=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-keygen.c,v retrieving revision 1.248 retrieving revision 1.251 diff -u -r1.248 -r1.251 --- src/usr.bin/ssh/ssh-keygen.c 2014/07/03 03:34:09 1.248 +++ src/usr.bin/ssh/ssh-keygen.c 2014/12/21 22:27:56 1.251 @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.248 2014/07/03 03:34:09 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.251 2014/12/21 22:27:56 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -45,6 +45,7 @@ #include "ssh2.h" #include "atomicio.h" #include "krl.h" +#include "digest.h" #ifdef ENABLE_PKCS11 #include "ssh-pkcs11.h" @@ -86,6 +87,9 @@ int print_fingerprint = 0; int print_bubblebabble = 0; +/* Hash algorithm to use for fingerprints. */ +int fingerprint_hash = SSH_FP_HASH_DEFAULT; + /* The identity file name, given on the command line or entered by the user. */ char identity_file[1024]; int have_identity = 0; @@ -737,11 +741,11 @@ Key **keys = NULL; int i, nkeys; enum fp_rep rep; - enum fp_type fptype; + int fptype; char *fp, *ra; - fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; - rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; + fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash; + rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT; pkcs11_init(0); nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys); @@ -750,7 +754,7 @@ for (i = 0; i < nkeys; i++) { if (print_fingerprint) { fp = key_fingerprint(keys[i], fptype, rep); - ra = key_fingerprint(keys[i], SSH_FP_MD5, + ra = key_fingerprint(keys[i], fingerprint_hash, SSH_FP_RANDOMART); printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]), fp, key_type(keys[i])); @@ -780,12 +784,11 @@ char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra; int i, skip = 0, num = 0, invalid = 1; enum fp_rep rep; - enum fp_type fptype; + int fptype; struct stat st; - fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; - rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; - + fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash; + rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT; if (!have_identity) ask_filename(pw, "Enter file in which the key is"); if (stat(identity_file, &st) < 0) { @@ -795,7 +798,8 @@ public = key_load_public(identity_file, &comment); if (public != NULL) { fp = key_fingerprint(public, fptype, rep); - ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART); + ra = key_fingerprint(public, fingerprint_hash, + SSH_FP_RANDOMART); printf("%u %s %s (%s)\n", key_size(public), fp, comment, key_type(public)); if (log_level >= SYSLOG_LEVEL_VERBOSE) @@ -861,7 +865,8 @@ } comment = *cp ? cp : comment; fp = key_fingerprint(public, fptype, rep); - ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART); + ra = key_fingerprint(public, fingerprint_hash, + SSH_FP_RANDOMART); printf("%u %s %s (%s)\n", key_size(public), fp, comment ? comment : "no comment", key_type(public)); if (log_level >= SYSLOG_LEVEL_VERBOSE) @@ -953,12 +958,14 @@ f = fdopen(fd, "w"); if (f == NULL) { printf("fdopen %s failed\n", identity_file); + close(fd); key_free(public); first = 0; continue; } if (!key_write(public, f)) { fprintf(stderr, "write key failed\n"); + fclose(f); key_free(public); first = 0; continue; @@ -973,17 +980,19 @@ } static void -printhost(FILE *f, const char *name, Key *public, int ca, int hash) +printhost(FILE *f, const char *name, Key *public, int ca, int revoked, int hash) { if (print_fingerprint) { enum fp_rep rep; - enum fp_type fptype; + int fptype; char *fp, *ra; - fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; - rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; + fptype = print_bubblebabble ? + SSH_DIGEST_SHA1 : fingerprint_hash; + rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT; fp = key_fingerprint(public, fptype, rep); - ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART); + ra = key_fingerprint(public, fingerprint_hash, + SSH_FP_RANDOMART); printf("%u %s %s (%s)\n", key_size(public), fp, name, key_type(public)); if (log_level >= SYSLOG_LEVEL_VERBOSE) @@ -993,7 +1002,8 @@ } else { if (hash && (name = host_hash(name, NULL, 0)) == NULL) fatal("hash_host failed"); - fprintf(f, "%s%s%s ", ca ? CA_MARKER : "", ca ? " " : "", name); + fprintf(f, "%s%s%s ", ca ? CA_MARKER " " : "", + revoked ? REVOKE_MARKER " " : "" , name); if (!key_write(public, f)) fatal("key_write failed"); fprintf(f, "\n"); @@ -1008,7 +1018,7 @@ char *cp, *cp2, *kp, *kp2; char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN]; int c, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0; - int ca; + int ca, revoked; int found_key = 0; if (!have_identity) { @@ -1022,6 +1032,7 @@ if ((in = fopen(identity_file, "r")) == NULL) fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); + /* XXX this code is a mess; refactor -djm */ /* * Find hosts goes to stdout, hash and deletions happen in-place * A corner case is ssh-keygen -HF foo, which should go to stdout @@ -1065,7 +1076,7 @@ fprintf(out, "%s\n", cp); continue; } - /* Check whether this is a CA key */ + /* Check whether this is a CA key or revocation marker */ if (strncasecmp(cp, CA_MARKER, sizeof(CA_MARKER) - 1) == 0 && (cp[sizeof(CA_MARKER) - 1] == ' ' || cp[sizeof(CA_MARKER) - 1] == '\t')) { @@ -1073,6 +1084,14 @@ cp += sizeof(CA_MARKER); } else ca = 0; + if (strncasecmp(cp, REVOKE_MARKER, + sizeof(REVOKE_MARKER) - 1) == 0 && + (cp[sizeof(REVOKE_MARKER) - 1] == ' ' || + cp[sizeof(REVOKE_MARKER) - 1] == '\t')) { + revoked = 1; + cp += sizeof(REVOKE_MARKER); + } else + revoked = 0; /* Find the end of the host name portion. */ for (kp = cp; *kp && *kp != ' ' && *kp != '\t'; kp++) @@ -1116,20 +1135,23 @@ printf("# Host %s found: " "line %d type %s%s\n", name, num, key_type(pub), - ca ? " (CA key)" : ""); - printhost(out, cp, pub, ca, 0); + ca ? " (CA key)" : + revoked? " (revoked)" : ""); + printhost(out, cp, pub, ca, revoked, 0); found_key = 1; } if (delete_host) { - if (!c && !ca) - printhost(out, cp, pub, ca, 0); - else + if (!c || ca || revoked) { + printhost(out, cp, pub, + ca, revoked, 0); + } else { printf("# Host %s found: " "line %d type %s\n", name, num, key_type(pub)); + } } } else if (hash_hosts) - printhost(out, cp, pub, ca, 0); + printhost(out, cp, pub, ca, revoked, 0); } else { if (find_host || delete_host) { c = (match_hostname(name, cp, @@ -1140,38 +1162,43 @@ "line %d type %s%s\n", name, num, key_type(pub), ca ? " (CA key)" : ""); - printhost(out, name, pub, - ca, hash_hosts && !ca); + printhost(out, name, pub, ca, revoked, + hash_hosts && !(ca || revoked)); found_key = 1; } if (delete_host) { - if (!c && !ca) - printhost(out, cp, pub, ca, 0); - else + if (!c || ca || revoked) { + printhost(out, cp, pub, + ca, revoked, 0); + } else { printf("# Host %s found: " "line %d type %s\n", name, num, key_type(pub)); + } } + } else if (hash_hosts && (ca || revoked)) { + /* Don't hash CA and revoked keys' hostnames */ + printhost(out, cp, pub, ca, revoked, 0); + has_unhashed = 1; } else if (hash_hosts) { + /* Hash each hostname separately */ for (cp2 = strsep(&cp, ","); cp2 != NULL && *cp2 != '\0'; cp2 = strsep(&cp, ",")) { - if (ca) { - fprintf(stderr, "Warning: " - "ignoring CA key for host: " - "%.64s\n", cp2); - printhost(out, cp2, pub, ca, 0); - } else if (strcspn(cp2, "*?!") != + if (strcspn(cp2, "*?!") != strlen(cp2)) { fprintf(stderr, "Warning: " "ignoring host name with " "metacharacters: %.64s\n", cp2); - printhost(out, cp2, pub, ca, 0); - } else - printhost(out, cp2, pub, ca, 1); + printhost(out, cp2, pub, ca, + revoked, 0); + has_unhashed = 1; + } else { + printhost(out, cp2, pub, ca, + revoked, 1); + } } - has_unhashed = 1; } } key_free(pub); @@ -1874,9 +1901,9 @@ fatal("%s is not a certificate", identity_file); v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00; - key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); + key_fp = key_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT); ca_fp = key_fingerprint(key->cert->signature_key, - SSH_FP_MD5, SSH_FP_HEX); + fingerprint_hash, SSH_FP_DEFAULT); printf("%s:\n", identity_file); printf(" Type: %s %s certificate\n", key_ssh_name(key), @@ -2155,7 +2182,7 @@ " ssh-keygen -e [-m key_format] [-f input_keyfile]\n" " ssh-keygen -y [-f input_keyfile]\n" " ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n" - " ssh-keygen -l [-f input_keyfile]\n" + " ssh-keygen -l [-E fingerprint_hash] [-f input_keyfile]\n" " ssh-keygen -B [-f input_keyfile]\n"); #ifdef ENABLE_PKCS11 fprintf(stderr, @@ -2220,9 +2247,10 @@ exit(1); } - /* Remaining characters: EUYdw */ + /* Remaining characters: UYdw */ while ((opt = getopt(argc, argv, "ABHLQXceghiklopquvxy" - "C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:a:b:f:g:j:m:n:r:s:t:z:")) != -1) { + "C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:" + "a:b:f:g:j:m:n:r:s:t:z:")) != -1) { switch (opt) { case 'A': gen_all_hostkeys = 1; @@ -2233,6 +2261,11 @@ fatal("Bits has bad value %s (%s)", optarg, errstr); break; + case 'E': + fingerprint_hash = ssh_digest_alg_by_name(optarg); + if (fingerprint_hash == -1) + fatal("Invalid hash algorithm \"%s\"", optarg); + break; case 'F': find_host = 1; rr_hostname = optarg; @@ -2664,8 +2697,9 @@ fclose(f); if (!quiet) { - char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX); - char *ra = key_fingerprint(public, SSH_FP_MD5, + char *fp = key_fingerprint(public, fingerprint_hash, + SSH_FP_DEFAULT); + char *ra = key_fingerprint(public, fingerprint_hash, SSH_FP_RANDOMART); printf("Your public key has been saved in %s.\n", identity_file);