src/usr.bin/ssh/ssh-keygen.c - diff

Return to ssh-keygen.c CVS log

Up to [local] / src / usr.bin / ssh

Diff for /src/usr.bin/ssh/ssh-keygen.c between version 1.270 and 1.278

version 1.270, 2015/04/24 01:36:01

version 1.278, 2015/11/13 04:34:15

Line 52

#include "ssh-pkcs11.h"

#endif

#ifdef WITH_OPENSSL

# define DEFAULT_KEY_TYPE_NAME "rsa"

#else

# define DEFAULT_KEY_TYPE_NAME "ed25519"

#endif

/* Number of bits in the RSA/DSA key. This value can be set on the command line. */

#define DEFAULT_BITS 2048

#define DEFAULT_BITS_DSA 1024

Line 168

Line 174

char hostname[NI_MAXHOST];

#ifdef WITH_OPENSSL

/* moduli.c */

int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);

int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *, unsigned long,

unsigned long);

#endif

static void

type_bits_valid(int type, const char *name, u_int32_t *bitsp)

{

#ifdef WITH_OPENSSL

u_int maxbits, nid;

#endif

if (type == KEY_UNSPEC)

fatal("unknown key type %s", key_type_name);

if (*bitsp == 0) {

#ifdef WITH_OPENSSL

if (type == KEY_DSA)

*bitsp = DEFAULT_BITS_DSA;

else if (type == KEY_ECDSA) {

Line 191

Line 202

*bitsp = DEFAULT_BITS_ECDSA;

}

else

#endif

*bitsp = DEFAULT_BITS;

}

#ifdef WITH_OPENSSL

maxbits = (type == KEY_DSA) ?

OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;

if (*bitsp > maxbits)

fatal("key bits exceeds maximum %d", maxbits);

#ifdef WITH_OPENSSL

if (type == KEY_DSA && *bitsp != 1024)

fatal("DSA keys must be 1024 bits");

else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)

else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 1024)

fatal("Key must at least be 768 bits");

fatal("Key must at least be 1024 bits");

else if (type == KEY_ECDSA && sshkey_ecdsa_bits_to_nid(*bitsp) == -1)

fatal("Invalid ECDSA key length - valid lengths are "

"256, 384 or 521 bits");

Line 222

Line 234

name = _PATH_SSH_CLIENT_IDENTITY;

break;

case KEY_DSA_CERT:

case KEY_DSA_CERT_V00:

case KEY_DSA:

name = _PATH_SSH_CLIENT_ID_DSA;

break;

Line 231

Line 242

name = _PATH_SSH_CLIENT_ID_ECDSA;

break;

case KEY_RSA_CERT:

case KEY_RSA_CERT_V00:

case KEY_RSA:

name = _PATH_SSH_CLIENT_ID_RSA;

break;

Line 1059

Line 1069

known_hosts_find_delete(struct hostkey_foreach_line *l, void *_ctx)

{

struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;

enum sshkey_fp_rep rep;

int fptype;

char *fp;

fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;

rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;

if (l->status == HKF_STATUS_MATCHED) {

if (delete_host) {

if (l->marker != MRK_NONE) {

Line 1087

Line 1103

}

if (hash_hosts)

known_hosts_hash(l, ctx);

else

else if (print_fingerprint) {

fp = sshkey_fingerprint(l->key, fptype, rep);

printf("%s %s %s %s\n", ctx->host,

sshkey_type(l->key), fp, l->comment);

free(fp);

} else

fprintf(ctx->out, "%s\n", l->line);

return 0;

}

Line 1108

Line 1129

char *cp, tmp[PATH_MAX], old[PATH_MAX];

int r, fd, oerrno, inplace = 0;

struct known_hosts_ctx ctx;

u_int foreach_options;

if (!have_identity) {

cp = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid);

Line 1144

Line 1166

}

/* XXX support identity_file == "-" for stdin */

foreach_options = find_host ? HKF_WANT_MATCH : 0;

foreach_options |= print_fingerprint ? HKF_WANT_PARSE_KEY : 0;

if ((r = hostkeys_foreach(identity_file,

hash_hosts ? known_hosts_hash : known_hosts_find_delete, &ctx,

name, NULL, find_host ? HKF_WANT_MATCH : 0)) != 0)

name, NULL, foreach_options)) != 0)

fatal("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r));

if (inplace)

Line 1162

Line 1186

exit(1);

} else if (delete_host && !ctx.found_key) {

logit("Host %s not found in %s", name, identity_file);

unlink(tmp);

if (inplace)

unlink(tmp);

} else if (inplace) {

/* Backup existing file */

if (unlink(old) == -1 && errno != ENOENT)

Line 1534

Line 1559

struct sshkey *ca, *public;

char *otmp, *tmp, *cp, *out, *comment, **plist = NULL;

FILE *f;

int v00 = 0; /* legacy keys */

if (key_type_name != NULL) {

switch (sshkey_type_from_name(key_type_name)) {

case KEY_RSA_CERT_V00:

case KEY_DSA_CERT_V00:

v00 = 1;

break;

case KEY_UNSPEC:

if (strcasecmp(key_type_name, "v00") == 0) {

v00 = 1;

break;

} else if (strcasecmp(key_type_name, "v01") == 0)

break;

/* FALLTHROUGH */

default:

fatal("unknown key type %s", key_type_name);

}

#ifdef ENABLE_PKCS11

pkcs11_init(1);

#endif

Line 1589

Line 1595

__func__, tmp, sshkey_type(public));

/* Prepare certificate to sign */

if ((r = sshkey_to_certified(public, v00)) != 0)

if ((r = sshkey_to_certified(public)) != 0)

fatal("Could not upgrade key %s to certificate: %s",

tmp, ssh_err(r));

public->cert->type = cert_key_type;

Line 1599

Line 1605

public->cert->principals = plist;

public->cert->valid_after = cert_valid_from;

public->cert->valid_before = cert_valid_to;

if (v00) {

prepare_options_buf(public->cert->critical, OPTIONS_CRITICAL);

prepare_options_buf(public->cert->critical,

prepare_options_buf(public->cert->extensions,

OPTIONS_CRITICAL|OPTIONS_EXTENSIONS);

OPTIONS_EXTENSIONS);

} else {

prepare_options_buf(public->cert->critical,

OPTIONS_CRITICAL);

prepare_options_buf(public->cert->extensions,

OPTIONS_EXTENSIONS);

}

if ((r = sshkey_from_private(ca,

&public->cert->signature_key)) != 0)

fatal("key_from_private (ca key): %s", ssh_err(r));

Line 1792

}

static void

show_options(struct sshbuf *optbuf, int v00, int in_critical)

show_options(struct sshbuf *optbuf, int in_critical)

{

char *name, *arg;

struct sshbuf *options, *option = NULL;

Line 1807

(r = sshbuf_froms(options, &option)) != 0)

fatal("%s: buffer error: %s", __func__, ssh_err(r));

printf(" %s", name);

if ((v00 || !in_critical) &&

if (!in_critical &&

(strcmp(name, "permit-X11-forwarding") == 0 ||

strcmp(name, "permit-agent-forwarding") == 0 ||

strcmp(name, "permit-port-forwarding") == 0 ||

strcmp(name, "permit-pty") == 0 ||

strcmp(name, "permit-user-rc") == 0))

printf("\n");

else if ((v00 || in_critical) &&

else if (in_critical &&

(strcmp(name, "force-command") == 0 ||

strcmp(name, "source-address") == 0)) {

if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0)

Line 1836

}

static void

do_show_cert(struct passwd *pw)

print_cert(struct sshkey *key)

{

struct sshkey *key;

struct stat st;

char *key_fp, *ca_fp;

u_int i, v00;

u_int i;

int r;

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

if (stat(identity_file, &st) < 0)

fatal("%s: %s: %s", __progname, identity_file, strerror(errno));

if ((r = sshkey_load_public(identity_file, &key, NULL)) != 0)

fatal("Cannot load public key \"%s\": %s",

identity_file, ssh_err(r));

if (!sshkey_is_cert(key))

fatal("%s is not a certificate", identity_file);

v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;

key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);

ca_fp = sshkey_fingerprint(key->cert->signature_key,

fingerprint_hash, SSH_FP_DEFAULT);

if (key_fp == NULL || ca_fp == NULL)

fatal("%s: sshkey_fingerprint fail", __func__);

printf("%s:\n", identity_file);

printf(" Type: %s %s certificate\n", sshkey_ssh_name(key),

sshkey_cert_type(key));

printf(" Public key: %s %s\n", sshkey_type(key), key_fp);

printf(" Signing CA: %s %s\n",

sshkey_type(key->cert->signature_key), ca_fp);

printf(" Key ID: \"%s\"\n", key->cert->key_id);

if (!v00) {

printf(" Serial: %llu\n", (unsigned long long)key->cert->serial);

printf(" Serial: %llu\n",

(unsigned long long)key->cert->serial);

}

printf(" Valid: %s\n",

fmt_validity(key->cert->valid_after, key->cert->valid_before));

printf(" Principals: ");

Line 1888

Line 1870

printf("(none)\n");

else {

printf("\n");

show_options(key->cert->critical, v00, 1);

show_options(key->cert->critical, 1);

}

if (!v00) {

printf(" Extensions: ");

if (sshbuf_len(key->cert->extensions) == 0)

printf("(none)\n");

else {

printf("\n");

show_options(key->cert->extensions, 0);

show_options(key->cert->extensions, v00, 0);

}

static void

do_show_cert(struct passwd *pw)

{

struct sshkey *key = NULL;

struct stat st;

int r, is_stdin = 0, ok = 0;

FILE *f;

char *cp, line[2048];

const char *path;

long int lnum = 0;

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

if (strcmp(identity_file, "-") != 0 && stat(identity_file, &st) < 0)

fatal("%s: %s: %s", __progname, identity_file, strerror(errno));

path = identity_file;

if (strcmp(path, "-") == 0) {

f = stdin;

path = "(stdin)";

is_stdin = 1;

} else if ((f = fopen(identity_file, "r")) == NULL)

fatal("fopen %s: %s", identity_file, strerror(errno));

while (read_keyfile_line(f, path, line, sizeof(line), &lnum) == 0) {

sshkey_free(key);

key = NULL;

/* Trim leading space and comments */

cp = line + strspn(line, " \t");

if (*cp == '#' || *cp == '\0')

continue;

if ((key = sshkey_new(KEY_UNSPEC)) == NULL)

fatal("key_new");

if ((r = sshkey_read(key, &cp)) != 0) {

error("%s:%lu: invalid key: %s", path,

lnum, ssh_err(r));

continue;

}

if (!sshkey_is_cert(key)) {

error("%s:%lu is not a certificate", path, lnum);

continue;

}

ok = 1;

if (!is_stdin && lnum == 1)

printf("%s:\n", path);

else

printf("%s:%lu:\n", path, lnum);

print_cert(key);

}

exit(0);

sshkey_free(key);

fclose(f);

exit(ok ? 0 : 1);

}

#ifdef WITH_OPENSSL

Line 2159

Line 2192

" ssh-keygen -H [-f known_hosts_file]\n"

" ssh-keygen -R hostname [-f known_hosts_file]\n"

" ssh-keygen -r hostname [-f input_keyfile] [-g]\n"

#ifdef WITH_OPENSSL

" ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]\n"

" ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]\n"

" [-j start_line] [-K checkpt] [-W generator]\n"

#endif

" ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]\n"

" [-O option] [-V validity_interval] [-z serial_number] file ...\n"

" ssh-keygen -L [-f input_keyfile]\n"

Line 2179

Line 2214

main(int argc, char **argv)

{

char dotsshdir[PATH_MAX], comment[1024], *passphrase1, *passphrase2;

char *checkpoint = NULL;

char *rr_hostname = NULL, *ep, *fp, *ra;

char out_file[PATH_MAX], *rr_hostname = NULL, *ep, *fp, *ra;

struct sshkey *private, *public;

struct passwd *pw;

struct stat st;

int r, opt, type, fd;

int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0;

FILE *f;

const char *errstr;

#ifdef WITH_OPENSSL

/* Moduli generation/screening */

char out_file[PATH_MAX], *checkpoint = NULL;

u_int32_t memory = 0, generator_wanted = 0;

int do_gen_candidates = 0, do_screen_candidates = 0;

int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0;

unsigned long start_lineno = 0, lines_to_process = 0;

BIGNUM *start = NULL;

FILE *f;

#endif

const char *errstr;

extern int optind;

extern char *optarg;

Line 2238

Line 2276

case 'I':

cert_key_id = optarg;

break;

case 'J':

lines_to_process = strtoul(optarg, NULL, 10);

break;

case 'j':

start_lineno = strtoul(optarg, NULL, 10);

break;

case 'R':

delete_host = 1;

rr_hostname = optarg;

Line 2285

Line 2317

change_comment = 1;

break;

case 'f':

if (strlcpy(identity_file, optarg, sizeof(identity_file)) >=

if (strlcpy(identity_file, optarg,

sizeof(identity_file))

sizeof(identity_file)) >= sizeof(identity_file))

fatal("Identity filename too long");

have_identity = 1;

break;

Line 2358

Line 2390

case 'r':

rr_hostname = optarg;

break;

case 'W':

generator_wanted = (u_int32_t)strtonum(optarg, 1,

UINT_MAX, &errstr);

if (errstr)

fatal("Desired generator has bad value: %s (%s)",

optarg, errstr);

break;

case 'a':

rounds = (int)strtonum(optarg, 1, INT_MAX, &errstr);

if (errstr)

fatal("Invalid number: %s (%s)",

optarg, errstr);

break;

case 'M':

case 'V':

memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr);

parse_cert_times(optarg);

if (errstr)

fatal("Memory limit is %s: %s", errstr, optarg);

break;

case 'z':

errno = 0;

cert_serial = strtoull(optarg, &ep, 10);

if (*optarg < '0' || *optarg > '9' || *ep != '\0' ||

(errno == ERANGE && cert_serial == ULLONG_MAX))

fatal("Invalid serial number \"%s\"", optarg);

break;

#ifdef WITH_OPENSSL

/* Moduli generation/screening */

case 'G':

do_gen_candidates = 1;

if (strlcpy(out_file, optarg, sizeof(out_file)) >=

sizeof(out_file))

fatal("Output filename too long");

break;

case 'T':

case 'J':

do_screen_candidates = 1;

lines_to_process = strtoul(optarg, NULL, 10);

if (strlcpy(out_file, optarg, sizeof(out_file)) >=

break;

sizeof(out_file))

case 'j':

fatal("Output filename too long");

start_lineno = strtoul(optarg, NULL, 10);

break;

case 'K':

if (strlen(optarg) >= PATH_MAX)

fatal("Checkpoint filename too long");

checkpoint = xstrdup(optarg);

break;

case 'M':

memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX,

&errstr);

if (errstr)

fatal("Memory limit is %s: %s", errstr, optarg);

break;

case 'S':

/* XXX - also compare length against bits */

if (BN_hex2bn(&start, optarg) == 0)

fatal("Invalid start point.");

break;

case 'V':

case 'T':

parse_cert_times(optarg);

do_screen_candidates = 1;

if (strlcpy(out_file, optarg, sizeof(out_file)) >=

sizeof(out_file))

fatal("Output filename too long");

break;

case 'z':

case 'W':

errno = 0;

generator_wanted = (u_int32_t)strtonum(optarg, 1,

cert_serial = strtoull(optarg, &ep, 10);

UINT_MAX, &errstr);

if (*optarg < '0' || *optarg > '9' || *ep != '\0' ||

if (errstr != NULL)

(errno == ERANGE && cert_serial == ULLONG_MAX))

fatal("Desired generator invalid: %s (%s)",

fatal("Invalid serial number \"%s\"", optarg);

optarg, errstr);

break;

#endif /* WITH_OPENSSL */

case '?':

default:

usage();

Line 2497

Line 2539

}

#ifdef WITH_OPENSSL

if (do_gen_candidates) {

FILE *out = fopen(out_file, "w");

Line 2536

Line 2579

fatal("modulus screening failed");

return (0);

}

#endif

if (gen_all_hostkeys) {

do_gen_all_hostkeys(pw);

Line 2543

Line 2587

}

if (key_type_name == NULL)

key_type_name = "rsa";

key_type_name = DEFAULT_KEY_TYPE_NAME;

type = sshkey_type_from_name(key_type_name);

type_bits_valid(type, key_type_name, &bits);