src/usr.bin/ssh/ssh-keygen.c - diff

Return to ssh-keygen.c CVS log

Up to [local] / src / usr.bin / ssh

Diff for /src/usr.bin/ssh/ssh-keygen.c between version 1.269 and 1.294

version 1.269, 2015/04/17 13:19:22

version 1.294, 2017/02/10 03:36:40

Line 28

#include <string.h>

#include <unistd.h>

#include <limits.h>

#include <locale.h>

#include "xmalloc.h"

#include "sshkey.h"

Line 47

Line 48

#include "atomicio.h"

#include "krl.h"

#include "digest.h"

#include "utf8.h"

#ifdef ENABLE_PKCS11

#include "ssh-pkcs11.h"

#endif

#ifdef WITH_OPENSSL

# define DEFAULT_KEY_TYPE_NAME "rsa"

#else

# define DEFAULT_KEY_TYPE_NAME "ed25519"

#endif

/* Number of bits in the RSA/DSA key. This value can be set on the command line. */

#define DEFAULT_BITS 2048

#define DEFAULT_BITS_DSA 1024

Line 168

Line 176

char hostname[NI_MAXHOST];

#ifdef WITH_OPENSSL

/* moduli.c */

int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);

int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *, unsigned long,

unsigned long);

#endif

static void

type_bits_valid(int type, const char *name, u_int32_t *bitsp)

{

#ifdef WITH_OPENSSL

u_int maxbits, nid;

#endif

if (type == KEY_UNSPEC)

fatal("unknown key type %s", key_type_name);

if (*bitsp == 0) {

#ifdef WITH_OPENSSL

if (type == KEY_DSA)

*bitsp = DEFAULT_BITS_DSA;

else if (type == KEY_ECDSA) {

Line 189

Line 202

*bitsp = sshkey_curve_nid_to_bits(nid);

if (*bitsp == 0)

*bitsp = DEFAULT_BITS_ECDSA;

}

} else

else

#endif

*bitsp = DEFAULT_BITS;

}

#ifdef WITH_OPENSSL

maxbits = (type == KEY_DSA) ?

OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;

if (*bitsp > maxbits)

fatal("key bits exceeds maximum %d", maxbits);

#ifdef WITH_OPENSSL

if (type == KEY_DSA && *bitsp != 1024)

fatal("DSA keys must be 1024 bits");

else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)

else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 1024)

fatal("Key must at least be 768 bits");

fatal("Key must at least be 1024 bits");

else if (type == KEY_ECDSA && sshkey_ecdsa_bits_to_nid(*bitsp) == -1)

fatal("Invalid ECDSA key length - valid lengths are "

"256, 384 or 521 bits");

Line 222

Line 235

name = _PATH_SSH_CLIENT_IDENTITY;

break;

case KEY_DSA_CERT:

case KEY_DSA_CERT_V00:

case KEY_DSA:

name = _PATH_SSH_CLIENT_ID_DSA;

break;

Line 231

Line 243

name = _PATH_SSH_CLIENT_ID_ECDSA;

break;

case KEY_RSA_CERT:

case KEY_RSA_CERT_V00:

case KEY_RSA:

name = _PATH_SSH_CLIENT_ID_RSA;

break;

Line 504

Line 515

sshbuf_free(b);

/* try the key */

if (sshkey_sign(key, &sig, &slen, data, sizeof(data), 0) != 0 ||

if (sshkey_sign(key, &sig, &slen, data, sizeof(data), NULL, 0) != 0 ||

sshkey_verify(key, sig, slen, data, sizeof(data), 0) != 0) {

sshkey_free(key);

free(sig);

Line 785

Line 796

#endif /* ENABLE_PKCS11 */

}

static struct sshkey *

try_read_key(char **cpp)

{

struct sshkey *ret;

int r;

if ((ret = sshkey_new(KEY_RSA1)) == NULL)

fatal("sshkey_new failed");

/* Try RSA1 */

if ((r = sshkey_read(ret, cpp)) == 0)

return ret;

/* Try modern */

sshkey_free(ret);

if ((ret = sshkey_new(KEY_UNSPEC)) == NULL)

fatal("sshkey_new failed");

if ((r = sshkey_read(ret, cpp)) == 0)

return ret;

/* Not a key */

sshkey_free(ret);

return NULL;

}

static void

do_fingerprint(struct passwd *pw)

fingerprint_one_key(const struct sshkey *public, const char *comment)

{

FILE *f;

char *fp = NULL, *ra = NULL;

struct sshkey *public;

char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;

int r, i, skip = 0, num = 0, invalid = 1;

enum sshkey_fp_rep rep;

int fptype;

struct stat st;

fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;

rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;

if (!have_identity)

fp = sshkey_fingerprint(public, fptype, rep);

ask_filename(pw, "Enter file in which the key is");

ra = sshkey_fingerprint(public, fingerprint_hash, SSH_FP_RANDOMART);

if (fp == NULL || ra == NULL)

fatal("%s: sshkey_fingerprint failed", __func__);

mprintf("%u %s %s (%s)\n", sshkey_size(public), fp,

comment ? comment : "no comment", sshkey_type(public));

if (log_level >= SYSLOG_LEVEL_VERBOSE)

printf("%s\n", ra);

free(ra);

free(fp);

}

static void

fingerprint_private(const char *path)

{

struct stat st;

char *comment = NULL;

struct sshkey *public = NULL;

int r;

if (stat(identity_file, &st) < 0)

fatal("%s: %s", identity_file, strerror(errno));

fatal("%s: %s", path, strerror(errno));

if ((r = sshkey_load_public(identity_file, &public, &comment)) != 0)

if ((r = sshkey_load_public(path, &public, &comment)) != 0) {

debug2("Error loading public key \"%s\": %s",

debug("load public \"%s\": %s", path, ssh_err(r));

identity_file, ssh_err(r));

if ((r = sshkey_load_private(path, NULL,

else {

&public, &comment)) != 0) {

fp = sshkey_fingerprint(public, fptype, rep);

debug("load private \"%s\": %s", path, ssh_err(r));

ra = sshkey_fingerprint(public, fingerprint_hash,

fatal("%s is not a key file.", path);

SSH_FP_RANDOMART);

}

if (fp == NULL || ra == NULL)

fatal("%s: sshkey_fingerprint fail", __func__);

printf("%u %s %s (%s)\n", sshkey_size(public), fp, comment,

sshkey_type(public));

if (log_level >= SYSLOG_LEVEL_VERBOSE)

printf("%s\n", ra);

sshkey_free(public);

free(comment);

free(ra);

free(fp);

exit(0);

}

if (comment) {

free(comment);

comment = NULL;

}

if ((f = fopen(identity_file, "r")) == NULL)

fingerprint_one_key(public, comment);

fatal("%s: %s: %s", __progname, identity_file, strerror(errno));

sshkey_free(public);

free(comment);

}

while (fgets(line, sizeof(line), f)) {

static void

if ((cp = strchr(line, '\n')) == NULL) {

do_fingerprint(struct passwd *pw)

error("line %d too long: %.40s...",

{

num + 1, line);

FILE *f;

skip = 1;

struct sshkey *public = NULL;

char *comment = NULL, *cp, *ep, line[SSH_MAX_PUBKEY_BYTES];

int i, invalid = 1;

const char *path;

u_long lnum = 0;

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

path = identity_file;

if (strcmp(identity_file, "-") == 0) {

f = stdin;

path = "(stdin)";

} else if ((f = fopen(path, "r")) == NULL)

fatal("%s: %s: %s", __progname, path, strerror(errno));

while (read_keyfile_line(f, path, line, sizeof(line), &lnum) == 0) {

cp = line;

cp[strcspn(cp, "\n")] = '\0';

/* Trim leading space and comments */

cp = line + strspn(line, " \t");

if (*cp == '#' || *cp == '\0')

continue;

* Input may be plain keys, private keys, authorized_keys

* or known_hosts.

* Try private keys first. Assume a key is private if

* "SSH PRIVATE KEY" appears on the first line and we're

* not reading from stdin (XXX support private keys on stdin).

if (lnum == 1 && strcmp(identity_file, "-") != 0 &&

strstr(cp, "PRIVATE KEY") != NULL) {

fclose(f);

fingerprint_private(path);

exit(0);

}

num++;

if (skip) {

skip = 0;

* If it's not a private key, then this must be prepared to

* accept a public key prefixed with a hostname or options.

* Try a bare key first, otherwise skip the leading stuff.

if ((public = try_read_key(&cp)) == NULL) {

i = strtol(cp, &ep, 10);

if (i == 0 || ep == NULL ||

(*ep != ' ' && *ep != '\t')) {

int quoted = 0;

comment = cp;

for (; *cp && (quoted || (*cp != ' ' &&

*cp != '\t')); cp++) {

if (*cp == '\\' && cp[1] == '"')

cp++; /* Skip both */

else if (*cp == '"')

quoted = !quoted;

}

if (!*cp)

continue;

*cp++ = '\0';

}

/* Retry after parsing leading hostname/key options */

if (public == NULL && (public = try_read_key(&cp)) == NULL) {

debug("%s:%lu: not a public key", path, lnum);

continue;

}

*cp = '\0';

/* Skip leading whitespace, empty and comment lines. */

/* Find trailing comment, if any */

for (cp = line; *cp == ' ' || *cp == '\t'; cp++)

for (; *cp == ' ' || *cp == '\t'; cp++)

;

if (!*cp || *cp == '\n' || *cp == '#')

if (*cp != '\0' && *cp != '#')

continue;

i = strtol(cp, &ep, 10);

if (i == 0 || ep == NULL || (*ep != ' ' && *ep != '\t')) {

int quoted = 0;

comment = cp;

for (; *cp && (quoted || (*cp != ' ' &&

*cp != '\t')); cp++) {

fingerprint_one_key(public, comment);

if (*cp == '\\' && cp[1] == '"')

cp++; /* Skip both */

else if (*cp == '"')

quoted = !quoted;

}

if (!*cp)

continue;

*cp++ = '\0';

}

ep = cp;

if ((public = sshkey_new(KEY_RSA1)) == NULL)

fatal("sshkey_new failed");

if ((r = sshkey_read(public, &cp)) != 0) {

cp = ep;

sshkey_free(public);

if ((public = sshkey_new(KEY_UNSPEC)) == NULL)

fatal("sshkey_new failed");

if ((r = sshkey_read(public, &cp)) != 0) {

sshkey_free(public);

continue;

}

comment = *cp ? cp : comment;

fp = sshkey_fingerprint(public, fptype, rep);

ra = sshkey_fingerprint(public, fingerprint_hash,

SSH_FP_RANDOMART);

if (fp == NULL || ra == NULL)

fatal("%s: sshkey_fingerprint fail", __func__);

printf("%u %s %s (%s)\n", sshkey_size(public), fp,

comment ? comment : "no comment", sshkey_type(public));

if (log_level >= SYSLOG_LEVEL_VERBOSE)

printf("%s\n", ra);

free(ra);

free(fp);

sshkey_free(public);

invalid = 0;

invalid = 0; /* One good key in the file is sufficient */

}

fclose(f);

if (invalid)

fatal("%s is not a public key file.", identity_file);

fatal("%s is not a public key file.", path);

exit(0);

}

Line 1059

Line 1116

known_hosts_find_delete(struct hostkey_foreach_line *l, void *_ctx)

{

struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;

enum sshkey_fp_rep rep;

int fptype;

char *fp;

fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;

rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;

if (l->status == HKF_STATUS_MATCHED) {

if (delete_host) {

if (l->marker != MRK_NONE) {

Line 1087

Line 1150

}

if (hash_hosts)

known_hosts_hash(l, ctx);

else

else if (print_fingerprint) {

fp = sshkey_fingerprint(l->key, fptype, rep);

mprintf("%s %s %s %s\n", ctx->host,

sshkey_type(l->key), fp, l->comment);

free(fp);

} else

fprintf(ctx->out, "%s\n", l->line);

return 0;

}

Line 1108

Line 1176

char *cp, tmp[PATH_MAX], old[PATH_MAX];

int r, fd, oerrno, inplace = 0;

struct known_hosts_ctx ctx;

u_int foreach_options;

if (!have_identity) {

cp = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid);

Line 1144

Line 1213

}

/* XXX support identity_file == "-" for stdin */

foreach_options = find_host ? HKF_WANT_MATCH : 0;

foreach_options |= print_fingerprint ? HKF_WANT_PARSE_KEY : 0;

if ((r = hostkeys_foreach(identity_file,

hash_hosts ? known_hosts_hash : known_hosts_find_delete, &ctx,

name, NULL, find_host ? HKF_WANT_MATCH : 0)) != 0)

name, NULL, foreach_options)) != 0) {

if (inplace)

unlink(tmp);

fatal("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r));

}

if (inplace)

fclose(ctx.out);

Line 1162

Line 1236

exit(1);

} else if (delete_host && !ctx.found_key) {

logit("Host %s not found in %s", name, identity_file);

unlink(tmp);

if (inplace)

unlink(tmp);

} else if (inplace) {

/* Backup existing file */

if (unlink(old) == -1 && errno != ENOENT)

Line 1228

Line 1303

fatal("Failed to load key %s: %s", identity_file, ssh_err(r));

}

if (comment)

printf("Key has comment '%s'\n", comment);

mprintf("Key has comment '%s'\n", comment);

/* Ask the new passphrase (twice). */

if (identity_new_passphrase) {

Line 1343

Line 1418

identity_file, ssh_err(r));

}

/* XXX what about new-format keys? */

if (private->type != KEY_RSA1) {

if (private->type != KEY_RSA1 && private->type != KEY_ED25519 &&

error("Comments are only supported for RSA1 keys.");

!use_new_format) {

error("Comments are only supported for RSA1 or keys stored in "

"the new format (-o).");

explicit_bzero(passphrase, strlen(passphrase));

sshkey_free(private);

exit(1);

}

printf("Key now has comment '%s'\n", comment);

if (comment)

printf("Key now has comment '%s'\n", comment);

else

printf("Key now has no comment\n");

if (identity_comment) {

strlcpy(new_comment, identity_comment, sizeof(new_comment));

Line 1401

Line 1481

exit(0);

}

static const char *

fmt_validity(u_int64_t valid_from, u_int64_t valid_to)

{

char from[32], to[32];

static char ret[64];

time_t tt;

struct tm *tm;

*from = *to = '\0';

if (valid_from == 0 && valid_to == 0xffffffffffffffffULL)

return "forever";

if (valid_from != 0) {

/* XXX revisit INT_MAX in 2038 :) */

tt = valid_from > INT_MAX ? INT_MAX : valid_from;

tm = localtime(&tt);

strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm);

}

if (valid_to != 0xffffffffffffffffULL) {

/* XXX revisit INT_MAX in 2038 :) */

tt = valid_to > INT_MAX ? INT_MAX : valid_to;

tm = localtime(&tt);

strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm);

}

if (valid_from == 0) {

snprintf(ret, sizeof(ret), "before %s", to);

return ret;

}

if (valid_to == 0xffffffffffffffffULL) {

snprintf(ret, sizeof(ret), "after %s", from);

return ret;

}

snprintf(ret, sizeof(ret), "from %s to %s", from, to);

return ret;

}

static void

add_flag_option(struct sshbuf *c, const char *name)

{

Line 1532

Line 1574

int r, i, fd;

u_int n;

struct sshkey *ca, *public;

char *otmp, *tmp, *cp, *out, *comment, **plist = NULL;

char valid[64], *otmp, *tmp, *cp, *out, *comment, **plist = NULL;

FILE *f;

int v00 = 0; /* legacy keys */

if (key_type_name != NULL) {

switch (sshkey_type_from_name(key_type_name)) {

case KEY_RSA_CERT_V00:

case KEY_DSA_CERT_V00:

v00 = 1;

break;

case KEY_UNSPEC:

if (strcasecmp(key_type_name, "v00") == 0) {

v00 = 1;

break;

} else if (strcasecmp(key_type_name, "v01") == 0)

break;

/* FALLTHROUGH */

default:

fatal("unknown key type %s", key_type_name);

}

#ifdef ENABLE_PKCS11

pkcs11_init(1);

#endif

Line 1565

Line 1588

ca = load_identity(tmp);

free(tmp);

if (key_type_name != NULL &&

sshkey_type_from_name(key_type_name) != ca->type) {

fatal("CA key type %s doesn't match specified %s",

sshkey_ssh_name(ca), key_type_name);

}

for (i = 0; i < argc; i++) {

/* Split list of principals */

n = 0;

Line 1572

Line 1601

otmp = tmp = xstrdup(cert_principals);

plist = NULL;

for (; (cp = strsep(&tmp, ",")) != NULL; n++) {

plist = xrealloc(plist, n + 1, sizeof(*plist));

plist = xreallocarray(plist, n + 1, sizeof(*plist));

if (*(plist[n] = xstrdup(cp)) == '\0')

fatal("Empty principal name");

}

Line 1589

Line 1618

__func__, tmp, sshkey_type(public));

/* Prepare certificate to sign */

if ((r = sshkey_to_certified(public, v00)) != 0)

if ((r = sshkey_to_certified(public)) != 0)

fatal("Could not upgrade key %s to certificate: %s",

tmp, ssh_err(r));

public->cert->type = cert_key_type;

Line 1599

Line 1628

public->cert->principals = plist;

public->cert->valid_after = cert_valid_from;

public->cert->valid_before = cert_valid_to;

if (v00) {

prepare_options_buf(public->cert->critical, OPTIONS_CRITICAL);

prepare_options_buf(public->cert->critical,

prepare_options_buf(public->cert->extensions,

OPTIONS_CRITICAL|OPTIONS_EXTENSIONS);

OPTIONS_EXTENSIONS);

} else {

prepare_options_buf(public->cert->critical,

OPTIONS_CRITICAL);

prepare_options_buf(public->cert->extensions,

OPTIONS_EXTENSIONS);

}

if ((r = sshkey_from_private(ca,

&public->cert->signature_key)) != 0)

fatal("key_from_private (ca key): %s", ssh_err(r));

if (sshkey_certify(public, ca) != 0)

if ((r = sshkey_certify(public, ca, key_type_name)) != 0)

fatal("Couldn't not certify key %s", tmp);

fatal("Couldn't certify key %s: %s", tmp, ssh_err(r));

if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0)

*cp = '\0';

Line 1632

Line 1655

fclose(f);

if (!quiet) {

sshkey_format_cert_validity(public->cert,

valid, sizeof(valid));

logit("Signed %s key %s: id \"%s\" serial %llu%s%s "

"valid %s", sshkey_cert_type(public),

out, public->cert->key_id,

(unsigned long long)public->cert->serial,

cert_principals != NULL ? " for " : "",

cert_principals != NULL ? cert_principals : "",

fmt_validity(cert_valid_from, cert_valid_to));

valid);

}

sshkey_free(public);

Line 1672

Line 1697

char buf[32], *fmt;

* POSIX strptime says "The application shall ensure that there

* is white-space or other non-alphanumeric characters between

* any two conversion specifications" so arrange things this way.

Line 1792

Line 1817

}

static void

show_options(struct sshbuf *optbuf, int v00, int in_critical)

show_options(struct sshbuf *optbuf, int in_critical)

{

char *name, *arg;

struct sshbuf *options, *option = NULL;

Line 1807

Line 1832

(r = sshbuf_froms(options, &option)) != 0)

fatal("%s: buffer error: %s", __func__, ssh_err(r));

printf(" %s", name);

if ((v00 || !in_critical) &&

if (!in_critical &&

(strcmp(name, "permit-X11-forwarding") == 0 ||

strcmp(name, "permit-agent-forwarding") == 0 ||

strcmp(name, "permit-port-forwarding") == 0 ||

strcmp(name, "permit-pty") == 0 ||

strcmp(name, "permit-user-rc") == 0))

printf("\n");

else if ((v00 || in_critical) &&

else if (in_critical &&

(strcmp(name, "force-command") == 0 ||

strcmp(name, "source-address") == 0)) {

if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0)

Line 1836

Line 1861

}

static void

do_show_cert(struct passwd *pw)

print_cert(struct sshkey *key)

{

struct sshkey *key;

char valid[64], *key_fp, *ca_fp;

struct stat st;

u_int i;

char *key_fp, *ca_fp;

u_int i, v00;

int r;

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

if (stat(identity_file, &st) < 0)

fatal("%s: %s: %s", __progname, identity_file, strerror(errno));

if ((r = sshkey_load_public(identity_file, &key, NULL)) != 0)

fatal("Cannot load public key \"%s\": %s",

identity_file, ssh_err(r));

if (!sshkey_is_cert(key))

fatal("%s is not a certificate", identity_file);

v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;

key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);

ca_fp = sshkey_fingerprint(key->cert->signature_key,

fingerprint_hash, SSH_FP_DEFAULT);

if (key_fp == NULL || ca_fp == NULL)

fatal("%s: sshkey_fingerprint fail", __func__);

sshkey_format_cert_validity(key->cert, valid, sizeof(valid));

printf("%s:\n", identity_file);

printf(" Type: %s %s certificate\n", sshkey_ssh_name(key),

sshkey_cert_type(key));

printf(" Public key: %s %s\n", sshkey_type(key), key_fp);

printf(" Signing CA: %s %s\n",

sshkey_type(key->cert->signature_key), ca_fp);

printf(" Key ID: \"%s\"\n", key->cert->key_id);

if (!v00) {

printf(" Serial: %llu\n", (unsigned long long)key->cert->serial);

printf(" Serial: %llu\n",

printf(" Valid: %s\n", valid);

(unsigned long long)key->cert->serial);

}

printf(" Valid: %s\n",

fmt_validity(key->cert->valid_after, key->cert->valid_before));

printf(" Principals: ");

if (key->cert->nprincipals == 0)

printf("(none)\n");

Line 1888

Line 1895

printf("(none)\n");

else {

printf("\n");

show_options(key->cert->critical, v00, 1);

show_options(key->cert->critical, 1);

}

if (!v00) {

printf(" Extensions: ");

if (sshbuf_len(key->cert->extensions) == 0)

printf("(none)\n");

else {

printf("\n");

show_options(key->cert->extensions, 0);

show_options(key->cert->extensions, v00, 0);

}

static void

do_show_cert(struct passwd *pw)

{

struct sshkey *key = NULL;

struct stat st;

int r, is_stdin = 0, ok = 0;

FILE *f;

char *cp, line[SSH_MAX_PUBKEY_BYTES];

const char *path;

u_long lnum = 0;

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

if (strcmp(identity_file, "-") != 0 && stat(identity_file, &st) < 0)

fatal("%s: %s: %s", __progname, identity_file, strerror(errno));

path = identity_file;

if (strcmp(path, "-") == 0) {

f = stdin;

path = "(stdin)";

is_stdin = 1;

} else if ((f = fopen(identity_file, "r")) == NULL)

fatal("fopen %s: %s", identity_file, strerror(errno));

while (read_keyfile_line(f, path, line, sizeof(line), &lnum) == 0) {

sshkey_free(key);

key = NULL;

/* Trim leading space and comments */

cp = line + strspn(line, " \t");

if (*cp == '#' || *cp == '\0')

continue;

if ((key = sshkey_new(KEY_UNSPEC)) == NULL)

fatal("key_new");

if ((r = sshkey_read(key, &cp)) != 0) {

error("%s:%lu: invalid key: %s", path,

lnum, ssh_err(r));

continue;

}

if (!sshkey_is_cert(key)) {

error("%s:%lu is not a certificate", path, lnum);

continue;

}

ok = 1;

if (!is_stdin && lnum == 1)

printf("%s:\n", path);

else

printf("%s:%lu:\n", path, lnum);

print_cert(key);

}

exit(0);

sshkey_free(key);

fclose(f);

exit(ok ? 0 : 1);

}

#ifdef WITH_OPENSSL

Line 2104

Line 2162

close(fd);

sshbuf_free(kbuf);

ssh_krl_free(krl);

if (ca != NULL)

sshkey_free(ca);

}

static void

Line 2159

Line 2216

" ssh-keygen -H [-f known_hosts_file]\n"

" ssh-keygen -R hostname [-f known_hosts_file]\n"

" ssh-keygen -r hostname [-f input_keyfile] [-g]\n"

#ifdef WITH_OPENSSL

" ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]\n"

" ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]\n"

" [-j start_line] [-K checkpt] [-W generator]\n"

#endif

" ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]\n"

" [-O option] [-V validity_interval] [-z serial_number] file ...\n"

" ssh-keygen -L [-f input_keyfile]\n"

Line 2179

Line 2238

main(int argc, char **argv)

{

char dotsshdir[PATH_MAX], comment[1024], *passphrase1, *passphrase2;

char *checkpoint = NULL;

char *rr_hostname = NULL, *ep, *fp, *ra;

char out_file[PATH_MAX], *rr_hostname = NULL, *ep, *fp, *ra;

struct sshkey *private, *public;

struct passwd *pw;

struct stat st;

int r, opt, type, fd;

int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0;

FILE *f;

const char *errstr;

#ifdef WITH_OPENSSL

/* Moduli generation/screening */

char out_file[PATH_MAX], *checkpoint = NULL;

u_int32_t memory = 0, generator_wanted = 0;

int do_gen_candidates = 0, do_screen_candidates = 0;

int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0;

unsigned long start_lineno = 0, lines_to_process = 0;

BIGNUM *start = NULL;

FILE *f;

#endif

const char *errstr;

extern int optind;

extern char *optarg;

ssh_malloc_init(); /* must be called before any mallocs */

/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */

sanitise_stdfd();

OpenSSL_add_all_algorithms();

log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);

setlocale(LC_CTYPE, "");

/* we need this for the home * directory. */

pw = getpwuid(getuid());

if (!pw)

Line 2238

Line 2303

case 'I':

cert_key_id = optarg;

break;

case 'J':

lines_to_process = strtoul(optarg, NULL, 10);

break;

case 'j':

start_lineno = strtoul(optarg, NULL, 10);

break;

case 'R':

delete_host = 1;

rr_hostname = optarg;

Line 2285

Line 2344

change_comment = 1;

break;

case 'f':

if (strlcpy(identity_file, optarg, sizeof(identity_file)) >=

if (strlcpy(identity_file, optarg,

sizeof(identity_file))

sizeof(identity_file)) >= sizeof(identity_file))

fatal("Identity filename too long");

have_identity = 1;

break;

Line 2358

Line 2417

case 'r':

rr_hostname = optarg;

break;

case 'W':

generator_wanted = (u_int32_t)strtonum(optarg, 1,

UINT_MAX, &errstr);

if (errstr)

fatal("Desired generator has bad value: %s (%s)",

optarg, errstr);

break;

case 'a':

rounds = (int)strtonum(optarg, 1, INT_MAX, &errstr);

if (errstr)

fatal("Invalid number: %s (%s)",

optarg, errstr);

break;

case 'M':

case 'V':

memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr);

parse_cert_times(optarg);

if (errstr)

fatal("Memory limit is %s: %s", errstr, optarg);

break;

case 'z':

errno = 0;

cert_serial = strtoull(optarg, &ep, 10);

if (*optarg < '0' || *optarg > '9' || *ep != '\0' ||

(errno == ERANGE && cert_serial == ULLONG_MAX))

fatal("Invalid serial number \"%s\"", optarg);

break;

#ifdef WITH_OPENSSL

/* Moduli generation/screening */

case 'G':

do_gen_candidates = 1;

if (strlcpy(out_file, optarg, sizeof(out_file)) >=

sizeof(out_file))

fatal("Output filename too long");

break;

case 'T':

case 'J':

do_screen_candidates = 1;

lines_to_process = strtoul(optarg, NULL, 10);

if (strlcpy(out_file, optarg, sizeof(out_file)) >=

sizeof(out_file))

fatal("Output filename too long");

break;

case 'j':

start_lineno = strtoul(optarg, NULL, 10);

break;

case 'K':

if (strlen(optarg) >= PATH_MAX)

fatal("Checkpoint filename too long");

checkpoint = xstrdup(optarg);

break;

case 'M':

memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX,

&errstr);

if (errstr)

fatal("Memory limit is %s: %s", errstr, optarg);

break;

case 'S':

/* XXX - also compare length against bits */

if (BN_hex2bn(&start, optarg) == 0)

fatal("Invalid start point.");

break;

case 'V':

case 'T':

parse_cert_times(optarg);

do_screen_candidates = 1;

if (strlcpy(out_file, optarg, sizeof(out_file)) >=

sizeof(out_file))

fatal("Output filename too long");

break;

case 'z':

case 'W':

errno = 0;

generator_wanted = (u_int32_t)strtonum(optarg, 1,

cert_serial = strtoull(optarg, &ep, 10);

UINT_MAX, &errstr);

if (*optarg < '0' || *optarg > '9' || *ep != '\0' ||

if (errstr != NULL)

(errno == ERANGE && cert_serial == ULLONG_MAX))

fatal("Desired generator invalid: %s (%s)",

fatal("Invalid serial number \"%s\"", optarg);

optarg, errstr);

break;

#endif /* WITH_OPENSSL */

case '?':

default:

usage();

Line 2497

Line 2566

}

#ifdef WITH_OPENSSL

if (do_gen_candidates) {

FILE *out = fopen(out_file, "w");

Line 2536

Line 2606

fatal("modulus screening failed");

return (0);

}

#endif

if (gen_all_hostkeys) {

do_gen_all_hostkeys(pw);

Line 2543

Line 2614

}

if (key_type_name == NULL)

key_type_name = "rsa";

key_type_name = DEFAULT_KEY_TYPE_NAME;

type = sshkey_type_from_name(key_type_name);

type_bits_valid(type, key_type_name, &bits);