else {

switch (key_type_from_name(key_type_name)) {

switch (sshkey_type_from_name(key_type_name)) {

case KEY_RSA1:

name = _PATH_SSH_CLIENT_IDENTITY;

break;

Line 248

Line 254

have_identity = 1;

}

static Key *

static struct sshkey *

load_identity(char *filename)

{

char *pass;

Key *prv;

struct sshkey *prv;

int r;

prv = key_load_private(filename, "", NULL);

if ((r = sshkey_load_private(filename, "", &prv, NULL)) == 0)

if (prv == NULL) {

return prv;

if (identity_passphrase)

if (r != SSH_ERR_KEY_WRONG_PASSPHRASE)

pass = xstrdup(identity_passphrase);

fatal("Load key \"%s\": %s", filename, ssh_err(r));

else

if (identity_passphrase)

pass = read_passphrase("Enter passphrase: ",

pass = xstrdup(identity_passphrase);

RP_ALLOW_STDIN);

else

prv = key_load_private(filename, pass, NULL);

pass = read_passphrase("Enter passphrase: ", RP_ALLOW_STDIN);

explicit_bzero(pass, strlen(pass));

r = sshkey_load_private(filename, pass, &prv, NULL);

free(pass);

explicit_bzero(pass, strlen(pass));

}

free(pass);

if (r != 0)

fatal("Load key \"%s\": %s", filename, ssh_err(r));

return prv;

}

Line 275

Line 284

#ifdef WITH_OPENSSL

static void

do_convert_to_ssh2(struct passwd *pw, Key *k)

do_convert_to_ssh2(struct passwd *pw, struct sshkey *k)

{

u_int len;

size_t len;

u_char *blob;

char comment[61];

int r;

if (k->type == KEY_RSA1) {

fprintf(stderr, "version 1 keys are not supported\n");

exit(1);

}

if (key_to_blob(k, &blob, &len) <= 0) {

if ((r = sshkey_to_blob(k, &blob, &len)) != 0) {

fprintf(stderr, "key_to_blob failed\n");

fprintf(stderr, "key_to_blob failed: %s\n", ssh_err(r));

exit(1);

}

/* Comment + surrounds must fit into 72 chars (RFC 4716 sec 3.3) */

snprintf(comment, sizeof(comment),

"%u-bit %s, converted by %s@%s from OpenSSH",

key_size(k), key_type(k),

sshkey_size(k), sshkey_type(k),

pw->pw_name, hostname);

fprintf(stdout, "%s\n", SSH_COM_PUBLIC_BEGIN);

fprintf(stdout, "Comment: \"%s\"\n", comment);

dump_base64(stdout, blob, len);

fprintf(stdout, "%s\n", SSH_COM_PUBLIC_END);

key_free(k);

sshkey_free(k);

free(blob);

exit(0);

}

static void

do_convert_to_pkcs8(Key *k)

do_convert_to_pkcs8(struct sshkey *k)

{

switch (key_type_plain(k->type)) {

switch (sshkey_type_plain(k->type)) {

case KEY_RSA1:

case KEY_RSA:

if (!PEM_write_RSA_PUBKEY(stdout, k->rsa))

Line 322

Line 332

fatal("PEM_write_EC_PUBKEY failed");

break;

default:

fatal("%s: unsupported key type %s", __func__, key_type(k));

fatal("%s: unsupported key type %s", __func__, sshkey_type(k));

}

exit(0);

}

static void

do_convert_to_pem(Key *k)

do_convert_to_pem(struct sshkey *k)

{

switch (key_type_plain(k->type)) {

switch (sshkey_type_plain(k->type)) {

case KEY_RSA1:

case KEY_RSA:

if (!PEM_write_RSAPublicKey(stdout, k->rsa))

Line 344

Line 354

#endif

/* XXX ECDSA? */

default:

fatal("%s: unsupported key type %s", __func__, key_type(k));

fatal("%s: unsupported key type %s", __func__, sshkey_type(k));

}

exit(0);

}

Line 352

Line 362

static void

do_convert_to(struct passwd *pw)

{

Key *k;

struct sshkey *k;

struct stat st;

int r;

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

if (stat(identity_file, &st) < 0)

fatal("%s: %s: %s", __progname, identity_file, strerror(errno));

if ((k = key_load_public(identity_file, NULL)) == NULL) {

if ((r = sshkey_load_public(identity_file, &k, NULL)) != 0)

if ((k = load_identity(identity_file)) == NULL) {

k = load_identity(identity_file);

fprintf(stderr, "load failed\n");

exit(1);

}

switch (convert_format) {

case FMT_RFC4716:

do_convert_to_ssh2(pw, k);

Line 382

Line 388

exit(0);

}

* This is almost exactly the bignum1 encoding, but with 32 bit for length

* instead of 16.

static void

buffer_get_bignum_bits(Buffer *b, BIGNUM *value)

buffer_get_bignum_bits(struct sshbuf *b, BIGNUM *value)

{

u_int bignum_bits = buffer_get_int(b);

u_int bytes, bignum_bits;

u_int bytes = (bignum_bits + 7) / 8;

int r;

if (buffer_len(b) < bytes)

if ((r = sshbuf_get_u32(b, &bignum_bits)) != 0)

fatal("buffer_get_bignum_bits: input buffer too small: "

fatal("%s: buffer error: %s", __func__, ssh_err(r));

"need %d have %d", bytes, buffer_len(b));

bytes = (bignum_bits + 7) / 8;

if (BN_bin2bn(buffer_ptr(b), bytes, value) == NULL)

if (sshbuf_len(b) < bytes)

fatal("buffer_get_bignum_bits: BN_bin2bn failed");

fatal("%s: input buffer too small: need %d have %zu",

buffer_consume(b, bytes);

__func__, bytes, sshbuf_len(b));

if (BN_bin2bn(sshbuf_ptr(b), bytes, value) == NULL)

fatal("%s: BN_bin2bn failed", __func__);

if ((r = sshbuf_consume(b, bytes)) != 0)

fatal("%s: buffer error: %s", __func__, ssh_err(r));

}

static Key *

static struct sshkey *

do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)

{

Buffer b;

struct sshbuf *b;

Key *key = NULL;

struct sshkey *key = NULL;

char *type, *cipher;

u_char *sig = NULL, data[] = "abcde12345";

u_char e1, e2, e3, *sig = NULL, data[] = "abcde12345";

int magic, rlen, ktype, i1, i2, i3, i4;

int r, rlen, ktype;

u_int slen;

u_int magic, i1, i2, i3, i4;

size_t slen;

u_long e;

buffer_init(&b);

if ((b = sshbuf_from(blob, blen)) == NULL)

buffer_append(&b, blob, blen);

fatal("%s: sshbuf_from failed", __func__);

if ((r = sshbuf_get_u32(b, &magic)) != 0)

fatal("%s: buffer error: %s", __func__, ssh_err(r));

magic = buffer_get_int(&b);

if (magic != SSH_COM_PRIVATE_KEY_MAGIC) {

error("bad magic 0x%x != 0x%x", magic, SSH_COM_PRIVATE_KEY_MAGIC);

error("bad magic 0x%x != 0x%x", magic,

buffer_free(&b);

SSH_COM_PRIVATE_KEY_MAGIC);

sshbuf_free(b);

return NULL;

}

i1 = buffer_get_int(&b);

if ((r = sshbuf_get_u32(b, &i1)) != 0 ||

type = buffer_get_string(&b, NULL);

(r = sshbuf_get_cstring(b, &type, NULL)) != 0 ||

cipher = buffer_get_string(&b, NULL);

(r = sshbuf_get_cstring(b, &cipher, NULL)) != 0 ||

i2 = buffer_get_int(&b);

(r = sshbuf_get_u32(b, &i2)) != 0 ||

i3 = buffer_get_int(&b);

(r = sshbuf_get_u32(b, &i3)) != 0 ||

i4 = buffer_get_int(&b);

(r = sshbuf_get_u32(b, &i4)) != 0)

fatal("%s: buffer error: %s", __func__, ssh_err(r));

debug("ignore (%d %d %d %d)", i1, i2, i3, i4);

if (strcmp(cipher, "none") != 0) {

error("unsupported cipher %s", cipher);

free(cipher);

buffer_free(&b);

sshbuf_free(b);

free(type);

return NULL;

}

Line 437

Line 455

} else if (strstr(type, "rsa")) {

ktype = KEY_RSA;

} else {

buffer_free(&b);

sshbuf_free(b);

free(type);

return NULL;

}

key = key_new_private(ktype);

if ((key = sshkey_new_private(ktype)) == NULL)

fatal("key_new_private failed");

free(type);

switch (key->type) {

case KEY_DSA:

buffer_get_bignum_bits(&b, key->dsa->p);

buffer_get_bignum_bits(b, key->dsa->p);

buffer_get_bignum_bits(&b, key->dsa->g);

buffer_get_bignum_bits(b, key->dsa->g);

buffer_get_bignum_bits(&b, key->dsa->q);

buffer_get_bignum_bits(b, key->dsa->q);

buffer_get_bignum_bits(&b, key->dsa->pub_key);

buffer_get_bignum_bits(b, key->dsa->pub_key);

buffer_get_bignum_bits(&b, key->dsa->priv_key);

buffer_get_bignum_bits(b, key->dsa->priv_key);

break;

case KEY_RSA:

e = buffer_get_char(&b);

if ((r = sshbuf_get_u8(b, &e1)) != 0 ||

(e1 < 30 && (r = sshbuf_get_u8(b, &e2)) != 0) ||

(e1 < 30 && (r = sshbuf_get_u8(b, &e3)) != 0))

fatal("%s: buffer error: %s", __func__, ssh_err(r));

e = e1;

debug("e %lx", e);

if (e < 30) {

e <<= 8;

e += buffer_get_char(&b);

e += e2;

debug("e %lx", e);

e <<= 8;

e += buffer_get_char(&b);

e += e3;

debug("e %lx", e);

}

if (!BN_set_word(key->rsa->e, e)) {

buffer_free(&b);

sshbuf_free(b);

key_free(key);

sshkey_free(key);

return NULL;

}

buffer_get_bignum_bits(&b, key->rsa->d);

buffer_get_bignum_bits(b, key->rsa->d);

buffer_get_bignum_bits(&b, key->rsa->n);

buffer_get_bignum_bits(b, key->rsa->n);

buffer_get_bignum_bits(&b, key->rsa->iqmp);

buffer_get_bignum_bits(b, key->rsa->iqmp);

buffer_get_bignum_bits(&b, key->rsa->q);

buffer_get_bignum_bits(b, key->rsa->q);

buffer_get_bignum_bits(&b, key->rsa->p);

buffer_get_bignum_bits(b, key->rsa->p);

if (rsa_generate_additional_parameters(key->rsa) != 0)

if ((r = rsa_generate_additional_parameters(key->rsa)) != 0)

fatal("%s: rsa_generate_additional_parameters "

fatal("generate RSA parameters failed: %s", ssh_err(r));

"error", __func__);

break;

}

rlen = buffer_len(&b);

rlen = sshbuf_len(b);

if (rlen != 0)

error("do_convert_private_ssh2_from_blob: "

"remaining bytes in key blob %d", rlen);

buffer_free(&b);

sshbuf_free(b);

/* try the key */

key_sign(key, &sig, &slen, data, sizeof(data));

if (sshkey_sign(key, &sig, &slen, data, sizeof(data), 0) != 0 ||

key_verify(key, sig, slen, data, sizeof(data));

sshkey_verify(key, sig, slen, data, sizeof(data), 0) != 0) {

sshkey_free(key);

free(sig);

return NULL;

}

free(sig);

return key;

}

Line 522

Line 548

}

static void

do_convert_from_ssh2(struct passwd *pw, Key **k, int *private)

do_convert_from_ssh2(struct passwd *pw, struct sshkey **k, int *private)

{

int blen;

int r, blen, escaped = 0;

u_int len;

char line[1024];

u_char blob[8096];

char encoded[8096];

int escaped = 0;

FILE *fp;

if ((fp = fopen(identity_file, "r")) == NULL)

Line 566

Line 591

fprintf(stderr, "uudecode failed.\n");

exit(1);

}

*k = *private ?

if (*private)

do_convert_private_ssh2_from_blob(blob, blen) :

*k = do_convert_private_ssh2_from_blob(blob, blen);

key_from_blob(blob, blen);

else if ((r = sshkey_from_blob(blob, blen, k)) != 0) {

if (*k == NULL) {

fprintf(stderr, "decode blob failed: %s\n", ssh_err(r));

fprintf(stderr, "decode blob failed.\n");

exit(1);

}

fclose(fp);

}

static void

do_convert_from_pkcs8(Key **k, int *private)

do_convert_from_pkcs8(struct sshkey **k, int *private)

{

EVP_PKEY *pubkey;

FILE *fp;

Line 591

Line 615

fclose(fp);

switch (EVP_PKEY_type(pubkey->type)) {

case EVP_PKEY_RSA:

*k = key_new(KEY_UNSPEC);

if ((*k = sshkey_new(KEY_UNSPEC)) == NULL)

fatal("sshkey_new failed");

(*k)->type = KEY_RSA;

(*k)->rsa = EVP_PKEY_get1_RSA(pubkey);

break;

case EVP_PKEY_DSA:

*k = key_new(KEY_UNSPEC);

if ((*k = sshkey_new(KEY_UNSPEC)) == NULL)

fatal("sshkey_new failed");

(*k)->type = KEY_DSA;

(*k)->dsa = EVP_PKEY_get1_DSA(pubkey);

break;

case EVP_PKEY_EC:

*k = key_new(KEY_UNSPEC);

if ((*k = sshkey_new(KEY_UNSPEC)) == NULL)

fatal("sshkey_new failed");

(*k)->type = KEY_ECDSA;

(*k)->ecdsa = EVP_PKEY_get1_EC_KEY(pubkey);

(*k)->ecdsa_nid = key_ecdsa_key_to_nid((*k)->ecdsa);

(*k)->ecdsa_nid = sshkey_ecdsa_key_to_nid((*k)->ecdsa);

break;

default:

fatal("%s: unsupported pubkey type %d", __func__,

Line 615

Line 642

}

static void

do_convert_from_pem(Key **k, int *private)

do_convert_from_pem(struct sshkey **k, int *private)

{

FILE *fp;

RSA *rsa;

Line 626

Line 653

if ((fp = fopen(identity_file, "r")) == NULL)

fatal("%s: %s: %s", __progname, identity_file, strerror(errno));

if ((rsa = PEM_read_RSAPublicKey(fp, NULL, NULL, NULL)) != NULL) {

*k = key_new(KEY_UNSPEC);

if ((*k = sshkey_new(KEY_UNSPEC)) == NULL)

fatal("sshkey_new failed");

(*k)->type = KEY_RSA;

(*k)->rsa = rsa;

fclose(fp);

Line 635

Line 663

#if notyet /* OpenSSH 0.9.8 lacks this function */

rewind(fp);

if ((dsa = PEM_read_DSAPublicKey(fp, NULL, NULL, NULL)) != NULL) {

*k = key_new(KEY_UNSPEC);

if ((*k = sshkey_new(KEY_UNSPEC)) == NULL)

fatal("sshkey_new failed");

(*k)->type = KEY_DSA;

(*k)->dsa = dsa;

fclose(fp);

Line 649

Line 678

static void

do_convert_from(struct passwd *pw)

{

Key *k = NULL;

struct sshkey *k = NULL;

int private = 0, ok = 0;

int r, private = 0, ok = 0;

struct stat st;

if (!have_identity)

Line 673

Line 702

}

if (!private)

ok = key_write(k, stdout);

if ((r = sshkey_write(k, stdout)) == 0)

ok = 1;

if (ok)

fprintf(stdout, "\n");

else {

Line 692

Line 722

break;

default:

fatal("%s: unsupported key type %s", __func__,

key_type(k));

sshkey_type(k));

}

Line 700

Line 730

fprintf(stderr, "key write failed\n");

exit(1);

}

key_free(k);

sshkey_free(k);

exit(0);

}

#endif

Line 708

Line 738

static void

do_print_public(struct passwd *pw)

{

Key *prv;

struct sshkey *prv;

struct stat st;

int r;

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

Line 718

Line 749

exit(1);

}

prv = load_identity(identity_file);

if (prv == NULL) {

if ((r = sshkey_write(prv, stdout)) != 0)

fprintf(stderr, "load failed\n");

fprintf(stderr, "key_write failed: %s", ssh_err(r));

exit(1);

sshkey_free(prv);

}

if (!key_write(prv, stdout))

fprintf(stderr, "key_write failed");

key_free(prv);

fprintf(stdout, "\n");

exit(0);

}

Line 733

Line 760

do_download(struct passwd *pw)

{

#ifdef ENABLE_PKCS11

Key **keys = NULL;

struct sshkey **keys = NULL;

int i, nkeys;

enum fp_rep rep;

enum sshkey_fp_rep rep;

enum fp_type fptype;

int fptype;

char *fp, *ra;

fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;

fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;

rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;

rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;

pkcs11_init(0);

nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys);

Line 748

Line 775

fatal("cannot read public key from pkcs11");

for (i = 0; i < nkeys; i++) {

if (print_fingerprint) {

fp = key_fingerprint(keys[i], fptype, rep);

fp = sshkey_fingerprint(keys[i], fptype, rep);

ra = key_fingerprint(keys[i], SSH_FP_MD5,

ra = sshkey_fingerprint(keys[i], fingerprint_hash,

SSH_FP_RANDOMART);

printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]),

printf("%u %s %s (PKCS11 key)\n", sshkey_size(keys[i]),

fp, key_type(keys[i]));

fp, sshkey_type(keys[i]));

if (log_level >= SYSLOG_LEVEL_VERBOSE)

printf("%s\n", ra);

free(ra);

free(fp);

} else {

key_write(keys[i], stdout);

(void) sshkey_write(keys[i], stdout); /* XXX check */

fprintf(stdout, "\n");

}

key_free(keys[i]);

sshkey_free(keys[i]);

}

free(keys);

pkcs11_terminate();

Line 775

Line 802

do_fingerprint(struct passwd *pw)

{

FILE *f;

Key *public;

struct sshkey *public;

char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;

int i, skip = 0, num = 0, invalid = 1;

int r, i, skip = 0, num = 0, invalid = 1;

enum fp_rep rep;

enum sshkey_fp_rep rep;

enum fp_type fptype;

int fptype;

struct stat st;

fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;

fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;

rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;

rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

if (stat(identity_file, &st) < 0) {

perror(identity_file);

exit(1);

}

public = key_load_public(identity_file, &comment);

if ((r = sshkey_load_public(identity_file, &public, &comment)) != 0)

if (public != NULL) {

error("Error loading public key \"%s\": %s",

fp = key_fingerprint(public, fptype, rep);

identity_file, ssh_err(r));

ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);

else {

printf("%u %s %s (%s)\n", key_size(public), fp, comment,

fp = sshkey_fingerprint(public, fptype, rep);

key_type(public));

ra = sshkey_fingerprint(public, fingerprint_hash,

SSH_FP_RANDOMART);

printf("%u %s %s (%s)\n", sshkey_size(public), fp, comment,

sshkey_type(public));

if (log_level >= SYSLOG_LEVEL_VERBOSE)

printf("%s\n", ra);

key_free(public);

sshkey_free(public);

free(comment);

free(ra);

free(fp);

Line 848

Line 877

*cp++ = '\0';

}

ep = cp;

public = key_new(KEY_RSA1);

if ((public = sshkey_new(KEY_RSA1)) == NULL)

if (key_read(public, &cp) != 1) {

fatal("sshkey_new failed");

if ((r = sshkey_read(public, &cp)) != 0) {

cp = ep;

key_free(public);

sshkey_free(public);

public = key_new(KEY_UNSPEC);

if ((public = sshkey_new(KEY_UNSPEC)) == NULL)

if (key_read(public, &cp) != 1) {

fatal("sshkey_new failed");

key_free(public);

if ((r = sshkey_read(public, &cp)) != 0) {

sshkey_free(public);

continue;

}

comment = *cp ? cp : comment;

fp = key_fingerprint(public, fptype, rep);

fp = sshkey_fingerprint(public, fptype, rep);

ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);

ra = sshkey_fingerprint(public, fingerprint_hash,

printf("%u %s %s (%s)\n", key_size(public), fp,

SSH_FP_RANDOMART);

comment ? comment : "no comment", key_type(public));

printf("%u %s %s (%s)\n", sshkey_size(public), fp,

comment ? comment : "no comment", sshkey_type(public));

if (log_level >= SYSLOG_LEVEL_VERBOSE)

printf("%s\n", ra);

free(ra);

free(fp);

key_free(public);

sshkey_free(public);

invalid = 0;

}

fclose(f);

Line 897

Line 929

int first = 0;

struct stat st;

Key *private, *public;

struct sshkey *private, *public;

char comment[1024];

int i, type, fd;

int i, type, fd, r;

FILE *f;

for (i = 0; key_types[i].key_type; i++) {

Line 918

Line 950

}

printf("%s ", key_types[i].key_type_display);

fflush(stdout);

type = key_type_from_name(key_types[i].key_type);

type = sshkey_type_from_name(key_types[i].key_type);

strlcpy(identity_file, key_types[i].path, sizeof(identity_file));

bits = 0;

type_bits_valid(type, &bits);

private = key_generate(type, bits);

if ((r = sshkey_generate(type, bits, &private)) != 0) {

if (private == NULL) {

fprintf(stderr, "key_generate failed: %s\n",

fprintf(stderr, "key_generate failed\n");

ssh_err(r));

first = 0;

continue;

}

public = key_from_private(private);

if ((r = sshkey_from_private(private, &public)) != 0)

fatal("sshkey_from_private failed: %s", ssh_err(r));

snprintf(comment, sizeof comment, "%s@%s", pw->pw_name,

hostname);

if (!key_save_private(private, identity_file, "", comment,

if ((r = sshkey_save_private(private, identity_file, "",

use_new_format, new_format_cipher, rounds)) {

comment, use_new_format, new_format_cipher, rounds)) != 0) {

printf("Saving the key failed: %s.\n", identity_file);

printf("Saving key \"%s\" failed: %s\n", identity_file,

key_free(private);

ssh_err(r));

key_free(public);

sshkey_free(private);

sshkey_free(public);

first = 0;

continue;

}

key_free(private);

sshkey_free(private);

strlcat(identity_file, ".pub", sizeof(identity_file));

fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);

if (fd == -1) {

printf("Could not save your public key in %s\n",

identity_file);

key_free(public);

sshkey_free(public);

first = 0;

continue;

}

f = fdopen(fd, "w");

if (f == NULL) {

printf("fdopen %s failed\n", identity_file);

key_free(public);

close(fd);

sshkey_free(public);

first = 0;

continue;

}

if (!key_write(public, f)) {

if (!sshkey_write(public, f)) {

fprintf(stderr, "write key failed\n");

key_free(public);

fclose(f);

sshkey_free(public);

first = 0;

continue;

}

fprintf(f, " %s\n", comment);

fclose(f);

key_free(public);

sshkey_free(public);

}

if (first != 0)

Line 972

Line 1008

}

static void

printhost(FILE *f, const char *name, Key *public, int ca, int hash)

printhost(FILE *f, const char *name, struct sshkey *public,

int ca, int revoked, int hash)

{

if (print_fingerprint) {

enum fp_rep rep;

enum sshkey_fp_rep rep;

enum fp_type fptype;

int fptype;

char *fp, *ra;

fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;

fptype = print_bubblebabble ?

rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;

SSH_DIGEST_SHA1 : fingerprint_hash;

fp = key_fingerprint(public, fptype, rep);

rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;

ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);

fp = sshkey_fingerprint(public, fptype, rep);

printf("%u %s %s (%s)\n", key_size(public), fp, name,

ra = sshkey_fingerprint(public, fingerprint_hash,

key_type(public));

SSH_FP_RANDOMART);

printf("%u %s %s (%s)\n", sshkey_size(public), fp, name,

sshkey_type(public));

if (log_level >= SYSLOG_LEVEL_VERBOSE)

printf("%s\n", ra);

free(ra);

free(fp);

} else {

int r;

if (hash && (name = host_hash(name, NULL, 0)) == NULL)

fatal("hash_host failed");

fprintf(f, "%s%s%s ", ca ? CA_MARKER : "", ca ? " " : "", name);

fprintf(f, "%s%s%s ", ca ? CA_MARKER " " : "",

if (!key_write(public, f))

revoked ? REVOKE_MARKER " " : "" , name);

fatal("key_write failed");

if ((r = sshkey_write(public, f)) != 0)

fatal("key_write failed: %s", ssh_err(r));

fprintf(f, "\n");

}

Line 1003

Line 1045

do_known_hosts(struct passwd *pw, const char *name)

{

FILE *in, *out = stdout;

Key *pub;

struct sshkey *pub;

char *cp, *cp2, *kp, *kp2;

char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN];

char line[16*1024], tmp[PATH_MAX], old[PATH_MAX];

int c, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0;

int ca;

int r, ca, revoked;

int found_key = 0;

if (!have_identity) {

Line 1021

Line 1063

if ((in = fopen(identity_file, "r")) == NULL)

fatal("%s: %s: %s", __progname, identity_file, strerror(errno));

/* XXX this code is a mess; refactor -djm */

* Find hosts goes to stdout, hash and deletions happen in-place

* A corner case is ssh-keygen -HF foo, which should go to stdout

Line 1064

Line 1107

fprintf(out, "%s\n", cp);

continue;

}

/* Check whether this is a CA key */

/* Check whether this is a CA key or revocation marker */

if (strncasecmp(cp, CA_MARKER, sizeof(CA_MARKER) - 1) == 0 &&

(cp[sizeof(CA_MARKER) - 1] == ' ' ||

cp[sizeof(CA_MARKER) - 1] == '\t')) {

Line 1072

Line 1115

cp += sizeof(CA_MARKER);

} else

ca = 0;

if (strncasecmp(cp, REVOKE_MARKER,

sizeof(REVOKE_MARKER) - 1) == 0 &&

(cp[sizeof(REVOKE_MARKER) - 1] == ' ' ||

cp[sizeof(REVOKE_MARKER) - 1] == '\t')) {

revoked = 1;

cp += sizeof(REVOKE_MARKER);

} else

revoked = 0;

/* Find the end of the host name portion. */

for (kp = cp; *kp && *kp != ' ' && *kp != '\t'; kp++)

Line 1086

Line 1137

*kp++ = '\0';

kp2 = kp;

pub = key_new(KEY_RSA1);

if ((pub = sshkey_new(KEY_RSA1)) == NULL)

if (key_read(pub, &kp) != 1) {

fatal("sshkey_new failed");

if ((r = sshkey_read(pub, &kp)) != 0) {

kp = kp2;

key_free(pub);

sshkey_free(pub);

pub = key_new(KEY_UNSPEC);

if ((pub = sshkey_new(KEY_UNSPEC)) == NULL)

if (key_read(pub, &kp) != 1) {

fatal("sshkey_new failed");

if ((r = sshkey_read(pub, &kp)) != 0) {

error("line %d invalid key: %.40s...",

num, line);

key_free(pub);

sshkey_free(pub);

invalid = 1;

continue;

}

Line 1114

Line 1167

if (!quiet)

printf("# Host %s found: "

"line %d type %s%s\n", name,

num, key_type(pub),

num, sshkey_type(pub),

ca ? " (CA key)" : "");

ca ? " (CA key)" :

printhost(out, cp, pub, ca, 0);

revoked? " (revoked)" : "");

printhost(out, cp, pub, ca, revoked, 0);

found_key = 1;

}

if (delete_host) {

if (!c && !ca)

if (!c || ca || revoked) {

printhost(out, cp, pub, ca, 0);

printhost(out, cp, pub,

else

ca, revoked, 0);

} else {

printf("# Host %s found: "

"line %d type %s\n", name,

num, key_type(pub));

num, sshkey_type(pub));

}

} else if (hash_hosts)

printhost(out, cp, pub, ca, 0);

printhost(out, cp, pub, ca, revoked, 0);

} else {

if (find_host || delete_host) {

c = (match_hostname(name, cp,

Line 1137

Line 1193

if (!quiet)

printf("# Host %s found: "

"line %d type %s%s\n", name,

num, key_type(pub),

num, sshkey_type(pub),

ca ? " (CA key)" : "");

printhost(out, name, pub,

printhost(out, name, pub, ca, revoked,

ca, hash_hosts && !ca);

hash_hosts && !(ca || revoked));

found_key = 1;

}

if (delete_host) {

if (!c && !ca)

if (!c || ca || revoked) {

printhost(out, cp, pub, ca, 0);

printhost(out, cp, pub,

else

ca, revoked, 0);

} else {

printf("# Host %s found: "

"line %d type %s\n", name,

num, key_type(pub));

num, sshkey_type(pub));

}

} else if (hash_hosts && (ca || revoked)) {

/* Don't hash CA and revoked keys' hostnames */

printhost(out, cp, pub, ca, revoked, 0);

has_unhashed = 1;

} else if (hash_hosts) {

/* Hash each hostname separately */

for (cp2 = strsep(&cp, ",");

cp2 != NULL && *cp2 != '\0';

cp2 = strsep(&cp, ",")) {

if (ca) {

if (strcspn(cp2, "*?!") !=

fprintf(stderr, "Warning: "

"ignoring CA key for host: "

"%.64s\n", cp2);

printhost(out, cp2, pub, ca, 0);

} else if (strcspn(cp2, "*?!") !=

strlen(cp2)) {

fprintf(stderr, "Warning: "

"ignoring host name with "

"metacharacters: %.64s\n",

cp2);

printhost(out, cp2, pub, ca, 0);

printhost(out, cp2, pub, ca,

} else

revoked, 0);

printhost(out, cp2, pub, ca, 1);

has_unhashed = 1;

} else {

printhost(out, cp2, pub, ca,

revoked, 1);

}

has_unhashed = 1;

}

key_free(pub);

sshkey_free(pub);

}

fclose(in);

Line 1230

Line 1291

char *comment;

char *old_passphrase, *passphrase1, *passphrase2;

struct stat st;

Key *private;

struct sshkey *private;

int r;

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

Line 1239

Line 1301

exit(1);

}

/* Try to load the file with empty passphrase. */

private = key_load_private(identity_file, "", &comment);

r = sshkey_load_private(identity_file, "", &private, &comment);

if (private == NULL) {

if (r == SSH_ERR_KEY_WRONG_PASSPHRASE) {

if (identity_passphrase)

old_passphrase = xstrdup(identity_passphrase);

else

old_passphrase =

read_passphrase("Enter old passphrase: ",

RP_ALLOW_STDIN);

private = key_load_private(identity_file, old_passphrase,

r = sshkey_load_private(identity_file, old_passphrase,

&comment);

&private, &comment);

explicit_bzero(old_passphrase, strlen(old_passphrase));

free(old_passphrase);

if (private == NULL) {

if (r != 0)

printf("Bad passphrase.\n");

goto badkey;

exit(1);

} else if (r != 0) {

}

badkey:

fprintf(stderr, "Failed to load key \"%s\": %s\n",

identity_file, ssh_err(r));

exit(1);

}

printf("Key has comment '%s'\n", comment);

Line 1284

Line 1349

}

/* Save the file using the new passphrase. */

if (!key_save_private(private, identity_file, passphrase1, comment,

if ((r = sshkey_save_private(private, identity_file, passphrase1,

use_new_format, new_format_cipher, rounds)) {

comment, use_new_format, new_format_cipher, rounds)) != 0) {

printf("Saving the key failed: %s.\n", identity_file);

printf("Saving key \"%s\" failed: %s.\n",

identity_file, ssh_err(r));

explicit_bzero(passphrase1, strlen(passphrase1));

free(passphrase1);

key_free(private);

sshkey_free(private);

free(comment);

exit(1);

}

/* Destroy the passphrase and the copy of the key in memory. */

explicit_bzero(passphrase1, strlen(passphrase1));

free(passphrase1);

key_free(private); /* Destroys contents */

sshkey_free(private); /* Destroys contents */

free(comment);

printf("Your identification has been saved with the new passphrase.\n");

Line 1309

Line 1375

static int

do_print_resource_record(struct passwd *pw, char *fname, char *hname)

{

Key *public;

struct sshkey *public;

char *comment = NULL;

struct stat st;

int r;

if (fname == NULL)

fatal("%s: no filename", __func__);

Line 1321

Line 1388

perror(fname);

exit(1);

}

public = key_load_public(fname, &comment);

if ((r = sshkey_load_public(fname, &public, &comment)) != 0) {

if (public != NULL) {

printf("Failed to read v2 public key from \"%s\": %s.\n",

export_dns_rr(hname, public, stdout, print_generic);

fname, ssh_err(r));

key_free(public);

exit(1);

free(comment);

return 1;

}

if (comment)

export_dns_rr(hname, public, stdout, print_generic);

free(comment);

sshkey_free(public);

free(comment);

printf("failed to read v2 public key from %s.\n", fname);

return 1;

exit(1);

}

Line 1342

Line 1406

do_change_comment(struct passwd *pw)

{

char new_comment[1024], *comment, *passphrase;

Key *private;

struct sshkey *private;

Key *public;

struct sshkey *public;

struct stat st;

FILE *f;

int fd;

int r, fd;

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

Line 1354

Line 1418

perror(identity_file);

exit(1);

}

private = key_load_private(identity_file, "", &comment);

if ((r = sshkey_load_private(identity_file, "",

if (private == NULL) {

&private, &comment)) == 0)

passphrase = xstrdup("");

else if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) {

printf("Cannot load private key \"%s\": %s.\n",

identity_file, ssh_err(r));

exit(1);

} else {

if (identity_passphrase)

passphrase = xstrdup(identity_passphrase);

else if (identity_new_passphrase)

Line 1364

Line 1434

passphrase = read_passphrase("Enter passphrase: ",

RP_ALLOW_STDIN);

/* Try to load using the passphrase. */

private = key_load_private(identity_file, passphrase, &comment);

if ((r = sshkey_load_private(identity_file, passphrase,

if (private == NULL) {

&private, &comment)) != 0) {

explicit_bzero(passphrase, strlen(passphrase));

free(passphrase);

printf("Bad passphrase.\n");

printf("Cannot load private key \"%s\": %s.\n",

identity_file, ssh_err(r));

exit(1);

}

} else {

passphrase = xstrdup("");

}

if (private->type != KEY_RSA1) {

fprintf(stderr, "Comments are only supported for RSA1 keys.\n");

key_free(private);

sshkey_free(private);

exit(1);

}

printf("Key now has comment '%s'\n", comment);

Line 1388

Line 1457

fflush(stdout);

if (!fgets(new_comment, sizeof(new_comment), stdin)) {

explicit_bzero(passphrase, strlen(passphrase));

key_free(private);

sshkey_free(private);

exit(1);

}

new_comment[strcspn(new_comment, "\n")] = '\0';

}

/* Save the file using the new passphrase. */

if (!key_save_private(private, identity_file, passphrase, new_comment,

if ((r = sshkey_save_private(private, identity_file, passphrase,

use_new_format, new_format_cipher, rounds)) {

new_comment, use_new_format, new_format_cipher, rounds)) != 0) {

printf("Saving the key failed: %s.\n", identity_file);

printf("Saving key \"%s\" failed: %s\n",

identity_file, ssh_err(r));

explicit_bzero(passphrase, strlen(passphrase));

free(passphrase);

key_free(private);

sshkey_free(private);

free(comment);

exit(1);

}

explicit_bzero(passphrase, strlen(passphrase));

free(passphrase);

public = key_from_private(private);

if ((r = sshkey_from_private(private, &public)) != 0)

key_free(private);

fatal("key_from_private failed: %s", ssh_err(r));

sshkey_free(private);

strlcat(identity_file, ".pub", sizeof(identity_file));

fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);

Line 1420

Line 1491

printf("fdopen %s failed\n", identity_file);

exit(1);

}

if (!key_write(public, f))

if ((r = sshkey_write(public, f)) != 0)

fprintf(stderr, "write key failed\n");

fprintf(stderr, "write key failed: %s\n", ssh_err(r));

key_free(public);

sshkey_free(public);

fprintf(f, " %s\n", new_comment);

fclose(f);

Line 1471

Line 1542

}

static void

add_flag_option(Buffer *c, const char *name)

add_flag_option(struct sshbuf *c, const char *name)

{

int r;

debug3("%s: %s", __func__, name);

buffer_put_cstring(c, name);

if ((r = sshbuf_put_cstring(c, name)) != 0 ||

buffer_put_string(c, NULL, 0);

(r = sshbuf_put_string(c, NULL, 0)) != 0)

fatal("%s: buffer error: %s", __func__, ssh_err(r));

}

static void

add_string_option(Buffer *c, const char *name, const char *value)

add_string_option(struct sshbuf *c, const char *name, const char *value)

{

Buffer b;

struct sshbuf *b;

int r;

debug3("%s: %s=%s", __func__, name, value);

buffer_init(&b);

if ((b = sshbuf_new()) == NULL)

buffer_put_cstring(&b, value);

fatal("%s: sshbuf_new failed", __func__);

if ((r = sshbuf_put_cstring(b, value)) != 0 ||

(r = sshbuf_put_cstring(c, name)) != 0 ||

(r = sshbuf_put_stringb(c, b)) != 0)

fatal("%s: buffer error: %s", __func__, ssh_err(r));

buffer_put_cstring(c, name);

sshbuf_free(b);

buffer_put_string(c, buffer_ptr(&b), buffer_len(&b));

buffer_free(&b);

}

#define OPTIONS_CRITICAL 1

#define OPTIONS_EXTENSIONS 2

static void

prepare_options_buf(Buffer *c, int which)

prepare_options_buf(struct sshbuf *c, int which)

{

buffer_clear(c);

sshbuf_reset(c);

if ((which & OPTIONS_CRITICAL) != 0 &&

certflags_command != NULL)

add_string_option(c, "force-command", certflags_command);

Line 1522

Line 1598

add_string_option(c, "source-address", certflags_src_addr);

}

static Key *

static struct sshkey *

load_pkcs11_key(char *path)

{

#ifdef ENABLE_PKCS11

Key **keys = NULL, *public, *private = NULL;

struct sshkey **keys = NULL, *public, *private = NULL;

int i, nkeys;

int r, i, nkeys;

if ((public = key_load_public(path, NULL)) == NULL)

if ((r = sshkey_load_public(path, &public, NULL)) != 0)

fatal("Couldn't load CA public key \"%s\"", path);

fatal("Couldn't load CA public key \"%s\": %s",

path, ssh_err(r));

nkeys = pkcs11_add_provider(pkcs11provider, identity_passphrase, &keys);

debug3("%s: %d keys", __func__, nkeys);

if (nkeys <= 0)

fatal("cannot read public key from pkcs11");

for (i = 0; i < nkeys; i++) {

if (key_equal_public(public, keys[i])) {

if (sshkey_equal_public(public, keys[i])) {

private = keys[i];

continue;

}

key_free(keys[i]);

sshkey_free(keys[i]);

}

free(keys);

key_free(public);

sshkey_free(public);

return private;

#else

fatal("no pkcs11 support");

Line 1554

Line 1631

static void

do_ca_sign(struct passwd *pw, int argc, char **argv)

{

int i, fd;

int r, i, fd;

u_int n;

Key *ca, *public;

struct sshkey *ca, *public;

char *otmp, *tmp, *cp, *out, *comment, **plist = NULL;

FILE *f;

int v00 = 0; /* legacy keys */

if (key_type_name != NULL) {

switch (key_type_from_name(key_type_name)) {

switch (sshkey_type_from_name(key_type_name)) {

case KEY_RSA_CERT_V00:

case KEY_DSA_CERT_V00:

v00 = 1;

Line 1587

Line 1664

if (pkcs11provider != NULL) {

if ((ca = load_pkcs11_key(tmp)) == NULL)

fatal("No PKCS#11 key matching %s found", ca_key_path);

} else if ((ca = load_identity(tmp)) == NULL)

} else

fatal("Couldn't load CA key \"%s\"", tmp);

ca = load_identity(tmp);

free(tmp);

for (i = 0; i < argc; i++) {

Line 1606

Line 1683

}

tmp = tilde_expand_filename(argv[i], pw->pw_uid);

if ((public = key_load_public(tmp, &comment)) == NULL)

if ((r = sshkey_load_public(tmp, &public, &comment)) != 0)

fatal("%s: unable to open \"%s\"", __func__, tmp);

fatal("%s: unable to open \"%s\": %s",

__func__, tmp, ssh_err(r));

if (public->type != KEY_RSA && public->type != KEY_DSA &&

public->type != KEY_ECDSA && public->type != KEY_ED25519)

fatal("%s: key \"%s\" type %s cannot be certified",

__func__, tmp, key_type(public));

__func__, tmp, sshkey_type(public));

/* Prepare certificate to sign */

if (key_to_certified(public, v00) != 0)

if ((r = sshkey_to_certified(public, v00)) != 0)

fatal("Could not upgrade key %s to certificate", tmp);

fatal("Could not upgrade key %s to certificate: %s",

tmp, ssh_err(r));

public->cert->type = cert_key_type;

public->cert->serial = (u_int64_t)cert_serial;

public->cert->key_id = xstrdup(cert_key_id);

Line 1632

Line 1711

prepare_options_buf(public->cert->extensions,

OPTIONS_EXTENSIONS);

}

public->cert->signature_key = key_from_private(ca);

if ((r = sshkey_from_private(ca,

&public->cert->signature_key)) != 0)

fatal("key_from_private (ca key): %s", ssh_err(r));

if (key_certify(public, ca) != 0)

if (sshkey_certify(public, ca) != 0)

fatal("Couldn't not certify key %s", tmp);

if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0)

Line 1647

Line 1728

strerror(errno));

if ((f = fdopen(fd, "w")) == NULL)

fatal("%s: fdopen: %s", __func__, strerror(errno));

if (!key_write(public, f))

if ((r = sshkey_write(public, f)) != 0)

fatal("Could not write certified key to %s", out);

fatal("Could not write certified key to %s: %s",

out, ssh_err(r));

fprintf(f, " %s\n", comment);

fclose(f);

if (!quiet) {

logit("Signed %s key %s: id \"%s\" serial %llu%s%s "

"valid %s", key_cert_type(public),

"valid %s", sshkey_cert_type(public),

out, public->cert->key_id,

(unsigned long long)public->cert->serial,

cert_principals != NULL ? " for " : "",

Line 1662

Line 1744

fmt_validity(cert_valid_from, cert_valid_to));

}

key_free(public);

sshkey_free(public);

free(out);

}

#ifdef ENABLE_PKCS11

Line 1813

Line 1895

}

static void

show_options(const Buffer *optbuf, int v00, int in_critical)

show_options(struct sshbuf *optbuf, int v00, int in_critical)

{

char *name, *arg;

const u_char *data;

struct sshbuf *options, *option = NULL;

u_int dlen;

int r;

Buffer options, option;

buffer_init(&options);

if ((options = sshbuf_fromb(optbuf)) == NULL)

buffer_append(&options, buffer_ptr(optbuf), buffer_len(optbuf));

fatal("%s: sshbuf_fromb failed", __func__);

while (sshbuf_len(options) != 0) {

buffer_init(&option);

sshbuf_free(option);

while (buffer_len(&options) != 0) {

option = NULL;

name = buffer_get_string(&options, NULL);

if ((r = sshbuf_get_cstring(options, &name, NULL)) != 0 ||

data = buffer_get_string_ptr(&options, &dlen);

(r = sshbuf_froms(options, &option)) != 0)

buffer_append(&option, data, dlen);

fatal("%s: buffer error: %s", __func__, ssh_err(r));

printf(" %s", name);

if ((v00 || !in_critical) &&

(strcmp(name, "permit-X11-forwarding") == 0 ||

Line 1839

Line 1920

else if ((v00 || in_critical) &&

(strcmp(name, "force-command") == 0 ||

strcmp(name, "source-address") == 0)) {

arg = buffer_get_cstring(&option, NULL);

if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0)

fatal("%s: buffer error: %s",

__func__, ssh_err(r));

printf(" %s\n", arg);

free(arg);

} else {

printf(" UNKNOWN OPTION (len %u)\n",

printf(" UNKNOWN OPTION (len %zu)\n",

buffer_len(&option));

sshbuf_len(option));

buffer_clear(&option);

sshbuf_reset(option);

}

free(name);

if (buffer_len(&option) != 0)

if (sshbuf_len(option) != 0)

fatal("Option corrupt: extra data at end");

}

buffer_free(&option);

sshbuf_free(option);

buffer_free(&options);

sshbuf_free(options);

}

static void

do_show_cert(struct passwd *pw)

{

Key *key;

struct sshkey *key;

struct stat st;

char *key_fp, *ca_fp;

u_int i, v00;

int r;

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

if (stat(identity_file, &st) < 0)

fatal("%s: %s: %s", __progname, identity_file, strerror(errno));

if ((key = key_load_public(identity_file, NULL)) == NULL)

if ((r = sshkey_load_public(identity_file, &key, NULL)) != 0)

fatal("%s is not a public key", identity_file);

fatal("Cannot load public key \"%s\": %s",

if (!key_is_cert(key))

identity_file, ssh_err(r));

if (!sshkey_is_cert(key))

fatal("%s is not a certificate", identity_file);

v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;

key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);

key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);

ca_fp = key_fingerprint(key->cert->signature_key,

ca_fp = sshkey_fingerprint(key->cert->signature_key,

SSH_FP_MD5, SSH_FP_HEX);

fingerprint_hash, SSH_FP_DEFAULT);

printf("%s:\n", identity_file);

printf(" Type: %s %s certificate\n", key_ssh_name(key),

printf(" Type: %s %s certificate\n", sshkey_ssh_name(key),

key_cert_type(key));

sshkey_cert_type(key));

printf(" Public key: %s %s\n", key_type(key), key_fp);

printf(" Public key: %s %s\n", sshkey_type(key), key_fp);

printf(" Signing CA: %s %s\n",

key_type(key->cert->signature_key), ca_fp);

sshkey_type(key->cert->signature_key), ca_fp);

printf(" Key ID: \"%s\"\n", key->cert->key_id);

if (!v00) {

printf(" Serial: %llu\n",

Line 1900

Line 1985

printf("\n");

}

printf(" Critical Options: ");

if (buffer_len(key->cert->critical) == 0)

if (sshbuf_len(key->cert->critical) == 0)

printf("(none)\n");

else {

printf("\n");

Line 1908

Line 1993

}

if (!v00) {

printf(" Extensions: ");

if (buffer_len(key->cert->extensions) == 0)

if (sshbuf_len(key->cert->extensions) == 0)

printf("(none)\n");

else {

printf("\n");

Line 1922

Line 2007

static void

load_krl(const char *path, struct ssh_krl **krlp)

{

Buffer krlbuf;

struct sshbuf *krlbuf;

int fd;

int r, fd;

buffer_init(&krlbuf);

if ((krlbuf = sshbuf_new()) == NULL)

fatal("sshbuf_new failed");

if ((fd = open(path, O_RDONLY)) == -1)

fatal("open %s: %s", path, strerror(errno));

if (!key_load_file(fd, path, &krlbuf))

if ((r = sshkey_load_file(fd, krlbuf)) != 0)

fatal("Unable to load KRL");

fatal("Unable to load KRL: %s", ssh_err(r));

close(fd);

/* XXX check sigs */

if (ssh_krl_from_blob(&krlbuf, krlp, NULL, 0) != 0 ||

if ((r = ssh_krl_from_blob(krlbuf, krlp, NULL, 0)) != 0 ||

*krlp == NULL)

fatal("Invalid KRL file");

fatal("Invalid KRL file: %s", ssh_err(r));

buffer_free(&krlbuf);

sshbuf_free(krlbuf);

}

static void

update_krl_from_file(struct passwd *pw, const char *file, const Key *ca,

update_krl_from_file(struct passwd *pw, const char *file,

struct ssh_krl *krl)

const struct sshkey *ca, struct ssh_krl *krl)

{

Key *key = NULL;

struct sshkey *key = NULL;

u_long lnum = 0;

char *path, *cp, *ep, line[SSH_MAX_PUBKEY_BYTES];

unsigned long long serial, serial2;

Line 2041

Line 2127

* Parsing will fail if it isn't.

}

if ((key = key_new(KEY_UNSPEC)) == NULL)

if ((key = sshkey_new(KEY_UNSPEC)) == NULL)

fatal("key_new");

if (key_read(key, &cp) != 1)

if ((r = sshkey_read(key, &cp)) != 0)

fatal("%s:%lu: invalid key", path, lnum);

fatal("%s:%lu: invalid key: %s",

path, lnum, ssh_err(r));

if (was_explicit_key)

r = ssh_krl_revoke_key_explicit(krl, key);

else if (was_sha1)

Line 2052

Line 2139

else

r = ssh_krl_revoke_key(krl, key);

if (r != 0)

fatal("%s: revoke key failed", __func__);

fatal("%s: revoke key failed: %s",

key_free(key);

__func__, ssh_err(r));

sshkey_free(key);

}

if (strcmp(path, "-") != 0)

Line 2066

Line 2154

{

struct ssh_krl *krl;

struct stat sb;

Key *ca = NULL;

struct sshkey *ca = NULL;

int fd, i;

int fd, i, r;

char *tmp;

Buffer kbuf;

struct sshbuf *kbuf;

if (*identity_file == '\0')

fatal("KRL generation requires an output file");

Line 2082

Line 2170

}

if (ca_key_path != NULL) {

tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);

if ((ca = key_load_public(tmp, NULL)) == NULL)

if ((r = sshkey_load_public(tmp, &ca, NULL)) != 0)

fatal("Cannot load CA public key %s", tmp);

fatal("Cannot load CA public key %s: %s",

tmp, ssh_err(r));

free(tmp);

}

Line 2100

Line 2189

for (i = 0; i < argc; i++)

update_krl_from_file(pw, argv[i], ca, krl);

buffer_init(&kbuf);

if ((kbuf = sshbuf_new()) == NULL)

if (ssh_krl_to_blob(krl, &kbuf, NULL, 0) != 0)

fatal("sshbuf_new failed");

if (ssh_krl_to_blob(krl, kbuf, NULL, 0) != 0)

fatal("Couldn't generate KRL");

if ((fd = open(identity_file, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1)

fatal("open %s: %s", identity_file, strerror(errno));

if (atomicio(vwrite, fd, buffer_ptr(&kbuf), buffer_len(&kbuf)) !=

if (atomicio(vwrite, fd, (void *)sshbuf_ptr(kbuf), sshbuf_len(kbuf)) !=

buffer_len(&kbuf))

sshbuf_len(kbuf))

fatal("write %s: %s", identity_file, strerror(errno));

close(fd);

buffer_free(&kbuf);

sshbuf_free(kbuf);

ssh_krl_free(krl);

if (ca != NULL)

key_free(ca);

sshkey_free(ca);

}

static void

Line 2121

Line 2211

int i, r, ret = 0;

char *comment;

struct ssh_krl *krl;

Key *k;

struct sshkey *k;

if (*identity_file == '\0')

fatal("KRL checking requires an input file");

load_krl(identity_file, &krl);

for (i = 0; i < argc; i++) {

if ((k = key_load_public(argv[i], &comment)) == NULL)

if ((r = sshkey_load_public(argv[i], &k, &comment)) != 0)

fatal("Cannot load public key %s", argv[i]);

fatal("Cannot load public key %s: %s",

argv[i], ssh_err(r));

r = ssh_krl_check_key(krl, k);

printf("%s%s%s%s: %s\n", argv[i],

*comment ? " (" : "", comment, *comment ? ")" : "",

r == 0 ? "ok" : "REVOKED");

if (r != 0)

ret = 1;

key_free(k);

sshkey_free(k);

free(comment);

}

ssh_krl_free(krl);

Line 2154

Line 2245

" ssh-keygen -e [-m key_format] [-f input_keyfile]\n"

" ssh-keygen -y [-f input_keyfile]\n"

" ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n"

" ssh-keygen -l [-f input_keyfile]\n"

" ssh-keygen -l [-E fingerprint_hash] [-f input_keyfile]\n"

" ssh-keygen -B [-f input_keyfile]\n");

#ifdef ENABLE_PKCS11

fprintf(stderr,

Line 2184

Line 2275

int

main(int argc, char **argv)

{

char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2;

char dotsshdir[PATH_MAX], comment[1024], *passphrase1, *passphrase2;

char *checkpoint = NULL;

char out_file[MAXPATHLEN], *ep, *rr_hostname = NULL;

char out_file[PATH_MAX], *rr_hostname = NULL, *ep;

Key *private, *public;

struct sshkey *private, *public;

struct passwd *pw;

struct stat st;

int opt, type, fd;

int r, opt, type, fd;

u_int32_t memory = 0, generator_wanted = 0;

int do_gen_candidates = 0, do_screen_candidates = 0;

int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0;

Line 2219

Line 2310

exit(1);

}

/* Remaining characters: EUYdw */

/* Remaining characters: UYdw */

while ((opt = getopt(argc, argv, "ABHLQXceghiklopquvxy"

"C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:a:b:f:g:j:m:n:r:s:t:z:")) != -1) {

"C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:"

"a:b:f:g:j:m:n:r:s:t:z:")) != -1) {

switch (opt) {

case 'A':

gen_all_hostkeys = 1;

Line 2232

Line 2324

fatal("Bits has bad value %s (%s)",

optarg, errstr);

break;

case 'E':

fingerprint_hash = ssh_digest_alg_by_name(optarg);

if (fingerprint_hash == -1)

fatal("Invalid hash algorithm \"%s\"", optarg);

break;

case 'F':

find_host = 1;

rr_hostname = optarg;

Line 2393

Line 2490

fatal("Output filename too long");

break;

case 'K':

if (strlen(optarg) >= MAXPATHLEN)

if (strlen(optarg) >= PATH_MAX)

fatal("Checkpoint filename too long");

checkpoint = xstrdup(optarg);

break;

Line 2551

Line 2648

if (key_type_name == NULL)

key_type_name = "rsa";

type = key_type_from_name(key_type_name);

type = sshkey_type_from_name(key_type_name);

type_bits_valid(type, &bits);

if (!quiet)

printf("Generating public/private %s key pair.\n", key_type_name);

printf("Generating public/private %s key pair.\n",

private = key_generate(type, bits);

key_type_name);

if (private == NULL) {

if ((r = sshkey_generate(type, bits, &private)) != 0) {

fprintf(stderr, "key_generate failed\n");

exit(1);

}

public = key_from_private(private);

if ((r = sshkey_from_private(private, &public)) != 0) {

fprintf(stderr, "key_from_private failed: %s\n", ssh_err(r));

exit(1);

}

if (!have_identity)

ask_filename(pw, "Enter file in which to save the key");

Line 2629

Line 2729

}

/* Save the key with the given passphrase and comment. */

if (!key_save_private(private, identity_file, passphrase1, comment,

if ((r = sshkey_save_private(private, identity_file, passphrase1,

use_new_format, new_format_cipher, rounds)) {

comment, use_new_format, new_format_cipher, rounds)) != 0) {

printf("Saving the key failed: %s.\n", identity_file);

printf("Saving key \"%s\" failed: %s\n",

identity_file, ssh_err(r));

explicit_bzero(passphrase1, strlen(passphrase1));

free(passphrase1);

exit(1);

Line 2641

Line 2742

free(passphrase1);

/* Clear the private key and the random number generator. */

key_free(private);

sshkey_free(private);

if (!quiet)

printf("Your identification has been saved in %s.\n", identity_file);

Line 2657

Line 2758

printf("fdopen %s failed\n", identity_file);

exit(1);

}

if (!key_write(public, f))

if ((r = sshkey_write(public, f)) != 0)

fprintf(stderr, "write key failed\n");

fprintf(stderr, "write key failed: %s\n", ssh_err(r));

fprintf(f, " %s\n", comment);

fclose(f);

if (!quiet) {

char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);

char *fp = sshkey_fingerprint(public, fingerprint_hash,

char *ra = key_fingerprint(public, SSH_FP_MD5,

SSH_FP_DEFAULT);

char *ra = sshkey_fingerprint(public, fingerprint_hash,

SSH_FP_RANDOMART);

printf("Your public key has been saved in %s.\n",

identity_file);

Line 2676

Line 2778

free(fp);

}

key_free(public);

sshkey_free(public);

exit(0);

}