| version 1.295, 2017/02/17 02:32:05 |
version 1.302, 2017/04/30 23:18:44 |
|
|
| char *certflags_command = NULL; |
char *certflags_command = NULL; |
| char *certflags_src_addr = NULL; |
char *certflags_src_addr = NULL; |
| |
|
| |
/* Arbitrary extensions specified by user */ |
| |
struct cert_userext { |
| |
char *key; |
| |
char *val; |
| |
int crit; |
| |
}; |
| |
struct cert_userext *cert_userext; |
| |
size_t ncert_userext; |
| |
|
| /* Conversion to/from various formats */ |
/* Conversion to/from various formats */ |
| int convert_to = 0; |
int convert_to = 0; |
| int convert_from = 0; |
int convert_from = 0; |
|
|
| name = _PATH_SSH_CLIENT_ID_RSA; |
name = _PATH_SSH_CLIENT_ID_RSA; |
| else { |
else { |
| switch (sshkey_type_from_name(key_type_name)) { |
switch (sshkey_type_from_name(key_type_name)) { |
| case KEY_RSA1: |
|
| name = _PATH_SSH_CLIENT_IDENTITY; |
|
| break; |
|
| case KEY_DSA_CERT: |
case KEY_DSA_CERT: |
| case KEY_DSA: |
case KEY_DSA: |
| name = _PATH_SSH_CLIENT_ID_DSA; |
name = _PATH_SSH_CLIENT_ID_DSA; |
|
|
| char comment[61]; |
char comment[61]; |
| int r; |
int r; |
| |
|
| if (k->type == KEY_RSA1) |
|
| fatal("version 1 keys are not supported"); |
|
| if ((r = sshkey_to_blob(k, &blob, &len)) != 0) |
if ((r = sshkey_to_blob(k, &blob, &len)) != 0) |
| fatal("key_to_blob failed: %s", ssh_err(r)); |
fatal("key_to_blob failed: %s", ssh_err(r)); |
| /* Comment + surrounds must fit into 72 chars (RFC 4716 sec 3.3) */ |
/* Comment + surrounds must fit into 72 chars (RFC 4716 sec 3.3) */ |
|
|
| do_convert_to_pkcs8(struct sshkey *k) |
do_convert_to_pkcs8(struct sshkey *k) |
| { |
{ |
| switch (sshkey_type_plain(k->type)) { |
switch (sshkey_type_plain(k->type)) { |
| case KEY_RSA1: |
|
| case KEY_RSA: |
case KEY_RSA: |
| if (!PEM_write_RSA_PUBKEY(stdout, k->rsa)) |
if (!PEM_write_RSA_PUBKEY(stdout, k->rsa)) |
| fatal("PEM_write_RSA_PUBKEY failed"); |
fatal("PEM_write_RSA_PUBKEY failed"); |
|
|
| do_convert_to_pem(struct sshkey *k) |
do_convert_to_pem(struct sshkey *k) |
| { |
{ |
| switch (sshkey_type_plain(k->type)) { |
switch (sshkey_type_plain(k->type)) { |
| case KEY_RSA1: |
|
| case KEY_RSA: |
case KEY_RSA: |
| if (!PEM_write_RSAPublicKey(stdout, k->rsa)) |
if (!PEM_write_RSAPublicKey(stdout, k->rsa)) |
| fatal("PEM_write_RSAPublicKey failed"); |
fatal("PEM_write_RSAPublicKey failed"); |
|
|
| struct sshkey *ret; |
struct sshkey *ret; |
| int r; |
int r; |
| |
|
| if ((ret = sshkey_new(KEY_RSA1)) == NULL) |
|
| fatal("sshkey_new failed"); |
|
| /* Try RSA1 */ |
|
| if ((r = sshkey_read(ret, cpp)) == 0) |
|
| return ret; |
|
| /* Try modern */ |
|
| sshkey_free(ret); |
|
| if ((ret = sshkey_new(KEY_UNSPEC)) == NULL) |
if ((ret = sshkey_new(KEY_UNSPEC)) == NULL) |
| fatal("sshkey_new failed"); |
fatal("sshkey_new failed"); |
| if ((r = sshkey_read(ret, cpp)) == 0) |
if ((r = sshkey_read(ret, cpp)) == 0) |
|
|
| char *path; |
char *path; |
| } key_types[] = { |
} key_types[] = { |
| #ifdef WITH_OPENSSL |
#ifdef WITH_OPENSSL |
| #ifdef WITH_SSH1 |
|
| { "rsa1", "RSA1", _PATH_HOST_KEY_FILE }, |
|
| #endif /* WITH_SSH1 */ |
|
| { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, |
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, |
| { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, |
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, |
| { "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE }, |
{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE }, |
|
|
| struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx; |
struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx; |
| char *hashed, *cp, *hosts, *ohosts; |
char *hashed, *cp, *hosts, *ohosts; |
| int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts); |
int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts); |
| |
int was_hashed = l->hosts && l->hosts[0] == HASH_DELIM; |
| |
|
| switch (l->status) { |
switch (l->status) { |
| case HKF_STATUS_OK: |
case HKF_STATUS_OK: |
|
|
| * Don't hash hosts already already hashed, with wildcard |
* Don't hash hosts already already hashed, with wildcard |
| * characters or a CA/revocation marker. |
* characters or a CA/revocation marker. |
| */ |
*/ |
| if ((l->match & HKF_MATCH_HOST_HASHED) != 0 || |
if (was_hashed || has_wild || l->marker != MRK_NONE) { |
| has_wild || l->marker != MRK_NONE) { |
|
| fprintf(ctx->out, "%s\n", l->line); |
fprintf(ctx->out, "%s\n", l->line); |
| if (has_wild && !find_host) { |
if (has_wild && !find_host) { |
| logit("%s:%ld: ignoring host name " |
logit("%s:%lu: ignoring host name " |
| "with wildcard: %.64s", l->path, |
"with wildcard: %.64s", l->path, |
| l->linenum, l->hosts); |
l->linenum, l->hosts); |
| } |
} |
|
|
| */ |
*/ |
| ohosts = hosts = xstrdup(l->hosts); |
ohosts = hosts = xstrdup(l->hosts); |
| while ((cp = strsep(&hosts, ",")) != NULL && *cp != '\0') { |
while ((cp = strsep(&hosts, ",")) != NULL && *cp != '\0') { |
| |
lowercase(cp); |
| if ((hashed = host_hash(cp, NULL, 0)) == NULL) |
if ((hashed = host_hash(cp, NULL, 0)) == NULL) |
| fatal("hash_host failed"); |
fatal("hash_host failed"); |
| fprintf(ctx->out, "%s %s\n", hashed, l->rawkey); |
fprintf(ctx->out, "%s %s\n", hashed, l->rawkey); |
|
|
| case HKF_STATUS_INVALID: |
case HKF_STATUS_INVALID: |
| /* Retain invalid lines, but mark file as invalid. */ |
/* Retain invalid lines, but mark file as invalid. */ |
| ctx->invalid = 1; |
ctx->invalid = 1; |
| logit("%s:%ld: invalid line", l->path, l->linenum); |
logit("%s:%lu: invalid line", l->path, l->linenum); |
| /* FALLTHROUGH */ |
/* FALLTHROUGH */ |
| default: |
default: |
| fprintf(ctx->out, "%s\n", l->line); |
fprintf(ctx->out, "%s\n", l->line); |
|
|
| */ |
*/ |
| ctx->found_key = 1; |
ctx->found_key = 1; |
| if (!quiet) |
if (!quiet) |
| printf("# Host %s found: line %ld\n", |
printf("# Host %s found: line %lu\n", |
| ctx->host, l->linenum); |
ctx->host, l->linenum); |
| } |
} |
| return 0; |
return 0; |
| } else if (find_host) { |
} else if (find_host) { |
| ctx->found_key = 1; |
ctx->found_key = 1; |
| if (!quiet) { |
if (!quiet) { |
| printf("# Host %s found: line %ld %s\n", |
printf("# Host %s found: line %lu %s\n", |
| ctx->host, |
ctx->host, |
| l->linenum, l->marker == MRK_CA ? "CA" : |
l->linenum, l->marker == MRK_CA ? "CA" : |
| (l->marker == MRK_REVOKE ? "REVOKED" : "")); |
(l->marker == MRK_REVOKE ? "REVOKED" : "")); |
|
|
| /* Retain non-matching hosts when deleting */ |
/* Retain non-matching hosts when deleting */ |
| if (l->status == HKF_STATUS_INVALID) { |
if (l->status == HKF_STATUS_INVALID) { |
| ctx->invalid = 1; |
ctx->invalid = 1; |
| logit("%s:%ld: invalid line", l->path, l->linenum); |
logit("%s:%lu: invalid line", l->path, l->linenum); |
| } |
} |
| fprintf(ctx->out, "%s\n", l->line); |
fprintf(ctx->out, "%s\n", l->line); |
| } |
} |
|
|
| } |
} |
| } |
} |
| |
|
| if (private->type != KEY_RSA1 && private->type != KEY_ED25519 && |
if (private->type != KEY_ED25519 && !use_new_format) { |
| !use_new_format) { |
error("Comments are only supported for keys stored in " |
| error("Comments are only supported for RSA1 or keys stored in " |
|
| "the new format (-o)."); |
"the new format (-o)."); |
| explicit_bzero(passphrase, strlen(passphrase)); |
explicit_bzero(passphrase, strlen(passphrase)); |
| sshkey_free(private); |
sshkey_free(private); |
|
|
| static void |
static void |
| prepare_options_buf(struct sshbuf *c, int which) |
prepare_options_buf(struct sshbuf *c, int which) |
| { |
{ |
| |
size_t i; |
| |
|
| sshbuf_reset(c); |
sshbuf_reset(c); |
| if ((which & OPTIONS_CRITICAL) != 0 && |
if ((which & OPTIONS_CRITICAL) != 0 && |
| certflags_command != NULL) |
certflags_command != NULL) |
|
|
| if ((which & OPTIONS_CRITICAL) != 0 && |
if ((which & OPTIONS_CRITICAL) != 0 && |
| certflags_src_addr != NULL) |
certflags_src_addr != NULL) |
| add_string_option(c, "source-address", certflags_src_addr); |
add_string_option(c, "source-address", certflags_src_addr); |
| |
for (i = 0; i < ncert_userext; i++) { |
| |
if ((cert_userext[i].crit && (which & OPTIONS_EXTENSIONS)) || |
| |
(!cert_userext[i].crit && (which & OPTIONS_CRITICAL))) |
| |
continue; |
| |
if (cert_userext[i].val == NULL) |
| |
add_flag_option(c, cert_userext[i].key); |
| |
else { |
| |
add_string_option(c, cert_userext[i].key, |
| |
cert_userext[i].val); |
| |
} |
| |
} |
| } |
} |
| |
|
| static struct sshkey * |
static struct sshkey * |
|
|
| static void |
static void |
| add_cert_option(char *opt) |
add_cert_option(char *opt) |
| { |
{ |
| char *val; |
char *val, *cp; |
| |
int iscrit = 0; |
| |
|
| if (strcasecmp(opt, "clear") == 0) |
if (strcasecmp(opt, "clear") == 0) |
| certflags_flags = 0; |
certflags_flags = 0; |
|
|
| if (addr_match_cidr_list(NULL, val) != 0) |
if (addr_match_cidr_list(NULL, val) != 0) |
| fatal("Invalid source-address list"); |
fatal("Invalid source-address list"); |
| certflags_src_addr = xstrdup(val); |
certflags_src_addr = xstrdup(val); |
| |
} else if (strncasecmp(opt, "extension:", 10) == 0 || |
| |
(iscrit = (strncasecmp(opt, "critical:", 9) == 0))) { |
| |
val = xstrdup(strchr(opt, ':') + 1); |
| |
if ((cp = strchr(val, '=')) != NULL) |
| |
*cp++ = '\0'; |
| |
cert_userext = xreallocarray(cert_userext, ncert_userext + 1, |
| |
sizeof(*cert_userext)); |
| |
cert_userext[ncert_userext].key = val; |
| |
cert_userext[ncert_userext].val = cp == NULL ? |
| |
NULL : xstrdup(cp); |
| |
cert_userext[ncert_userext].crit = iscrit; |
| |
ncert_userext++; |
| } else |
} else |
| fatal("Unsupported certificate option \"%s\"", opt); |
fatal("Unsupported certificate option \"%s\"", opt); |
| } |
} |
|
|
| } |
} |
| #endif |
#endif |
| |
|
| #ifdef WITH_SSH1 |
|
| # define RSA1_USAGE " | rsa1" |
|
| #else |
|
| # define RSA1_USAGE "" |
|
| #endif |
|
| |
|
| static void |
static void |
| usage(void) |
usage(void) |
| { |
{ |
| fprintf(stderr, |
fprintf(stderr, |
| "usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa%s]\n" |
"usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]\n" |
| " [-N new_passphrase] [-C comment] [-f output_keyfile]\n" |
" [-N new_passphrase] [-C comment] [-f output_keyfile]\n" |
| " ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]\n" |
" ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]\n" |
| " ssh-keygen -i [-m key_format] [-f input_keyfile]\n" |
" ssh-keygen -i [-m key_format] [-f input_keyfile]\n" |
|
|
| " ssh-keygen -y [-f input_keyfile]\n" |
" ssh-keygen -y [-f input_keyfile]\n" |
| " ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n" |
" ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n" |
| " ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]\n" |
" ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]\n" |
| " ssh-keygen -B [-f input_keyfile]\n", RSA1_USAGE); |
" ssh-keygen -B [-f input_keyfile]\n"); |
| #ifdef ENABLE_PKCS11 |
#ifdef ENABLE_PKCS11 |
| fprintf(stderr, |
fprintf(stderr, |
| " ssh-keygen -D pkcs11\n"); |
" ssh-keygen -D pkcs11\n"); |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh-keygen.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh