===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-keygen.c,v
retrieving revision 1.257
retrieving revision 1.268
diff -u -r1.257 -r1.268
--- src/usr.bin/ssh/ssh-keygen.c	2015/01/18 21:51:19	1.257
+++ src/usr.bin/ssh/ssh-keygen.c	2015/03/31 11:06:49	1.268
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.257 2015/01/18 21:51:19 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.268 2015/03/31 11:06:49 tobias Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -706,12 +706,12 @@
 		fatal("%s: unknown key format %d", __func__, convert_format);
 	}
 
-	if (!private)
+	if (!private) {
 		if ((r = sshkey_write(k, stdout)) == 0)
 			ok = 1;
 		if (ok)
 			fprintf(stdout, "\n");
-	else {
+	} else {
 		switch (k->type) {
 		case KEY_DSA:
 			ok = PEM_write_DSAPrivateKey(stdout, k->dsa, NULL,
@@ -783,6 +783,8 @@
 			fp = sshkey_fingerprint(keys[i], fptype, rep);
 			ra = sshkey_fingerprint(keys[i], fingerprint_hash,
 			    SSH_FP_RANDOMART);
+			if (fp == NULL || ra == NULL)
+				fatal("%s: sshkey_fingerprint fail", __func__);
 			printf("%u %s %s (PKCS11 key)\n", sshkey_size(keys[i]),
 			    fp, sshkey_type(keys[i]));
 			if (log_level >= SYSLOG_LEVEL_VERBOSE)
@@ -823,12 +825,14 @@
 		exit(1);
 	}
 	if ((r = sshkey_load_public(identity_file, &public, &comment)) != 0)
-		error("Error loading public key \"%s\": %s",
+		debug2("Error loading public key \"%s\": %s",
 		    identity_file, ssh_err(r));
 	else {
 		fp = sshkey_fingerprint(public, fptype, rep);
 		ra = sshkey_fingerprint(public, fingerprint_hash,
 		    SSH_FP_RANDOMART);
+		if (fp == NULL || ra == NULL)
+			fatal("%s: sshkey_fingerprint fail", __func__);
 		printf("%u %s %s (%s)\n", sshkey_size(public), fp, comment,
 		    sshkey_type(public));
 		if (log_level >= SYSLOG_LEVEL_VERBOSE)
@@ -898,6 +902,8 @@
 		fp = sshkey_fingerprint(public, fptype, rep);
 		ra = sshkey_fingerprint(public, fingerprint_hash,
 		    SSH_FP_RANDOMART);
+		if (fp == NULL || ra == NULL)
+			fatal("%s: sshkey_fingerprint fail", __func__);
 		printf("%u %s %s (%s)\n", sshkey_size(public), fp,
 		    comment ? comment : "no comment", sshkey_type(public));
 		if (log_level >= SYSLOG_LEVEL_VERBOSE)
@@ -924,10 +930,14 @@
 		char *key_type_display;
 		char *path;
 	} key_types[] = {
+#ifdef WITH_OPENSSL
+#ifdef WITH_SSH1
 		{ "rsa1", "RSA1", _PATH_HOST_KEY_FILE },
+#endif /* WITH_SSH1 */
 		{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
 		{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
 		{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
+#endif /* WITH_OPENSSL */
 		{ "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
 		{ NULL, NULL, NULL }
 	};
@@ -1027,40 +1037,47 @@
 	char *hashed, *cp, *hosts, *ohosts;
 	int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts);
 
-	/* Retain invalid lines when hashing, but mark file as invalid. */
-	if (l->status == HKF_STATUS_INVALID) {
+	switch (l->status) {
+	case HKF_STATUS_OK:
+	case HKF_STATUS_MATCHED:
+		/*
+		 * Don't hash hosts already already hashed, with wildcard
+		 * characters or a CA/revocation marker.
+		 */
+		if ((l->match & HKF_MATCH_HOST_HASHED) != 0 ||
+		    has_wild || l->marker != MRK_NONE) {
+			fprintf(ctx->out, "%s\n", l->line);
+			if (has_wild && !find_host) {
+				fprintf(stderr, "%s:%ld: ignoring host name "
+				    "with wildcard: %.64s\n", l->path,
+				    l->linenum, l->hosts);
+			}
+			return 0;
+		}
+		/*
+		 * Split any comma-separated hostnames from the host list,
+		 * hash and store separately.
+		 */
+		ohosts = hosts = xstrdup(l->hosts);
+		while ((cp = strsep(&hosts, ",")) != NULL && *cp != '\0') {
+			if ((hashed = host_hash(cp, NULL, 0)) == NULL)
+				fatal("hash_host failed");
+			fprintf(ctx->out, "%s %s\n", hashed, l->rawkey);
+			ctx->has_unhashed = 1;
+		}
+		free(ohosts);
+		return 0;
+	case HKF_STATUS_INVALID:
+		/* Retain invalid lines, but mark file as invalid. */
 		ctx->invalid = 1;
 		fprintf(stderr, "%s:%ld: invalid line\n", l->path, l->linenum);
+		/* FALLTHROUGH */
+	default:
 		fprintf(ctx->out, "%s\n", l->line);
 		return 0;
 	}
-
-	/*
-	 * Don't hash hosts already already hashed, with wildcard characters
-	 * or a CA/revocation marker.
-	 */
-	if (l->was_hashed || has_wild || l->marker != MRK_NONE) {
-		fprintf(ctx->out, "%s\n", l->line);
-		if (has_wild && !find_host) {
-			fprintf(stderr, "%s:%ld: ignoring host name "
-			    "with wildcard: %.64s\n", l->path,
-			    l->linenum, l->hosts);
-		}
-		return 0;
-	}
-	/*
-	 * Split any comma-separated hostnames from the host list,
-	 * hash and store separately.
-	 */
-	ohosts = hosts = xstrdup(l->hosts);
-	while ((cp = strsep(&hosts, ",")) != NULL && *cp != '\0') {
-		if ((hashed = host_hash(cp, NULL, 0)) == NULL)
-			fatal("hash_host failed");
-		fprintf(ctx->out, "%s %s\n", hashed, l->rawkey);
-		ctx->has_unhashed = 1;
-	}
-	free(ohosts);
-	return 0;
+	/* NOTREACHED */
+	return -1;
 }
 
 static int
@@ -1068,7 +1085,7 @@
 {
 	struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;
 
-	if (l->status == HKF_STATUS_HOST_MATCHED) {
+	if (l->status == HKF_STATUS_MATCHED) {
 		if (delete_host) {
 			if (l->marker != MRK_NONE) {
 				/* Don't remove CA and revocation lines */
@@ -1114,7 +1131,7 @@
 static void
 do_known_hosts(struct passwd *pw, const char *name)
 {
-	char *cp, tmp[MAXPATHLEN], old[MAXPATHLEN];
+	char *cp, tmp[PATH_MAX], old[PATH_MAX];
 	int r, fd, oerrno, inplace = 0;
 	struct known_hosts_ctx ctx;
 
@@ -1155,7 +1172,7 @@
 	/* XXX support identity_file == "-" for stdin */
 	if ((r = hostkeys_foreach(identity_file,
 	    hash_hosts ? known_hosts_hash : known_hosts_find_delete, &ctx,
-	    name, find_host ? HKF_WANT_MATCH_HOST : 0)) != 0)
+	    name, NULL, find_host ? HKF_WANT_MATCH : 0)) != 0)
 		fatal("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r));
 
 	if (inplace)
@@ -1243,7 +1260,8 @@
 		    identity_file, ssh_err(r));
 		exit(1);
 	}
-	printf("Key has comment '%s'\n", comment);
+	if (comment)
+		printf("Key has comment '%s'\n", comment);
 
 	/* Ask the new passphrase (twice). */
 	if (identity_new_passphrase) {
@@ -1367,6 +1385,7 @@
 	}
 	if (private->type != KEY_RSA1) {
 		fprintf(stderr, "Comments are only supported for RSA1 keys.\n");
+		explicit_bzero(passphrase, strlen(passphrase));
 		sshkey_free(private);
 		exit(1);
 	}
@@ -1883,6 +1902,8 @@
 	key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);
 	ca_fp = sshkey_fingerprint(key->cert->signature_key,
 	    fingerprint_hash, SSH_FP_DEFAULT);
+	if (key_fp == NULL || ca_fp == NULL)
+		fatal("%s: sshkey_fingerprint fail", __func__);
 
 	printf("%s:\n", identity_file);
 	printf("        Type: %s %s certificate\n", sshkey_ssh_name(key),
@@ -1947,7 +1968,7 @@
 }
 
 static void
-update_krl_from_file(struct passwd *pw, const char *file,
+update_krl_from_file(struct passwd *pw, const char *file, int wild_ca,
     const struct sshkey *ca, struct ssh_krl *krl)
 {
 	struct sshkey *key = NULL;
@@ -1989,7 +2010,7 @@
 		if (*cp == '\0')
 			continue;
 		if (strncasecmp(cp, "serial:", 7) == 0) {
-			if (ca == NULL) {
+			if (ca == NULL && !wild_ca) {
 				fatal("revoking certificates by serial number "
 				    "requires specification of a CA key");
 			}
@@ -2026,7 +2047,7 @@
 				    __func__);
 			}
 		} else if (strncasecmp(cp, "id:", 3) == 0) {
-			if (ca == NULL) {
+			if (ca == NULL && !wild_ca) {
 				fatal("revoking certificates by key ID "
 				    "requires specification of a CA key");
 			}
@@ -2077,7 +2098,7 @@
 	struct ssh_krl *krl;
 	struct stat sb;
 	struct sshkey *ca = NULL;
-	int fd, i, r;
+	int fd, i, r, wild_ca = 0;
 	char *tmp;
 	struct sshbuf *kbuf;
 
@@ -2091,11 +2112,15 @@
 			fatal("KRL \"%s\" does not exist", identity_file);
 	}
 	if (ca_key_path != NULL) {
-		tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);
-		if ((r = sshkey_load_public(tmp, &ca, NULL)) != 0)
-			fatal("Cannot load CA public key %s: %s",
-			    tmp, ssh_err(r));
-		free(tmp);
+		if (strcasecmp(ca_key_path, "none") == 0)
+			wild_ca = 1;
+		else {
+			tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);
+			if ((r = sshkey_load_public(tmp, &ca, NULL)) != 0)
+				fatal("Cannot load CA public key %s: %s",
+				    tmp, ssh_err(r));
+			free(tmp);
+		}
 	}
 
 	if (updating)
@@ -2109,7 +2134,7 @@
 		ssh_krl_set_comment(krl, identity_comment);
 
 	for (i = 0; i < argc; i++)
-		update_krl_from_file(pw, argv[i], ca, krl);
+		update_krl_from_file(pw, argv[i], wild_ca, ca, krl);
 
 	if ((kbuf = sshbuf_new()) == NULL)
 		fatal("sshbuf_new failed");
@@ -2167,7 +2192,7 @@
 	    "       ssh-keygen -e [-m key_format] [-f input_keyfile]\n"
 	    "       ssh-keygen -y [-f input_keyfile]\n"
 	    "       ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n"
-	    "       ssh-keygen -l [-E fingerprint_hash] [-f input_keyfile]\n"
+	    "       ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]\n"
 	    "       ssh-keygen -B [-f input_keyfile]\n");
 #ifdef ENABLE_PKCS11
 	fprintf(stderr,
@@ -2199,7 +2224,7 @@
 {
 	char dotsshdir[PATH_MAX], comment[1024], *passphrase1, *passphrase2;
 	char *checkpoint = NULL;
-	char out_file[PATH_MAX], *rr_hostname = NULL, *ep;
+	char out_file[PATH_MAX], *rr_hostname = NULL, *ep, *fp, *ra;
 	struct sshkey *private, *public;
 	struct passwd *pw;
 	struct stat st;
@@ -2686,10 +2711,12 @@
 	fclose(f);
 
 	if (!quiet) {
-		char *fp = sshkey_fingerprint(public, fingerprint_hash,
+		fp = sshkey_fingerprint(public, fingerprint_hash,
 		    SSH_FP_DEFAULT);
-		char *ra = sshkey_fingerprint(public, fingerprint_hash,
+		ra = sshkey_fingerprint(public, fingerprint_hash,
 		    SSH_FP_RANDOMART);
+		if (fp == NULL || ra == NULL)
+			fatal("sshkey_fingerprint failed");
 		printf("Your public key has been saved in %s.\n",
 		    identity_file);
 		printf("The key fingerprint is:\n");