===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-keygen.c,v
retrieving revision 1.246
retrieving revision 1.250
diff -u -r1.246 -r1.250
--- src/usr.bin/ssh/ssh-keygen.c	2014/04/29 18:01:49	1.246
+++ src/usr.bin/ssh/ssh-keygen.c	2014/08/21 01:08:52	1.250
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.246 2014/04/29 18:01:49 markus Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.250 2014/08/21 01:08:52 doug Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -22,6 +22,7 @@
 
 #include <errno.h>
 #include <fcntl.h>
+#include <netdb.h>
 #include <pwd.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -160,7 +161,7 @@
 /* argv0 */
 extern char *__progname;
 
-char hostname[MAXHOSTNAMELEN];
+char hostname[NI_MAXHOST];
 
 /* moduli.c */
 int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
@@ -473,7 +474,9 @@
 		buffer_get_bignum_bits(&b, key->rsa->iqmp);
 		buffer_get_bignum_bits(&b, key->rsa->q);
 		buffer_get_bignum_bits(&b, key->rsa->p);
-		rsa_generate_additional_parameters(key->rsa);
+		if (rsa_generate_additional_parameters(key->rsa) != 0)
+			fatal("%s: rsa_generate_additional_parameters "
+			    "error", __func__);
 		break;
 	}
 	rlen = buffer_len(&b);
@@ -950,12 +953,14 @@
 		f = fdopen(fd, "w");
 		if (f == NULL) {
 			printf("fdopen %s failed\n", identity_file);
+			close(fd);
 			key_free(public);
 			first = 0;
 			continue;
 		}
 		if (!key_write(public, f)) {
 			fprintf(stderr, "write key failed\n");
+			fclose(f);
 			key_free(public);
 			first = 0;
 			continue;
@@ -970,7 +975,7 @@
 }
 
 static void
-printhost(FILE *f, const char *name, Key *public, int ca, int hash)
+printhost(FILE *f, const char *name, Key *public, int ca, int revoked, int hash)
 {
 	if (print_fingerprint) {
 		enum fp_rep rep;
@@ -990,7 +995,8 @@
 	} else {
 		if (hash && (name = host_hash(name, NULL, 0)) == NULL)
 			fatal("hash_host failed");
-		fprintf(f, "%s%s%s ", ca ? CA_MARKER : "", ca ? " " : "", name);
+		fprintf(f, "%s%s%s ", ca ? CA_MARKER " " : "",
+		    revoked ? REVOKE_MARKER " " : "" , name);
 		if (!key_write(public, f))
 			fatal("key_write failed");
 		fprintf(f, "\n");
@@ -1005,7 +1011,7 @@
 	char *cp, *cp2, *kp, *kp2;
 	char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN];
 	int c, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0;
-	int ca;
+	int ca, revoked;
 	int found_key = 0;
 
 	if (!have_identity) {
@@ -1019,6 +1025,7 @@
 	if ((in = fopen(identity_file, "r")) == NULL)
 		fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
 
+	/* XXX this code is a mess; refactor -djm */
 	/*
 	 * Find hosts goes to stdout, hash and deletions happen in-place
 	 * A corner case is ssh-keygen -HF foo, which should go to stdout
@@ -1062,7 +1069,7 @@
 				fprintf(out, "%s\n", cp);
 			continue;
 		}
-		/* Check whether this is a CA key */
+		/* Check whether this is a CA key or revocation marker */
 		if (strncasecmp(cp, CA_MARKER, sizeof(CA_MARKER) - 1) == 0 &&
 		    (cp[sizeof(CA_MARKER) - 1] == ' ' ||
 		    cp[sizeof(CA_MARKER) - 1] == '\t')) {
@@ -1070,6 +1077,14 @@
 			cp += sizeof(CA_MARKER);
 		} else
 			ca = 0;
+		if (strncasecmp(cp, REVOKE_MARKER,
+		    sizeof(REVOKE_MARKER) - 1) == 0 &&
+		    (cp[sizeof(REVOKE_MARKER) - 1] == ' ' ||
+		    cp[sizeof(REVOKE_MARKER) - 1] == '\t')) {
+ 			revoked = 1;
+			cp += sizeof(REVOKE_MARKER);
+		} else
+			revoked = 0;
 
 		/* Find the end of the host name portion. */
 		for (kp = cp; *kp && *kp != ' ' && *kp != '\t'; kp++)
@@ -1113,20 +1128,23 @@
 						printf("# Host %s found: "
 						    "line %d type %s%s\n", name,
 						    num, key_type(pub),
-						    ca ? " (CA key)" : "");
-					printhost(out, cp, pub, ca, 0);
+						    ca ? " (CA key)" :
+						    revoked? " (revoked)" : "");
+					printhost(out, cp, pub, ca, revoked, 0);
 					found_key = 1;
 				}
 				if (delete_host) {
-					if (!c && !ca)
-						printhost(out, cp, pub, ca, 0);
-					else
+					if (!c || ca || revoked) {
+						printhost(out, cp, pub,
+						    ca, revoked, 0);
+					} else {
 						printf("# Host %s found: "
 						    "line %d type %s\n", name,
 						    num, key_type(pub));
+					}
 				}
 			} else if (hash_hosts)
-				printhost(out, cp, pub, ca, 0);
+				printhost(out, cp, pub, ca, revoked, 0);
 		} else {
 			if (find_host || delete_host) {
 				c = (match_hostname(name, cp,
@@ -1137,38 +1155,43 @@
 						    "line %d type %s%s\n", name,
 						    num, key_type(pub),
 						    ca ? " (CA key)" : "");
-					printhost(out, name, pub,
-					    ca, hash_hosts && !ca);
+					printhost(out, name, pub, ca, revoked,
+					    hash_hosts && !(ca || revoked));
 					found_key = 1;
 				}
 				if (delete_host) {
-					if (!c && !ca)
-						printhost(out, cp, pub, ca, 0);
-					else
+					if (!c || ca || revoked) {
+						printhost(out, cp, pub,
+						    ca, revoked, 0);
+					} else {
 						printf("# Host %s found: "
 						    "line %d type %s\n", name,
 						    num, key_type(pub));
+					}
 				}
+			} else if (hash_hosts && (ca || revoked)) {
+				/* Don't hash CA and revoked keys' hostnames */
+				printhost(out, cp, pub, ca, revoked, 0);
+				has_unhashed = 1;
 			} else if (hash_hosts) {
+				/* Hash each hostname separately */
 				for (cp2 = strsep(&cp, ",");
 				    cp2 != NULL && *cp2 != '\0';
 				    cp2 = strsep(&cp, ",")) {
-					if (ca) {
-						fprintf(stderr, "Warning: "
-						    "ignoring CA key for host: "
-						    "%.64s\n", cp2);
-						printhost(out, cp2, pub, ca, 0);
-					} else if (strcspn(cp2, "*?!") !=
+					if (strcspn(cp2, "*?!") !=
 					    strlen(cp2)) {
 						fprintf(stderr, "Warning: "
 						    "ignoring host name with "
 						    "metacharacters: %.64s\n",
 						    cp2);
-						printhost(out, cp2, pub, ca, 0);
-					} else
-						printhost(out, cp2, pub, ca, 1);
+						printhost(out, cp2, pub, ca,
+						    revoked, 0);
+						has_unhashed = 1;
+					} else {
+						printhost(out, cp2, pub, ca,
+						    revoked, 1);
+					}
 				}
-				has_unhashed = 1;
 			}
 		}
 		key_free(pub);
@@ -1622,12 +1645,12 @@
 		public->cert->valid_after = cert_valid_from;
 		public->cert->valid_before = cert_valid_to;
 		if (v00) {
-			prepare_options_buf(&public->cert->critical,
+			prepare_options_buf(public->cert->critical,
 			    OPTIONS_CRITICAL|OPTIONS_EXTENSIONS);
 		} else {
-			prepare_options_buf(&public->cert->critical,
+			prepare_options_buf(public->cert->critical,
 			    OPTIONS_CRITICAL);
-			prepare_options_buf(&public->cert->extensions,
+			prepare_options_buf(public->cert->extensions,
 			    OPTIONS_EXTENSIONS);
 		}
 		public->cert->signature_key = key_from_private(ca);
@@ -1898,19 +1921,19 @@
 		printf("\n");
 	}
 	printf("        Critical Options: ");
-	if (buffer_len(&key->cert->critical) == 0)
+	if (buffer_len(key->cert->critical) == 0)
 		printf("(none)\n");
 	else {
 		printf("\n");
-		show_options(&key->cert->critical, v00, 1);
+		show_options(key->cert->critical, v00, 1);
 	}
 	if (!v00) {
 		printf("        Extensions: ");
-		if (buffer_len(&key->cert->extensions) == 0)
+		if (buffer_len(key->cert->extensions) == 0)
 			printf("(none)\n");
 		else {
 			printf("\n");
-			show_options(&key->cert->extensions, v00, 0);
+			show_options(key->cert->extensions, v00, 0);
 		}
 	}
 	exit(0);