src/usr.bin/ssh/ssh-keygen.c - diff

Return to ssh-keygen.c CVS log

Up to [local] / src / usr.bin / ssh

Diff for /src/usr.bin/ssh/ssh-keygen.c between version 1.258 and 1.302

version 1.258, 2015/01/19 00:32:54

version 1.302, 2017/04/30 23:18:44

Line 28

#include <string.h>

#include <unistd.h>

#include <limits.h>

#include <locale.h>

#include "xmalloc.h"

#include "sshkey.h"

Line 47

Line 48

#include "atomicio.h"

#include "krl.h"

#include "digest.h"

#include "utf8.h"

#ifdef ENABLE_PKCS11

#include "ssh-pkcs11.h"

#endif

#ifdef WITH_OPENSSL

# define DEFAULT_KEY_TYPE_NAME "rsa"

#else

# define DEFAULT_KEY_TYPE_NAME "ed25519"

#endif

/* Number of bits in the RSA/DSA key. This value can be set on the command line. */

#define DEFAULT_BITS 2048

#define DEFAULT_BITS_DSA 1024

Line 135

Line 143

char *certflags_command = NULL;

char *certflags_src_addr = NULL;

/* Arbitrary extensions specified by user */

struct cert_userext {

char *key;

char *val;

int crit;

};

struct cert_userext *cert_userext;

size_t ncert_userext;

/* Conversion to/from various formats */

int convert_to = 0;

int convert_from = 0;

Line 168

Line 185

char hostname[NI_MAXHOST];

#ifdef WITH_OPENSSL

/* moduli.c */

int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);

int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *, unsigned long,

unsigned long);

#endif

static void

type_bits_valid(int type, const char *name, u_int32_t *bitsp)

{

#ifdef WITH_OPENSSL

u_int maxbits, nid;

#endif

if (type == KEY_UNSPEC) {

if (type == KEY_UNSPEC)

fprintf(stderr, "unknown key type %s\n", key_type_name);

fatal("unknown key type %s", key_type_name);

exit(1);

}

if (*bitsp == 0) {

#ifdef WITH_OPENSSL

if (type == KEY_DSA)

*bitsp = DEFAULT_BITS_DSA;

else if (type == KEY_ECDSA) {

Line 191

Line 211

*bitsp = sshkey_curve_nid_to_bits(nid);

if (*bitsp == 0)

*bitsp = DEFAULT_BITS_ECDSA;

}

} else

else

#endif

*bitsp = DEFAULT_BITS;

}

#ifdef WITH_OPENSSL

maxbits = (type == KEY_DSA) ?

OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;

if (*bitsp > maxbits) {

if (*bitsp > maxbits)

fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);

fatal("key bits exceeds maximum %d", maxbits);

exit(1);

}

#ifdef WITH_OPENSSL

if (type == KEY_DSA && *bitsp != 1024)

fatal("DSA keys must be 1024 bits");

else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)

else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 1024)

fatal("Key must at least be 768 bits");

fatal("Key must at least be 1024 bits");

else if (type == KEY_ECDSA && sshkey_ecdsa_bits_to_nid(*bitsp) == -1)

fatal("Invalid ECDSA key length - valid lengths are "

"256, 384 or 521 bits");

Line 222

Line 240

name = _PATH_SSH_CLIENT_ID_RSA;

else {

switch (sshkey_type_from_name(key_type_name)) {

case KEY_RSA1:

name = _PATH_SSH_CLIENT_IDENTITY;

break;

case KEY_DSA_CERT:

case KEY_DSA_CERT_V00:

case KEY_DSA:

name = _PATH_SSH_CLIENT_ID_DSA;

break;

Line 235

Line 249

name = _PATH_SSH_CLIENT_ID_ECDSA;

break;

case KEY_RSA_CERT:

case KEY_RSA_CERT_V00:

case KEY_RSA:

name = _PATH_SSH_CLIENT_ID_RSA;

break;

Line 244

Line 257

name = _PATH_SSH_CLIENT_ID_ED25519;

break;

default:

fprintf(stderr, "bad key type\n");

fatal("bad key type");

exit(1);

break;

}

snprintf(identity_file, sizeof(identity_file), "%s/%s", pw->pw_dir, name);

snprintf(identity_file, sizeof(identity_file),

fprintf(stderr, "%s (%s): ", prompt, identity_file);

"%s/%s", pw->pw_dir, name);

printf("%s (%s): ", prompt, identity_file);

fflush(stdout);

if (fgets(buf, sizeof(buf), stdin) == NULL)

exit(1);

buf[strcspn(buf, "\n")] = '\0';

Line 296

Line 309

char comment[61];

int r;

if (k->type == KEY_RSA1) {

if ((r = sshkey_to_blob(k, &blob, &len)) != 0)

fprintf(stderr, "version 1 keys are not supported\n");

fatal("key_to_blob failed: %s", ssh_err(r));

exit(1);

}

if ((r = sshkey_to_blob(k, &blob, &len)) != 0) {

fprintf(stderr, "key_to_blob failed: %s\n", ssh_err(r));

exit(1);

}

/* Comment + surrounds must fit into 72 chars (RFC 4716 sec 3.3) */

snprintf(comment, sizeof(comment),

"%u-bit %s, converted by %s@%s from OpenSSH",

Line 323

Line 330

do_convert_to_pkcs8(struct sshkey *k)

{

switch (sshkey_type_plain(k->type)) {

case KEY_RSA1:

case KEY_RSA:

if (!PEM_write_RSA_PUBKEY(stdout, k->rsa))

fatal("PEM_write_RSA_PUBKEY failed");

Line 346

Line 352

do_convert_to_pem(struct sshkey *k)

{

switch (sshkey_type_plain(k->type)) {

case KEY_RSA1:

case KEY_RSA:

if (!PEM_write_RSAPublicKey(stdout, k->rsa))

fatal("PEM_write_RSAPublicKey failed");

Line 512

Line 517

sshbuf_free(b);

/* try the key */

if (sshkey_sign(key, &sig, &slen, data, sizeof(data), 0) != 0 ||

if (sshkey_sign(key, &sig, &slen, data, sizeof(data), NULL, 0) != 0 ||

sshkey_verify(key, sig, slen, data, sizeof(data), 0) != 0) {

sshkey_free(key);

free(sig);

Line 530

Line 535

line[0] = '\0';

while ((c = fgetc(fp)) != EOF) {

if (pos >= len - 1) {

if (pos >= len - 1)

fprintf(stderr, "input line too long.\n");

fatal("input line too long.");

exit(1);

}

switch (c) {

case '\r':

c = fgetc(fp);

if (c != EOF && c != '\n' && ungetc(c, fp) == EOF) {

if (c != EOF && c != '\n' && ungetc(c, fp) == EOF)

fprintf(stderr, "unget: %s\n", strerror(errno));

fatal("unget: %s", strerror(errno));

exit(1);

}

return pos;

case '\n':

return pos;

Line 592

Line 593

(encoded[len-3] == '='))

encoded[len-3] = '\0';

blen = uudecode(encoded, blob, sizeof(blob));

if (blen < 0) {

if (blen < 0)

fprintf(stderr, "uudecode failed.\n");

fatal("uudecode failed.");

exit(1);

}

if (*private)

*k = do_convert_private_ssh2_from_blob(blob, blen);

else if ((r = sshkey_from_blob(blob, blen, k)) != 0) {

else if ((r = sshkey_from_blob(blob, blen, k)) != 0)

fprintf(stderr, "decode blob failed: %s\n", ssh_err(r));

fatal("decode blob failed: %s", ssh_err(r));

exit(1);

}

fclose(fp);

}

Line 706

Line 703

fatal("%s: unknown key format %d", __func__, convert_format);

}

if (!private)

if (!private) {

if ((r = sshkey_write(k, stdout)) == 0)

ok = 1;

if (ok)

fprintf(stdout, "\n");

else {

} else {

switch (k->type) {

case KEY_DSA:

ok = PEM_write_DSAPrivateKey(stdout, k->dsa, NULL,

Line 731

Line 728

}

if (!ok) {

if (!ok)

fprintf(stderr, "key write failed\n");

fatal("key write failed");

exit(1);

}

sshkey_free(k);

exit(0);

}

Line 749

Line 744

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

if (stat(identity_file, &st) < 0) {

if (stat(identity_file, &st) < 0)

perror(identity_file);

fatal("%s: %s", identity_file, strerror(errno));

exit(1);

}

prv = load_identity(identity_file);

if ((r = sshkey_write(prv, stdout)) != 0)

fprintf(stderr, "key_write failed: %s", ssh_err(r));

error("key_write failed: %s", ssh_err(r));

sshkey_free(prv);

fprintf(stdout, "\n");

exit(0);

Line 783

Line 776

fp = sshkey_fingerprint(keys[i], fptype, rep);

ra = sshkey_fingerprint(keys[i], fingerprint_hash,

SSH_FP_RANDOMART);

if (fp == NULL || ra == NULL)

fatal("%s: sshkey_fingerprint fail", __func__);

printf("%u %s %s (PKCS11 key)\n", sshkey_size(keys[i]),

fp, sshkey_type(keys[i]));

if (log_level >= SYSLOG_LEVEL_VERBOSE)

Line 803

Line 798

#endif /* ENABLE_PKCS11 */

}

static struct sshkey *

try_read_key(char **cpp)

{

struct sshkey *ret;

int r;

if ((ret = sshkey_new(KEY_UNSPEC)) == NULL)

fatal("sshkey_new failed");

if ((r = sshkey_read(ret, cpp)) == 0)

return ret;

/* Not a key */

sshkey_free(ret);

return NULL;

}

static void

do_fingerprint(struct passwd *pw)

fingerprint_one_key(const struct sshkey *public, const char *comment)

{

FILE *f;

char *fp = NULL, *ra = NULL;

struct sshkey *public;

char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;

int r, i, skip = 0, num = 0, invalid = 1;

enum sshkey_fp_rep rep;

int fptype;

struct stat st;

fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;

rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;

fp = sshkey_fingerprint(public, fptype, rep);

ra = sshkey_fingerprint(public, fingerprint_hash, SSH_FP_RANDOMART);

if (fp == NULL || ra == NULL)

fatal("%s: sshkey_fingerprint failed", __func__);

mprintf("%u %s %s (%s)\n", sshkey_size(public), fp,

comment ? comment : "no comment", sshkey_type(public));

if (log_level >= SYSLOG_LEVEL_VERBOSE)

printf("%s\n", ra);

free(ra);

free(fp);

}

static void

fingerprint_private(const char *path)

{

struct stat st;

char *comment = NULL;

struct sshkey *public = NULL;

int r;

if (stat(identity_file, &st) < 0)

fatal("%s: %s", path, strerror(errno));

if ((r = sshkey_load_public(path, &public, &comment)) != 0) {

debug("load public \"%s\": %s", path, ssh_err(r));

if ((r = sshkey_load_private(path, NULL,

&public, &comment)) != 0) {

debug("load private \"%s\": %s", path, ssh_err(r));

fatal("%s is not a key file.", path);

}

fingerprint_one_key(public, comment);

sshkey_free(public);

free(comment);

}

static void

do_fingerprint(struct passwd *pw)

{

FILE *f;

struct sshkey *public = NULL;

char *comment = NULL, *cp, *ep, line[SSH_MAX_PUBKEY_BYTES];

int i, invalid = 1;

const char *path;

u_long lnum = 0;

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

if (stat(identity_file, &st) < 0) {

path = identity_file;

perror(identity_file);

exit(1);

}

if ((r = sshkey_load_public(identity_file, &public, &comment)) != 0)

error("Error loading public key \"%s\": %s",

identity_file, ssh_err(r));

else {

fp = sshkey_fingerprint(public, fptype, rep);

ra = sshkey_fingerprint(public, fingerprint_hash,

SSH_FP_RANDOMART);

printf("%u %s %s (%s)\n", sshkey_size(public), fp, comment,

sshkey_type(public));

if (log_level >= SYSLOG_LEVEL_VERBOSE)

printf("%s\n", ra);

sshkey_free(public);

free(comment);

free(ra);

free(fp);

exit(0);

}

if (comment) {

free(comment);

comment = NULL;

}

if ((f = fopen(identity_file, "r")) == NULL)

if (strcmp(identity_file, "-") == 0) {

fatal("%s: %s: %s", __progname, identity_file, strerror(errno));

f = stdin;

path = "(stdin)";

} else if ((f = fopen(path, "r")) == NULL)

fatal("%s: %s: %s", __progname, path, strerror(errno));

while (fgets(line, sizeof(line), f)) {

while (read_keyfile_line(f, path, line, sizeof(line), &lnum) == 0) {

if ((cp = strchr(line, '\n')) == NULL) {

cp = line;

error("line %d too long: %.40s...",

cp[strcspn(cp, "\n")] = '\0';

num + 1, line);

/* Trim leading space and comments */

skip = 1;

cp = line + strspn(line, " \t");

if (*cp == '#' || *cp == '\0')

continue;

* Input may be plain keys, private keys, authorized_keys

* or known_hosts.

* Try private keys first. Assume a key is private if

* "SSH PRIVATE KEY" appears on the first line and we're

* not reading from stdin (XXX support private keys on stdin).

if (lnum == 1 && strcmp(identity_file, "-") != 0 &&

strstr(cp, "PRIVATE KEY") != NULL) {

fclose(f);

fingerprint_private(path);

exit(0);

}

num++;

if (skip) {

skip = 0;

* If it's not a private key, then this must be prepared to

* accept a public key prefixed with a hostname or options.

* Try a bare key first, otherwise skip the leading stuff.

if ((public = try_read_key(&cp)) == NULL) {

i = strtol(cp, &ep, 10);

if (i == 0 || ep == NULL ||

(*ep != ' ' && *ep != '\t')) {

int quoted = 0;

comment = cp;

for (; *cp && (quoted || (*cp != ' ' &&

*cp != '\t')); cp++) {

if (*cp == '\\' && cp[1] == '"')

cp++; /* Skip both */

else if (*cp == '"')

quoted = !quoted;

}

if (!*cp)

continue;

*cp++ = '\0';

}

/* Retry after parsing leading hostname/key options */

if (public == NULL && (public = try_read_key(&cp)) == NULL) {

debug("%s:%lu: not a public key", path, lnum);

continue;

}

*cp = '\0';

/* Skip leading whitespace, empty and comment lines. */

/* Find trailing comment, if any */

for (cp = line; *cp == ' ' || *cp == '\t'; cp++)

for (; *cp == ' ' || *cp == '\t'; cp++)

;

if (!*cp || *cp == '\n' || *cp == '#')

if (*cp != '\0' && *cp != '#')

continue;

i = strtol(cp, &ep, 10);

if (i == 0 || ep == NULL || (*ep != ' ' && *ep != '\t')) {

int quoted = 0;

comment = cp;

for (; *cp && (quoted || (*cp != ' ' &&

*cp != '\t')); cp++) {

fingerprint_one_key(public, comment);

if (*cp == '\\' && cp[1] == '"')

cp++; /* Skip both */

else if (*cp == '"')

quoted = !quoted;

}

if (!*cp)

continue;

*cp++ = '\0';

}

ep = cp;

if ((public = sshkey_new(KEY_RSA1)) == NULL)

fatal("sshkey_new failed");

if ((r = sshkey_read(public, &cp)) != 0) {

cp = ep;

sshkey_free(public);

if ((public = sshkey_new(KEY_UNSPEC)) == NULL)

fatal("sshkey_new failed");

if ((r = sshkey_read(public, &cp)) != 0) {

sshkey_free(public);

continue;

}

comment = *cp ? cp : comment;

fp = sshkey_fingerprint(public, fptype, rep);

ra = sshkey_fingerprint(public, fingerprint_hash,

SSH_FP_RANDOMART);

printf("%u %s %s (%s)\n", sshkey_size(public), fp,

comment ? comment : "no comment", sshkey_type(public));

if (log_level >= SYSLOG_LEVEL_VERBOSE)

printf("%s\n", ra);

free(ra);

free(fp);

sshkey_free(public);

invalid = 0;

invalid = 0; /* One good key in the file is sufficient */

}

fclose(f);

if (invalid) {

if (invalid)

printf("%s is not a public key file.\n", identity_file);

fatal("%s is not a public key file.", path);

exit(1);

}

exit(0);

}

Line 924

Line 958

char *key_type_display;

char *path;

} key_types[] = {

{ "rsa1", "RSA1", _PATH_HOST_KEY_FILE },

#ifdef WITH_OPENSSL

{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },

{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },

{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },

#endif /* WITH_OPENSSL */

{ "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },

{ NULL, NULL, NULL }

};

Line 943

Line 978

if (stat(key_types[i].path, &st) == 0)

continue;

if (errno != ENOENT) {

printf("Could not stat %s: %s", key_types[i].path,

error("Could not stat %s: %s", key_types[i].path,

strerror(errno));

first = 0;

continue;

Line 960

Line 995

bits = 0;

type_bits_valid(type, NULL, &bits);

if ((r = sshkey_generate(type, bits, &private)) != 0) {

fprintf(stderr, "key_generate failed: %s\n",

error("key_generate failed: %s", ssh_err(r));

ssh_err(r));

first = 0;

continue;

}

Line 971

Line 1005

hostname);

if ((r = sshkey_save_private(private, identity_file, "",

comment, use_new_format, new_format_cipher, rounds)) != 0) {

printf("Saving key \"%s\" failed: %s\n", identity_file,

error("Saving key \"%s\" failed: %s",

ssh_err(r));

identity_file, ssh_err(r));

sshkey_free(private);

sshkey_free(public);

first = 0;

Line 982

Line 1016

strlcat(identity_file, ".pub", sizeof(identity_file));

fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);

if (fd == -1) {

printf("Could not save your public key in %s\n",

error("Could not save your public key in %s",

identity_file);

sshkey_free(public);

first = 0;

Line 990

Line 1024

}

f = fdopen(fd, "w");

if (f == NULL) {

printf("fdopen %s failed\n", identity_file);

error("fdopen %s failed", identity_file);

close(fd);

sshkey_free(public);

first = 0;

continue;

}

if ((r = sshkey_write(public, f)) != 0) {

fprintf(stderr, "write key failed: %s\n", ssh_err(r));

error("write key failed: %s", ssh_err(r));

fclose(f);

sshkey_free(public);

first = 0;

Line 1026

Line 1060

struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;

char *hashed, *cp, *hosts, *ohosts;

int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts);

int was_hashed = l->hosts && l->hosts[0] == HASH_DELIM;

/* Retain invalid lines when hashing, but mark file as invalid. */

switch (l->status) {

if (l->status == HKF_STATUS_INVALID) {

case HKF_STATUS_OK:

case HKF_STATUS_MATCHED:

* Don't hash hosts already already hashed, with wildcard

* characters or a CA/revocation marker.

if (was_hashed || has_wild || l->marker != MRK_NONE) {

fprintf(ctx->out, "%s\n", l->line);

if (has_wild && !find_host) {

logit("%s:%lu: ignoring host name "

"with wildcard: %.64s", l->path,

l->linenum, l->hosts);

}

return 0;

}

* Split any comma-separated hostnames from the host list,

* hash and store separately.

ohosts = hosts = xstrdup(l->hosts);

while ((cp = strsep(&hosts, ",")) != NULL && *cp != '\0') {

lowercase(cp);

if ((hashed = host_hash(cp, NULL, 0)) == NULL)

fatal("hash_host failed");

fprintf(ctx->out, "%s %s\n", hashed, l->rawkey);

ctx->has_unhashed = 1;

}

free(ohosts);

return 0;

case HKF_STATUS_INVALID:

/* Retain invalid lines, but mark file as invalid. */

ctx->invalid = 1;

fprintf(stderr, "%s:%ld: invalid line\n", l->path, l->linenum);

logit("%s:%lu: invalid line", l->path, l->linenum);

/* FALLTHROUGH */

default:

fprintf(ctx->out, "%s\n", l->line);

return 0;

}

/* NOTREACHED */

return -1;

* Don't hash hosts already already hashed, with wildcard characters

* or a CA/revocation marker.

if (l->was_hashed || has_wild || l->marker != MRK_NONE) {

fprintf(ctx->out, "%s\n", l->line);

if (has_wild && !find_host) {

fprintf(stderr, "%s:%ld: ignoring host name "

"with wildcard: %.64s\n", l->path,

l->linenum, l->hosts);

}

return 0;

}

* Split any comma-separated hostnames from the host list,

* hash and store separately.

ohosts = hosts = xstrdup(l->hosts);

while ((cp = strsep(&hosts, ",")) != NULL && *cp != '\0') {

if ((hashed = host_hash(cp, NULL, 0)) == NULL)

fatal("hash_host failed");

fprintf(ctx->out, "%s %s\n", hashed, l->rawkey);

ctx->has_unhashed = 1;

}

free(ohosts);

return 0;

}

static int

known_hosts_find_delete(struct hostkey_foreach_line *l, void *_ctx)

{

struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;

enum sshkey_fp_rep rep;

int fptype;

char *fp;

if (l->status == HKF_STATUS_HOST_MATCHED) {

fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;

rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;

if (l->status == HKF_STATUS_MATCHED) {

if (delete_host) {

if (l->marker != MRK_NONE) {

/* Don't remove CA and revocation lines */

Line 1081

Line 1129

ctx->found_key = 1;

if (!quiet)

printf("# Host %s found: line %ld\n",

printf("# Host %s found: line %lu\n",

ctx->host, l->linenum);

}

return 0;

} else if (find_host) {

ctx->found_key = 1;

if (!quiet) {

printf("# Host %s found: line %ld %s\n",

printf("# Host %s found: line %lu %s\n",

ctx->host,

l->linenum, l->marker == MRK_CA ? "CA" :

(l->marker == MRK_REVOKE ? "REVOKED" : ""));

}

if (hash_hosts)

known_hosts_hash(l, ctx);

else

else if (print_fingerprint) {

fp = sshkey_fingerprint(l->key, fptype, rep);

mprintf("%s %s %s %s\n", ctx->host,

sshkey_type(l->key), fp, l->comment);

free(fp);

} else

fprintf(ctx->out, "%s\n", l->line);

return 0;

}

Line 1103

Line 1156

/* Retain non-matching hosts when deleting */

if (l->status == HKF_STATUS_INVALID) {

ctx->invalid = 1;

fprintf(stderr, "%s:%ld: invalid line\n",

logit("%s:%lu: invalid line", l->path, l->linenum);

l->path, l->linenum);

}

fprintf(ctx->out, "%s\n", l->line);

}

Line 1117

Line 1169

char *cp, tmp[PATH_MAX], old[PATH_MAX];

int r, fd, oerrno, inplace = 0;

struct known_hosts_ctx ctx;

u_int foreach_options;

if (!have_identity) {

cp = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid);

Line 1153

Line 1206

}

/* XXX support identity_file == "-" for stdin */

foreach_options = find_host ? HKF_WANT_MATCH : 0;

foreach_options |= print_fingerprint ? HKF_WANT_PARSE_KEY : 0;

if ((r = hostkeys_foreach(identity_file,

hash_hosts ? known_hosts_hash : known_hosts_find_delete, &ctx,

name, find_host ? HKF_WANT_MATCH_HOST : 0)) != 0)

name, NULL, foreach_options)) != 0) {

if (inplace)

unlink(tmp);

fatal("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r));

}

if (inplace)

fclose(ctx.out);

if (ctx.invalid) {

fprintf(stderr, "%s is not a valid known_hosts file.\n",

error("%s is not a valid known_hosts file.", identity_file);

identity_file);

if (inplace) {

fprintf(stderr, "Not replacing existing known_hosts "

error("Not replacing existing known_hosts "

"file because of errors\n");

"file because of errors");

unlink(tmp);

}

exit(1);

} else if (delete_host && !ctx.found_key) {

fprintf(stderr, "Host %s not found in %s\n",

logit("Host %s not found in %s", name, identity_file);

name, identity_file);

if (inplace)

unlink(tmp);

} else if (inplace) {

/* Backup existing file */

if (unlink(old) == -1 && errno != ENOENT)

Line 1190

Line 1247

exit(1);

}

fprintf(stderr, "%s updated.\n", identity_file);

printf("%s updated.\n", identity_file);

fprintf(stderr, "Original contents retained as %s\n", old);

printf("Original contents retained as %s\n", old);

if (ctx.has_unhashed) {

fprintf(stderr, "WARNING: %s contains unhashed "

logit("WARNING: %s contains unhashed entries", old);

"entries\n", old);

logit("Delete this file to ensure privacy "

fprintf(stderr, "Delete this file to ensure privacy "

"of hostnames");

"of hostnames\n");

}

Line 1218

Line 1274

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

if (stat(identity_file, &st) < 0) {

if (stat(identity_file, &st) < 0)

perror(identity_file);

fatal("%s: %s", identity_file, strerror(errno));

exit(1);

}

/* Try to load the file with empty passphrase. */

r = sshkey_load_private(identity_file, "", &private, &comment);

if (r == SSH_ERR_KEY_WRONG_PASSPHRASE) {

Line 1239

Line 1293

goto badkey;

} else if (r != 0) {

badkey:

fprintf(stderr, "Failed to load key \"%s\": %s\n",

fatal("Failed to load key %s: %s", identity_file, ssh_err(r));

identity_file, ssh_err(r));

exit(1);

}

printf("Key has comment '%s'\n", comment);

if (comment)

mprintf("Key has comment '%s'\n", comment);

/* Ask the new passphrase (twice). */

if (identity_new_passphrase) {

Line 1273

Line 1326

/* Save the file using the new passphrase. */

if ((r = sshkey_save_private(private, identity_file, passphrase1,

comment, use_new_format, new_format_cipher, rounds)) != 0) {

printf("Saving key \"%s\" failed: %s.\n",

error("Saving key \"%s\" failed: %s.",

identity_file, ssh_err(r));

explicit_bzero(passphrase1, strlen(passphrase1));

free(passphrase1);

Line 1307

Line 1360

if (stat(fname, &st) < 0) {

if (errno == ENOENT)

return 0;

perror(fname);

fatal("%s: %s", fname, strerror(errno));

exit(1);

}

if ((r = sshkey_load_public(fname, &public, &comment)) != 0) {

if ((r = sshkey_load_public(fname, &public, &comment)) != 0)

printf("Failed to read v2 public key from \"%s\": %s.\n",

fatal("Failed to read v2 public key from \"%s\": %s.",

fname, ssh_err(r));

exit(1);

}

export_dns_rr(hname, public, stdout, print_generic);

sshkey_free(public);

free(comment);

Line 1336

Line 1386

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

if (stat(identity_file, &st) < 0) {

if (stat(identity_file, &st) < 0)

perror(identity_file);

fatal("%s: %s", identity_file, strerror(errno));

exit(1);

}

if ((r = sshkey_load_private(identity_file, "",

&private, &comment)) == 0)

passphrase = xstrdup("");

else if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) {

else if (r != SSH_ERR_KEY_WRONG_PASSPHRASE)

printf("Cannot load private key \"%s\": %s.\n",

fatal("Cannot load private key \"%s\": %s.",

identity_file, ssh_err(r));

exit(1);

else {

} else {

if (identity_passphrase)

passphrase = xstrdup(identity_passphrase);

else if (identity_new_passphrase)

Line 1360

Line 1407

&private, &comment)) != 0) {

explicit_bzero(passphrase, strlen(passphrase));

free(passphrase);

printf("Cannot load private key \"%s\": %s.\n",

fatal("Cannot load private key \"%s\": %s.",

identity_file, ssh_err(r));

exit(1);

}

if (private->type != KEY_RSA1) {

fprintf(stderr, "Comments are only supported for RSA1 keys.\n");

if (private->type != KEY_ED25519 && !use_new_format) {

error("Comments are only supported for keys stored in "

"the new format (-o).");

explicit_bzero(passphrase, strlen(passphrase));

sshkey_free(private);

exit(1);

}

printf("Key now has comment '%s'\n", comment);

if (comment)

printf("Key now has comment '%s'\n", comment);

else

printf("Key now has no comment\n");

if (identity_comment) {

strlcpy(new_comment, identity_comment, sizeof(new_comment));

Line 1388

Line 1440

/* Save the file using the new passphrase. */

if ((r = sshkey_save_private(private, identity_file, passphrase,

new_comment, use_new_format, new_format_cipher, rounds)) != 0) {

printf("Saving key \"%s\" failed: %s\n",

error("Saving key \"%s\" failed: %s",

identity_file, ssh_err(r));

explicit_bzero(passphrase, strlen(passphrase));

free(passphrase);

Line 1404

Line 1456

strlcat(identity_file, ".pub", sizeof(identity_file));

fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);

if (fd == -1) {

if (fd == -1)

printf("Could not save your public key in %s\n", identity_file);

fatal("Could not save your public key in %s", identity_file);

exit(1);

}

f = fdopen(fd, "w");

if (f == NULL) {

if (f == NULL)

printf("fdopen %s failed\n", identity_file);

fatal("fdopen %s failed: %s", identity_file, strerror(errno));

exit(1);

}

if ((r = sshkey_write(public, f)) != 0)

fprintf(stderr, "write key failed: %s\n", ssh_err(r));

fatal("write key failed: %s", ssh_err(r));

sshkey_free(public);

fprintf(f, " %s\n", new_comment);

fclose(f);

Line 1425

Line 1473

exit(0);

}

static const char *

fmt_validity(u_int64_t valid_from, u_int64_t valid_to)

{

char from[32], to[32];

static char ret[64];

time_t tt;

struct tm *tm;

*from = *to = '\0';

if (valid_from == 0 && valid_to == 0xffffffffffffffffULL)

return "forever";

if (valid_from != 0) {

/* XXX revisit INT_MAX in 2038 :) */

tt = valid_from > INT_MAX ? INT_MAX : valid_from;

tm = localtime(&tt);

strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm);

}

if (valid_to != 0xffffffffffffffffULL) {

/* XXX revisit INT_MAX in 2038 :) */

tt = valid_to > INT_MAX ? INT_MAX : valid_to;

tm = localtime(&tt);

strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm);

}

if (valid_from == 0) {

snprintf(ret, sizeof(ret), "before %s", to);

return ret;

}

if (valid_to == 0xffffffffffffffffULL) {

snprintf(ret, sizeof(ret), "after %s", from);

return ret;

}

snprintf(ret, sizeof(ret), "from %s to %s", from, to);

return ret;

}

static void

add_flag_option(struct sshbuf *c, const char *name)

{

Line 1496

Line 1506

static void

prepare_options_buf(struct sshbuf *c, int which)

{

size_t i;

sshbuf_reset(c);

if ((which & OPTIONS_CRITICAL) != 0 &&

certflags_command != NULL)

Line 1518

Line 1530

if ((which & OPTIONS_CRITICAL) != 0 &&

certflags_src_addr != NULL)

add_string_option(c, "source-address", certflags_src_addr);

for (i = 0; i < ncert_userext; i++) {

if ((cert_userext[i].crit && (which & OPTIONS_EXTENSIONS)) ||

(!cert_userext[i].crit && (which & OPTIONS_CRITICAL)))

continue;

if (cert_userext[i].val == NULL)

add_flag_option(c, cert_userext[i].key);

else {

add_string_option(c, cert_userext[i].key,

cert_userext[i].val);

}

static struct sshkey *

Line 1556

Line 1579

int r, i, fd;

u_int n;

struct sshkey *ca, *public;

char *otmp, *tmp, *cp, *out, *comment, **plist = NULL;

char valid[64], *otmp, *tmp, *cp, *out, *comment, **plist = NULL;

FILE *f;

int v00 = 0; /* legacy keys */

if (key_type_name != NULL) {

switch (sshkey_type_from_name(key_type_name)) {

case KEY_RSA_CERT_V00:

case KEY_DSA_CERT_V00:

v00 = 1;

break;

case KEY_UNSPEC:

if (strcasecmp(key_type_name, "v00") == 0) {

v00 = 1;

break;

} else if (strcasecmp(key_type_name, "v01") == 0)

break;

/* FALLTHROUGH */

default:

fprintf(stderr, "unknown key type %s\n", key_type_name);

exit(1);

}

#ifdef ENABLE_PKCS11

pkcs11_init(1);

#endif

Line 1590

Line 1593

ca = load_identity(tmp);

free(tmp);

if (key_type_name != NULL &&

sshkey_type_from_name(key_type_name) != ca->type) {

fatal("CA key type %s doesn't match specified %s",

sshkey_ssh_name(ca), key_type_name);

}

for (i = 0; i < argc; i++) {

/* Split list of principals */

n = 0;

Line 1597

Line 1606

otmp = tmp = xstrdup(cert_principals);

plist = NULL;

for (; (cp = strsep(&tmp, ",")) != NULL; n++) {

plist = xrealloc(plist, n + 1, sizeof(*plist));

plist = xreallocarray(plist, n + 1, sizeof(*plist));

if (*(plist[n] = xstrdup(cp)) == '\0')

fatal("Empty principal name");

}

Line 1614

Line 1623

__func__, tmp, sshkey_type(public));

/* Prepare certificate to sign */

if ((r = sshkey_to_certified(public, v00)) != 0)

if ((r = sshkey_to_certified(public)) != 0)

fatal("Could not upgrade key %s to certificate: %s",

tmp, ssh_err(r));

public->cert->type = cert_key_type;

Line 1624

Line 1633

public->cert->principals = plist;

public->cert->valid_after = cert_valid_from;

public->cert->valid_before = cert_valid_to;

if (v00) {

prepare_options_buf(public->cert->critical, OPTIONS_CRITICAL);

prepare_options_buf(public->cert->critical,

prepare_options_buf(public->cert->extensions,

OPTIONS_CRITICAL|OPTIONS_EXTENSIONS);

OPTIONS_EXTENSIONS);

} else {

prepare_options_buf(public->cert->critical,

OPTIONS_CRITICAL);

prepare_options_buf(public->cert->extensions,

OPTIONS_EXTENSIONS);

}

if ((r = sshkey_from_private(ca,

&public->cert->signature_key)) != 0)

fatal("key_from_private (ca key): %s", ssh_err(r));

if (sshkey_certify(public, ca) != 0)

if ((r = sshkey_certify(public, ca, key_type_name)) != 0)

fatal("Couldn't not certify key %s", tmp);

fatal("Couldn't certify key %s: %s", tmp, ssh_err(r));

if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0)

*cp = '\0';

Line 1657

Line 1660

fclose(f);

if (!quiet) {

sshkey_format_cert_validity(public->cert,

valid, sizeof(valid));

logit("Signed %s key %s: id \"%s\" serial %llu%s%s "

"valid %s", sshkey_cert_type(public),

out, public->cert->key_id,

(unsigned long long)public->cert->serial,

cert_principals != NULL ? " for " : "",

cert_principals != NULL ? cert_principals : "",

fmt_validity(cert_valid_from, cert_valid_to));

valid);

}

sshkey_free(public);

Line 1697

Line 1702

char buf[32], *fmt;

* POSIX strptime says "The application shall ensure that there

* is white-space or other non-alphanumeric characters between

* any two conversion specifications" so arrange things this way.

Line 1772

Line 1777

static void

add_cert_option(char *opt)

{

char *val;

char *val, *cp;

int iscrit = 0;

if (strcasecmp(opt, "clear") == 0)

certflags_flags = 0;

Line 1812

Line 1818

if (addr_match_cidr_list(NULL, val) != 0)

fatal("Invalid source-address list");

certflags_src_addr = xstrdup(val);

} else if (strncasecmp(opt, "extension:", 10) == 0 ||

(iscrit = (strncasecmp(opt, "critical:", 9) == 0))) {

val = xstrdup(strchr(opt, ':') + 1);

if ((cp = strchr(val, '=')) != NULL)

*cp++ = '\0';

cert_userext = xreallocarray(cert_userext, ncert_userext + 1,

sizeof(*cert_userext));

cert_userext[ncert_userext].key = val;

cert_userext[ncert_userext].val = cp == NULL ?

NULL : xstrdup(cp);

cert_userext[ncert_userext].crit = iscrit;

ncert_userext++;

} else

fatal("Unsupported certificate option \"%s\"", opt);

}

static void

show_options(struct sshbuf *optbuf, int v00, int in_critical)

show_options(struct sshbuf *optbuf, int in_critical)

{

char *name, *arg;

struct sshbuf *options, *option = NULL;

Line 1832

Line 1850

(r = sshbuf_froms(options, &option)) != 0)

fatal("%s: buffer error: %s", __func__, ssh_err(r));

printf(" %s", name);

if ((v00 || !in_critical) &&

if (!in_critical &&

(strcmp(name, "permit-X11-forwarding") == 0 ||

strcmp(name, "permit-agent-forwarding") == 0 ||

strcmp(name, "permit-port-forwarding") == 0 ||

strcmp(name, "permit-pty") == 0 ||

strcmp(name, "permit-user-rc") == 0))

printf("\n");

else if ((v00 || in_critical) &&

else if (in_critical &&

(strcmp(name, "force-command") == 0 ||

strcmp(name, "source-address") == 0)) {

if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0)

Line 1861

Line 1879

}

static void

do_show_cert(struct passwd *pw)

print_cert(struct sshkey *key)

{

struct sshkey *key;

char valid[64], *key_fp, *ca_fp;

struct stat st;

u_int i;

char *key_fp, *ca_fp;

u_int i, v00;

int r;

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

if (stat(identity_file, &st) < 0)

fatal("%s: %s: %s", __progname, identity_file, strerror(errno));

if ((r = sshkey_load_public(identity_file, &key, NULL)) != 0)

fatal("Cannot load public key \"%s\": %s",

identity_file, ssh_err(r));

if (!sshkey_is_cert(key))

fatal("%s is not a certificate", identity_file);

v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;

key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);

ca_fp = sshkey_fingerprint(key->cert->signature_key,

fingerprint_hash, SSH_FP_DEFAULT);

if (key_fp == NULL || ca_fp == NULL)

fatal("%s: sshkey_fingerprint fail", __func__);

sshkey_format_cert_validity(key->cert, valid, sizeof(valid));

printf("%s:\n", identity_file);

printf(" Type: %s %s certificate\n", sshkey_ssh_name(key),

sshkey_cert_type(key));

printf(" Public key: %s %s\n", sshkey_type(key), key_fp);

printf(" Signing CA: %s %s\n",

sshkey_type(key->cert->signature_key), ca_fp);

printf(" Key ID: \"%s\"\n", key->cert->key_id);

if (!v00) {

printf(" Serial: %llu\n", (unsigned long long)key->cert->serial);

printf(" Serial: %llu\n",

printf(" Valid: %s\n", valid);

(unsigned long long)key->cert->serial);

}

printf(" Valid: %s\n",

fmt_validity(key->cert->valid_after, key->cert->valid_before));

printf(" Principals: ");

if (key->cert->nprincipals == 0)

printf("(none)\n");

Line 1911

Line 1913

printf("(none)\n");

else {

printf("\n");

show_options(key->cert->critical, v00, 1);

show_options(key->cert->critical, 1);

}

if (!v00) {

printf(" Extensions: ");

if (sshbuf_len(key->cert->extensions) == 0)

printf("(none)\n");

else {

printf("\n");

show_options(key->cert->extensions, 0);

show_options(key->cert->extensions, v00, 0);

}

static void

do_show_cert(struct passwd *pw)

{

struct sshkey *key = NULL;

struct stat st;

int r, is_stdin = 0, ok = 0;

FILE *f;

char *cp, line[SSH_MAX_PUBKEY_BYTES];

const char *path;

u_long lnum = 0;

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

if (strcmp(identity_file, "-") != 0 && stat(identity_file, &st) < 0)

fatal("%s: %s: %s", __progname, identity_file, strerror(errno));

path = identity_file;

if (strcmp(path, "-") == 0) {

f = stdin;

path = "(stdin)";

is_stdin = 1;

} else if ((f = fopen(identity_file, "r")) == NULL)

fatal("fopen %s: %s", identity_file, strerror(errno));

while (read_keyfile_line(f, path, line, sizeof(line), &lnum) == 0) {

sshkey_free(key);

key = NULL;

/* Trim leading space and comments */

cp = line + strspn(line, " \t");

if (*cp == '#' || *cp == '\0')

continue;

if ((key = sshkey_new(KEY_UNSPEC)) == NULL)

fatal("key_new");

if ((r = sshkey_read(key, &cp)) != 0) {

error("%s:%lu: invalid key: %s", path,

lnum, ssh_err(r));

continue;

}

if (!sshkey_is_cert(key)) {

error("%s:%lu is not a certificate", path, lnum);

continue;

}

ok = 1;

if (!is_stdin && lnum == 1)

printf("%s:\n", path);

else

printf("%s:%lu:\n", path, lnum);

print_cert(key);

}

exit(0);

sshkey_free(key);

fclose(f);

exit(ok ? 0 : 1);

}

#ifdef WITH_OPENSSL

Line 1947

Line 2000

}

static void

update_krl_from_file(struct passwd *pw, const char *file,

update_krl_from_file(struct passwd *pw, const char *file, int wild_ca,

const struct sshkey *ca, struct ssh_krl *krl)

{

struct sshkey *key = NULL;

Line 1989

Line 2042

if (*cp == '\0')

continue;

if (strncasecmp(cp, "serial:", 7) == 0) {

if (ca == NULL) {

if (ca == NULL && !wild_ca) {

fatal("revoking certificates by serial number "

"requires specification of a CA key");

}

Line 2026

Line 2079

__func__);

}

} else if (strncasecmp(cp, "id:", 3) == 0) {

if (ca == NULL) {

if (ca == NULL && !wild_ca) {

fatal("revoking certificates by key ID "

"requires specification of a CA key");

}

Line 2077

Line 2130

struct ssh_krl *krl;

struct stat sb;

struct sshkey *ca = NULL;

int fd, i, r;

int fd, i, r, wild_ca = 0;

char *tmp;

struct sshbuf *kbuf;

Line 2091

Line 2144

fatal("KRL \"%s\" does not exist", identity_file);

}

if (ca_key_path != NULL) {

tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);

if (strcasecmp(ca_key_path, "none") == 0)

if ((r = sshkey_load_public(tmp, &ca, NULL)) != 0)

wild_ca = 1;

fatal("Cannot load CA public key %s: %s",

else {

tmp, ssh_err(r));

tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);

free(tmp);

if ((r = sshkey_load_public(tmp, &ca, NULL)) != 0)

fatal("Cannot load CA public key %s: %s",

tmp, ssh_err(r));

free(tmp);

}

if (updating)

Line 2109

Line 2166

ssh_krl_set_comment(krl, identity_comment);

for (i = 0; i < argc; i++)

update_krl_from_file(pw, argv[i], ca, krl);

update_krl_from_file(pw, argv[i], wild_ca, ca, krl);

if ((kbuf = sshbuf_new()) == NULL)

fatal("sshbuf_new failed");

Line 2123

Line 2180

close(fd);

sshbuf_free(kbuf);

ssh_krl_free(krl);

if (ca != NULL)

sshkey_free(ca);

}

static void

Line 2160

Line 2216

usage(void)

{

fprintf(stderr,

"usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]\n"

"usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]\n"

" [-N new_passphrase] [-C comment] [-f output_keyfile]\n"

" ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]\n"

" ssh-keygen -i [-m key_format] [-f input_keyfile]\n"

" ssh-keygen -e [-m key_format] [-f input_keyfile]\n"

" ssh-keygen -y [-f input_keyfile]\n"

" ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n"

" ssh-keygen -l [-E fingerprint_hash] [-f input_keyfile]\n"

" ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]\n"

" ssh-keygen -B [-f input_keyfile]\n");

#ifdef ENABLE_PKCS11

fprintf(stderr,

Line 2178

Line 2234

" ssh-keygen -H [-f known_hosts_file]\n"

" ssh-keygen -R hostname [-f known_hosts_file]\n"

" ssh-keygen -r hostname [-f input_keyfile] [-g]\n"

#ifdef WITH_OPENSSL

" ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]\n"

" ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]\n"

" [-j start_line] [-K checkpt] [-W generator]\n"

#endif

" ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]\n"

" [-O option] [-V validity_interval] [-z serial_number] file ...\n"

" ssh-keygen -L [-f input_keyfile]\n"

Line 2198

Line 2256

main(int argc, char **argv)

{

char dotsshdir[PATH_MAX], comment[1024], *passphrase1, *passphrase2;

char *checkpoint = NULL;

char *rr_hostname = NULL, *ep, *fp, *ra;

char out_file[PATH_MAX], *rr_hostname = NULL, *ep;

struct sshkey *private, *public;

struct passwd *pw;

struct stat st;

int r, opt, type, fd;

int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0;

FILE *f;

const char *errstr;

#ifdef WITH_OPENSSL

/* Moduli generation/screening */

char out_file[PATH_MAX], *checkpoint = NULL;

u_int32_t memory = 0, generator_wanted = 0;

int do_gen_candidates = 0, do_screen_candidates = 0;

int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0;

unsigned long start_lineno = 0, lines_to_process = 0;

BIGNUM *start = NULL;

FILE *f;

#endif

const char *errstr;

extern int optind;

extern char *optarg;

ssh_malloc_init(); /* must be called before any mallocs */

/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */

sanitise_stdfd();

OpenSSL_add_all_algorithms();

log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);

setlocale(LC_CTYPE, "");

/* we need this for the home * directory. */

pw = getpwuid(getuid());

if (!pw) {

if (!pw)

printf("No user exists for uid %lu\n", (u_long)getuid());

fatal("No user exists for uid %lu", (u_long)getuid());

exit(1);

if (gethostname(hostname, sizeof(hostname)) < 0)

}

fatal("gethostname: %s", strerror(errno));

if (gethostname(hostname, sizeof(hostname)) < 0) {

perror("gethostname");

exit(1);

}

/* Remaining characters: UYdw */

while ((opt = getopt(argc, argv, "ABHLQXceghiklopquvxy"

Line 2261

Line 2321

case 'I':

cert_key_id = optarg;

break;

case 'J':

lines_to_process = strtoul(optarg, NULL, 10);

break;

case 'j':

start_lineno = strtoul(optarg, NULL, 10);

break;

case 'R':

delete_host = 1;

rr_hostname = optarg;

Line 2308

Line 2362

change_comment = 1;

break;

case 'f':

if (strlcpy(identity_file, optarg, sizeof(identity_file)) >=

if (strlcpy(identity_file, optarg,

sizeof(identity_file))

sizeof(identity_file)) >= sizeof(identity_file))

fatal("Identity filename too long");

have_identity = 1;

break;

Line 2381

Line 2435

case 'r':

rr_hostname = optarg;

break;

case 'W':

generator_wanted = (u_int32_t)strtonum(optarg, 1,

UINT_MAX, &errstr);

if (errstr)

fatal("Desired generator has bad value: %s (%s)",

optarg, errstr);

break;

case 'a':

rounds = (int)strtonum(optarg, 1, INT_MAX, &errstr);

if (errstr)

fatal("Invalid number: %s (%s)",

optarg, errstr);

break;

case 'M':

case 'V':

memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr);

parse_cert_times(optarg);

if (errstr)

fatal("Memory limit is %s: %s", errstr, optarg);

break;

case 'z':

errno = 0;

cert_serial = strtoull(optarg, &ep, 10);

if (*optarg < '0' || *optarg > '9' || *ep != '\0' ||

(errno == ERANGE && cert_serial == ULLONG_MAX))

fatal("Invalid serial number \"%s\"", optarg);

break;

#ifdef WITH_OPENSSL

/* Moduli generation/screening */

case 'G':

do_gen_candidates = 1;

if (strlcpy(out_file, optarg, sizeof(out_file)) >=

sizeof(out_file))

fatal("Output filename too long");

break;

case 'T':

case 'J':

do_screen_candidates = 1;

lines_to_process = strtoul(optarg, NULL, 10);

if (strlcpy(out_file, optarg, sizeof(out_file)) >=

sizeof(out_file))

fatal("Output filename too long");

break;

case 'j':

start_lineno = strtoul(optarg, NULL, 10);

break;

case 'K':

if (strlen(optarg) >= PATH_MAX)

fatal("Checkpoint filename too long");

checkpoint = xstrdup(optarg);

break;

case 'M':

memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX,

&errstr);

if (errstr)

fatal("Memory limit is %s: %s", errstr, optarg);

break;

case 'S':

/* XXX - also compare length against bits */

if (BN_hex2bn(&start, optarg) == 0)

fatal("Invalid start point.");

break;

case 'V':

case 'T':

parse_cert_times(optarg);

do_screen_candidates = 1;

if (strlcpy(out_file, optarg, sizeof(out_file)) >=

sizeof(out_file))

fatal("Output filename too long");

break;

case 'z':

case 'W':

errno = 0;

generator_wanted = (u_int32_t)strtonum(optarg, 1,

cert_serial = strtoull(optarg, &ep, 10);

UINT_MAX, &errstr);

if (*optarg < '0' || *optarg > '9' || *ep != '\0' ||

if (errstr != NULL)

(errno == ERANGE && cert_serial == ULLONG_MAX))

fatal("Desired generator invalid: %s (%s)",

fatal("Invalid serial number \"%s\"", optarg);

optarg, errstr);

break;

#endif /* WITH_OPENSSL */

case '?':

default:

usage();

Line 2445

Line 2509

if (ca_key_path != NULL) {

if (argc < 1 && !gen_krl) {

printf("Too few arguments.\n");

error("Too few arguments.");

usage();

}

} else if (argc > 0 && !gen_krl && !check_krl) {

printf("Too many arguments.\n");

error("Too many arguments.");

usage();

}

if (change_passphrase && change_comment) {

printf("Can only have one of -p and -c.\n");

error("Can only have one of -p and -c.");

usage();

}

if (print_fingerprint && (delete_host || hash_hosts)) {

printf("Cannot use -l with -H or -R.\n");

error("Cannot use -l with -H or -R.");

usage();

}

#ifdef WITH_OPENSSL

Line 2501

Line 2565

if (have_identity) {

n = do_print_resource_record(pw,

identity_file, rr_hostname);

if (n == 0) {

if (n == 0)

perror(identity_file);

fatal("%s: %s", identity_file, strerror(errno));

exit(1);

}

exit(0);

} else {

Line 2522

Line 2584

}

#ifdef WITH_OPENSSL

if (do_gen_candidates) {

FILE *out = fopen(out_file, "w");

Line 2561

Line 2624

fatal("modulus screening failed");

return (0);

}

#endif

if (gen_all_hostkeys) {

do_gen_all_hostkeys(pw);

Line 2568

Line 2632

}

if (key_type_name == NULL)

key_type_name = "rsa";

key_type_name = DEFAULT_KEY_TYPE_NAME;

type = sshkey_type_from_name(key_type_name);

type_bits_valid(type, key_type_name, &bits);

Line 2576

Line 2640

if (!quiet)

printf("Generating public/private %s key pair.\n",

key_type_name);

if ((r = sshkey_generate(type, bits, &private)) != 0) {

if ((r = sshkey_generate(type, bits, &private)) != 0)

fprintf(stderr, "key_generate failed\n");

fatal("key_generate failed");

exit(1);

if ((r = sshkey_from_private(private, &public)) != 0)

}

fatal("key_from_private failed: %s\n", ssh_err(r));

if ((r = sshkey_from_private(private, &public)) != 0) {

fprintf(stderr, "key_from_private failed: %s\n", ssh_err(r));

exit(1);

}

if (!have_identity)

ask_filename(pw, "Enter file in which to save the key");

Line 2653

Line 2713

/* Save the key with the given passphrase and comment. */

if ((r = sshkey_save_private(private, identity_file, passphrase1,

comment, use_new_format, new_format_cipher, rounds)) != 0) {

printf("Saving key \"%s\" failed: %s\n",

error("Saving key \"%s\" failed: %s",

identity_file, ssh_err(r));

explicit_bzero(passphrase1, strlen(passphrase1));

free(passphrase1);

Line 2670

Line 2730

printf("Your identification has been saved in %s.\n", identity_file);

strlcat(identity_file, ".pub", sizeof(identity_file));

fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);

if ((fd = open(identity_file, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1)

if (fd == -1) {

fatal("Unable to save public key to %s: %s",

printf("Could not save your public key in %s\n", identity_file);

identity_file, strerror(errno));

exit(1);

if ((f = fdopen(fd, "w")) == NULL)

}

fatal("fdopen %s failed: %s", identity_file, strerror(errno));

f = fdopen(fd, "w");

if (f == NULL) {

printf("fdopen %s failed\n", identity_file);

exit(1);

}

if ((r = sshkey_write(public, f)) != 0)

fprintf(stderr, "write key failed: %s\n", ssh_err(r));

error("write key failed: %s", ssh_err(r));

fprintf(f, " %s\n", comment);

fclose(f);

if (!quiet) {

char *fp = sshkey_fingerprint(public, fingerprint_hash,

fp = sshkey_fingerprint(public, fingerprint_hash,

SSH_FP_DEFAULT);

char *ra = sshkey_fingerprint(public, fingerprint_hash,

ra = sshkey_fingerprint(public, fingerprint_hash,

SSH_FP_RANDOMART);

if (fp == NULL || ra == NULL)

fatal("sshkey_fingerprint failed");

printf("Your public key has been saved in %s.\n",

identity_file);

printf("The key fingerprint is:\n");