version 1.295, 2017/02/17 02:32:05 |
version 1.302, 2017/04/30 23:18:44 |
|
|
char *certflags_command = NULL; |
char *certflags_command = NULL; |
char *certflags_src_addr = NULL; |
char *certflags_src_addr = NULL; |
|
|
|
/* Arbitrary extensions specified by user */ |
|
struct cert_userext { |
|
char *key; |
|
char *val; |
|
int crit; |
|
}; |
|
struct cert_userext *cert_userext; |
|
size_t ncert_userext; |
|
|
/* Conversion to/from various formats */ |
/* Conversion to/from various formats */ |
int convert_to = 0; |
int convert_to = 0; |
int convert_from = 0; |
int convert_from = 0; |
|
|
name = _PATH_SSH_CLIENT_ID_RSA; |
name = _PATH_SSH_CLIENT_ID_RSA; |
else { |
else { |
switch (sshkey_type_from_name(key_type_name)) { |
switch (sshkey_type_from_name(key_type_name)) { |
case KEY_RSA1: |
|
name = _PATH_SSH_CLIENT_IDENTITY; |
|
break; |
|
case KEY_DSA_CERT: |
case KEY_DSA_CERT: |
case KEY_DSA: |
case KEY_DSA: |
name = _PATH_SSH_CLIENT_ID_DSA; |
name = _PATH_SSH_CLIENT_ID_DSA; |
|
|
char comment[61]; |
char comment[61]; |
int r; |
int r; |
|
|
if (k->type == KEY_RSA1) |
|
fatal("version 1 keys are not supported"); |
|
if ((r = sshkey_to_blob(k, &blob, &len)) != 0) |
if ((r = sshkey_to_blob(k, &blob, &len)) != 0) |
fatal("key_to_blob failed: %s", ssh_err(r)); |
fatal("key_to_blob failed: %s", ssh_err(r)); |
/* Comment + surrounds must fit into 72 chars (RFC 4716 sec 3.3) */ |
/* Comment + surrounds must fit into 72 chars (RFC 4716 sec 3.3) */ |
|
|
do_convert_to_pkcs8(struct sshkey *k) |
do_convert_to_pkcs8(struct sshkey *k) |
{ |
{ |
switch (sshkey_type_plain(k->type)) { |
switch (sshkey_type_plain(k->type)) { |
case KEY_RSA1: |
|
case KEY_RSA: |
case KEY_RSA: |
if (!PEM_write_RSA_PUBKEY(stdout, k->rsa)) |
if (!PEM_write_RSA_PUBKEY(stdout, k->rsa)) |
fatal("PEM_write_RSA_PUBKEY failed"); |
fatal("PEM_write_RSA_PUBKEY failed"); |
|
|
do_convert_to_pem(struct sshkey *k) |
do_convert_to_pem(struct sshkey *k) |
{ |
{ |
switch (sshkey_type_plain(k->type)) { |
switch (sshkey_type_plain(k->type)) { |
case KEY_RSA1: |
|
case KEY_RSA: |
case KEY_RSA: |
if (!PEM_write_RSAPublicKey(stdout, k->rsa)) |
if (!PEM_write_RSAPublicKey(stdout, k->rsa)) |
fatal("PEM_write_RSAPublicKey failed"); |
fatal("PEM_write_RSAPublicKey failed"); |
|
|
struct sshkey *ret; |
struct sshkey *ret; |
int r; |
int r; |
|
|
if ((ret = sshkey_new(KEY_RSA1)) == NULL) |
|
fatal("sshkey_new failed"); |
|
/* Try RSA1 */ |
|
if ((r = sshkey_read(ret, cpp)) == 0) |
|
return ret; |
|
/* Try modern */ |
|
sshkey_free(ret); |
|
if ((ret = sshkey_new(KEY_UNSPEC)) == NULL) |
if ((ret = sshkey_new(KEY_UNSPEC)) == NULL) |
fatal("sshkey_new failed"); |
fatal("sshkey_new failed"); |
if ((r = sshkey_read(ret, cpp)) == 0) |
if ((r = sshkey_read(ret, cpp)) == 0) |
|
|
char *path; |
char *path; |
} key_types[] = { |
} key_types[] = { |
#ifdef WITH_OPENSSL |
#ifdef WITH_OPENSSL |
#ifdef WITH_SSH1 |
|
{ "rsa1", "RSA1", _PATH_HOST_KEY_FILE }, |
|
#endif /* WITH_SSH1 */ |
|
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, |
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, |
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, |
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, |
{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE }, |
{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE }, |
|
|
struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx; |
struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx; |
char *hashed, *cp, *hosts, *ohosts; |
char *hashed, *cp, *hosts, *ohosts; |
int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts); |
int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts); |
|
int was_hashed = l->hosts && l->hosts[0] == HASH_DELIM; |
|
|
switch (l->status) { |
switch (l->status) { |
case HKF_STATUS_OK: |
case HKF_STATUS_OK: |
|
|
* Don't hash hosts already already hashed, with wildcard |
* Don't hash hosts already already hashed, with wildcard |
* characters or a CA/revocation marker. |
* characters or a CA/revocation marker. |
*/ |
*/ |
if ((l->match & HKF_MATCH_HOST_HASHED) != 0 || |
if (was_hashed || has_wild || l->marker != MRK_NONE) { |
has_wild || l->marker != MRK_NONE) { |
|
fprintf(ctx->out, "%s\n", l->line); |
fprintf(ctx->out, "%s\n", l->line); |
if (has_wild && !find_host) { |
if (has_wild && !find_host) { |
logit("%s:%ld: ignoring host name " |
logit("%s:%lu: ignoring host name " |
"with wildcard: %.64s", l->path, |
"with wildcard: %.64s", l->path, |
l->linenum, l->hosts); |
l->linenum, l->hosts); |
} |
} |
|
|
*/ |
*/ |
ohosts = hosts = xstrdup(l->hosts); |
ohosts = hosts = xstrdup(l->hosts); |
while ((cp = strsep(&hosts, ",")) != NULL && *cp != '\0') { |
while ((cp = strsep(&hosts, ",")) != NULL && *cp != '\0') { |
|
lowercase(cp); |
if ((hashed = host_hash(cp, NULL, 0)) == NULL) |
if ((hashed = host_hash(cp, NULL, 0)) == NULL) |
fatal("hash_host failed"); |
fatal("hash_host failed"); |
fprintf(ctx->out, "%s %s\n", hashed, l->rawkey); |
fprintf(ctx->out, "%s %s\n", hashed, l->rawkey); |
|
|
case HKF_STATUS_INVALID: |
case HKF_STATUS_INVALID: |
/* Retain invalid lines, but mark file as invalid. */ |
/* Retain invalid lines, but mark file as invalid. */ |
ctx->invalid = 1; |
ctx->invalid = 1; |
logit("%s:%ld: invalid line", l->path, l->linenum); |
logit("%s:%lu: invalid line", l->path, l->linenum); |
/* FALLTHROUGH */ |
/* FALLTHROUGH */ |
default: |
default: |
fprintf(ctx->out, "%s\n", l->line); |
fprintf(ctx->out, "%s\n", l->line); |
|
|
*/ |
*/ |
ctx->found_key = 1; |
ctx->found_key = 1; |
if (!quiet) |
if (!quiet) |
printf("# Host %s found: line %ld\n", |
printf("# Host %s found: line %lu\n", |
ctx->host, l->linenum); |
ctx->host, l->linenum); |
} |
} |
return 0; |
return 0; |
} else if (find_host) { |
} else if (find_host) { |
ctx->found_key = 1; |
ctx->found_key = 1; |
if (!quiet) { |
if (!quiet) { |
printf("# Host %s found: line %ld %s\n", |
printf("# Host %s found: line %lu %s\n", |
ctx->host, |
ctx->host, |
l->linenum, l->marker == MRK_CA ? "CA" : |
l->linenum, l->marker == MRK_CA ? "CA" : |
(l->marker == MRK_REVOKE ? "REVOKED" : "")); |
(l->marker == MRK_REVOKE ? "REVOKED" : "")); |
|
|
/* Retain non-matching hosts when deleting */ |
/* Retain non-matching hosts when deleting */ |
if (l->status == HKF_STATUS_INVALID) { |
if (l->status == HKF_STATUS_INVALID) { |
ctx->invalid = 1; |
ctx->invalid = 1; |
logit("%s:%ld: invalid line", l->path, l->linenum); |
logit("%s:%lu: invalid line", l->path, l->linenum); |
} |
} |
fprintf(ctx->out, "%s\n", l->line); |
fprintf(ctx->out, "%s\n", l->line); |
} |
} |
|
|
} |
} |
} |
} |
|
|
if (private->type != KEY_RSA1 && private->type != KEY_ED25519 && |
if (private->type != KEY_ED25519 && !use_new_format) { |
!use_new_format) { |
error("Comments are only supported for keys stored in " |
error("Comments are only supported for RSA1 or keys stored in " |
|
"the new format (-o)."); |
"the new format (-o)."); |
explicit_bzero(passphrase, strlen(passphrase)); |
explicit_bzero(passphrase, strlen(passphrase)); |
sshkey_free(private); |
sshkey_free(private); |
|
|
static void |
static void |
prepare_options_buf(struct sshbuf *c, int which) |
prepare_options_buf(struct sshbuf *c, int which) |
{ |
{ |
|
size_t i; |
|
|
sshbuf_reset(c); |
sshbuf_reset(c); |
if ((which & OPTIONS_CRITICAL) != 0 && |
if ((which & OPTIONS_CRITICAL) != 0 && |
certflags_command != NULL) |
certflags_command != NULL) |
|
|
if ((which & OPTIONS_CRITICAL) != 0 && |
if ((which & OPTIONS_CRITICAL) != 0 && |
certflags_src_addr != NULL) |
certflags_src_addr != NULL) |
add_string_option(c, "source-address", certflags_src_addr); |
add_string_option(c, "source-address", certflags_src_addr); |
|
for (i = 0; i < ncert_userext; i++) { |
|
if ((cert_userext[i].crit && (which & OPTIONS_EXTENSIONS)) || |
|
(!cert_userext[i].crit && (which & OPTIONS_CRITICAL))) |
|
continue; |
|
if (cert_userext[i].val == NULL) |
|
add_flag_option(c, cert_userext[i].key); |
|
else { |
|
add_string_option(c, cert_userext[i].key, |
|
cert_userext[i].val); |
|
} |
|
} |
} |
} |
|
|
static struct sshkey * |
static struct sshkey * |
|
|
static void |
static void |
add_cert_option(char *opt) |
add_cert_option(char *opt) |
{ |
{ |
char *val; |
char *val, *cp; |
|
int iscrit = 0; |
|
|
if (strcasecmp(opt, "clear") == 0) |
if (strcasecmp(opt, "clear") == 0) |
certflags_flags = 0; |
certflags_flags = 0; |
|
|
if (addr_match_cidr_list(NULL, val) != 0) |
if (addr_match_cidr_list(NULL, val) != 0) |
fatal("Invalid source-address list"); |
fatal("Invalid source-address list"); |
certflags_src_addr = xstrdup(val); |
certflags_src_addr = xstrdup(val); |
|
} else if (strncasecmp(opt, "extension:", 10) == 0 || |
|
(iscrit = (strncasecmp(opt, "critical:", 9) == 0))) { |
|
val = xstrdup(strchr(opt, ':') + 1); |
|
if ((cp = strchr(val, '=')) != NULL) |
|
*cp++ = '\0'; |
|
cert_userext = xreallocarray(cert_userext, ncert_userext + 1, |
|
sizeof(*cert_userext)); |
|
cert_userext[ncert_userext].key = val; |
|
cert_userext[ncert_userext].val = cp == NULL ? |
|
NULL : xstrdup(cp); |
|
cert_userext[ncert_userext].crit = iscrit; |
|
ncert_userext++; |
} else |
} else |
fatal("Unsupported certificate option \"%s\"", opt); |
fatal("Unsupported certificate option \"%s\"", opt); |
} |
} |
|
|
} |
} |
#endif |
#endif |
|
|
#ifdef WITH_SSH1 |
|
# define RSA1_USAGE " | rsa1" |
|
#else |
|
# define RSA1_USAGE "" |
|
#endif |
|
|
|
static void |
static void |
usage(void) |
usage(void) |
{ |
{ |
fprintf(stderr, |
fprintf(stderr, |
"usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa%s]\n" |
"usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]\n" |
" [-N new_passphrase] [-C comment] [-f output_keyfile]\n" |
" [-N new_passphrase] [-C comment] [-f output_keyfile]\n" |
" ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]\n" |
" ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]\n" |
" ssh-keygen -i [-m key_format] [-f input_keyfile]\n" |
" ssh-keygen -i [-m key_format] [-f input_keyfile]\n" |
|
|
" ssh-keygen -y [-f input_keyfile]\n" |
" ssh-keygen -y [-f input_keyfile]\n" |
" ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n" |
" ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n" |
" ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]\n" |
" ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]\n" |
" ssh-keygen -B [-f input_keyfile]\n", RSA1_USAGE); |
" ssh-keygen -B [-f input_keyfile]\n"); |
#ifdef ENABLE_PKCS11 |
#ifdef ENABLE_PKCS11 |
fprintf(stderr, |
fprintf(stderr, |
" ssh-keygen -D pkcs11\n"); |
" ssh-keygen -D pkcs11\n"); |