version 1.270, 2015/04/24 01:36:01 |
version 1.274, 2015/05/28 07:37:31 |
|
|
#include "ssh-pkcs11.h" |
#include "ssh-pkcs11.h" |
#endif |
#endif |
|
|
|
#ifdef WITH_OPENSSL |
|
# define DEFAULT_KEY_TYPE_NAME "rsa" |
|
#else |
|
# define DEFAULT_KEY_TYPE_NAME "ed25519" |
|
#endif |
|
|
/* Number of bits in the RSA/DSA key. This value can be set on the command line. */ |
/* Number of bits in the RSA/DSA key. This value can be set on the command line. */ |
#define DEFAULT_BITS 2048 |
#define DEFAULT_BITS 2048 |
#define DEFAULT_BITS_DSA 1024 |
#define DEFAULT_BITS_DSA 1024 |
|
|
|
|
char hostname[NI_MAXHOST]; |
char hostname[NI_MAXHOST]; |
|
|
|
#ifdef WITH_OPENSSL |
/* moduli.c */ |
/* moduli.c */ |
int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *); |
int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *); |
int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *, unsigned long, |
int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *, unsigned long, |
unsigned long); |
unsigned long); |
|
#endif |
|
|
static void |
static void |
type_bits_valid(int type, const char *name, u_int32_t *bitsp) |
type_bits_valid(int type, const char *name, u_int32_t *bitsp) |
{ |
{ |
|
#ifdef WITH_OPENSSL |
u_int maxbits, nid; |
u_int maxbits, nid; |
|
#endif |
|
|
if (type == KEY_UNSPEC) |
if (type == KEY_UNSPEC) |
fatal("unknown key type %s", key_type_name); |
fatal("unknown key type %s", key_type_name); |
if (*bitsp == 0) { |
if (*bitsp == 0) { |
|
#ifdef WITH_OPENSSL |
if (type == KEY_DSA) |
if (type == KEY_DSA) |
*bitsp = DEFAULT_BITS_DSA; |
*bitsp = DEFAULT_BITS_DSA; |
else if (type == KEY_ECDSA) { |
else if (type == KEY_ECDSA) { |
|
|
*bitsp = DEFAULT_BITS_ECDSA; |
*bitsp = DEFAULT_BITS_ECDSA; |
} |
} |
else |
else |
|
#endif |
*bitsp = DEFAULT_BITS; |
*bitsp = DEFAULT_BITS; |
} |
} |
|
#ifdef WITH_OPENSSL |
maxbits = (type == KEY_DSA) ? |
maxbits = (type == KEY_DSA) ? |
OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; |
OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; |
if (*bitsp > maxbits) |
if (*bitsp > maxbits) |
fatal("key bits exceeds maximum %d", maxbits); |
fatal("key bits exceeds maximum %d", maxbits); |
#ifdef WITH_OPENSSL |
|
if (type == KEY_DSA && *bitsp != 1024) |
if (type == KEY_DSA && *bitsp != 1024) |
fatal("DSA keys must be 1024 bits"); |
fatal("DSA keys must be 1024 bits"); |
else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) |
else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) |
|
|
known_hosts_find_delete(struct hostkey_foreach_line *l, void *_ctx) |
known_hosts_find_delete(struct hostkey_foreach_line *l, void *_ctx) |
{ |
{ |
struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx; |
struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx; |
|
enum sshkey_fp_rep rep; |
|
int fptype; |
|
char *fp; |
|
|
|
fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash; |
|
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT; |
|
|
if (l->status == HKF_STATUS_MATCHED) { |
if (l->status == HKF_STATUS_MATCHED) { |
if (delete_host) { |
if (delete_host) { |
if (l->marker != MRK_NONE) { |
if (l->marker != MRK_NONE) { |
|
|
} |
} |
if (hash_hosts) |
if (hash_hosts) |
known_hosts_hash(l, ctx); |
known_hosts_hash(l, ctx); |
else |
else if (print_fingerprint) { |
|
fp = sshkey_fingerprint(l->key, fptype, rep); |
|
printf("%s %s %s %s\n", ctx->host, |
|
sshkey_type(l->key), fp, l->comment); |
|
free(fp); |
|
} else |
fprintf(ctx->out, "%s\n", l->line); |
fprintf(ctx->out, "%s\n", l->line); |
return 0; |
return 0; |
} |
} |
|
|
char *cp, tmp[PATH_MAX], old[PATH_MAX]; |
char *cp, tmp[PATH_MAX], old[PATH_MAX]; |
int r, fd, oerrno, inplace = 0; |
int r, fd, oerrno, inplace = 0; |
struct known_hosts_ctx ctx; |
struct known_hosts_ctx ctx; |
|
u_int foreach_options; |
|
|
if (!have_identity) { |
if (!have_identity) { |
cp = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid); |
cp = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid); |
|
|
} |
} |
|
|
/* XXX support identity_file == "-" for stdin */ |
/* XXX support identity_file == "-" for stdin */ |
|
foreach_options = find_host ? HKF_WANT_MATCH : 0; |
|
foreach_options |= print_fingerprint ? HKF_WANT_PARSE_KEY : 0; |
if ((r = hostkeys_foreach(identity_file, |
if ((r = hostkeys_foreach(identity_file, |
hash_hosts ? known_hosts_hash : known_hosts_find_delete, &ctx, |
hash_hosts ? known_hosts_hash : known_hosts_find_delete, &ctx, |
name, NULL, find_host ? HKF_WANT_MATCH : 0)) != 0) |
name, NULL, foreach_options)) != 0) |
fatal("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r)); |
fatal("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r)); |
|
|
if (inplace) |
if (inplace) |
|
|
" ssh-keygen -H [-f known_hosts_file]\n" |
" ssh-keygen -H [-f known_hosts_file]\n" |
" ssh-keygen -R hostname [-f known_hosts_file]\n" |
" ssh-keygen -R hostname [-f known_hosts_file]\n" |
" ssh-keygen -r hostname [-f input_keyfile] [-g]\n" |
" ssh-keygen -r hostname [-f input_keyfile] [-g]\n" |
|
#ifdef WITH_OPENSSL |
" ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]\n" |
" ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]\n" |
" ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]\n" |
" ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]\n" |
" [-j start_line] [-K checkpt] [-W generator]\n" |
" [-j start_line] [-K checkpt] [-W generator]\n" |
|
#endif |
" ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]\n" |
" ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]\n" |
" [-O option] [-V validity_interval] [-z serial_number] file ...\n" |
" [-O option] [-V validity_interval] [-z serial_number] file ...\n" |
" ssh-keygen -L [-f input_keyfile]\n" |
" ssh-keygen -L [-f input_keyfile]\n" |
|
|
main(int argc, char **argv) |
main(int argc, char **argv) |
{ |
{ |
char dotsshdir[PATH_MAX], comment[1024], *passphrase1, *passphrase2; |
char dotsshdir[PATH_MAX], comment[1024], *passphrase1, *passphrase2; |
char *checkpoint = NULL; |
char *rr_hostname = NULL, *ep, *fp, *ra; |
char out_file[PATH_MAX], *rr_hostname = NULL, *ep, *fp, *ra; |
|
struct sshkey *private, *public; |
struct sshkey *private, *public; |
struct passwd *pw; |
struct passwd *pw; |
struct stat st; |
struct stat st; |
int r, opt, type, fd; |
int r, opt, type, fd; |
|
int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0; |
|
FILE *f; |
|
const char *errstr; |
|
#ifdef WITH_OPENSSL |
|
/* Moduli generation/screening */ |
|
char out_file[PATH_MAX], *checkpoint = NULL; |
u_int32_t memory = 0, generator_wanted = 0; |
u_int32_t memory = 0, generator_wanted = 0; |
int do_gen_candidates = 0, do_screen_candidates = 0; |
int do_gen_candidates = 0, do_screen_candidates = 0; |
int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0; |
|
unsigned long start_lineno = 0, lines_to_process = 0; |
unsigned long start_lineno = 0, lines_to_process = 0; |
BIGNUM *start = NULL; |
BIGNUM *start = NULL; |
FILE *f; |
#endif |
const char *errstr; |
|
|
|
extern int optind; |
extern int optind; |
extern char *optarg; |
extern char *optarg; |
|
|
case 'I': |
case 'I': |
cert_key_id = optarg; |
cert_key_id = optarg; |
break; |
break; |
case 'J': |
|
lines_to_process = strtoul(optarg, NULL, 10); |
|
break; |
|
case 'j': |
|
start_lineno = strtoul(optarg, NULL, 10); |
|
break; |
|
case 'R': |
case 'R': |
delete_host = 1; |
delete_host = 1; |
rr_hostname = optarg; |
rr_hostname = optarg; |
|
|
change_comment = 1; |
change_comment = 1; |
break; |
break; |
case 'f': |
case 'f': |
if (strlcpy(identity_file, optarg, sizeof(identity_file)) >= |
if (strlcpy(identity_file, optarg, |
sizeof(identity_file)) |
sizeof(identity_file)) >= sizeof(identity_file)) |
fatal("Identity filename too long"); |
fatal("Identity filename too long"); |
have_identity = 1; |
have_identity = 1; |
break; |
break; |
|
|
case 'r': |
case 'r': |
rr_hostname = optarg; |
rr_hostname = optarg; |
break; |
break; |
case 'W': |
|
generator_wanted = (u_int32_t)strtonum(optarg, 1, |
|
UINT_MAX, &errstr); |
|
if (errstr) |
|
fatal("Desired generator has bad value: %s (%s)", |
|
optarg, errstr); |
|
break; |
|
case 'a': |
case 'a': |
rounds = (int)strtonum(optarg, 1, INT_MAX, &errstr); |
rounds = (int)strtonum(optarg, 1, INT_MAX, &errstr); |
if (errstr) |
if (errstr) |
fatal("Invalid number: %s (%s)", |
fatal("Invalid number: %s (%s)", |
optarg, errstr); |
optarg, errstr); |
break; |
break; |
case 'M': |
case 'V': |
memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr); |
parse_cert_times(optarg); |
if (errstr) |
|
fatal("Memory limit is %s: %s", errstr, optarg); |
|
break; |
break; |
|
case 'z': |
|
errno = 0; |
|
cert_serial = strtoull(optarg, &ep, 10); |
|
if (*optarg < '0' || *optarg > '9' || *ep != '\0' || |
|
(errno == ERANGE && cert_serial == ULLONG_MAX)) |
|
fatal("Invalid serial number \"%s\"", optarg); |
|
break; |
|
#ifdef WITH_OPENSSL |
|
/* Moduli generation/screening */ |
case 'G': |
case 'G': |
do_gen_candidates = 1; |
do_gen_candidates = 1; |
if (strlcpy(out_file, optarg, sizeof(out_file)) >= |
if (strlcpy(out_file, optarg, sizeof(out_file)) >= |
sizeof(out_file)) |
sizeof(out_file)) |
fatal("Output filename too long"); |
fatal("Output filename too long"); |
break; |
break; |
case 'T': |
case 'J': |
do_screen_candidates = 1; |
lines_to_process = strtoul(optarg, NULL, 10); |
if (strlcpy(out_file, optarg, sizeof(out_file)) >= |
break; |
sizeof(out_file)) |
case 'j': |
fatal("Output filename too long"); |
start_lineno = strtoul(optarg, NULL, 10); |
break; |
break; |
case 'K': |
case 'K': |
if (strlen(optarg) >= PATH_MAX) |
if (strlen(optarg) >= PATH_MAX) |
fatal("Checkpoint filename too long"); |
fatal("Checkpoint filename too long"); |
checkpoint = xstrdup(optarg); |
checkpoint = xstrdup(optarg); |
break; |
break; |
|
case 'M': |
|
memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX, |
|
&errstr); |
|
if (errstr) |
|
fatal("Memory limit is %s: %s", errstr, optarg); |
|
break; |
case 'S': |
case 'S': |
/* XXX - also compare length against bits */ |
/* XXX - also compare length against bits */ |
if (BN_hex2bn(&start, optarg) == 0) |
if (BN_hex2bn(&start, optarg) == 0) |
fatal("Invalid start point."); |
fatal("Invalid start point."); |
break; |
break; |
case 'V': |
case 'T': |
parse_cert_times(optarg); |
do_screen_candidates = 1; |
|
if (strlcpy(out_file, optarg, sizeof(out_file)) >= |
|
sizeof(out_file)) |
|
fatal("Output filename too long"); |
break; |
break; |
case 'z': |
case 'W': |
errno = 0; |
generator_wanted = (u_int32_t)strtonum(optarg, 1, |
cert_serial = strtoull(optarg, &ep, 10); |
UINT_MAX, &errstr); |
if (*optarg < '0' || *optarg > '9' || *ep != '\0' || |
if (errstr != NULL) |
(errno == ERANGE && cert_serial == ULLONG_MAX)) |
fatal("Desired generator invalid: %s (%s)", |
fatal("Invalid serial number \"%s\"", optarg); |
optarg, errstr); |
break; |
break; |
|
#endif /* WITH_OPENSSL */ |
case '?': |
case '?': |
default: |
default: |
usage(); |
usage(); |
|
|
} |
} |
} |
} |
|
|
|
#ifdef WITH_OPENSSL |
if (do_gen_candidates) { |
if (do_gen_candidates) { |
FILE *out = fopen(out_file, "w"); |
FILE *out = fopen(out_file, "w"); |
|
|
|
|
fatal("modulus screening failed"); |
fatal("modulus screening failed"); |
return (0); |
return (0); |
} |
} |
|
#endif |
|
|
if (gen_all_hostkeys) { |
if (gen_all_hostkeys) { |
do_gen_all_hostkeys(pw); |
do_gen_all_hostkeys(pw); |
|
|
} |
} |
|
|
if (key_type_name == NULL) |
if (key_type_name == NULL) |
key_type_name = "rsa"; |
key_type_name = DEFAULT_KEY_TYPE_NAME; |
|
|
type = sshkey_type_from_name(key_type_name); |
type = sshkey_type_from_name(key_type_name); |
type_bits_valid(type, key_type_name, &bits); |
type_bits_valid(type, key_type_name, &bits); |