=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-keygen.c,v retrieving revision 1.189 retrieving revision 1.191 diff -u -r1.189 -r1.191 --- src/usr.bin/ssh/ssh-keygen.c 2010/04/23 22:48:31 1.189 +++ src/usr.bin/ssh/ssh-keygen.c 2010/06/22 04:32:06 1.191 @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.189 2010/04/23 22:48:31 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.191 2010/06/22 04:32:06 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -114,17 +114,16 @@ u_int64_t cert_valid_to = ~0ULL; /* Certificate options */ -#define CRITOPT_X_FWD (1) -#define CRITOPT_AGENT_FWD (1<<1) -#define CRITOPT_PORT_FWD (1<<2) -#define CRITOPT_PTY (1<<3) -#define CRITOPT_USER_RC (1<<4) -#define CRITOPT_DEFAULT (CRITOPT_X_FWD|CRITOPT_AGENT_FWD| \ - CRITOPT_PORT_FWD|CRITOPT_PTY| \ - CRITOPT_USER_RC) -u_int32_t critical_flags = CRITOPT_DEFAULT; -char *critical_command = NULL; -char *critical_src_addr = NULL; +#define CERTOPT_X_FWD (1) +#define CERTOPT_AGENT_FWD (1<<1) +#define CERTOPT_PORT_FWD (1<<2) +#define CERTOPT_PTY (1<<3) +#define CERTOPT_USER_RC (1<<4) +#define CERTOPT_DEFAULT (CERTOPT_X_FWD|CERTOPT_AGENT_FWD| \ + CERTOPT_PORT_FWD|CERTOPT_PTY|CERTOPT_USER_RC) +u_int32_t certflags_flags = CERTOPT_DEFAULT; +char *certflags_command = NULL; +char *certflags_src_addr = NULL; /* Dump public key file in format used by real and the original SSH 2 */ int convert_to_ssh2 = 0; @@ -407,11 +406,8 @@ perror(identity_file); exit(1); } - fp = fopen(identity_file, "r"); - if (fp == NULL) { - perror(identity_file); - exit(1); - } + if ((fp = fopen(identity_file, "r")) == NULL) + fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); encoded[0] = '\0'; while ((blen = get_line(fp, line, sizeof(line))) != -1) { if (line[blen - 1] == '\\') @@ -554,67 +550,68 @@ comment = NULL; } - f = fopen(identity_file, "r"); - if (f != NULL) { - while (fgets(line, sizeof(line), f)) { - if ((cp = strchr(line, '\n')) == NULL) { - error("line %d too long: %.40s...", - num + 1, line); - skip = 1; - continue; - } - num++; - if (skip) { - skip = 0; - continue; - } - *cp = '\0'; + if ((f = fopen(identity_file, "r")) == NULL) + fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); - /* Skip leading whitespace, empty and comment lines. */ - for (cp = line; *cp == ' ' || *cp == '\t'; cp++) - ; - if (!*cp || *cp == '\n' || *cp == '#') - continue; - i = strtol(cp, &ep, 10); - if (i == 0 || ep == NULL || (*ep != ' ' && *ep != '\t')) { - int quoted = 0; - comment = cp; - for (; *cp && (quoted || (*cp != ' ' && - *cp != '\t')); cp++) { - if (*cp == '\\' && cp[1] == '"') - cp++; /* Skip both */ - else if (*cp == '"') - quoted = !quoted; - } - if (!*cp) - continue; - *cp++ = '\0'; + while (fgets(line, sizeof(line), f)) { + if ((cp = strchr(line, '\n')) == NULL) { + error("line %d too long: %.40s...", + num + 1, line); + skip = 1; + continue; + } + num++; + if (skip) { + skip = 0; + continue; + } + *cp = '\0'; + + /* Skip leading whitespace, empty and comment lines. */ + for (cp = line; *cp == ' ' || *cp == '\t'; cp++) + ; + if (!*cp || *cp == '\n' || *cp == '#') + continue; + i = strtol(cp, &ep, 10); + if (i == 0 || ep == NULL || (*ep != ' ' && *ep != '\t')) { + int quoted = 0; + comment = cp; + for (; *cp && (quoted || (*cp != ' ' && + *cp != '\t')); cp++) { + if (*cp == '\\' && cp[1] == '"') + cp++; /* Skip both */ + else if (*cp == '"') + quoted = !quoted; } - ep = cp; - public = key_new(KEY_RSA1); + if (!*cp) + continue; + *cp++ = '\0'; + } + ep = cp; + public = key_new(KEY_RSA1); + if (key_read(public, &cp) != 1) { + cp = ep; + key_free(public); + public = key_new(KEY_UNSPEC); if (key_read(public, &cp) != 1) { - cp = ep; key_free(public); - public = key_new(KEY_UNSPEC); - if (key_read(public, &cp) != 1) { - key_free(public); - continue; - } + continue; } - comment = *cp ? cp : comment; - fp = key_fingerprint(public, fptype, rep); - ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART); - printf("%u %s %s (%s)\n", key_size(public), fp, - comment ? comment : "no comment", key_type(public)); - if (log_level >= SYSLOG_LEVEL_VERBOSE) - printf("%s\n", ra); - xfree(ra); - xfree(fp); - key_free(public); - invalid = 0; } - fclose(f); + comment = *cp ? cp : comment; + fp = key_fingerprint(public, fptype, rep); + ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART); + printf("%u %s %s (%s)\n", key_size(public), fp, + comment ? comment : "no comment", key_type(public)); + if (log_level >= SYSLOG_LEVEL_VERBOSE) + printf("%s\n", ra); + xfree(ra); + xfree(fp); + key_free(public); + invalid = 0; } + fclose(f); + if (invalid) { printf("%s is not a public key file.\n", identity_file); exit(1); @@ -669,7 +666,7 @@ have_identity = 1; } if ((in = fopen(identity_file, "r")) == NULL) - fatal("fopen: %s", strerror(errno)); + fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); /* * Find hosts goes to stdout, hash and deletions happen in-place @@ -1125,24 +1122,33 @@ buffer_free(&b); } +#define OPTIONS_CRITICAL 1 +#define OPTIONS_EXTENSIONS 2 static void -prepare_options_buf(Buffer *c) +prepare_options_buf(Buffer *c, int which) { buffer_clear(c); - if ((critical_flags & CRITOPT_X_FWD) != 0) + if ((which & OPTIONS_EXTENSIONS) != 0 && + (certflags_flags & CERTOPT_X_FWD) != 0) add_flag_option(c, "permit-X11-forwarding"); - if ((critical_flags & CRITOPT_AGENT_FWD) != 0) + if ((which & OPTIONS_EXTENSIONS) != 0 && + (certflags_flags & CERTOPT_AGENT_FWD) != 0) add_flag_option(c, "permit-agent-forwarding"); - if ((critical_flags & CRITOPT_PORT_FWD) != 0) + if ((which & OPTIONS_EXTENSIONS) != 0 && + (certflags_flags & CERTOPT_PORT_FWD) != 0) add_flag_option(c, "permit-port-forwarding"); - if ((critical_flags & CRITOPT_PTY) != 0) + if ((which & OPTIONS_EXTENSIONS) != 0 && + (certflags_flags & CERTOPT_PTY) != 0) add_flag_option(c, "permit-pty"); - if ((critical_flags & CRITOPT_USER_RC) != 0) + if ((which & OPTIONS_EXTENSIONS) != 0 && + (certflags_flags & CERTOPT_USER_RC) != 0) add_flag_option(c, "permit-user-rc"); - if (critical_command != NULL) - add_string_option(c, "force-command", critical_command); - if (critical_src_addr != NULL) - add_string_option(c, "source-address", critical_src_addr); + if ((which & OPTIONS_CRITICAL) != 0 && + certflags_command != NULL) + add_string_option(c, "force-command", certflags_command); + if ((which & OPTIONS_CRITICAL) != 0 && + certflags_src_addr != NULL) + add_string_option(c, "source-address", certflags_src_addr); } static void @@ -1210,7 +1216,15 @@ public->cert->principals = plist; public->cert->valid_after = cert_valid_from; public->cert->valid_before = cert_valid_to; - prepare_options_buf(&public->cert->critical); + if (v00) { + prepare_options_buf(&public->cert->critical, + OPTIONS_CRITICAL|OPTIONS_EXTENSIONS); + } else { + prepare_options_buf(&public->cert->critical, + OPTIONS_CRITICAL); + prepare_options_buf(&public->cert->extensions, + OPTIONS_EXTENSIONS); + } public->cert->signature_key = key_from_private(ca); if (key_certify(public, ca) != 0) @@ -1346,43 +1360,43 @@ char *val; if (strcmp(opt, "clear") == 0) - critical_flags = 0; + certflags_flags = 0; else if (strcasecmp(opt, "no-x11-forwarding") == 0) - critical_flags &= ~CRITOPT_X_FWD; + certflags_flags &= ~CERTOPT_X_FWD; else if (strcasecmp(opt, "permit-x11-forwarding") == 0) - critical_flags |= CRITOPT_X_FWD; + certflags_flags |= CERTOPT_X_FWD; else if (strcasecmp(opt, "no-agent-forwarding") == 0) - critical_flags &= ~CRITOPT_AGENT_FWD; + certflags_flags &= ~CERTOPT_AGENT_FWD; else if (strcasecmp(opt, "permit-agent-forwarding") == 0) - critical_flags |= CRITOPT_AGENT_FWD; + certflags_flags |= CERTOPT_AGENT_FWD; else if (strcasecmp(opt, "no-port-forwarding") == 0) - critical_flags &= ~CRITOPT_PORT_FWD; + certflags_flags &= ~CERTOPT_PORT_FWD; else if (strcasecmp(opt, "permit-port-forwarding") == 0) - critical_flags |= CRITOPT_PORT_FWD; + certflags_flags |= CERTOPT_PORT_FWD; else if (strcasecmp(opt, "no-pty") == 0) - critical_flags &= ~CRITOPT_PTY; + certflags_flags &= ~CERTOPT_PTY; else if (strcasecmp(opt, "permit-pty") == 0) - critical_flags |= CRITOPT_PTY; + certflags_flags |= CERTOPT_PTY; else if (strcasecmp(opt, "no-user-rc") == 0) - critical_flags &= ~CRITOPT_USER_RC; + certflags_flags &= ~CERTOPT_USER_RC; else if (strcasecmp(opt, "permit-user-rc") == 0) - critical_flags |= CRITOPT_USER_RC; + certflags_flags |= CERTOPT_USER_RC; else if (strncasecmp(opt, "force-command=", 14) == 0) { val = opt + 14; if (*val == '\0') fatal("Empty force-command option"); - if (critical_command != NULL) + if (certflags_command != NULL) fatal("force-command already specified"); - critical_command = xstrdup(val); + certflags_command = xstrdup(val); } else if (strncasecmp(opt, "source-address=", 15) == 0) { val = opt + 15; if (*val == '\0') fatal("Empty source-address option"); - if (critical_src_addr != NULL) + if (certflags_src_addr != NULL) fatal("source-address already specified"); if (addr_match_cidr_list(NULL, val) != 0) fatal("Invalid source-address list"); - critical_src_addr = xstrdup(val); + certflags_src_addr = xstrdup(val); } else fatal("Unsupported certificate option \"%s\"", opt); } @@ -1399,10 +1413,8 @@ if (!have_identity) ask_filename(pw, "Enter file in which the key is"); - if (stat(identity_file, &st) < 0) { - perror(identity_file); - exit(1); - } + if (stat(identity_file, &st) < 0) + fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); if ((key = key_load_public(identity_file, NULL)) == NULL) fatal("%s is not a public key", identity_file); if (!key_is_cert(key)) @@ -1654,7 +1666,7 @@ break; case 'h': cert_key_type = SSH2_CERT_TYPE_HOST; - critical_flags = 0; + certflags_flags = 0; break; case 'i': case 'X':