=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-keygen.c,v retrieving revision 1.396 retrieving revision 1.407 diff -u -r1.396 -r1.407 --- src/usr.bin/ssh/ssh-keygen.c 2020/02/04 09:58:04 1.396 +++ src/usr.bin/ssh/ssh-keygen.c 2020/04/20 04:43:57 1.407 @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.396 2020/02/04 09:58:04 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.407 2020/04/20 04:43:57 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -315,8 +315,7 @@ else pass = read_passphrase("Enter passphrase: ", RP_ALLOW_STDIN); r = sshkey_load_private(filename, pass, &prv, commentp); - explicit_bzero(pass, strlen(pass)); - free(pass); + freezero(pass, strlen(pass)); if (r != 0) fatal("Load key \"%s\": %s", filename, ssh_err(r)); return prv; @@ -891,22 +890,25 @@ { struct stat st; char *comment = NULL; - struct sshkey *public = NULL; + struct sshkey *privkey = NULL, *pubkey = NULL; int r; if (stat(identity_file, &st) == -1) fatal("%s: %s", path, strerror(errno)); - if ((r = sshkey_load_public(path, &public, &comment)) != 0) { + if ((r = sshkey_load_public(path, &pubkey, &comment)) != 0) debug("load public \"%s\": %s", path, ssh_err(r)); + if (pubkey == NULL || comment == NULL || *comment == '\0') { + free(comment); if ((r = sshkey_load_private(path, NULL, - &public, &comment)) != 0) { + &privkey, &comment)) != 0) debug("load private \"%s\": %s", path, ssh_err(r)); - fatal("%s is not a key file.", path); - } } + if (pubkey == NULL && privkey == NULL) + fatal("%s is not a key file.", path); - fingerprint_one_key(public, comment); - sshkey_free(public); + fingerprint_one_key(pubkey == NULL ? privkey : pubkey, comment); + sshkey_free(pubkey); + sshkey_free(privkey); free(comment); } @@ -1402,8 +1404,7 @@ RP_ALLOW_STDIN); r = sshkey_load_private(identity_file, old_passphrase, &private, &comment); - explicit_bzero(old_passphrase, strlen(old_passphrase)); - free(old_passphrase); + freezero(old_passphrase, strlen(old_passphrase)); if (r != 0) goto badkey; } else if (r != 0) { @@ -1434,8 +1435,7 @@ exit(1); } /* Destroy the other copy. */ - explicit_bzero(passphrase2, strlen(passphrase2)); - free(passphrase2); + freezero(passphrase2, strlen(passphrase2)); } /* Save the file using the new passphrase. */ @@ -1443,15 +1443,13 @@ comment, private_key_format, openssh_format_cipher, rounds)) != 0) { error("Saving key \"%s\" failed: %s.", identity_file, ssh_err(r)); - explicit_bzero(passphrase1, strlen(passphrase1)); - free(passphrase1); + freezero(passphrase1, strlen(passphrase1)); sshkey_free(private); free(comment); exit(1); } /* Destroy the passphrase and the copy of the key in memory. */ - explicit_bzero(passphrase1, strlen(passphrase1)); - free(passphrase1); + freezero(passphrase1, strlen(passphrase1)); sshkey_free(private); /* Destroys contents */ free(comment); @@ -1521,8 +1519,7 @@ /* Try to load using the passphrase. */ if ((r = sshkey_load_private(identity_file, passphrase, &private, &comment)) != 0) { - explicit_bzero(passphrase, strlen(passphrase)); - free(passphrase); + freezero(passphrase, strlen(passphrase)); fatal("Cannot load private key \"%s\": %s.", identity_file, ssh_err(r)); } @@ -1567,14 +1564,12 @@ rounds)) != 0) { error("Saving key \"%s\" failed: %s", identity_file, ssh_err(r)); - explicit_bzero(passphrase, strlen(passphrase)); - free(passphrase); + freezero(passphrase, strlen(passphrase)); sshkey_free(private); free(comment); exit(1); } - explicit_bzero(passphrase, strlen(passphrase)); - free(passphrase); + freezero(passphrase, strlen(passphrase)); if ((r = sshkey_from_private(private, &public)) != 0) fatal("sshkey_from_private failed: %s", ssh_err(r)); sshkey_free(private); @@ -1656,7 +1651,7 @@ if ((which & OPTIONS_EXTENSIONS) != 0 && (certflags_flags & CERTOPT_USER_RC) != 0) add_flag_option(c, "permit-user-rc"); - if ((which & OPTIONS_CRITICAL) != 0 && + if ((which & OPTIONS_EXTENSIONS) != 0 && (certflags_flags & CERTOPT_NO_REQUIRE_USER_PRESENCE) != 0) add_flag_option(c, "no-touch-required"); if ((which & OPTIONS_CRITICAL) != 0 && @@ -2308,6 +2303,9 @@ cp = cp + strspn(cp, " \t"); hash_to_blob(cp, &blob, &blen, file, lnum); r = ssh_krl_revoke_key_sha256(krl, blob, blen); + if (r != 0) + fatal("%s: revoke key failed: %s", + __func__, ssh_err(r)); } else { if (strncasecmp(cp, "key:", 4) == 0) { cp += 4; @@ -2422,7 +2420,7 @@ } static void -do_check_krl(struct passwd *pw, int argc, char **argv) +do_check_krl(struct passwd *pw, int print_krl, int argc, char **argv) { int i, r, ret = 0; char *comment; @@ -2432,6 +2430,8 @@ if (*identity_file == '\0') fatal("KRL checking requires an input file"); load_krl(identity_file, &krl); + if (print_krl) + krl_dump(krl, stdout); for (i = 0; i < argc; i++) { if ((r = sshkey_load_public(argv[i], &k, &comment)) != 0) fatal("Cannot load public key %s: %s", @@ -2459,7 +2459,7 @@ int r; /* - * If passed a public key filename, then try to locate the correponding + * If passed a public key filename, then try to locate the corresponding * private key. This lets us specify certificates on the command-line * and have ssh-keygen find the appropriate private key. */ @@ -2943,18 +2943,25 @@ struct sshkey **keys; size_t nkeys, i; int r, ok = -1; - char *fp, *pin, *pass = NULL, *path, *pubpath; + char *fp, *pin = NULL, *pass = NULL, *path, *pubpath; const char *ext; if (skprovider == NULL) fatal("Cannot download keys without provider"); - pin = read_passphrase("Enter PIN for security key: ", RP_ALLOW_STDIN); - if ((r = sshsk_load_resident(skprovider, device, pin, - &keys, &nkeys)) != 0) { - freezero(pin, strlen(pin)); - error("Unable to load resident keys: %s", ssh_err(r)); - return -1; + for (i = 0; i < 2; i++) { + if (i == 1) { + pin = read_passphrase("Enter PIN for authenticator: ", + RP_ALLOW_STDIN); + } + if ((r = sshsk_load_resident(skprovider, device, pin, + &keys, &nkeys)) != 0) { + if (i == 0 && r == SSH_ERR_KEY_WRONG_PASSPHRASE) + continue; + freezero(pin, strlen(pin)); + error("Unable to load resident keys: %s", ssh_err(r)); + return -1; + } } if (nkeys == 0) logit("No keys to download"); @@ -3008,9 +3015,9 @@ free(path); if ((r = sshkey_save_public(keys[i], pubpath, keys[i]->sk_application)) != 0) { - free(pubpath); error("Saving public key \"%s\" failed: %s", pubpath, ssh_err(r)); + free(pubpath); break; } free(pubpath); @@ -3062,7 +3069,7 @@ " ssh-keygen -A [-f prefix_path]\n" " ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n" " file ...\n" - " ssh-keygen -Q -f krl_file file ...\n" + " ssh-keygen -Q [-l] -f krl_file [file ...]\n" " ssh-keygen -Y find-principals -s signature_file -f allowed_signers_file\n" " ssh-keygen -Y check-novalidate -n namespace -s signature_file\n" " ssh-keygen -Y sign -f key_file -n namespace file ...\n" @@ -3414,7 +3421,7 @@ return (0); } if (check_krl) { - do_check_krl(pw, argc, argv); + do_check_krl(pw, print_fingerprint, argc, argv); return (0); } if (ca_key_path != NULL) { @@ -3557,13 +3564,13 @@ } } if (!quiet) { - printf("You may need to touch your security key " + printf("You may need to touch your authenticator " "to authorize key generation.\n"); } passphrase = NULL; if ((attest = sshbuf_new()) == NULL) fatal("sshbuf_new failed"); - for (i = 0 ; i < 3; i++) { + for (i = 0 ; ; i++) { fflush(stdout); r = sshsk_enroll(type, sk_provider, sk_device, sk_application == NULL ? "ssh:" : sk_application, @@ -3573,15 +3580,21 @@ break; if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) fatal("Key enrollment failed: %s", ssh_err(r)); - if (passphrase != NULL) + else if (i > 0) + error("PIN incorrect"); + if (passphrase != NULL) { freezero(passphrase, strlen(passphrase)); - passphrase = read_passphrase("Enter PIN for security " - "key: ", RP_ALLOW_STDIN); + passphrase = NULL; + } + if (i >= 3) + fatal("Too many incorrect PINs"); + passphrase = read_passphrase("Enter PIN for " + "authenticator: ", RP_ALLOW_STDIN); } - if (passphrase != NULL) + if (passphrase != NULL) { freezero(passphrase, strlen(passphrase)); - if (i > 3) - fatal("Too many incorrect PINs"); + passphrase = NULL; + } break; default: if ((r = sshkey_generate(type, bits, &private)) != 0)