=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-keygen.c,v retrieving revision 1.279 retrieving revision 1.288 diff -u -r1.279 -r1.288 --- src/usr.bin/ssh/ssh-keygen.c 2015/11/16 22:53:07 1.279 +++ src/usr.bin/ssh/ssh-keygen.c 2016/02/15 09:47:49 1.288 @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.279 2015/11/16 22:53:07 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.288 2016/02/15 09:47:49 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -514,7 +514,7 @@ sshbuf_free(b); /* try the key */ - if (sshkey_sign(key, &sig, &slen, data, sizeof(data), 0) != 0 || + if (sshkey_sign(key, &sig, &slen, data, sizeof(data), NULL, 0) != 0 || sshkey_verify(key, sig, slen, data, sizeof(data), 0) != 0) { sshkey_free(key); free(sig); @@ -848,8 +848,15 @@ if (stat(identity_file, &st) < 0) fatal("%s: %s", path, strerror(errno)); - if ((r = sshkey_load_public(path, &public, &comment)) != 0) - fatal("Error loading public key \"%s\": %s", path, ssh_err(r)); + if ((r = sshkey_load_public(path, &public, &comment)) != 0) { + debug("load public \"%s\": %s", path, ssh_err(r)); + if ((r = sshkey_load_private(path, NULL, + &public, &comment)) != 0) { + debug("load private \"%s\": %s", path, ssh_err(r)); + fatal("%s is not a key file.", path); + } + } + fingerprint_one_key(public, comment); sshkey_free(public); free(comment); @@ -860,7 +867,7 @@ { FILE *f; struct sshkey *public = NULL; - char *comment = NULL, *cp, *ep, line[16*1024]; + char *comment = NULL, *cp, *ep, line[SSH_MAX_PUBKEY_BYTES]; int i, invalid = 1; const char *path; long int lnum = 0; @@ -894,7 +901,7 @@ * not reading from stdin (XXX support private keys on stdin). */ if (lnum == 1 && strcmp(identity_file, "-") != 0 && - strstr(cp, "SSH PRIVATE KEY") != NULL) { + strstr(cp, "PRIVATE KEY") != NULL) { fclose(f); fingerprint_private(path); exit(0); @@ -1209,8 +1216,11 @@ foreach_options |= print_fingerprint ? HKF_WANT_PARSE_KEY : 0; if ((r = hostkeys_foreach(identity_file, hash_hosts ? known_hosts_hash : known_hosts_find_delete, &ctx, - name, NULL, foreach_options)) != 0) + name, NULL, foreach_options)) != 0) { + if (inplace) + unlink(tmp); fatal("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r)); + } if (inplace) fclose(ctx.out); @@ -1407,9 +1417,11 @@ identity_file, ssh_err(r)); } } - /* XXX what about new-format keys? */ - if (private->type != KEY_RSA1) { - error("Comments are only supported for RSA1 keys."); + + if (private->type != KEY_RSA1 && private->type != KEY_ED25519 && + !use_new_format) { + error("Comments are only supported for RSA1 or keys stored in " + "the new format (-o)."); explicit_bzero(passphrase, strlen(passphrase)); sshkey_free(private); exit(1); @@ -1465,44 +1477,6 @@ exit(0); } -static const char * -fmt_validity(u_int64_t valid_from, u_int64_t valid_to) -{ - char from[32], to[32]; - static char ret[64]; - time_t tt; - struct tm *tm; - - *from = *to = '\0'; - if (valid_from == 0 && valid_to == 0xffffffffffffffffULL) - return "forever"; - - if (valid_from != 0) { - /* XXX revisit INT_MAX in 2038 :) */ - tt = valid_from > INT_MAX ? INT_MAX : valid_from; - tm = localtime(&tt); - strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm); - } - if (valid_to != 0xffffffffffffffffULL) { - /* XXX revisit INT_MAX in 2038 :) */ - tt = valid_to > INT_MAX ? INT_MAX : valid_to; - tm = localtime(&tt); - strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm); - } - - if (valid_from == 0) { - snprintf(ret, sizeof(ret), "before %s", to); - return ret; - } - if (valid_to == 0xffffffffffffffffULL) { - snprintf(ret, sizeof(ret), "after %s", from); - return ret; - } - - snprintf(ret, sizeof(ret), "from %s to %s", from, to); - return ret; -} - static void add_flag_option(struct sshbuf *c, const char *name) { @@ -1596,7 +1570,7 @@ int r, i, fd; u_int n; struct sshkey *ca, *public; - char *otmp, *tmp, *cp, *out, *comment, **plist = NULL; + char valid[64], *otmp, *tmp, *cp, *out, *comment, **plist = NULL; FILE *f; #ifdef ENABLE_PKCS11 @@ -1671,13 +1645,15 @@ fclose(f); if (!quiet) { + sshkey_format_cert_validity(public->cert, + valid, sizeof(valid)); logit("Signed %s key %s: id \"%s\" serial %llu%s%s " - "valid %s", sshkey_cert_type(public), + "valid %s", sshkey_cert_type(public), out, public->cert->key_id, (unsigned long long)public->cert->serial, cert_principals != NULL ? " for " : "", cert_principals != NULL ? cert_principals : "", - fmt_validity(cert_valid_from, cert_valid_to)); + valid); } sshkey_free(public); @@ -1711,7 +1687,7 @@ char buf[32], *fmt; /* - * POSIX strptime says "The application shall ensure that there + * POSIX strptime says "The application shall ensure that there * is white-space or other non-alphanumeric characters between * any two conversion specifications" so arrange things this way. */ @@ -1877,7 +1853,7 @@ static void print_cert(struct sshkey *key) { - char *key_fp, *ca_fp; + char valid[64], *key_fp, *ca_fp; u_int i; key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT); @@ -1885,6 +1861,7 @@ fingerprint_hash, SSH_FP_DEFAULT); if (key_fp == NULL || ca_fp == NULL) fatal("%s: sshkey_fingerprint fail", __func__); + sshkey_format_cert_validity(key->cert, valid, sizeof(valid)); printf(" Type: %s %s certificate\n", sshkey_ssh_name(key), sshkey_cert_type(key)); @@ -1893,8 +1870,7 @@ sshkey_type(key->cert->signature_key), ca_fp); printf(" Key ID: \"%s\"\n", key->cert->key_id); printf(" Serial: %llu\n", (unsigned long long)key->cert->serial); - printf(" Valid: %s\n", - fmt_validity(key->cert->valid_after, key->cert->valid_before)); + printf(" Valid: %s\n", valid); printf(" Principals: "); if (key->cert->nprincipals == 0) printf("(none)\n"); @@ -1927,7 +1903,7 @@ struct stat st; int r, is_stdin = 0, ok = 0; FILE *f; - char *cp, line[2048]; + char *cp, line[SSH_MAX_PUBKEY_BYTES]; const char *path; long int lnum = 0; @@ -2176,8 +2152,7 @@ close(fd); sshbuf_free(kbuf); ssh_krl_free(krl); - if (ca != NULL) - sshkey_free(ca); + sshkey_free(ca); } static void @@ -2273,6 +2248,7 @@ extern int optind; extern char *optarg; + ssh_malloc_init(); /* must be called before any mallocs */ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd();