=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-keygen.c,v retrieving revision 1.152 retrieving revision 1.178 diff -u -r1.152 -r1.178 --- src/usr.bin/ssh/ssh-keygen.c 2006/07/26 13:57:17 1.152 +++ src/usr.bin/ssh/ssh-keygen.c 2010/02/09 00:50:59 1.178 @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.152 2006/07/26 13:57:17 stevesk Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.178 2010/02/09 00:50:59 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -12,9 +12,8 @@ * called by a name other than "ssh" or "Secure Shell". */ -#include "includes.h" - #include +#include #include #include @@ -24,6 +23,7 @@ #include #include #include +#include #include #include #include @@ -34,7 +34,6 @@ #include "authfile.h" #include "uuencode.h" #include "buffer.h" -#include "bufaux.h" #include "pathnames.h" #include "log.h" #include "misc.h" @@ -42,8 +41,8 @@ #include "hostfile.h" #include "dns.h" -#ifdef SMARTCARD -#include "scard.h" +#ifdef ENABLE_PKCS11 +#include "ssh-pkcs11.h" #endif /* Number of bits in the RSA/DSA key. This value can be set on the command line. */ @@ -65,6 +64,8 @@ int quiet = 0; +int log_level = SYSLOG_LEVEL_INFO; + /* Flag indicating that we want to hash a known_hosts file */ int hash_hosts = 0; /* Flag indicating that we want lookup a host in known_hosts file */ @@ -126,7 +127,7 @@ name = _PATH_SSH_CLIENT_ID_RSA; break; default: - fprintf(stderr, "bad key type"); + fprintf(stderr, "bad key type\n"); exit(1); break; } @@ -135,8 +136,7 @@ fprintf(stderr, "%s (%s): ", prompt, identity_file); if (fgets(buf, sizeof(buf), stdin) == NULL) exit(1); - if (strchr(buf, '\n')) - *strchr(buf, '\n') = 0; + buf[strcspn(buf, "\n")] = '\0'; if (strcmp(buf, "") != 0) strlcpy(identity_file, buf, sizeof(identity_file)); have_identity = 1; @@ -173,6 +173,7 @@ Key *k; u_int len; u_char *blob; + char comment[61]; struct stat st; if (!have_identity) 
@@ -195,11 +196,14 @@ fprintf(stderr, "key_to_blob failed\n"); exit(1); } - fprintf(stdout, "%s\n", SSH_COM_PUBLIC_BEGIN); - fprintf(stdout, - "Comment: \"%u-bit %s, converted from OpenSSH by %s@%s\"\n", + /* Comment + surrounds must fit into 72 chars (RFC 4716 sec 3.3) */ + snprintf(comment, sizeof(comment), + "%u-bit %s, converted by %s@%s from OpenSSH", key_size(k), key_type(k), pw->pw_name, hostname); + + fprintf(stdout, "%s\n", SSH_COM_PUBLIC_BEGIN); + fprintf(stdout, "Comment: \"%s\"\n", comment); dump_base64(stdout, blob, len); fprintf(stdout, "%s\n", SSH_COM_PUBLIC_END); key_free(k); @@ -216,7 +220,8 @@ if (buffer_len(b) < bytes) fatal("buffer_get_bignum_bits: input buffer too small: " "need %d have %d", bytes, buffer_len(b)); - BN_bin2bn(buffer_ptr(b), bytes, value); + if (BN_bin2bn(buffer_ptr(b), bytes, value) == NULL) + fatal("buffer_get_bignum_bits: BN_bin2bn failed"); buffer_consume(b, bytes); } @@ -234,7 +239,7 @@ buffer_init(&b); buffer_append(&b, blob, blen); - magic = buffer_get_int(&b); + magic = buffer_get_int(&b); if (magic != SSH_COM_PRIVATE_KEY_MAGIC) { error("bad magic 0x%x != 0x%x", magic, SSH_COM_PRIVATE_KEY_MAGIC); buffer_free(&b); @@ -246,7 +251,7 @@ i2 = buffer_get_int(&b); i3 = buffer_get_int(&b); i4 = buffer_get_int(&b); - debug("ignore (%d %d %d %d)", i1,i2,i3,i4); + debug("ignore (%d %d %d %d)", i1, i2, i3, i4); if (strcmp(cipher, "none") != 0) { error("unsupported cipher %s", cipher); xfree(cipher); @@ -277,7 +282,7 @@ buffer_get_bignum_bits(&b, key->dsa->priv_key); break; case KEY_RSA: - e = buffer_get_char(&b); + e = buffer_get_char(&b); debug("e %lx", e); if (e < 30) { e <<= 8; @@ -339,9 +344,8 @@ line[pos++] = c; line[pos] = '\0'; } - if (c == EOF) - return -1; - return pos; + /* We reached EOF */ + return -1; } static void 
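Review bot: In the `@@ -339,9 +344,8 @@` hunk the new tail returns -1 at EOF even when bytes have already been stored through `line[pos++] = c`, so a final line with no terminator is dropped, and `/* We reached EOF */` does not say so. The loop that returns `pos` on a line ending is outside the hunk, so this is read from the visible tail only. I would word the comment as `/* EOF: return -1 even if a partial, unterminated line is in 'line' */` so callers do not assume the buffer is empty when they see -1.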
@@ -413,7 +417,7 @@ PEM_write_RSAPrivateKey(stdout, k->rsa, NULL, NULL, 0, NULL, NULL)) : key_write(k, stdout); if (!ok) { - fprintf(stderr, "key write failed"); + fprintf(stderr, "key write failed\n"); exit(1); } key_free(k); @@ -447,59 +451,37 @@ exit(0); } -#ifdef SMARTCARD static void -do_upload(struct passwd *pw, const char *sc_reader_id) +do_download(struct passwd *pw, char *pkcs11provider) { - Key *prv = NULL; - struct stat st; - int ret; - - if (!have_identity) - ask_filename(pw, "Enter file in which the key is"); - if (stat(identity_file, &st) < 0) { - perror(identity_file); - exit(1); - } - prv = load_identity(identity_file); - if (prv == NULL) { - error("load failed"); - exit(1); - } - ret = sc_put_key(prv, sc_reader_id); - key_free(prv); - if (ret < 0) - exit(1); - logit("loading key done"); - exit(0); -} - -static void -do_download(struct passwd *pw, const char *sc_reader_id) -{ +#ifdef ENABLE_PKCS11 Key **keys = NULL; - int i; + int i, nkeys; - keys = sc_get_keys(sc_reader_id, NULL); - if (keys == NULL) - fatal("cannot read public key from smartcard"); - for (i = 0; keys[i]; i++) { + pkcs11_init(0); + nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys); + if (nkeys <= 0) + fatal("cannot read public key from pkcs11"); + for (i = 0; i < nkeys; i++) { key_write(keys[i], stdout); key_free(keys[i]); fprintf(stdout, "\n"); } xfree(keys); + pkcs11_terminate(); exit(0); +#else + fatal("no pkcs11 support"); +#endif /* ENABLE_PKCS11 */ } -#endif /* SMARTCARD */ static void do_fingerprint(struct passwd *pw) { FILE *f; Key *public; - char *comment = NULL, *cp, *ep, line[16*1024], *fp; - int i, skip = 0, num = 1, invalid = 1; + char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra; + int i, skip = 0, num = 0, invalid = 1; enum fp_rep rep; enum fp_type fptype; struct stat st; 
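Review bot: `do_download()` in the `@@ -447,59 +451,37 @@` hunk has no comment saying what `pkcs11provider` is, and that matters for anyone wiring `-D` into a script. As far as I know `pkcs11_add_provider()` loads the named PKCS#11 module into this process, so the argument is a library that runs with the caller's privileges rather than a passive token name; confirm against ssh-pkcs11.c. I would add above the function `/* pkcs11provider: path to a PKCS#11 module; it is loaded and executed in-process, so it must be a trusted library */`. Separately, `pw` is unused in both build variants and `pkcs11provider` is unused in the `#else` branch, which will warn under -Wunused-parameter.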
@@ -516,9 +498,14 @@ public = key_load_public(identity_file, &comment); if (public != NULL) { fp = key_fingerprint(public, fptype, rep); - printf("%u %s %s\n", key_size(public), fp, comment); + ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART); + printf("%u %s %s (%s)\n", key_size(public), fp, comment, + key_type(public)); + if (log_level >= SYSLOG_LEVEL_VERBOSE) + printf("%s\n", ra); key_free(public); xfree(comment); + xfree(ra); xfree(fp); exit(0); } @@ -530,9 +517,9 @@ f = fopen(identity_file, "r"); if (f != NULL) { while (fgets(line, sizeof(line), f)) { - i = strlen(line) - 1; - if (line[i] != '\n') { - error("line %d too long: %.40s...", num, line); + if ((cp = strchr(line, '\n')) == NULL) { + error("line %d too long: %.40s...", + num + 1, line); skip = 1; continue; } @@ -541,13 +528,13 @@ skip = 0; continue; } - line[i] = '\0'; + *cp = '\0'; /* Skip leading whitespace, empty and comment lines. */ for (cp = line; *cp == ' ' || *cp == '\t'; cp++) ; if (!*cp || *cp == '\n' || *cp == '#') - continue ; + continue; i = strtol(cp, &ep, 10); if (i == 0 || ep == NULL || (*ep != ' ' && *ep != '\t')) { int quoted = 0; @@ -576,8 +563,12 @@ } comment = *cp ? cp : comment; fp = key_fingerprint(public, fptype, rep); - printf("%u %s %s\n", key_size(public), fp, - comment ? comment : "no comment"); + ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART); + printf("%u %s %s (%s)\n", key_size(public), fp, + comment ? comment : "no comment", key_type(public)); + if (log_level >= SYSLOG_LEVEL_VERBOSE) + printf("%s\n", ra); + xfree(ra); xfree(fp); key_free(public); invalid = 0; 
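Review bot: In the `@@ -516,9 +498,14 @@` hunk `ra` is computed and freed on every call but printed only when `log_level >= SYSLOG_LEVEL_VERBOSE`, and it is always derived with `SSH_FP_MD5` while `fp` uses `fptype`. I would move the `key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART)` call and its `xfree(ra)` inside the verbose `if` block. I would also add `/* randomart is always MD5-based, independent of fptype */` so nobody assumes the image corresponds to a bubblebabble `fp`. The same pattern is repeated in the `@@ -576,8 +563,12 @@` hunk and in `print_host()` in `@@ -592,14 +583,31 @@`.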
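Review bot: The `strchr(line, '\n') == NULL` test in the `@@ -530,9 +517,9 @@` hunk also fires for a last line that merely lacks a trailing newline, so a valid final key is reported as "too long" and skipped. The change does remove the old `line[strlen(line) - 1]` read, but it does not distinguish the unterminated final line from an over-long one. Checking `feof(f)` first would, for example `if ((cp = strchr(line, '\n')) == NULL && !feof(f)) {`, with the later `*cp = '\0'` guarded by `cp != NULL`. The identical test in the `@@ -644,19 +652,18 @@` hunk also sets `invalid = 1`, so a known_hosts file without a final newline is declared invalid and, per the `@@ -744,7 +752,7 @@` hunk, not replaced in place.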
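Review bot: The new `printf` in the `@@ -576,8 +563,12 @@` hunk writes `comment` to the terminal exactly as it appears in the file being listed (`comment = *cp ? cp : comment`), and that file may not have been written by the user running the command. Control characters in that field reach the terminal unfiltered. I would pass the comment through a printable-only filter before printing, for instance `strnvis()` into a local buffer on OpenBSD, and do the same for the `comment` printed in the `@@ -516,9 +498,14 @@` hunk. The enclosing loop starts and ends outside this hunk.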
@@ -592,14 +583,31 @@ } static void -print_host(FILE *f, char *name, Key *public, int hash) +print_host(FILE *f, const char *name, Key *public, int hash) { - if (hash && (name = host_hash(name, NULL, 0)) == NULL) - fatal("hash_host failed"); - fprintf(f, "%s ", name); - if (!key_write(public, f)) - fatal("key_write failed"); - fprintf(f, "\n"); + if (print_fingerprint) { + enum fp_rep rep; + enum fp_type fptype; + char *fp, *ra; + + fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; + rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; + fp = key_fingerprint(public, fptype, rep); + ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART); + printf("%u %s %s (%s)\n", key_size(public), fp, name, + key_type(public)); + if (log_level >= SYSLOG_LEVEL_VERBOSE) + printf("%s\n", ra); + xfree(ra); + xfree(fp); + } else { + if (hash && (name = host_hash(name, NULL, 0)) == NULL) + fatal("hash_host failed"); + fprintf(f, "%s ", name); + if (!key_write(public, f)) + fatal("key_write failed"); + fprintf(f, "\n"); + } } static void @@ -609,7 +617,7 @@ Key *public; char *cp, *cp2, *kp, *kp2; char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN]; - int c, i, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0; + int c, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0; if (!have_identity) { cp = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid); @@ -644,19 +652,18 @@ } while (fgets(line, sizeof(line), in)) { - num++; - i = strlen(line) - 1; - if (line[i] != '\n') { - error("line %d too long: %.40s...", num, line); + if ((cp = strchr(line, '\n')) == NULL) { + error("line %d too long: %.40s...", num + 1, line); skip = 1; invalid = 1; continue; } + num++; if (skip) { skip = 0; continue; } - line[i] = '\0'; + *cp = '\0'; /* Skip leading whitespace, empty and comment lines. */ for (cp = line; *cp == ' ' || *cp == '\t'; cp++) 
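Review bot: The fingerprint branch of `print_host()` in the `@@ -592,14 +583,31 @@` hunk prints with `printf` and ignores the `f` argument, while the `else` branch writes to `f`. That appears to work only because main rejects `-l` together with the modes that rewrite the file; a caller passing any stream other than stdout would get the fingerprint on stdout and nothing in its file. I would use `fprintf(f, "%u %s %s (%s)\n", key_size(public), fp, name, key_type(public));` and `fprintf(f, "%s\n", ra);` so the function honours its own parameter.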
@@ -720,7 +727,8 @@ printf("# Host %s found: " "line %d type %s\n", name, num, key_type(public)); - print_host(out, cp, public, hash_hosts); + print_host(out, name, public, + hash_hosts); } if (delete_host && !c) print_host(out, cp, public, 0); @@ -744,7 +752,7 @@ fclose(in); if (invalid) { - fprintf(stderr, "%s is not a valid known_host file.\n", + fprintf(stderr, "%s is not a valid known_hosts file.\n", identity_file); if (inplace) { fprintf(stderr, "Not replacing existing known_hosts " @@ -956,8 +964,7 @@ key_free(private); exit(1); } - if (strchr(new_comment, '\n')) - *strchr(new_comment, '\n') = 0; + new_comment[strcspn(new_comment, "\n")] = '\0'; } /* Save the file using the new passphrase. */ @@ -982,11 +989,11 @@ } f = fdopen(fd, "w"); if (f == NULL) { - printf("fdopen %s failed", identity_file); + printf("fdopen %s failed\n", identity_file); exit(1); } if (!key_write(public, f)) - fprintf(stderr, "write key failed"); + fprintf(stderr, "write key failed\n"); key_free(public); fprintf(f, " %s\n", new_comment); fclose(f); 
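Review bot: In the `@@ -982,11 +989,11 @@` hunk a failed `key_write(public, f)` only prints a message; execution continues to `fprintf(f, " %s\n", new_comment)` and `fclose(f)`, leaving a public-key file that holds just the comment, and as far as the hunk shows no failure status is reported. The `fdopen` failure message also goes to stdout via `printf` while its neighbours use stderr. I would make the write failure terminal, `if (!key_write(public, f)) { fprintf(stderr, "write key failed\n"); exit(1); }`, and send the fdopen message to stderr. The `@@ -1415,20 +1411,25 @@` hunk has the same two statements and the same gap.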
@@ -1000,23 +1007,23 @@ static void usage(void) { - fprintf(stderr, "Usage: %s [options]\n", __progname); + fprintf(stderr, "usage: %s [options]\n", __progname); fprintf(stderr, "Options:\n"); fprintf(stderr, " -a trials Number of trials for screening DH-GEX moduli.\n"); fprintf(stderr, " -B Show bubblebabble digest of key file.\n"); fprintf(stderr, " -b bits Number of bits in the key to create.\n"); fprintf(stderr, " -C comment Provide new comment.\n"); fprintf(stderr, " -c Change comment in private and public key files.\n"); -#ifdef SMARTCARD - fprintf(stderr, " -D reader Download public key from smartcard.\n"); -#endif /* SMARTCARD */ - fprintf(stderr, " -e Convert OpenSSH to IETF SECSH key file.\n"); +#ifdef ENABLE_PKCS11 + fprintf(stderr, " -D pkcs11 Download public key from pkcs11 token.\n"); +#endif + fprintf(stderr, " -e Convert OpenSSH to RFC 4716 key file.\n"); fprintf(stderr, " -F hostname Find hostname in known hosts file.\n"); fprintf(stderr, " -f filename Filename of the key file.\n"); fprintf(stderr, " -G file Generate candidates for DH-GEX moduli.\n"); fprintf(stderr, " -g Use generic DNS resource record format.\n"); fprintf(stderr, " -H Hash names in known_hosts file.\n"); - fprintf(stderr, " -i Convert IETF SECSH to OpenSSH key file.\n"); + fprintf(stderr, " -i Convert RFC 4716 to OpenSSH key file.\n"); fprintf(stderr, " -l Show fingerprint of key file.\n"); fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n"); fprintf(stderr, " -N phrase Provide new passphrase.\n"); 
@@ -1028,9 +1035,6 @@ fprintf(stderr, " -S start Start point (hex) for generating DH-GEX moduli.\n"); fprintf(stderr, " -T file Screen candidates for DH-GEX moduli.\n"); fprintf(stderr, " -t type Specify type of key to create.\n"); -#ifdef SMARTCARD - fprintf(stderr, " -U reader Upload private key to smartcard.\n"); -#endif /* SMARTCARD */ fprintf(stderr, " -v Verbose.\n"); fprintf(stderr, " -W gen Generator to use for generating DH-GEX moduli.\n"); fprintf(stderr, " -y Read private key file and print public key.\n"); @@ -1042,18 +1046,17 @@ * Main program for key management. */ int -main(int ac, char **av) +main(int argc, char **argv) { char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2; - char out_file[MAXPATHLEN], *reader_id = NULL; + char out_file[MAXPATHLEN], *pkcs11provider = NULL; char *rr_hostname = NULL; Key *private, *public; struct passwd *pw; struct stat st; - int opt, type, fd, download = 0; + int opt, type, fd; u_int32_t memory = 0, generator_wanted = 0, trials = 100; int do_gen_candidates = 0, do_screen_candidates = 0; - int log_level = SYSLOG_LEVEL_INFO; BIGNUM *start = NULL; FILE *f; const char *errstr; @@ -1065,7 +1068,7 @@ sanitise_stdfd(); SSLeay_add_all_algorithms(); - log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); + log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); /* we need this for the home * directory. */ pw = getpwuid(getuid()); @@ -1078,8 +1081,8 @@ exit(1); } - while ((opt = getopt(ac, av, - "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) { + while ((opt = getopt(argc, argv, + "degiqpclBHvxXyF:b:f:t:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) { switch (opt) { case 'b': bits = (u_int32_t)strtonum(optarg, 768, 32768, &errstr); @@ -1151,10 +1154,7 @@ key_type_name = optarg; break; case 'D': - download = 1; - /*FALLTHROUGH*/ - case 'U': - reader_id = optarg; + pkcs11provider = optarg; break; case 'v': if (log_level == SYSLOG_LEVEL_INFO) 
@@ -1211,9 +1211,9 @@ } /* reinit */ - log_init(av[0], log_level, SYSLOG_FACILITY_USER, 1); + log_init(argv[0], log_level, SYSLOG_FACILITY_USER, 1); - if (optind < ac) { + if (optind < argc) { printf("Too many arguments.\n"); usage(); } @@ -1221,6 +1221,10 @@ printf("Can only have one of -p and -c.\n"); usage(); } + if (print_fingerprint && (delete_host || hash_hosts)) { + printf("Cannot use -l with -D or -R.\n"); + usage(); + } if (delete_host || hash_hosts || find_host) do_known_hosts(pw, rr_hostname); if (print_fingerprint || print_bubblebabble) @@ -1258,16 +1262,8 @@ exit(0); } } - if (reader_id != NULL) { -#ifdef SMARTCARD - if (download) - do_download(pw, reader_id); - else - do_upload(pw, reader_id); -#else /* SMARTCARD */ - fatal("no support for smartcards."); -#endif /* SMARTCARD */ - } + if (pkcs11provider != NULL) + do_download(pw, pkcs11provider); if (do_gen_candidates) { FILE *out = fopen(out_file, "w"); @@ -1325,7 +1321,7 @@ printf("Generating public/private %s key pair.\n", key_type_name); private = key_generate(type, bits); if (private == NULL) { - fprintf(stderr, "key_generate failed"); + fprintf(stderr, "key_generate failed\n"); exit(1); } public = key_from_private(private); @@ -1385,7 +1381,7 @@ if (identity_comment) { strlcpy(comment, identity_comment, sizeof(comment)); } else { - /* Create default commend field for the passphrase. */ + /* Create default comment field for the passphrase. */ snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname); } 
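Review bot: The message added in the `@@ -1221,6 +1221,10 @@` hunk names the wrong option: the condition tests `delete_host || hash_hosts`, but `-D` is now the PKCS#11 download flag per the usage text, while hashing is `-H`. Assuming `delete_host` is set by `-R`, the line should read `printf("Cannot use -l with -H or -R.\n");`. As written, a user who combined `-l -H` is pointed at an option they did not pass.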
@@ -1415,20 +1411,25 @@ } f = fdopen(fd, "w"); if (f == NULL) { - printf("fdopen %s failed", identity_file); + printf("fdopen %s failed\n", identity_file); exit(1); } if (!key_write(public, f)) - fprintf(stderr, "write key failed"); + fprintf(stderr, "write key failed\n"); fprintf(f, " %s\n", comment); fclose(f); if (!quiet) { char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX); + char *ra = key_fingerprint(public, SSH_FP_MD5, + SSH_FP_RANDOMART); printf("Your public key has been saved in %s.\n", identity_file); printf("The key fingerprint is:\n"); printf("%s %s\n", fp, comment); + printf("The key's randomart image is:\n"); + printf("%s\n", ra); + xfree(ra); xfree(fp); }