version 1.305, 2017/06/28 01:09:22 |
version 1.311, 2018/02/10 05:43:26 |
|
|
|
|
#include "xmalloc.h" |
#include "xmalloc.h" |
#include "sshkey.h" |
#include "sshkey.h" |
#include "rsa.h" |
|
#include "authfile.h" |
#include "authfile.h" |
#include "uuencode.h" |
#include "uuencode.h" |
#include "sshbuf.h" |
#include "sshbuf.h" |
|
|
if (!PEM_write_RSAPublicKey(stdout, k->rsa)) |
if (!PEM_write_RSAPublicKey(stdout, k->rsa)) |
fatal("PEM_write_RSAPublicKey failed"); |
fatal("PEM_write_RSAPublicKey failed"); |
break; |
break; |
#if notyet /* OpenSSH 0.9.8 lacks this function */ |
|
case KEY_DSA: |
|
if (!PEM_write_DSAPublicKey(stdout, k->dsa)) |
|
fatal("PEM_write_DSAPublicKey failed"); |
|
break; |
|
#endif |
|
/* XXX ECDSA? */ |
|
default: |
default: |
fatal("%s: unsupported key type %s", __func__, sshkey_type(k)); |
fatal("%s: unsupported key type %s", __func__, sshkey_type(k)); |
} |
} |
|
|
buffer_get_bignum_bits(b, key->rsa->iqmp); |
buffer_get_bignum_bits(b, key->rsa->iqmp); |
buffer_get_bignum_bits(b, key->rsa->q); |
buffer_get_bignum_bits(b, key->rsa->q); |
buffer_get_bignum_bits(b, key->rsa->p); |
buffer_get_bignum_bits(b, key->rsa->p); |
if ((r = rsa_generate_additional_parameters(key->rsa)) != 0) |
if ((r = ssh_rsa_generate_additional_parameters(key)) != 0) |
fatal("generate RSA parameters failed: %s", ssh_err(r)); |
fatal("generate RSA parameters failed: %s", ssh_err(r)); |
break; |
break; |
} |
} |
|
|
|
|
/* try the key */ |
/* try the key */ |
if (sshkey_sign(key, &sig, &slen, data, sizeof(data), NULL, 0) != 0 || |
if (sshkey_sign(key, &sig, &slen, data, sizeof(data), NULL, 0) != 0 || |
sshkey_verify(key, sig, slen, data, sizeof(data), 0) != 0) { |
sshkey_verify(key, sig, slen, data, sizeof(data), NULL, 0) != 0) { |
sshkey_free(key); |
sshkey_free(key); |
free(sig); |
free(sig); |
return NULL; |
return NULL; |
|
|
{ |
{ |
FILE *fp; |
FILE *fp; |
RSA *rsa; |
RSA *rsa; |
#ifdef notyet |
|
DSA *dsa; |
|
#endif |
|
|
|
if ((fp = fopen(identity_file, "r")) == NULL) |
if ((fp = fopen(identity_file, "r")) == NULL) |
fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); |
fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); |
|
|
fclose(fp); |
fclose(fp); |
return; |
return; |
} |
} |
#if notyet /* OpenSSH 0.9.8 lacks this function */ |
|
rewind(fp); |
|
if ((dsa = PEM_read_DSAPublicKey(fp, NULL, NULL, NULL)) != NULL) { |
|
if ((*k = sshkey_new(KEY_UNSPEC)) == NULL) |
|
fatal("sshkey_new failed"); |
|
(*k)->type = KEY_DSA; |
|
(*k)->dsa = dsa; |
|
fclose(fp); |
|
return; |
|
} |
|
/* XXX ECDSA */ |
|
#endif |
|
fatal("%s: unrecognised raw private key format", __func__); |
fatal("%s: unrecognised raw private key format", __func__); |
} |
} |
|
|
|
|
int first = 0; |
int first = 0; |
struct stat st; |
struct stat st; |
struct sshkey *private, *public; |
struct sshkey *private, *public; |
char comment[1024]; |
char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file; |
int i, type, fd, r; |
int i, type, fd, r; |
FILE *f; |
FILE *f; |
|
|
for (i = 0; key_types[i].key_type; i++) { |
for (i = 0; key_types[i].key_type; i++) { |
if (stat(key_types[i].path, &st) == 0) |
public = private = NULL; |
continue; |
prv_tmp = pub_tmp = prv_file = pub_file = NULL; |
if (errno != ENOENT) { |
|
|
xasprintf(&prv_file, "%s%s", |
|
identity_file, key_types[i].path); |
|
|
|
/* Check whether private key exists and is not zero-length */ |
|
if (stat(prv_file, &st) == 0) { |
|
if (st.st_size != 0) |
|
goto next; |
|
} else if (errno != ENOENT) { |
error("Could not stat %s: %s", key_types[i].path, |
error("Could not stat %s: %s", key_types[i].path, |
strerror(errno)); |
strerror(errno)); |
first = 0; |
goto failnext; |
continue; |
|
} |
} |
|
|
|
/* |
|
* Private key doesn't exist or is invalid; proceed with |
|
* key generation. |
|
*/ |
|
xasprintf(&prv_tmp, "%s%s.XXXXXXXXXX", |
|
identity_file, key_types[i].path); |
|
xasprintf(&pub_tmp, "%s%s.pub.XXXXXXXXXX", |
|
identity_file, key_types[i].path); |
|
xasprintf(&pub_file, "%s%s.pub", |
|
identity_file, key_types[i].path); |
|
|
if (first == 0) { |
if (first == 0) { |
first = 1; |
first = 1; |
printf("%s: generating new host keys: ", __progname); |
printf("%s: generating new host keys: ", __progname); |
|
|
printf("%s ", key_types[i].key_type_display); |
printf("%s ", key_types[i].key_type_display); |
fflush(stdout); |
fflush(stdout); |
type = sshkey_type_from_name(key_types[i].key_type); |
type = sshkey_type_from_name(key_types[i].key_type); |
strlcpy(identity_file, key_types[i].path, sizeof(identity_file)); |
if ((fd = mkstemp(prv_tmp)) == -1) { |
|
error("Could not save your public key in %s: %s", |
|
prv_tmp, strerror(errno)); |
|
goto failnext; |
|
} |
|
close(fd); /* just using mkstemp() to generate/reserve a name */ |
bits = 0; |
bits = 0; |
type_bits_valid(type, NULL, &bits); |
type_bits_valid(type, NULL, &bits); |
if ((r = sshkey_generate(type, bits, &private)) != 0) { |
if ((r = sshkey_generate(type, bits, &private)) != 0) { |
error("sshkey_generate failed: %s", ssh_err(r)); |
error("sshkey_generate failed: %s", ssh_err(r)); |
first = 0; |
goto failnext; |
continue; |
|
} |
} |
if ((r = sshkey_from_private(private, &public)) != 0) |
if ((r = sshkey_from_private(private, &public)) != 0) |
fatal("sshkey_from_private failed: %s", ssh_err(r)); |
fatal("sshkey_from_private failed: %s", ssh_err(r)); |
snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, |
snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, |
hostname); |
hostname); |
if ((r = sshkey_save_private(private, identity_file, "", |
if ((r = sshkey_save_private(private, prv_tmp, "", |
comment, use_new_format, new_format_cipher, rounds)) != 0) { |
comment, use_new_format, new_format_cipher, rounds)) != 0) { |
error("Saving key \"%s\" failed: %s", |
error("Saving key \"%s\" failed: %s", |
identity_file, ssh_err(r)); |
prv_tmp, ssh_err(r)); |
sshkey_free(private); |
goto failnext; |
sshkey_free(public); |
|
first = 0; |
|
continue; |
|
} |
} |
sshkey_free(private); |
if ((fd = mkstemp(pub_tmp)) == -1) { |
strlcat(identity_file, ".pub", sizeof(identity_file)); |
error("Could not save your public key in %s: %s", |
fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644); |
pub_tmp, strerror(errno)); |
if (fd == -1) { |
goto failnext; |
error("Could not save your public key in %s", |
|
identity_file); |
|
sshkey_free(public); |
|
first = 0; |
|
continue; |
|
} |
} |
|
(void)fchmod(fd, 0644); |
f = fdopen(fd, "w"); |
f = fdopen(fd, "w"); |
if (f == NULL) { |
if (f == NULL) { |
error("fdopen %s failed", identity_file); |
error("fdopen %s failed: %s", pub_tmp, strerror(errno)); |
close(fd); |
close(fd); |
sshkey_free(public); |
goto failnext; |
first = 0; |
|
continue; |
|
} |
} |
if ((r = sshkey_write(public, f)) != 0) { |
if ((r = sshkey_write(public, f)) != 0) { |
error("write key failed: %s", ssh_err(r)); |
error("write key failed: %s", ssh_err(r)); |
fclose(f); |
fclose(f); |
sshkey_free(public); |
goto failnext; |
first = 0; |
|
continue; |
|
} |
} |
fprintf(f, " %s\n", comment); |
fprintf(f, " %s\n", comment); |
fclose(f); |
if (ferror(f) != 0) { |
sshkey_free(public); |
error("write key failed: %s", strerror(errno)); |
|
fclose(f); |
|
goto failnext; |
|
} |
|
if (fclose(f) != 0) { |
|
error("key close failed: %s", strerror(errno)); |
|
goto failnext; |
|
} |
|
|
|
/* Rename temporary files to their permanent locations. */ |
|
if (rename(pub_tmp, pub_file) != 0) { |
|
error("Unable to move %s into position: %s", |
|
pub_file, strerror(errno)); |
|
goto failnext; |
|
} |
|
if (rename(prv_tmp, prv_file) != 0) { |
|
error("Unable to move %s into position: %s", |
|
key_types[i].path, strerror(errno)); |
|
failnext: |
|
first = 0; |
|
goto next; |
|
} |
|
next: |
|
sshkey_free(private); |
|
sshkey_free(public); |
|
free(prv_tmp); |
|
free(pub_tmp); |
|
free(prv_file); |
|
free(pub_file); |
} |
} |
if (first != 0) |
if (first != 0) |
printf("\n"); |
printf("\n"); |
|
|
s, s + 4, s + 6, s + 8, s + 10, s + 12); |
s, s + 4, s + 6, s + 8, s + 10, s + 12); |
break; |
break; |
default: |
default: |
fatal("Invalid certificate time format %s", s); |
fatal("Invalid certificate time format \"%s\"", s); |
} |
} |
|
|
memset(&tm, 0, sizeof(tm)); |
memset(&tm, 0, sizeof(tm)); |
|
|
|
|
/* |
/* |
* from:to, where |
* from:to, where |
* from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS |
* from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "always" |
* to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS |
* to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "forever" |
*/ |
*/ |
from = xstrdup(timespec); |
from = xstrdup(timespec); |
to = strchr(from, ':'); |
to = strchr(from, ':'); |
|
|
|
|
if (*from == '-' || *from == '+') |
if (*from == '-' || *from == '+') |
cert_valid_from = parse_relative_time(from, now); |
cert_valid_from = parse_relative_time(from, now); |
|
else if (strcmp(from, "always") == 0) |
|
cert_valid_from = 0; |
else |
else |
cert_valid_from = parse_absolute_time(from); |
cert_valid_from = parse_absolute_time(from); |
|
|
if (*to == '-' || *to == '+') |
if (*to == '-' || *to == '+') |
cert_valid_to = parse_relative_time(to, now); |
cert_valid_to = parse_relative_time(to, now); |
|
else if (strcmp(to, "forever") == 0) |
|
cert_valid_to = ~(u_int64_t)0; |
else |
else |
cert_valid_to = parse_absolute_time(to); |
cert_valid_to = parse_absolute_time(to); |
|
|
|
|
if ((r = sshkey_write(public, f)) != 0) |
if ((r = sshkey_write(public, f)) != 0) |
error("write key failed: %s", ssh_err(r)); |
error("write key failed: %s", ssh_err(r)); |
fprintf(f, " %s\n", comment); |
fprintf(f, " %s\n", comment); |
fclose(f); |
if (ferror(f) || fclose(f) != 0) |
|
fatal("write public failed: %s", strerror(errno)); |
|
|
if (!quiet) { |
if (!quiet) { |
fp = sshkey_fingerprint(public, fingerprint_hash, |
fp = sshkey_fingerprint(public, fingerprint_hash, |