=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-keygen.c,v retrieving revision 1.246 retrieving revision 1.251 diff -u -r1.246 -r1.251 --- src/usr.bin/ssh/ssh-keygen.c 2014/04/29 18:01:49 1.246 +++ src/usr.bin/ssh/ssh-keygen.c 2014/12/21 22:27:56 1.251 @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.246 2014/04/29 18:01:49 markus Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.251 2014/12/21 22:27:56 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -22,6 +22,7 @@ #include #include +#include #include #include #include @@ -44,6 +45,7 @@ #include "ssh2.h" #include "atomicio.h" #include "krl.h" +#include "digest.h" #ifdef ENABLE_PKCS11 #include "ssh-pkcs11.h" @@ -85,6 +87,9 @@ int print_fingerprint = 0; int print_bubblebabble = 0; +/* Hash algorithm to use for fingerprints. */ +int fingerprint_hash = SSH_FP_HASH_DEFAULT; + /* The identity file name, given on the command line or entered by the user. */ char identity_file[1024]; int have_identity = 0; @@ -160,7 +165,7 @@ /* argv0 */ extern char *__progname; -char hostname[MAXHOSTNAMELEN]; +char hostname[NI_MAXHOST]; /* moduli.c */ int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *); @@ -473,7 +478,9 @@ buffer_get_bignum_bits(&b, key->rsa->iqmp); buffer_get_bignum_bits(&b, key->rsa->q); buffer_get_bignum_bits(&b, key->rsa->p); - rsa_generate_additional_parameters(key->rsa); + if (rsa_generate_additional_parameters(key->rsa) != 0) + fatal("%s: rsa_generate_additional_parameters " + "error", __func__); break; } rlen = buffer_len(&b); @@ -734,11 +741,11 @@ Key **keys = NULL; int i, nkeys; enum fp_rep rep; - enum fp_type fptype; + int fptype; char *fp, *ra; - fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; - rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; + fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash; + rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT; pkcs11_init(0); nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys); @@ -747,7 +754,7 @@ for (i = 0; i < nkeys; i++) { if (print_fingerprint) { fp = key_fingerprint(keys[i], fptype, rep); - ra = key_fingerprint(keys[i], SSH_FP_MD5, + ra = key_fingerprint(keys[i], fingerprint_hash, SSH_FP_RANDOMART); printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]), fp, key_type(keys[i])); @@ -777,12 +784,11 @@ char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra; int i, skip = 0, num = 0, invalid = 1; enum fp_rep rep; - enum fp_type fptype; + int fptype; struct stat st; - fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; - rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; - + fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash; + rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT; if (!have_identity) ask_filename(pw, "Enter file in which the key is"); if (stat(identity_file, &st) < 0) { @@ -792,7 +798,8 @@ public = key_load_public(identity_file, &comment); if (public != NULL) { fp = key_fingerprint(public, fptype, rep); - ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART); + ra = key_fingerprint(public, fingerprint_hash, + SSH_FP_RANDOMART); printf("%u %s %s (%s)\n", key_size(public), fp, comment, key_type(public)); if (log_level >= SYSLOG_LEVEL_VERBOSE) @@ -858,7 +865,8 @@ } comment = *cp ? cp : comment; fp = key_fingerprint(public, fptype, rep); - ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART); + ra = key_fingerprint(public, fingerprint_hash, + SSH_FP_RANDOMART); printf("%u %s %s (%s)\n", key_size(public), fp, comment ? comment : "no comment", key_type(public)); if (log_level >= SYSLOG_LEVEL_VERBOSE) @@ -950,12 +958,14 @@ f = fdopen(fd, "w"); if (f == NULL) { printf("fdopen %s failed\n", identity_file); + close(fd); key_free(public); first = 0; continue; } if (!key_write(public, f)) { fprintf(stderr, "write key failed\n"); + fclose(f); key_free(public); first = 0; continue; @@ -970,17 +980,19 @@ } static void -printhost(FILE *f, const char *name, Key *public, int ca, int hash) +printhost(FILE *f, const char *name, Key *public, int ca, int revoked, int hash) { if (print_fingerprint) { enum fp_rep rep; - enum fp_type fptype; + int fptype; char *fp, *ra; - fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; - rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; + fptype = print_bubblebabble ? + SSH_DIGEST_SHA1 : fingerprint_hash; + rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT; fp = key_fingerprint(public, fptype, rep); - ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART); + ra = key_fingerprint(public, fingerprint_hash, + SSH_FP_RANDOMART); printf("%u %s %s (%s)\n", key_size(public), fp, name, key_type(public)); if (log_level >= SYSLOG_LEVEL_VERBOSE) @@ -990,7 +1002,8 @@ } else { if (hash && (name = host_hash(name, NULL, 0)) == NULL) fatal("hash_host failed"); - fprintf(f, "%s%s%s ", ca ? CA_MARKER : "", ca ? " " : "", name); + fprintf(f, "%s%s%s ", ca ? CA_MARKER " " : "", + revoked ? REVOKE_MARKER " " : "" , name); if (!key_write(public, f)) fatal("key_write failed"); fprintf(f, "\n"); @@ -1005,7 +1018,7 @@ char *cp, *cp2, *kp, *kp2; char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN]; int c, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0; - int ca; + int ca, revoked; int found_key = 0; if (!have_identity) { @@ -1019,6 +1032,7 @@ if ((in = fopen(identity_file, "r")) == NULL) fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); + /* XXX this code is a mess; refactor -djm */ /* * Find hosts goes to stdout, hash and deletions happen in-place * A corner case is ssh-keygen -HF foo, which should go to stdout @@ -1062,7 +1076,7 @@ fprintf(out, "%s\n", cp); continue; } - /* Check whether this is a CA key */ + /* Check whether this is a CA key or revocation marker */ if (strncasecmp(cp, CA_MARKER, sizeof(CA_MARKER) - 1) == 0 && (cp[sizeof(CA_MARKER) - 1] == ' ' || cp[sizeof(CA_MARKER) - 1] == '\t')) { @@ -1070,6 +1084,14 @@ cp += sizeof(CA_MARKER); } else ca = 0; + if (strncasecmp(cp, REVOKE_MARKER, + sizeof(REVOKE_MARKER) - 1) == 0 && + (cp[sizeof(REVOKE_MARKER) - 1] == ' ' || + cp[sizeof(REVOKE_MARKER) - 1] == '\t')) { + revoked = 1; + cp += sizeof(REVOKE_MARKER); + } else + revoked = 0; /* Find the end of the host name portion. */ for (kp = cp; *kp && *kp != ' ' && *kp != '\t'; kp++) @@ -1113,20 +1135,23 @@ printf("# Host %s found: " "line %d type %s%s\n", name, num, key_type(pub), - ca ? " (CA key)" : ""); - printhost(out, cp, pub, ca, 0); + ca ? " (CA key)" : + revoked? " (revoked)" : ""); + printhost(out, cp, pub, ca, revoked, 0); found_key = 1; } if (delete_host) { - if (!c && !ca) - printhost(out, cp, pub, ca, 0); - else + if (!c || ca || revoked) { + printhost(out, cp, pub, + ca, revoked, 0); + } else { printf("# Host %s found: " "line %d type %s\n", name, num, key_type(pub)); + } } } else if (hash_hosts) - printhost(out, cp, pub, ca, 0); + printhost(out, cp, pub, ca, revoked, 0); } else { if (find_host || delete_host) { c = (match_hostname(name, cp, @@ -1137,38 +1162,43 @@ "line %d type %s%s\n", name, num, key_type(pub), ca ? " (CA key)" : ""); - printhost(out, name, pub, - ca, hash_hosts && !ca); + printhost(out, name, pub, ca, revoked, + hash_hosts && !(ca || revoked)); found_key = 1; } if (delete_host) { - if (!c && !ca) - printhost(out, cp, pub, ca, 0); - else + if (!c || ca || revoked) { + printhost(out, cp, pub, + ca, revoked, 0); + } else { printf("# Host %s found: " "line %d type %s\n", name, num, key_type(pub)); + } } + } else if (hash_hosts && (ca || revoked)) { + /* Don't hash CA and revoked keys' hostnames */ + printhost(out, cp, pub, ca, revoked, 0); + has_unhashed = 1; } else if (hash_hosts) { + /* Hash each hostname separately */ for (cp2 = strsep(&cp, ","); cp2 != NULL && *cp2 != '\0'; cp2 = strsep(&cp, ",")) { - if (ca) { - fprintf(stderr, "Warning: " - "ignoring CA key for host: " - "%.64s\n", cp2); - printhost(out, cp2, pub, ca, 0); - } else if (strcspn(cp2, "*?!") != + if (strcspn(cp2, "*?!") != strlen(cp2)) { fprintf(stderr, "Warning: " "ignoring host name with " "metacharacters: %.64s\n", cp2); - printhost(out, cp2, pub, ca, 0); - } else - printhost(out, cp2, pub, ca, 1); + printhost(out, cp2, pub, ca, + revoked, 0); + has_unhashed = 1; + } else { + printhost(out, cp2, pub, ca, + revoked, 1); + } } - has_unhashed = 1; } } key_free(pub); @@ -1622,12 +1652,12 @@ public->cert->valid_after = cert_valid_from; public->cert->valid_before = cert_valid_to; if (v00) { - prepare_options_buf(&public->cert->critical, + prepare_options_buf(public->cert->critical, OPTIONS_CRITICAL|OPTIONS_EXTENSIONS); } else { - prepare_options_buf(&public->cert->critical, + prepare_options_buf(public->cert->critical, OPTIONS_CRITICAL); - prepare_options_buf(&public->cert->extensions, + prepare_options_buf(public->cert->extensions, OPTIONS_EXTENSIONS); } public->cert->signature_key = key_from_private(ca); @@ -1871,9 +1901,9 @@ fatal("%s is not a certificate", identity_file); v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00; - key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); + key_fp = key_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT); ca_fp = key_fingerprint(key->cert->signature_key, - SSH_FP_MD5, SSH_FP_HEX); + fingerprint_hash, SSH_FP_DEFAULT); printf("%s:\n", identity_file); printf(" Type: %s %s certificate\n", key_ssh_name(key), @@ -1898,19 +1928,19 @@ printf("\n"); } printf(" Critical Options: "); - if (buffer_len(&key->cert->critical) == 0) + if (buffer_len(key->cert->critical) == 0) printf("(none)\n"); else { printf("\n"); - show_options(&key->cert->critical, v00, 1); + show_options(key->cert->critical, v00, 1); } if (!v00) { printf(" Extensions: "); - if (buffer_len(&key->cert->extensions) == 0) + if (buffer_len(key->cert->extensions) == 0) printf("(none)\n"); else { printf("\n"); - show_options(&key->cert->extensions, v00, 0); + show_options(key->cert->extensions, v00, 0); } } exit(0); @@ -2152,7 +2182,7 @@ " ssh-keygen -e [-m key_format] [-f input_keyfile]\n" " ssh-keygen -y [-f input_keyfile]\n" " ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n" - " ssh-keygen -l [-f input_keyfile]\n" + " ssh-keygen -l [-E fingerprint_hash] [-f input_keyfile]\n" " ssh-keygen -B [-f input_keyfile]\n"); #ifdef ENABLE_PKCS11 fprintf(stderr, @@ -2217,9 +2247,10 @@ exit(1); } - /* Remaining characters: EUYdw */ + /* Remaining characters: UYdw */ while ((opt = getopt(argc, argv, "ABHLQXceghiklopquvxy" - "C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:a:b:f:g:j:m:n:r:s:t:z:")) != -1) { + "C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:" + "a:b:f:g:j:m:n:r:s:t:z:")) != -1) { switch (opt) { case 'A': gen_all_hostkeys = 1; @@ -2230,6 +2261,11 @@ fatal("Bits has bad value %s (%s)", optarg, errstr); break; + case 'E': + fingerprint_hash = ssh_digest_alg_by_name(optarg); + if (fingerprint_hash == -1) + fatal("Invalid hash algorithm \"%s\"", optarg); + break; case 'F': find_host = 1; rr_hostname = optarg; @@ -2661,8 +2697,9 @@ fclose(f); if (!quiet) { - char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX); - char *ra = key_fingerprint(public, SSH_FP_MD5, + char *fp = key_fingerprint(public, fingerprint_hash, + SSH_FP_DEFAULT); + char *ra = key_fingerprint(public, fingerprint_hash, SSH_FP_RANDOMART); printf("Your public key has been saved in %s.\n", identity_file);