Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1 | /* $OpenBSD: ssh-keygen.c,v 1.266 2015/02/26 20:45:47 djm Exp $ */ |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 5 | * All rights reserved |
| 6 | * Identity and host key generation and maintenance. |
| 7 | * |
| 8 | * As far as I am concerned, the code I have written for this software |
| 9 | * can be used freely for any purpose. Any derived versions of this |
| 10 | * software must be clearly marked as such, and if the derived work is |
| 11 | * incompatible with the protocol description in the RFC file, it must be |
| 12 | * called by a name other than "ssh" or "Secure Shell". |
| 13 | */ |
| 14 | |
| 15 | #include "includes.h" |
| 16 | |
| 17 | #include <sys/types.h> |
| 18 | #include <sys/socket.h> |
| 19 | #include <sys/stat.h> |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 20 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 21 | #ifdef WITH_OPENSSL |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 22 | #include <openssl/evp.h> |
| 23 | #include <openssl/pem.h> |
| 24 | #include "openbsd-compat/openssl-compat.h" |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 25 | #endif |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 26 | |
| 27 | #include <errno.h> |
| 28 | #include <fcntl.h> |
| 29 | #include <netdb.h> |
| 30 | #ifdef HAVE_PATHS_H |
| 31 | # include <paths.h> |
| 32 | #endif |
| 33 | #include <pwd.h> |
| 34 | #include <stdarg.h> |
| 35 | #include <stdio.h> |
| 36 | #include <stdlib.h> |
| 37 | #include <string.h> |
| 38 | #include <unistd.h> |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 39 | #include <limits.h> |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 40 | |
| 41 | #include "xmalloc.h" |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 42 | #include "sshkey.h" |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 43 | #include "rsa.h" |
| 44 | #include "authfile.h" |
| 45 | #include "uuencode.h" |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 46 | #include "sshbuf.h" |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 47 | #include "pathnames.h" |
| 48 | #include "log.h" |
| 49 | #include "misc.h" |
| 50 | #include "match.h" |
| 51 | #include "hostfile.h" |
| 52 | #include "dns.h" |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 53 | #include "ssh.h" |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 54 | #include "ssh2.h" |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 55 | #include "ssherr.h" |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 56 | #include "ssh-pkcs11.h" |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 57 | #include "atomicio.h" |
| 58 | #include "krl.h" |
| 59 | #include "digest.h" |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 60 | |
| 61 | /* Number of bits in the RSA/DSA key. This value can be set on the command line. */ |
| 62 | #define DEFAULT_BITS 2048 |
| 63 | #define DEFAULT_BITS_DSA 1024 |
| 64 | #define DEFAULT_BITS_ECDSA 256 |
| 65 | u_int32_t bits = 0; |
| 66 | |
| 67 | /* |
| 68 | * Flag indicating that we just want to change the passphrase. This can be |
| 69 | * set on the command line. |
| 70 | */ |
| 71 | int change_passphrase = 0; |
| 72 | |
| 73 | /* |
| 74 | * Flag indicating that we just want to change the comment. This can be set |
| 75 | * on the command line. |
| 76 | */ |
| 77 | int change_comment = 0; |
| 78 | |
| 79 | int quiet = 0; |
| 80 | |
| 81 | int log_level = SYSLOG_LEVEL_INFO; |
| 82 | |
| 83 | /* Flag indicating that we want to hash a known_hosts file */ |
| 84 | int hash_hosts = 0; |
| 85 | /* Flag indicating that we want lookup a host in known_hosts file */ |
| 86 | int find_host = 0; |
| 87 | /* Flag indicating that we want to delete a host from a known_hosts file */ |
| 88 | int delete_host = 0; |
| 89 | |
| 90 | /* Flag indicating that we want to show the contents of a certificate */ |
| 91 | int show_cert = 0; |
| 92 | |
| 93 | /* Flag indicating that we just want to see the key fingerprint */ |
| 94 | int print_fingerprint = 0; |
| 95 | int print_bubblebabble = 0; |
| 96 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 97 | /* Hash algorithm to use for fingerprints. */ |
| 98 | int fingerprint_hash = SSH_FP_HASH_DEFAULT; |
| 99 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 100 | /* The identity file name, given on the command line or entered by the user. */ |
| 101 | char identity_file[1024]; |
| 102 | int have_identity = 0; |
| 103 | |
| 104 | /* This is set to the passphrase if given on the command line. */ |
| 105 | char *identity_passphrase = NULL; |
| 106 | |
| 107 | /* This is set to the new passphrase if given on the command line. */ |
| 108 | char *identity_new_passphrase = NULL; |
| 109 | |
| 110 | /* This is set to the new comment if given on the command line. */ |
| 111 | char *identity_comment = NULL; |
| 112 | |
| 113 | /* Path to CA key when certifying keys. */ |
| 114 | char *ca_key_path = NULL; |
| 115 | |
| 116 | /* Certificate serial number */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 117 | unsigned long long cert_serial = 0; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 118 | |
| 119 | /* Key type when certifying */ |
| 120 | u_int cert_key_type = SSH2_CERT_TYPE_USER; |
| 121 | |
| 122 | /* "key ID" of signed key */ |
| 123 | char *cert_key_id = NULL; |
| 124 | |
| 125 | /* Comma-separated list of principal names for certifying keys */ |
| 126 | char *cert_principals = NULL; |
| 127 | |
| 128 | /* Validity period for certificates */ |
| 129 | u_int64_t cert_valid_from = 0; |
| 130 | u_int64_t cert_valid_to = ~0ULL; |
| 131 | |
| 132 | /* Certificate options */ |
| 133 | #define CERTOPT_X_FWD (1) |
| 134 | #define CERTOPT_AGENT_FWD (1<<1) |
| 135 | #define CERTOPT_PORT_FWD (1<<2) |
| 136 | #define CERTOPT_PTY (1<<3) |
| 137 | #define CERTOPT_USER_RC (1<<4) |
| 138 | #define CERTOPT_DEFAULT (CERTOPT_X_FWD|CERTOPT_AGENT_FWD| \ |
| 139 | CERTOPT_PORT_FWD|CERTOPT_PTY|CERTOPT_USER_RC) |
| 140 | u_int32_t certflags_flags = CERTOPT_DEFAULT; |
| 141 | char *certflags_command = NULL; |
| 142 | char *certflags_src_addr = NULL; |
| 143 | |
| 144 | /* Conversion to/from various formats */ |
| 145 | int convert_to = 0; |
| 146 | int convert_from = 0; |
| 147 | enum { |
| 148 | FMT_RFC4716, |
| 149 | FMT_PKCS8, |
| 150 | FMT_PEM |
| 151 | } convert_format = FMT_RFC4716; |
| 152 | int print_public = 0; |
| 153 | int print_generic = 0; |
| 154 | |
| 155 | char *key_type_name = NULL; |
| 156 | |
| 157 | /* Load key from this PKCS#11 provider */ |
| 158 | char *pkcs11provider = NULL; |
| 159 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 160 | /* Use new OpenSSH private key format when writing SSH2 keys instead of PEM */ |
| 161 | int use_new_format = 0; |
| 162 | |
| 163 | /* Cipher for new-format private keys */ |
| 164 | char *new_format_cipher = NULL; |
| 165 | |
| 166 | /* |
| 167 | * Number of KDF rounds to derive new format keys / |
| 168 | * number of primality trials when screening moduli. |
| 169 | */ |
| 170 | int rounds = 0; |
| 171 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 172 | /* argv0 */ |
| 173 | extern char *__progname; |
| 174 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 175 | char hostname[NI_MAXHOST]; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 176 | |
| 177 | /* moduli.c */ |
| 178 | int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 179 | int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *, unsigned long, |
| 180 | unsigned long); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 181 | |
| 182 | static void |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 183 | type_bits_valid(int type, const char *name, u_int32_t *bitsp) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 184 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 185 | #ifdef WITH_OPENSSL |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 186 | u_int maxbits; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 187 | int nid; |
| 188 | #endif |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 189 | |
| 190 | if (type == KEY_UNSPEC) { |
| 191 | fprintf(stderr, "unknown key type %s\n", key_type_name); |
| 192 | exit(1); |
| 193 | } |
| 194 | if (*bitsp == 0) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 195 | #ifdef WITH_OPENSSL |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 196 | if (type == KEY_DSA) |
| 197 | *bitsp = DEFAULT_BITS_DSA; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 198 | else if (type == KEY_ECDSA) { |
| 199 | if (name != NULL && |
| 200 | (nid = sshkey_ecdsa_nid_from_name(name)) > 0) |
| 201 | *bitsp = sshkey_curve_nid_to_bits(nid); |
| 202 | if (*bitsp == 0) |
| 203 | *bitsp = DEFAULT_BITS_ECDSA; |
| 204 | } else |
| 205 | #endif |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 206 | *bitsp = DEFAULT_BITS; |
| 207 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 208 | #ifdef WITH_OPENSSL |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 209 | maxbits = (type == KEY_DSA) ? |
| 210 | OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; |
| 211 | if (*bitsp > maxbits) { |
| 212 | fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); |
| 213 | exit(1); |
| 214 | } |
| 215 | if (type == KEY_DSA && *bitsp != 1024) |
| 216 | fatal("DSA keys must be 1024 bits"); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 217 | else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 218 | fatal("Key must at least be 768 bits"); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 219 | else if (type == KEY_ECDSA && sshkey_ecdsa_bits_to_nid(*bitsp) == -1) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 220 | fatal("Invalid ECDSA key length - valid lengths are " |
| 221 | "256, 384 or 521 bits"); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 222 | #endif |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 223 | } |
| 224 | |
| 225 | static void |
| 226 | ask_filename(struct passwd *pw, const char *prompt) |
| 227 | { |
| 228 | char buf[1024]; |
| 229 | char *name = NULL; |
| 230 | |
| 231 | if (key_type_name == NULL) |
| 232 | name = _PATH_SSH_CLIENT_ID_RSA; |
| 233 | else { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 234 | switch (sshkey_type_from_name(key_type_name)) { |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 235 | case KEY_RSA1: |
| 236 | name = _PATH_SSH_CLIENT_IDENTITY; |
| 237 | break; |
| 238 | case KEY_DSA_CERT: |
| 239 | case KEY_DSA_CERT_V00: |
| 240 | case KEY_DSA: |
| 241 | name = _PATH_SSH_CLIENT_ID_DSA; |
| 242 | break; |
| 243 | #ifdef OPENSSL_HAS_ECC |
| 244 | case KEY_ECDSA_CERT: |
| 245 | case KEY_ECDSA: |
| 246 | name = _PATH_SSH_CLIENT_ID_ECDSA; |
| 247 | break; |
| 248 | #endif |
| 249 | case KEY_RSA_CERT: |
| 250 | case KEY_RSA_CERT_V00: |
| 251 | case KEY_RSA: |
| 252 | name = _PATH_SSH_CLIENT_ID_RSA; |
| 253 | break; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 254 | case KEY_ED25519: |
| 255 | case KEY_ED25519_CERT: |
| 256 | name = _PATH_SSH_CLIENT_ID_ED25519; |
| 257 | break; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 258 | default: |
| 259 | fprintf(stderr, "bad key type\n"); |
| 260 | exit(1); |
| 261 | break; |
| 262 | } |
| 263 | } |
| 264 | snprintf(identity_file, sizeof(identity_file), "%s/%s", pw->pw_dir, name); |
| 265 | fprintf(stderr, "%s (%s): ", prompt, identity_file); |
| 266 | if (fgets(buf, sizeof(buf), stdin) == NULL) |
| 267 | exit(1); |
| 268 | buf[strcspn(buf, "\n")] = '\0'; |
| 269 | if (strcmp(buf, "") != 0) |
| 270 | strlcpy(identity_file, buf, sizeof(identity_file)); |
| 271 | have_identity = 1; |
| 272 | } |
| 273 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 274 | static struct sshkey * |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 275 | load_identity(char *filename) |
| 276 | { |
| 277 | char *pass; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 278 | struct sshkey *prv; |
| 279 | int r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 280 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 281 | if ((r = sshkey_load_private(filename, "", &prv, NULL)) == 0) |
| 282 | return prv; |
| 283 | if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) |
| 284 | fatal("Load key \"%s\": %s", filename, ssh_err(r)); |
| 285 | if (identity_passphrase) |
| 286 | pass = xstrdup(identity_passphrase); |
| 287 | else |
| 288 | pass = read_passphrase("Enter passphrase: ", RP_ALLOW_STDIN); |
| 289 | r = sshkey_load_private(filename, pass, &prv, NULL); |
| 290 | explicit_bzero(pass, strlen(pass)); |
| 291 | free(pass); |
| 292 | if (r != 0) |
| 293 | fatal("Load key \"%s\": %s", filename, ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 294 | return prv; |
| 295 | } |
| 296 | |
| 297 | #define SSH_COM_PUBLIC_BEGIN "---- BEGIN SSH2 PUBLIC KEY ----" |
| 298 | #define SSH_COM_PUBLIC_END "---- END SSH2 PUBLIC KEY ----" |
| 299 | #define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----" |
| 300 | #define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb |
| 301 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 302 | #ifdef WITH_OPENSSL |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 303 | static void |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 304 | do_convert_to_ssh2(struct passwd *pw, struct sshkey *k) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 305 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 306 | size_t len; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 307 | u_char *blob; |
| 308 | char comment[61]; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 309 | int r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 310 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 311 | if (k->type == KEY_RSA1) { |
| 312 | fprintf(stderr, "version 1 keys are not supported\n"); |
| 313 | exit(1); |
| 314 | } |
| 315 | if ((r = sshkey_to_blob(k, &blob, &len)) != 0) { |
| 316 | fprintf(stderr, "key_to_blob failed: %s\n", ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 317 | exit(1); |
| 318 | } |
| 319 | /* Comment + surrounds must fit into 72 chars (RFC 4716 sec 3.3) */ |
| 320 | snprintf(comment, sizeof(comment), |
| 321 | "%u-bit %s, converted by %s@%s from OpenSSH", |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 322 | sshkey_size(k), sshkey_type(k), |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 323 | pw->pw_name, hostname); |
| 324 | |
| 325 | fprintf(stdout, "%s\n", SSH_COM_PUBLIC_BEGIN); |
| 326 | fprintf(stdout, "Comment: \"%s\"\n", comment); |
| 327 | dump_base64(stdout, blob, len); |
| 328 | fprintf(stdout, "%s\n", SSH_COM_PUBLIC_END); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 329 | sshkey_free(k); |
| 330 | free(blob); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 331 | exit(0); |
| 332 | } |
| 333 | |
| 334 | static void |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 335 | do_convert_to_pkcs8(struct sshkey *k) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 336 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 337 | switch (sshkey_type_plain(k->type)) { |
| 338 | case KEY_RSA1: |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 339 | case KEY_RSA: |
| 340 | if (!PEM_write_RSA_PUBKEY(stdout, k->rsa)) |
| 341 | fatal("PEM_write_RSA_PUBKEY failed"); |
| 342 | break; |
| 343 | case KEY_DSA: |
| 344 | if (!PEM_write_DSA_PUBKEY(stdout, k->dsa)) |
| 345 | fatal("PEM_write_DSA_PUBKEY failed"); |
| 346 | break; |
| 347 | #ifdef OPENSSL_HAS_ECC |
| 348 | case KEY_ECDSA: |
| 349 | if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa)) |
| 350 | fatal("PEM_write_EC_PUBKEY failed"); |
| 351 | break; |
| 352 | #endif |
| 353 | default: |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 354 | fatal("%s: unsupported key type %s", __func__, sshkey_type(k)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 355 | } |
| 356 | exit(0); |
| 357 | } |
| 358 | |
| 359 | static void |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 360 | do_convert_to_pem(struct sshkey *k) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 361 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 362 | switch (sshkey_type_plain(k->type)) { |
| 363 | case KEY_RSA1: |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 364 | case KEY_RSA: |
| 365 | if (!PEM_write_RSAPublicKey(stdout, k->rsa)) |
| 366 | fatal("PEM_write_RSAPublicKey failed"); |
| 367 | break; |
| 368 | #if notyet /* OpenSSH 0.9.8 lacks this function */ |
| 369 | case KEY_DSA: |
| 370 | if (!PEM_write_DSAPublicKey(stdout, k->dsa)) |
| 371 | fatal("PEM_write_DSAPublicKey failed"); |
| 372 | break; |
| 373 | #endif |
| 374 | /* XXX ECDSA? */ |
| 375 | default: |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 376 | fatal("%s: unsupported key type %s", __func__, sshkey_type(k)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 377 | } |
| 378 | exit(0); |
| 379 | } |
| 380 | |
| 381 | static void |
| 382 | do_convert_to(struct passwd *pw) |
| 383 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 384 | struct sshkey *k; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 385 | struct stat st; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 386 | int r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 387 | |
| 388 | if (!have_identity) |
| 389 | ask_filename(pw, "Enter file in which the key is"); |
| 390 | if (stat(identity_file, &st) < 0) |
| 391 | fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 392 | if ((r = sshkey_load_public(identity_file, &k, NULL)) != 0) |
| 393 | k = load_identity(identity_file); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 394 | switch (convert_format) { |
| 395 | case FMT_RFC4716: |
| 396 | do_convert_to_ssh2(pw, k); |
| 397 | break; |
| 398 | case FMT_PKCS8: |
| 399 | do_convert_to_pkcs8(k); |
| 400 | break; |
| 401 | case FMT_PEM: |
| 402 | do_convert_to_pem(k); |
| 403 | break; |
| 404 | default: |
| 405 | fatal("%s: unknown key format %d", __func__, convert_format); |
| 406 | } |
| 407 | exit(0); |
| 408 | } |
| 409 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 410 | /* |
| 411 | * This is almost exactly the bignum1 encoding, but with 32 bit for length |
| 412 | * instead of 16. |
| 413 | */ |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 414 | static void |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 415 | buffer_get_bignum_bits(struct sshbuf *b, BIGNUM *value) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 416 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 417 | u_int bytes, bignum_bits; |
| 418 | int r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 419 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 420 | if ((r = sshbuf_get_u32(b, &bignum_bits)) != 0) |
| 421 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
| 422 | bytes = (bignum_bits + 7) / 8; |
| 423 | if (sshbuf_len(b) < bytes) |
| 424 | fatal("%s: input buffer too small: need %d have %zu", |
| 425 | __func__, bytes, sshbuf_len(b)); |
| 426 | if (BN_bin2bn(sshbuf_ptr(b), bytes, value) == NULL) |
| 427 | fatal("%s: BN_bin2bn failed", __func__); |
| 428 | if ((r = sshbuf_consume(b, bytes)) != 0) |
| 429 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 430 | } |
| 431 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 432 | static struct sshkey * |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 433 | do_convert_private_ssh2_from_blob(u_char *blob, u_int blen) |
| 434 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 435 | struct sshbuf *b; |
| 436 | struct sshkey *key = NULL; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 437 | char *type, *cipher; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 438 | u_char e1, e2, e3, *sig = NULL, data[] = "abcde12345"; |
| 439 | int r, rlen, ktype; |
| 440 | u_int magic, i1, i2, i3, i4; |
| 441 | size_t slen; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 442 | u_long e; |
| 443 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 444 | if ((b = sshbuf_from(blob, blen)) == NULL) |
| 445 | fatal("%s: sshbuf_from failed", __func__); |
| 446 | if ((r = sshbuf_get_u32(b, &magic)) != 0) |
| 447 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 448 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 449 | if (magic != SSH_COM_PRIVATE_KEY_MAGIC) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 450 | error("bad magic 0x%x != 0x%x", magic, |
| 451 | SSH_COM_PRIVATE_KEY_MAGIC); |
| 452 | sshbuf_free(b); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 453 | return NULL; |
| 454 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 455 | if ((r = sshbuf_get_u32(b, &i1)) != 0 || |
| 456 | (r = sshbuf_get_cstring(b, &type, NULL)) != 0 || |
| 457 | (r = sshbuf_get_cstring(b, &cipher, NULL)) != 0 || |
| 458 | (r = sshbuf_get_u32(b, &i2)) != 0 || |
| 459 | (r = sshbuf_get_u32(b, &i3)) != 0 || |
| 460 | (r = sshbuf_get_u32(b, &i4)) != 0) |
| 461 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 462 | debug("ignore (%d %d %d %d)", i1, i2, i3, i4); |
| 463 | if (strcmp(cipher, "none") != 0) { |
| 464 | error("unsupported cipher %s", cipher); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 465 | free(cipher); |
| 466 | sshbuf_free(b); |
| 467 | free(type); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 468 | return NULL; |
| 469 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 470 | free(cipher); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 471 | |
| 472 | if (strstr(type, "dsa")) { |
| 473 | ktype = KEY_DSA; |
| 474 | } else if (strstr(type, "rsa")) { |
| 475 | ktype = KEY_RSA; |
| 476 | } else { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 477 | sshbuf_free(b); |
| 478 | free(type); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 479 | return NULL; |
| 480 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 481 | if ((key = sshkey_new_private(ktype)) == NULL) |
| 482 | fatal("key_new_private failed"); |
| 483 | free(type); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 484 | |
| 485 | switch (key->type) { |
| 486 | case KEY_DSA: |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 487 | buffer_get_bignum_bits(b, key->dsa->p); |
| 488 | buffer_get_bignum_bits(b, key->dsa->g); |
| 489 | buffer_get_bignum_bits(b, key->dsa->q); |
| 490 | buffer_get_bignum_bits(b, key->dsa->pub_key); |
| 491 | buffer_get_bignum_bits(b, key->dsa->priv_key); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 492 | break; |
| 493 | case KEY_RSA: |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 494 | if ((r = sshbuf_get_u8(b, &e1)) != 0 || |
| 495 | (e1 < 30 && (r = sshbuf_get_u8(b, &e2)) != 0) || |
| 496 | (e1 < 30 && (r = sshbuf_get_u8(b, &e3)) != 0)) |
| 497 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
| 498 | e = e1; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 499 | debug("e %lx", e); |
| 500 | if (e < 30) { |
| 501 | e <<= 8; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 502 | e += e2; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 503 | debug("e %lx", e); |
| 504 | e <<= 8; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 505 | e += e3; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 506 | debug("e %lx", e); |
| 507 | } |
| 508 | if (!BN_set_word(key->rsa->e, e)) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 509 | sshbuf_free(b); |
| 510 | sshkey_free(key); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 511 | return NULL; |
| 512 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 513 | buffer_get_bignum_bits(b, key->rsa->d); |
| 514 | buffer_get_bignum_bits(b, key->rsa->n); |
| 515 | buffer_get_bignum_bits(b, key->rsa->iqmp); |
| 516 | buffer_get_bignum_bits(b, key->rsa->q); |
| 517 | buffer_get_bignum_bits(b, key->rsa->p); |
| 518 | if ((r = rsa_generate_additional_parameters(key->rsa)) != 0) |
| 519 | fatal("generate RSA parameters failed: %s", ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 520 | break; |
| 521 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 522 | rlen = sshbuf_len(b); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 523 | if (rlen != 0) |
| 524 | error("do_convert_private_ssh2_from_blob: " |
| 525 | "remaining bytes in key blob %d", rlen); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 526 | sshbuf_free(b); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 527 | |
| 528 | /* try the key */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 529 | if (sshkey_sign(key, &sig, &slen, data, sizeof(data), 0) != 0 || |
| 530 | sshkey_verify(key, sig, slen, data, sizeof(data), 0) != 0) { |
| 531 | sshkey_free(key); |
| 532 | free(sig); |
| 533 | return NULL; |
| 534 | } |
| 535 | free(sig); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 536 | return key; |
| 537 | } |
| 538 | |
| 539 | static int |
| 540 | get_line(FILE *fp, char *line, size_t len) |
| 541 | { |
| 542 | int c; |
| 543 | size_t pos = 0; |
| 544 | |
| 545 | line[0] = '\0'; |
| 546 | while ((c = fgetc(fp)) != EOF) { |
| 547 | if (pos >= len - 1) { |
| 548 | fprintf(stderr, "input line too long.\n"); |
| 549 | exit(1); |
| 550 | } |
| 551 | switch (c) { |
| 552 | case '\r': |
| 553 | c = fgetc(fp); |
| 554 | if (c != EOF && c != '\n' && ungetc(c, fp) == EOF) { |
| 555 | fprintf(stderr, "unget: %s\n", strerror(errno)); |
| 556 | exit(1); |
| 557 | } |
| 558 | return pos; |
| 559 | case '\n': |
| 560 | return pos; |
| 561 | } |
| 562 | line[pos++] = c; |
| 563 | line[pos] = '\0'; |
| 564 | } |
| 565 | /* We reached EOF */ |
| 566 | return -1; |
| 567 | } |
| 568 | |
| 569 | static void |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 570 | do_convert_from_ssh2(struct passwd *pw, struct sshkey **k, int *private) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 571 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 572 | int r, blen, escaped = 0; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 573 | u_int len; |
| 574 | char line[1024]; |
| 575 | u_char blob[8096]; |
| 576 | char encoded[8096]; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 577 | FILE *fp; |
| 578 | |
| 579 | if ((fp = fopen(identity_file, "r")) == NULL) |
| 580 | fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); |
| 581 | encoded[0] = '\0'; |
| 582 | while ((blen = get_line(fp, line, sizeof(line))) != -1) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 583 | if (blen > 0 && line[blen - 1] == '\\') |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 584 | escaped++; |
| 585 | if (strncmp(line, "----", 4) == 0 || |
| 586 | strstr(line, ": ") != NULL) { |
| 587 | if (strstr(line, SSH_COM_PRIVATE_BEGIN) != NULL) |
| 588 | *private = 1; |
| 589 | if (strstr(line, " END ") != NULL) { |
| 590 | break; |
| 591 | } |
| 592 | /* fprintf(stderr, "ignore: %s", line); */ |
| 593 | continue; |
| 594 | } |
| 595 | if (escaped) { |
| 596 | escaped--; |
| 597 | /* fprintf(stderr, "escaped: %s", line); */ |
| 598 | continue; |
| 599 | } |
| 600 | strlcat(encoded, line, sizeof(encoded)); |
| 601 | } |
| 602 | len = strlen(encoded); |
| 603 | if (((len % 4) == 3) && |
| 604 | (encoded[len-1] == '=') && |
| 605 | (encoded[len-2] == '=') && |
| 606 | (encoded[len-3] == '=')) |
| 607 | encoded[len-3] = '\0'; |
| 608 | blen = uudecode(encoded, blob, sizeof(blob)); |
| 609 | if (blen < 0) { |
| 610 | fprintf(stderr, "uudecode failed.\n"); |
| 611 | exit(1); |
| 612 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 613 | if (*private) |
| 614 | *k = do_convert_private_ssh2_from_blob(blob, blen); |
| 615 | else if ((r = sshkey_from_blob(blob, blen, k)) != 0) { |
| 616 | fprintf(stderr, "decode blob failed: %s\n", ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 617 | exit(1); |
| 618 | } |
| 619 | fclose(fp); |
| 620 | } |
| 621 | |
| 622 | static void |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 623 | do_convert_from_pkcs8(struct sshkey **k, int *private) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 624 | { |
| 625 | EVP_PKEY *pubkey; |
| 626 | FILE *fp; |
| 627 | |
| 628 | if ((fp = fopen(identity_file, "r")) == NULL) |
| 629 | fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); |
| 630 | if ((pubkey = PEM_read_PUBKEY(fp, NULL, NULL, NULL)) == NULL) { |
| 631 | fatal("%s: %s is not a recognised public key format", __func__, |
| 632 | identity_file); |
| 633 | } |
| 634 | fclose(fp); |
| 635 | switch (EVP_PKEY_type(pubkey->type)) { |
| 636 | case EVP_PKEY_RSA: |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 637 | if ((*k = sshkey_new(KEY_UNSPEC)) == NULL) |
| 638 | fatal("sshkey_new failed"); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 639 | (*k)->type = KEY_RSA; |
| 640 | (*k)->rsa = EVP_PKEY_get1_RSA(pubkey); |
| 641 | break; |
| 642 | case EVP_PKEY_DSA: |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 643 | if ((*k = sshkey_new(KEY_UNSPEC)) == NULL) |
| 644 | fatal("sshkey_new failed"); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 645 | (*k)->type = KEY_DSA; |
| 646 | (*k)->dsa = EVP_PKEY_get1_DSA(pubkey); |
| 647 | break; |
| 648 | #ifdef OPENSSL_HAS_ECC |
| 649 | case EVP_PKEY_EC: |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 650 | if ((*k = sshkey_new(KEY_UNSPEC)) == NULL) |
| 651 | fatal("sshkey_new failed"); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 652 | (*k)->type = KEY_ECDSA; |
| 653 | (*k)->ecdsa = EVP_PKEY_get1_EC_KEY(pubkey); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 654 | (*k)->ecdsa_nid = sshkey_ecdsa_key_to_nid((*k)->ecdsa); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 655 | break; |
| 656 | #endif |
| 657 | default: |
| 658 | fatal("%s: unsupported pubkey type %d", __func__, |
| 659 | EVP_PKEY_type(pubkey->type)); |
| 660 | } |
| 661 | EVP_PKEY_free(pubkey); |
| 662 | return; |
| 663 | } |
| 664 | |
| 665 | static void |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 666 | do_convert_from_pem(struct sshkey **k, int *private) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 667 | { |
| 668 | FILE *fp; |
| 669 | RSA *rsa; |
| 670 | #ifdef notyet |
| 671 | DSA *dsa; |
| 672 | #endif |
| 673 | |
| 674 | if ((fp = fopen(identity_file, "r")) == NULL) |
| 675 | fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); |
| 676 | if ((rsa = PEM_read_RSAPublicKey(fp, NULL, NULL, NULL)) != NULL) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 677 | if ((*k = sshkey_new(KEY_UNSPEC)) == NULL) |
| 678 | fatal("sshkey_new failed"); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 679 | (*k)->type = KEY_RSA; |
| 680 | (*k)->rsa = rsa; |
| 681 | fclose(fp); |
| 682 | return; |
| 683 | } |
| 684 | #if notyet /* OpenSSH 0.9.8 lacks this function */ |
| 685 | rewind(fp); |
| 686 | if ((dsa = PEM_read_DSAPublicKey(fp, NULL, NULL, NULL)) != NULL) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 687 | if ((*k = sshkey_new(KEY_UNSPEC)) == NULL) |
| 688 | fatal("sshkey_new failed"); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 689 | (*k)->type = KEY_DSA; |
| 690 | (*k)->dsa = dsa; |
| 691 | fclose(fp); |
| 692 | return; |
| 693 | } |
| 694 | /* XXX ECDSA */ |
| 695 | #endif |
| 696 | fatal("%s: unrecognised raw private key format", __func__); |
| 697 | } |
| 698 | |
| 699 | static void |
| 700 | do_convert_from(struct passwd *pw) |
| 701 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 702 | struct sshkey *k = NULL; |
| 703 | int r, private = 0, ok = 0; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 704 | struct stat st; |
| 705 | |
| 706 | if (!have_identity) |
| 707 | ask_filename(pw, "Enter file in which the key is"); |
| 708 | if (stat(identity_file, &st) < 0) |
| 709 | fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); |
| 710 | |
| 711 | switch (convert_format) { |
| 712 | case FMT_RFC4716: |
| 713 | do_convert_from_ssh2(pw, &k, &private); |
| 714 | break; |
| 715 | case FMT_PKCS8: |
| 716 | do_convert_from_pkcs8(&k, &private); |
| 717 | break; |
| 718 | case FMT_PEM: |
| 719 | do_convert_from_pem(&k, &private); |
| 720 | break; |
| 721 | default: |
| 722 | fatal("%s: unknown key format %d", __func__, convert_format); |
| 723 | } |
| 724 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 725 | if (!private) { |
| 726 | if ((r = sshkey_write(k, stdout)) == 0) |
| 727 | ok = 1; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 728 | if (ok) |
| 729 | fprintf(stdout, "\n"); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 730 | } else { |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 731 | switch (k->type) { |
| 732 | case KEY_DSA: |
| 733 | ok = PEM_write_DSAPrivateKey(stdout, k->dsa, NULL, |
| 734 | NULL, 0, NULL, NULL); |
| 735 | break; |
| 736 | #ifdef OPENSSL_HAS_ECC |
| 737 | case KEY_ECDSA: |
| 738 | ok = PEM_write_ECPrivateKey(stdout, k->ecdsa, NULL, |
| 739 | NULL, 0, NULL, NULL); |
| 740 | break; |
| 741 | #endif |
| 742 | case KEY_RSA: |
| 743 | ok = PEM_write_RSAPrivateKey(stdout, k->rsa, NULL, |
| 744 | NULL, 0, NULL, NULL); |
| 745 | break; |
| 746 | default: |
| 747 | fatal("%s: unsupported key type %s", __func__, |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 748 | sshkey_type(k)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 749 | } |
| 750 | } |
| 751 | |
| 752 | if (!ok) { |
| 753 | fprintf(stderr, "key write failed\n"); |
| 754 | exit(1); |
| 755 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 756 | sshkey_free(k); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 757 | exit(0); |
| 758 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 759 | #endif |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 760 | |
| 761 | static void |
| 762 | do_print_public(struct passwd *pw) |
| 763 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 764 | struct sshkey *prv; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 765 | struct stat st; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 766 | int r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 767 | |
| 768 | if (!have_identity) |
| 769 | ask_filename(pw, "Enter file in which the key is"); |
| 770 | if (stat(identity_file, &st) < 0) { |
| 771 | perror(identity_file); |
| 772 | exit(1); |
| 773 | } |
| 774 | prv = load_identity(identity_file); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 775 | if ((r = sshkey_write(prv, stdout)) != 0) |
| 776 | fprintf(stderr, "key_write failed: %s", ssh_err(r)); |
| 777 | sshkey_free(prv); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 778 | fprintf(stdout, "\n"); |
| 779 | exit(0); |
| 780 | } |
| 781 | |
| 782 | static void |
| 783 | do_download(struct passwd *pw) |
| 784 | { |
| 785 | #ifdef ENABLE_PKCS11 |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 786 | struct sshkey **keys = NULL; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 787 | int i, nkeys; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 788 | enum sshkey_fp_rep rep; |
| 789 | int fptype; |
| 790 | char *fp, *ra; |
| 791 | |
| 792 | fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash; |
| 793 | rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 794 | |
| 795 | pkcs11_init(0); |
| 796 | nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys); |
| 797 | if (nkeys <= 0) |
| 798 | fatal("cannot read public key from pkcs11"); |
| 799 | for (i = 0; i < nkeys; i++) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 800 | if (print_fingerprint) { |
| 801 | fp = sshkey_fingerprint(keys[i], fptype, rep); |
| 802 | ra = sshkey_fingerprint(keys[i], fingerprint_hash, |
| 803 | SSH_FP_RANDOMART); |
| 804 | if (fp == NULL || ra == NULL) |
| 805 | fatal("%s: sshkey_fingerprint fail", __func__); |
| 806 | printf("%u %s %s (PKCS11 key)\n", sshkey_size(keys[i]), |
| 807 | fp, sshkey_type(keys[i])); |
| 808 | if (log_level >= SYSLOG_LEVEL_VERBOSE) |
| 809 | printf("%s\n", ra); |
| 810 | free(ra); |
| 811 | free(fp); |
| 812 | } else { |
| 813 | (void) sshkey_write(keys[i], stdout); /* XXX check */ |
| 814 | fprintf(stdout, "\n"); |
| 815 | } |
| 816 | sshkey_free(keys[i]); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 817 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 818 | free(keys); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 819 | pkcs11_terminate(); |
| 820 | exit(0); |
| 821 | #else |
| 822 | fatal("no pkcs11 support"); |
| 823 | #endif /* ENABLE_PKCS11 */ |
| 824 | } |
| 825 | |
| 826 | static void |
| 827 | do_fingerprint(struct passwd *pw) |
| 828 | { |
| 829 | FILE *f; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 830 | struct sshkey *public; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 831 | char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 832 | int r, i, skip = 0, num = 0, invalid = 1; |
| 833 | enum sshkey_fp_rep rep; |
| 834 | int fptype; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 835 | struct stat st; |
| 836 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 837 | fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash; |
| 838 | rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 839 | if (!have_identity) |
| 840 | ask_filename(pw, "Enter file in which the key is"); |
| 841 | if (stat(identity_file, &st) < 0) { |
| 842 | perror(identity_file); |
| 843 | exit(1); |
| 844 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 845 | if ((r = sshkey_load_public(identity_file, &public, &comment)) != 0) |
| 846 | debug2("Error loading public key \"%s\": %s", |
| 847 | identity_file, ssh_err(r)); |
| 848 | else { |
| 849 | fp = sshkey_fingerprint(public, fptype, rep); |
| 850 | ra = sshkey_fingerprint(public, fingerprint_hash, |
| 851 | SSH_FP_RANDOMART); |
| 852 | if (fp == NULL || ra == NULL) |
| 853 | fatal("%s: sshkey_fingerprint fail", __func__); |
| 854 | printf("%u %s %s (%s)\n", sshkey_size(public), fp, comment, |
| 855 | sshkey_type(public)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 856 | if (log_level >= SYSLOG_LEVEL_VERBOSE) |
| 857 | printf("%s\n", ra); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 858 | sshkey_free(public); |
| 859 | free(comment); |
| 860 | free(ra); |
| 861 | free(fp); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 862 | exit(0); |
| 863 | } |
| 864 | if (comment) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 865 | free(comment); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 866 | comment = NULL; |
| 867 | } |
| 868 | |
| 869 | if ((f = fopen(identity_file, "r")) == NULL) |
| 870 | fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); |
| 871 | |
| 872 | while (fgets(line, sizeof(line), f)) { |
| 873 | if ((cp = strchr(line, '\n')) == NULL) { |
| 874 | error("line %d too long: %.40s...", |
| 875 | num + 1, line); |
| 876 | skip = 1; |
| 877 | continue; |
| 878 | } |
| 879 | num++; |
| 880 | if (skip) { |
| 881 | skip = 0; |
| 882 | continue; |
| 883 | } |
| 884 | *cp = '\0'; |
| 885 | |
| 886 | /* Skip leading whitespace, empty and comment lines. */ |
| 887 | for (cp = line; *cp == ' ' || *cp == '\t'; cp++) |
| 888 | ; |
| 889 | if (!*cp || *cp == '\n' || *cp == '#') |
| 890 | continue; |
| 891 | i = strtol(cp, &ep, 10); |
| 892 | if (i == 0 || ep == NULL || (*ep != ' ' && *ep != '\t')) { |
| 893 | int quoted = 0; |
| 894 | comment = cp; |
| 895 | for (; *cp && (quoted || (*cp != ' ' && |
| 896 | *cp != '\t')); cp++) { |
| 897 | if (*cp == '\\' && cp[1] == '"') |
| 898 | cp++; /* Skip both */ |
| 899 | else if (*cp == '"') |
| 900 | quoted = !quoted; |
| 901 | } |
| 902 | if (!*cp) |
| 903 | continue; |
| 904 | *cp++ = '\0'; |
| 905 | } |
| 906 | ep = cp; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 907 | if ((public = sshkey_new(KEY_RSA1)) == NULL) |
| 908 | fatal("sshkey_new failed"); |
| 909 | if ((r = sshkey_read(public, &cp)) != 0) { |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 910 | cp = ep; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 911 | sshkey_free(public); |
| 912 | if ((public = sshkey_new(KEY_UNSPEC)) == NULL) |
| 913 | fatal("sshkey_new failed"); |
| 914 | if ((r = sshkey_read(public, &cp)) != 0) { |
| 915 | sshkey_free(public); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 916 | continue; |
| 917 | } |
| 918 | } |
| 919 | comment = *cp ? cp : comment; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 920 | fp = sshkey_fingerprint(public, fptype, rep); |
| 921 | ra = sshkey_fingerprint(public, fingerprint_hash, |
| 922 | SSH_FP_RANDOMART); |
| 923 | if (fp == NULL || ra == NULL) |
| 924 | fatal("%s: sshkey_fingerprint fail", __func__); |
| 925 | printf("%u %s %s (%s)\n", sshkey_size(public), fp, |
| 926 | comment ? comment : "no comment", sshkey_type(public)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 927 | if (log_level >= SYSLOG_LEVEL_VERBOSE) |
| 928 | printf("%s\n", ra); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 929 | free(ra); |
| 930 | free(fp); |
| 931 | sshkey_free(public); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 932 | invalid = 0; |
| 933 | } |
| 934 | fclose(f); |
| 935 | |
| 936 | if (invalid) { |
| 937 | printf("%s is not a public key file.\n", identity_file); |
| 938 | exit(1); |
| 939 | } |
| 940 | exit(0); |
| 941 | } |
| 942 | |
| 943 | static void |
| 944 | do_gen_all_hostkeys(struct passwd *pw) |
| 945 | { |
| 946 | struct { |
| 947 | char *key_type; |
| 948 | char *key_type_display; |
| 949 | char *path; |
| 950 | } key_types[] = { |
| 951 | { "rsa1", "RSA1", _PATH_HOST_KEY_FILE }, |
| 952 | { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, |
| 953 | { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 954 | #ifdef OPENSSL_HAS_ECC |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 955 | { "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE }, |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 956 | #endif |
| 957 | { "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE }, |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 958 | { NULL, NULL, NULL } |
| 959 | }; |
| 960 | |
| 961 | int first = 0; |
| 962 | struct stat st; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 963 | struct sshkey *private, *public; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 964 | char comment[1024]; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 965 | int i, type, fd, r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 966 | FILE *f; |
| 967 | |
| 968 | for (i = 0; key_types[i].key_type; i++) { |
| 969 | if (stat(key_types[i].path, &st) == 0) |
| 970 | continue; |
| 971 | if (errno != ENOENT) { |
| 972 | printf("Could not stat %s: %s", key_types[i].path, |
| 973 | strerror(errno)); |
| 974 | first = 0; |
| 975 | continue; |
| 976 | } |
| 977 | |
| 978 | if (first == 0) { |
| 979 | first = 1; |
| 980 | printf("%s: generating new host keys: ", __progname); |
| 981 | } |
| 982 | printf("%s ", key_types[i].key_type_display); |
| 983 | fflush(stdout); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 984 | type = sshkey_type_from_name(key_types[i].key_type); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 985 | strlcpy(identity_file, key_types[i].path, sizeof(identity_file)); |
| 986 | bits = 0; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 987 | type_bits_valid(type, NULL, &bits); |
| 988 | if ((r = sshkey_generate(type, bits, &private)) != 0) { |
| 989 | fprintf(stderr, "key_generate failed: %s\n", |
| 990 | ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 991 | first = 0; |
| 992 | continue; |
| 993 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 994 | if ((r = sshkey_from_private(private, &public)) != 0) |
| 995 | fatal("sshkey_from_private failed: %s", ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 996 | snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, |
| 997 | hostname); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 998 | if ((r = sshkey_save_private(private, identity_file, "", |
| 999 | comment, use_new_format, new_format_cipher, rounds)) != 0) { |
| 1000 | printf("Saving key \"%s\" failed: %s\n", identity_file, |
| 1001 | ssh_err(r)); |
| 1002 | sshkey_free(private); |
| 1003 | sshkey_free(public); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1004 | first = 0; |
| 1005 | continue; |
| 1006 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1007 | sshkey_free(private); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1008 | strlcat(identity_file, ".pub", sizeof(identity_file)); |
| 1009 | fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644); |
| 1010 | if (fd == -1) { |
| 1011 | printf("Could not save your public key in %s\n", |
| 1012 | identity_file); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1013 | sshkey_free(public); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1014 | first = 0; |
| 1015 | continue; |
| 1016 | } |
| 1017 | f = fdopen(fd, "w"); |
| 1018 | if (f == NULL) { |
| 1019 | printf("fdopen %s failed\n", identity_file); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1020 | close(fd); |
| 1021 | sshkey_free(public); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1022 | first = 0; |
| 1023 | continue; |
| 1024 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1025 | if ((r = sshkey_write(public, f)) != 0) { |
| 1026 | fprintf(stderr, "write key failed: %s\n", ssh_err(r)); |
| 1027 | fclose(f); |
| 1028 | sshkey_free(public); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1029 | first = 0; |
| 1030 | continue; |
| 1031 | } |
| 1032 | fprintf(f, " %s\n", comment); |
| 1033 | fclose(f); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1034 | sshkey_free(public); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1035 | |
| 1036 | } |
| 1037 | if (first != 0) |
| 1038 | printf("\n"); |
| 1039 | } |
| 1040 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1041 | struct known_hosts_ctx { |
| 1042 | const char *host; /* Hostname searched for in find/delete case */ |
| 1043 | FILE *out; /* Output file, stdout for find_hosts case */ |
| 1044 | int has_unhashed; /* When hashing, original had unhashed hosts */ |
| 1045 | int found_key; /* For find/delete, host was found */ |
| 1046 | int invalid; /* File contained invalid items; don't delete */ |
| 1047 | }; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1048 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1049 | static int |
| 1050 | known_hosts_hash(struct hostkey_foreach_line *l, void *_ctx) |
| 1051 | { |
| 1052 | struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx; |
| 1053 | char *hashed, *cp, *hosts, *ohosts; |
| 1054 | int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts); |
| 1055 | |
| 1056 | switch (l->status) { |
| 1057 | case HKF_STATUS_OK: |
| 1058 | case HKF_STATUS_MATCHED: |
| 1059 | /* |
| 1060 | * Don't hash hosts already already hashed, with wildcard |
| 1061 | * characters or a CA/revocation marker. |
| 1062 | */ |
| 1063 | if ((l->match & HKF_MATCH_HOST_HASHED) != 0 || |
| 1064 | has_wild || l->marker != MRK_NONE) { |
| 1065 | fprintf(ctx->out, "%s\n", l->line); |
| 1066 | if (has_wild && !find_host) { |
| 1067 | fprintf(stderr, "%s:%ld: ignoring host name " |
| 1068 | "with wildcard: %.64s\n", l->path, |
| 1069 | l->linenum, l->hosts); |
| 1070 | } |
| 1071 | return 0; |
| 1072 | } |
| 1073 | /* |
| 1074 | * Split any comma-separated hostnames from the host list, |
| 1075 | * hash and store separately. |
| 1076 | */ |
| 1077 | ohosts = hosts = xstrdup(l->hosts); |
| 1078 | while ((cp = strsep(&hosts, ",")) != NULL && *cp != '\0') { |
| 1079 | if ((hashed = host_hash(cp, NULL, 0)) == NULL) |
| 1080 | fatal("hash_host failed"); |
| 1081 | fprintf(ctx->out, "%s %s\n", hashed, l->rawkey); |
| 1082 | ctx->has_unhashed = 1; |
| 1083 | } |
| 1084 | free(ohosts); |
| 1085 | return 0; |
| 1086 | case HKF_STATUS_INVALID: |
| 1087 | /* Retain invalid lines, but mark file as invalid. */ |
| 1088 | ctx->invalid = 1; |
| 1089 | fprintf(stderr, "%s:%ld: invalid line\n", l->path, l->linenum); |
| 1090 | /* FALLTHROUGH */ |
| 1091 | default: |
| 1092 | fprintf(ctx->out, "%s\n", l->line); |
| 1093 | return 0; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1094 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1095 | /* NOTREACHED */ |
| 1096 | return -1; |
| 1097 | } |
| 1098 | |
| 1099 | static int |
| 1100 | known_hosts_find_delete(struct hostkey_foreach_line *l, void *_ctx) |
| 1101 | { |
| 1102 | struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx; |
| 1103 | |
| 1104 | if (l->status == HKF_STATUS_MATCHED) { |
| 1105 | if (delete_host) { |
| 1106 | if (l->marker != MRK_NONE) { |
| 1107 | /* Don't remove CA and revocation lines */ |
| 1108 | fprintf(ctx->out, "%s\n", l->line); |
| 1109 | } else { |
| 1110 | /* |
| 1111 | * Hostname matches and has no CA/revoke |
| 1112 | * marker, delete it by *not* writing the |
| 1113 | * line to ctx->out. |
| 1114 | */ |
| 1115 | ctx->found_key = 1; |
| 1116 | if (!quiet) |
| 1117 | printf("# Host %s found: line %ld\n", |
| 1118 | ctx->host, l->linenum); |
| 1119 | } |
| 1120 | return 0; |
| 1121 | } else if (find_host) { |
| 1122 | ctx->found_key = 1; |
| 1123 | if (!quiet) { |
| 1124 | printf("# Host %s found: line %ld %s\n", |
| 1125 | ctx->host, |
| 1126 | l->linenum, l->marker == MRK_CA ? "CA" : |
| 1127 | (l->marker == MRK_REVOKE ? "REVOKED" : "")); |
| 1128 | } |
| 1129 | if (hash_hosts) |
| 1130 | known_hosts_hash(l, ctx); |
| 1131 | else |
| 1132 | fprintf(ctx->out, "%s\n", l->line); |
| 1133 | return 0; |
| 1134 | } |
| 1135 | } else if (delete_host) { |
| 1136 | /* Retain non-matching hosts when deleting */ |
| 1137 | if (l->status == HKF_STATUS_INVALID) { |
| 1138 | ctx->invalid = 1; |
| 1139 | fprintf(stderr, "%s:%ld: invalid line\n", |
| 1140 | l->path, l->linenum); |
| 1141 | } |
| 1142 | fprintf(ctx->out, "%s\n", l->line); |
| 1143 | } |
| 1144 | return 0; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1145 | } |
| 1146 | |
| 1147 | static void |
| 1148 | do_known_hosts(struct passwd *pw, const char *name) |
| 1149 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1150 | char *cp, tmp[PATH_MAX], old[PATH_MAX]; |
| 1151 | int r, fd, oerrno, inplace = 0; |
| 1152 | struct known_hosts_ctx ctx; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1153 | |
| 1154 | if (!have_identity) { |
| 1155 | cp = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid); |
| 1156 | if (strlcpy(identity_file, cp, sizeof(identity_file)) >= |
| 1157 | sizeof(identity_file)) |
| 1158 | fatal("Specified known hosts path too long"); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1159 | free(cp); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1160 | have_identity = 1; |
| 1161 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1162 | |
| 1163 | memset(&ctx, 0, sizeof(ctx)); |
| 1164 | ctx.out = stdout; |
| 1165 | ctx.host = name; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1166 | |
| 1167 | /* |
| 1168 | * Find hosts goes to stdout, hash and deletions happen in-place |
| 1169 | * A corner case is ssh-keygen -HF foo, which should go to stdout |
| 1170 | */ |
| 1171 | if (!find_host && (hash_hosts || delete_host)) { |
| 1172 | if (strlcpy(tmp, identity_file, sizeof(tmp)) >= sizeof(tmp) || |
| 1173 | strlcat(tmp, ".XXXXXXXXXX", sizeof(tmp)) >= sizeof(tmp) || |
| 1174 | strlcpy(old, identity_file, sizeof(old)) >= sizeof(old) || |
| 1175 | strlcat(old, ".old", sizeof(old)) >= sizeof(old)) |
| 1176 | fatal("known_hosts path too long"); |
| 1177 | umask(077); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1178 | if ((fd = mkstemp(tmp)) == -1) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1179 | fatal("mkstemp: %s", strerror(errno)); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1180 | if ((ctx.out = fdopen(fd, "w")) == NULL) { |
| 1181 | oerrno = errno; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1182 | unlink(tmp); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1183 | fatal("fdopen: %s", strerror(oerrno)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1184 | } |
| 1185 | inplace = 1; |
| 1186 | } |
| 1187 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1188 | /* XXX support identity_file == "-" for stdin */ |
| 1189 | if ((r = hostkeys_foreach(identity_file, |
| 1190 | hash_hosts ? known_hosts_hash : known_hosts_find_delete, &ctx, |
| 1191 | name, NULL, find_host ? HKF_WANT_MATCH : 0)) != 0) |
| 1192 | fatal("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1193 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1194 | if (inplace) |
| 1195 | fclose(ctx.out); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1196 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1197 | if (ctx.invalid) { |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1198 | fprintf(stderr, "%s is not a valid known_hosts file.\n", |
| 1199 | identity_file); |
| 1200 | if (inplace) { |
| 1201 | fprintf(stderr, "Not replacing existing known_hosts " |
| 1202 | "file because of errors\n"); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1203 | unlink(tmp); |
| 1204 | } |
| 1205 | exit(1); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1206 | } else if (delete_host && !ctx.found_key) { |
| 1207 | fprintf(stderr, "Host %s not found in %s\n", |
| 1208 | name, identity_file); |
| 1209 | unlink(tmp); |
| 1210 | } else if (inplace) { |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1211 | /* Backup existing file */ |
| 1212 | if (unlink(old) == -1 && errno != ENOENT) |
| 1213 | fatal("unlink %.100s: %s", old, strerror(errno)); |
| 1214 | if (link(identity_file, old) == -1) |
| 1215 | fatal("link %.100s to %.100s: %s", identity_file, old, |
| 1216 | strerror(errno)); |
| 1217 | /* Move new one into place */ |
| 1218 | if (rename(tmp, identity_file) == -1) { |
| 1219 | error("rename\"%s\" to \"%s\": %s", tmp, identity_file, |
| 1220 | strerror(errno)); |
| 1221 | unlink(tmp); |
| 1222 | unlink(old); |
| 1223 | exit(1); |
| 1224 | } |
| 1225 | |
| 1226 | fprintf(stderr, "%s updated.\n", identity_file); |
| 1227 | fprintf(stderr, "Original contents retained as %s\n", old); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1228 | if (ctx.has_unhashed) { |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1229 | fprintf(stderr, "WARNING: %s contains unhashed " |
| 1230 | "entries\n", old); |
| 1231 | fprintf(stderr, "Delete this file to ensure privacy " |
| 1232 | "of hostnames\n"); |
| 1233 | } |
| 1234 | } |
| 1235 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1236 | exit (find_host && !ctx.found_key); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1237 | } |
| 1238 | |
| 1239 | /* |
| 1240 | * Perform changing a passphrase. The argument is the passwd structure |
| 1241 | * for the current user. |
| 1242 | */ |
| 1243 | static void |
| 1244 | do_change_passphrase(struct passwd *pw) |
| 1245 | { |
| 1246 | char *comment; |
| 1247 | char *old_passphrase, *passphrase1, *passphrase2; |
| 1248 | struct stat st; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1249 | struct sshkey *private; |
| 1250 | int r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1251 | |
| 1252 | if (!have_identity) |
| 1253 | ask_filename(pw, "Enter file in which the key is"); |
| 1254 | if (stat(identity_file, &st) < 0) { |
| 1255 | perror(identity_file); |
| 1256 | exit(1); |
| 1257 | } |
| 1258 | /* Try to load the file with empty passphrase. */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1259 | r = sshkey_load_private(identity_file, "", &private, &comment); |
| 1260 | if (r == SSH_ERR_KEY_WRONG_PASSPHRASE) { |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1261 | if (identity_passphrase) |
| 1262 | old_passphrase = xstrdup(identity_passphrase); |
| 1263 | else |
| 1264 | old_passphrase = |
| 1265 | read_passphrase("Enter old passphrase: ", |
| 1266 | RP_ALLOW_STDIN); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1267 | r = sshkey_load_private(identity_file, old_passphrase, |
| 1268 | &private, &comment); |
| 1269 | explicit_bzero(old_passphrase, strlen(old_passphrase)); |
| 1270 | free(old_passphrase); |
| 1271 | if (r != 0) |
| 1272 | goto badkey; |
| 1273 | } else if (r != 0) { |
| 1274 | badkey: |
| 1275 | fprintf(stderr, "Failed to load key \"%s\": %s\n", |
| 1276 | identity_file, ssh_err(r)); |
| 1277 | exit(1); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1278 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1279 | if (comment) |
| 1280 | printf("Key has comment '%s'\n", comment); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1281 | |
| 1282 | /* Ask the new passphrase (twice). */ |
| 1283 | if (identity_new_passphrase) { |
| 1284 | passphrase1 = xstrdup(identity_new_passphrase); |
| 1285 | passphrase2 = NULL; |
| 1286 | } else { |
| 1287 | passphrase1 = |
| 1288 | read_passphrase("Enter new passphrase (empty for no " |
| 1289 | "passphrase): ", RP_ALLOW_STDIN); |
| 1290 | passphrase2 = read_passphrase("Enter same passphrase again: ", |
| 1291 | RP_ALLOW_STDIN); |
| 1292 | |
| 1293 | /* Verify that they are the same. */ |
| 1294 | if (strcmp(passphrase1, passphrase2) != 0) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1295 | explicit_bzero(passphrase1, strlen(passphrase1)); |
| 1296 | explicit_bzero(passphrase2, strlen(passphrase2)); |
| 1297 | free(passphrase1); |
| 1298 | free(passphrase2); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1299 | printf("Pass phrases do not match. Try again.\n"); |
| 1300 | exit(1); |
| 1301 | } |
| 1302 | /* Destroy the other copy. */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1303 | explicit_bzero(passphrase2, strlen(passphrase2)); |
| 1304 | free(passphrase2); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1305 | } |
| 1306 | |
| 1307 | /* Save the file using the new passphrase. */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1308 | if ((r = sshkey_save_private(private, identity_file, passphrase1, |
| 1309 | comment, use_new_format, new_format_cipher, rounds)) != 0) { |
| 1310 | printf("Saving key \"%s\" failed: %s.\n", |
| 1311 | identity_file, ssh_err(r)); |
| 1312 | explicit_bzero(passphrase1, strlen(passphrase1)); |
| 1313 | free(passphrase1); |
| 1314 | sshkey_free(private); |
| 1315 | free(comment); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1316 | exit(1); |
| 1317 | } |
| 1318 | /* Destroy the passphrase and the copy of the key in memory. */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1319 | explicit_bzero(passphrase1, strlen(passphrase1)); |
| 1320 | free(passphrase1); |
| 1321 | sshkey_free(private); /* Destroys contents */ |
| 1322 | free(comment); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1323 | |
| 1324 | printf("Your identification has been saved with the new passphrase.\n"); |
| 1325 | exit(0); |
| 1326 | } |
| 1327 | |
| 1328 | /* |
| 1329 | * Print the SSHFP RR. |
| 1330 | */ |
| 1331 | static int |
| 1332 | do_print_resource_record(struct passwd *pw, char *fname, char *hname) |
| 1333 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1334 | struct sshkey *public; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1335 | char *comment = NULL; |
| 1336 | struct stat st; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1337 | int r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1338 | |
| 1339 | if (fname == NULL) |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1340 | fatal("%s: no filename", __func__); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1341 | if (stat(fname, &st) < 0) { |
| 1342 | if (errno == ENOENT) |
| 1343 | return 0; |
| 1344 | perror(fname); |
| 1345 | exit(1); |
| 1346 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1347 | if ((r = sshkey_load_public(fname, &public, &comment)) != 0) { |
| 1348 | printf("Failed to read v2 public key from \"%s\": %s.\n", |
| 1349 | fname, ssh_err(r)); |
| 1350 | exit(1); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1351 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1352 | export_dns_rr(hname, public, stdout, print_generic); |
| 1353 | sshkey_free(public); |
| 1354 | free(comment); |
| 1355 | return 1; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1356 | } |
| 1357 | |
| 1358 | /* |
| 1359 | * Change the comment of a private key file. |
| 1360 | */ |
| 1361 | static void |
| 1362 | do_change_comment(struct passwd *pw) |
| 1363 | { |
| 1364 | char new_comment[1024], *comment, *passphrase; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1365 | struct sshkey *private; |
| 1366 | struct sshkey *public; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1367 | struct stat st; |
| 1368 | FILE *f; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1369 | int r, fd; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1370 | |
| 1371 | if (!have_identity) |
| 1372 | ask_filename(pw, "Enter file in which the key is"); |
| 1373 | if (stat(identity_file, &st) < 0) { |
| 1374 | perror(identity_file); |
| 1375 | exit(1); |
| 1376 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1377 | if ((r = sshkey_load_private(identity_file, "", |
| 1378 | &private, &comment)) == 0) |
| 1379 | passphrase = xstrdup(""); |
| 1380 | else if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) { |
| 1381 | printf("Cannot load private key \"%s\": %s.\n", |
| 1382 | identity_file, ssh_err(r)); |
| 1383 | exit(1); |
| 1384 | } else { |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1385 | if (identity_passphrase) |
| 1386 | passphrase = xstrdup(identity_passphrase); |
| 1387 | else if (identity_new_passphrase) |
| 1388 | passphrase = xstrdup(identity_new_passphrase); |
| 1389 | else |
| 1390 | passphrase = read_passphrase("Enter passphrase: ", |
| 1391 | RP_ALLOW_STDIN); |
| 1392 | /* Try to load using the passphrase. */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1393 | if ((r = sshkey_load_private(identity_file, passphrase, |
| 1394 | &private, &comment)) != 0) { |
| 1395 | explicit_bzero(passphrase, strlen(passphrase)); |
| 1396 | free(passphrase); |
| 1397 | printf("Cannot load private key \"%s\": %s.\n", |
| 1398 | identity_file, ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1399 | exit(1); |
| 1400 | } |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1401 | } |
| 1402 | if (private->type != KEY_RSA1) { |
| 1403 | fprintf(stderr, "Comments are only supported for RSA1 keys.\n"); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1404 | sshkey_free(private); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1405 | exit(1); |
| 1406 | } |
| 1407 | printf("Key now has comment '%s'\n", comment); |
| 1408 | |
| 1409 | if (identity_comment) { |
| 1410 | strlcpy(new_comment, identity_comment, sizeof(new_comment)); |
| 1411 | } else { |
| 1412 | printf("Enter new comment: "); |
| 1413 | fflush(stdout); |
| 1414 | if (!fgets(new_comment, sizeof(new_comment), stdin)) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1415 | explicit_bzero(passphrase, strlen(passphrase)); |
| 1416 | sshkey_free(private); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1417 | exit(1); |
| 1418 | } |
| 1419 | new_comment[strcspn(new_comment, "\n")] = '\0'; |
| 1420 | } |
| 1421 | |
| 1422 | /* Save the file using the new passphrase. */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1423 | if ((r = sshkey_save_private(private, identity_file, passphrase, |
| 1424 | new_comment, use_new_format, new_format_cipher, rounds)) != 0) { |
| 1425 | printf("Saving key \"%s\" failed: %s\n", |
| 1426 | identity_file, ssh_err(r)); |
| 1427 | explicit_bzero(passphrase, strlen(passphrase)); |
| 1428 | free(passphrase); |
| 1429 | sshkey_free(private); |
| 1430 | free(comment); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1431 | exit(1); |
| 1432 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1433 | explicit_bzero(passphrase, strlen(passphrase)); |
| 1434 | free(passphrase); |
| 1435 | if ((r = sshkey_from_private(private, &public)) != 0) |
| 1436 | fatal("key_from_private failed: %s", ssh_err(r)); |
| 1437 | sshkey_free(private); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1438 | |
| 1439 | strlcat(identity_file, ".pub", sizeof(identity_file)); |
| 1440 | fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644); |
| 1441 | if (fd == -1) { |
| 1442 | printf("Could not save your public key in %s\n", identity_file); |
| 1443 | exit(1); |
| 1444 | } |
| 1445 | f = fdopen(fd, "w"); |
| 1446 | if (f == NULL) { |
| 1447 | printf("fdopen %s failed\n", identity_file); |
| 1448 | exit(1); |
| 1449 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1450 | if ((r = sshkey_write(public, f)) != 0) |
| 1451 | fprintf(stderr, "write key failed: %s\n", ssh_err(r)); |
| 1452 | sshkey_free(public); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1453 | fprintf(f, " %s\n", new_comment); |
| 1454 | fclose(f); |
| 1455 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1456 | free(comment); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1457 | |
| 1458 | printf("The comment in your key file has been changed.\n"); |
| 1459 | exit(0); |
| 1460 | } |
| 1461 | |
| 1462 | static const char * |
| 1463 | fmt_validity(u_int64_t valid_from, u_int64_t valid_to) |
| 1464 | { |
| 1465 | char from[32], to[32]; |
| 1466 | static char ret[64]; |
| 1467 | time_t tt; |
| 1468 | struct tm *tm; |
| 1469 | |
| 1470 | *from = *to = '\0'; |
| 1471 | if (valid_from == 0 && valid_to == 0xffffffffffffffffULL) |
| 1472 | return "forever"; |
| 1473 | |
| 1474 | if (valid_from != 0) { |
| 1475 | /* XXX revisit INT_MAX in 2038 :) */ |
| 1476 | tt = valid_from > INT_MAX ? INT_MAX : valid_from; |
| 1477 | tm = localtime(&tt); |
| 1478 | strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm); |
| 1479 | } |
| 1480 | if (valid_to != 0xffffffffffffffffULL) { |
| 1481 | /* XXX revisit INT_MAX in 2038 :) */ |
| 1482 | tt = valid_to > INT_MAX ? INT_MAX : valid_to; |
| 1483 | tm = localtime(&tt); |
| 1484 | strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm); |
| 1485 | } |
| 1486 | |
| 1487 | if (valid_from == 0) { |
| 1488 | snprintf(ret, sizeof(ret), "before %s", to); |
| 1489 | return ret; |
| 1490 | } |
| 1491 | if (valid_to == 0xffffffffffffffffULL) { |
| 1492 | snprintf(ret, sizeof(ret), "after %s", from); |
| 1493 | return ret; |
| 1494 | } |
| 1495 | |
| 1496 | snprintf(ret, sizeof(ret), "from %s to %s", from, to); |
| 1497 | return ret; |
| 1498 | } |
| 1499 | |
| 1500 | static void |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1501 | add_flag_option(struct sshbuf *c, const char *name) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1502 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1503 | int r; |
| 1504 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1505 | debug3("%s: %s", __func__, name); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1506 | if ((r = sshbuf_put_cstring(c, name)) != 0 || |
| 1507 | (r = sshbuf_put_string(c, NULL, 0)) != 0) |
| 1508 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1509 | } |
| 1510 | |
| 1511 | static void |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1512 | add_string_option(struct sshbuf *c, const char *name, const char *value) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1513 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1514 | struct sshbuf *b; |
| 1515 | int r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1516 | |
| 1517 | debug3("%s: %s=%s", __func__, name, value); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1518 | if ((b = sshbuf_new()) == NULL) |
| 1519 | fatal("%s: sshbuf_new failed", __func__); |
| 1520 | if ((r = sshbuf_put_cstring(b, value)) != 0 || |
| 1521 | (r = sshbuf_put_cstring(c, name)) != 0 || |
| 1522 | (r = sshbuf_put_stringb(c, b)) != 0) |
| 1523 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1524 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1525 | sshbuf_free(b); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1526 | } |
| 1527 | |
| 1528 | #define OPTIONS_CRITICAL 1 |
| 1529 | #define OPTIONS_EXTENSIONS 2 |
| 1530 | static void |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1531 | prepare_options_buf(struct sshbuf *c, int which) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1532 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1533 | sshbuf_reset(c); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1534 | if ((which & OPTIONS_CRITICAL) != 0 && |
| 1535 | certflags_command != NULL) |
| 1536 | add_string_option(c, "force-command", certflags_command); |
| 1537 | if ((which & OPTIONS_EXTENSIONS) != 0 && |
| 1538 | (certflags_flags & CERTOPT_X_FWD) != 0) |
| 1539 | add_flag_option(c, "permit-X11-forwarding"); |
| 1540 | if ((which & OPTIONS_EXTENSIONS) != 0 && |
| 1541 | (certflags_flags & CERTOPT_AGENT_FWD) != 0) |
| 1542 | add_flag_option(c, "permit-agent-forwarding"); |
| 1543 | if ((which & OPTIONS_EXTENSIONS) != 0 && |
| 1544 | (certflags_flags & CERTOPT_PORT_FWD) != 0) |
| 1545 | add_flag_option(c, "permit-port-forwarding"); |
| 1546 | if ((which & OPTIONS_EXTENSIONS) != 0 && |
| 1547 | (certflags_flags & CERTOPT_PTY) != 0) |
| 1548 | add_flag_option(c, "permit-pty"); |
| 1549 | if ((which & OPTIONS_EXTENSIONS) != 0 && |
| 1550 | (certflags_flags & CERTOPT_USER_RC) != 0) |
| 1551 | add_flag_option(c, "permit-user-rc"); |
| 1552 | if ((which & OPTIONS_CRITICAL) != 0 && |
| 1553 | certflags_src_addr != NULL) |
| 1554 | add_string_option(c, "source-address", certflags_src_addr); |
| 1555 | } |
| 1556 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1557 | static struct sshkey * |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1558 | load_pkcs11_key(char *path) |
| 1559 | { |
| 1560 | #ifdef ENABLE_PKCS11 |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1561 | struct sshkey **keys = NULL, *public, *private = NULL; |
| 1562 | int r, i, nkeys; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1563 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1564 | if ((r = sshkey_load_public(path, &public, NULL)) != 0) |
| 1565 | fatal("Couldn't load CA public key \"%s\": %s", |
| 1566 | path, ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1567 | |
| 1568 | nkeys = pkcs11_add_provider(pkcs11provider, identity_passphrase, &keys); |
| 1569 | debug3("%s: %d keys", __func__, nkeys); |
| 1570 | if (nkeys <= 0) |
| 1571 | fatal("cannot read public key from pkcs11"); |
| 1572 | for (i = 0; i < nkeys; i++) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1573 | if (sshkey_equal_public(public, keys[i])) { |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1574 | private = keys[i]; |
| 1575 | continue; |
| 1576 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1577 | sshkey_free(keys[i]); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1578 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1579 | free(keys); |
| 1580 | sshkey_free(public); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1581 | return private; |
| 1582 | #else |
| 1583 | fatal("no pkcs11 support"); |
| 1584 | #endif /* ENABLE_PKCS11 */ |
| 1585 | } |
| 1586 | |
| 1587 | static void |
| 1588 | do_ca_sign(struct passwd *pw, int argc, char **argv) |
| 1589 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1590 | int r, i, fd; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1591 | u_int n; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1592 | struct sshkey *ca, *public; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1593 | char *otmp, *tmp, *cp, *out, *comment, **plist = NULL; |
| 1594 | FILE *f; |
| 1595 | int v00 = 0; /* legacy keys */ |
| 1596 | |
| 1597 | if (key_type_name != NULL) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1598 | switch (sshkey_type_from_name(key_type_name)) { |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1599 | case KEY_RSA_CERT_V00: |
| 1600 | case KEY_DSA_CERT_V00: |
| 1601 | v00 = 1; |
| 1602 | break; |
| 1603 | case KEY_UNSPEC: |
| 1604 | if (strcasecmp(key_type_name, "v00") == 0) { |
| 1605 | v00 = 1; |
| 1606 | break; |
| 1607 | } else if (strcasecmp(key_type_name, "v01") == 0) |
| 1608 | break; |
| 1609 | /* FALLTHROUGH */ |
| 1610 | default: |
| 1611 | fprintf(stderr, "unknown key type %s\n", key_type_name); |
| 1612 | exit(1); |
| 1613 | } |
| 1614 | } |
| 1615 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1616 | #ifdef ENABLE_PKCS11 |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1617 | pkcs11_init(1); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1618 | #endif |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1619 | tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); |
| 1620 | if (pkcs11provider != NULL) { |
| 1621 | if ((ca = load_pkcs11_key(tmp)) == NULL) |
| 1622 | fatal("No PKCS#11 key matching %s found", ca_key_path); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1623 | } else |
| 1624 | ca = load_identity(tmp); |
| 1625 | free(tmp); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1626 | |
| 1627 | for (i = 0; i < argc; i++) { |
| 1628 | /* Split list of principals */ |
| 1629 | n = 0; |
| 1630 | if (cert_principals != NULL) { |
| 1631 | otmp = tmp = xstrdup(cert_principals); |
| 1632 | plist = NULL; |
| 1633 | for (; (cp = strsep(&tmp, ",")) != NULL; n++) { |
| 1634 | plist = xrealloc(plist, n + 1, sizeof(*plist)); |
| 1635 | if (*(plist[n] = xstrdup(cp)) == '\0') |
| 1636 | fatal("Empty principal name"); |
| 1637 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1638 | free(otmp); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1639 | } |
| 1640 | |
| 1641 | tmp = tilde_expand_filename(argv[i], pw->pw_uid); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1642 | if ((r = sshkey_load_public(tmp, &public, &comment)) != 0) |
| 1643 | fatal("%s: unable to open \"%s\": %s", |
| 1644 | __func__, tmp, ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1645 | if (public->type != KEY_RSA && public->type != KEY_DSA && |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1646 | public->type != KEY_ECDSA && public->type != KEY_ED25519) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1647 | fatal("%s: key \"%s\" type %s cannot be certified", |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1648 | __func__, tmp, sshkey_type(public)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1649 | |
| 1650 | /* Prepare certificate to sign */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1651 | if ((r = sshkey_to_certified(public, v00)) != 0) |
| 1652 | fatal("Could not upgrade key %s to certificate: %s", |
| 1653 | tmp, ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1654 | public->cert->type = cert_key_type; |
| 1655 | public->cert->serial = (u_int64_t)cert_serial; |
| 1656 | public->cert->key_id = xstrdup(cert_key_id); |
| 1657 | public->cert->nprincipals = n; |
| 1658 | public->cert->principals = plist; |
| 1659 | public->cert->valid_after = cert_valid_from; |
| 1660 | public->cert->valid_before = cert_valid_to; |
| 1661 | if (v00) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1662 | prepare_options_buf(public->cert->critical, |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1663 | OPTIONS_CRITICAL|OPTIONS_EXTENSIONS); |
| 1664 | } else { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1665 | prepare_options_buf(public->cert->critical, |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1666 | OPTIONS_CRITICAL); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1667 | prepare_options_buf(public->cert->extensions, |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1668 | OPTIONS_EXTENSIONS); |
| 1669 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1670 | if ((r = sshkey_from_private(ca, |
| 1671 | &public->cert->signature_key)) != 0) |
| 1672 | fatal("key_from_private (ca key): %s", ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1673 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1674 | if (sshkey_certify(public, ca) != 0) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1675 | fatal("Couldn't not certify key %s", tmp); |
| 1676 | |
| 1677 | if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0) |
| 1678 | *cp = '\0'; |
| 1679 | xasprintf(&out, "%s-cert.pub", tmp); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1680 | free(tmp); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1681 | |
| 1682 | if ((fd = open(out, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1) |
| 1683 | fatal("Could not open \"%s\" for writing: %s", out, |
| 1684 | strerror(errno)); |
| 1685 | if ((f = fdopen(fd, "w")) == NULL) |
| 1686 | fatal("%s: fdopen: %s", __func__, strerror(errno)); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1687 | if ((r = sshkey_write(public, f)) != 0) |
| 1688 | fatal("Could not write certified key to %s: %s", |
| 1689 | out, ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1690 | fprintf(f, " %s\n", comment); |
| 1691 | fclose(f); |
| 1692 | |
| 1693 | if (!quiet) { |
| 1694 | logit("Signed %s key %s: id \"%s\" serial %llu%s%s " |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1695 | "valid %s", sshkey_cert_type(public), |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1696 | out, public->cert->key_id, |
| 1697 | (unsigned long long)public->cert->serial, |
| 1698 | cert_principals != NULL ? " for " : "", |
| 1699 | cert_principals != NULL ? cert_principals : "", |
| 1700 | fmt_validity(cert_valid_from, cert_valid_to)); |
| 1701 | } |
| 1702 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1703 | sshkey_free(public); |
| 1704 | free(out); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1705 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1706 | #ifdef ENABLE_PKCS11 |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1707 | pkcs11_terminate(); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1708 | #endif |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1709 | exit(0); |
| 1710 | } |
| 1711 | |
| 1712 | static u_int64_t |
| 1713 | parse_relative_time(const char *s, time_t now) |
| 1714 | { |
| 1715 | int64_t mul, secs; |
| 1716 | |
| 1717 | mul = *s == '-' ? -1 : 1; |
| 1718 | |
| 1719 | if ((secs = convtime(s + 1)) == -1) |
| 1720 | fatal("Invalid relative certificate time %s", s); |
| 1721 | if (mul == -1 && secs > now) |
| 1722 | fatal("Certificate time %s cannot be represented", s); |
| 1723 | return now + (u_int64_t)(secs * mul); |
| 1724 | } |
| 1725 | |
| 1726 | static u_int64_t |
| 1727 | parse_absolute_time(const char *s) |
| 1728 | { |
| 1729 | struct tm tm; |
| 1730 | time_t tt; |
| 1731 | char buf[32], *fmt; |
| 1732 | |
| 1733 | /* |
| 1734 | * POSIX strptime says "The application shall ensure that there |
| 1735 | * is white-space or other non-alphanumeric characters between |
| 1736 | * any two conversion specifications" so arrange things this way. |
| 1737 | */ |
| 1738 | switch (strlen(s)) { |
| 1739 | case 8: |
| 1740 | fmt = "%Y-%m-%d"; |
| 1741 | snprintf(buf, sizeof(buf), "%.4s-%.2s-%.2s", s, s + 4, s + 6); |
| 1742 | break; |
| 1743 | case 14: |
| 1744 | fmt = "%Y-%m-%dT%H:%M:%S"; |
| 1745 | snprintf(buf, sizeof(buf), "%.4s-%.2s-%.2sT%.2s:%.2s:%.2s", |
| 1746 | s, s + 4, s + 6, s + 8, s + 10, s + 12); |
| 1747 | break; |
| 1748 | default: |
| 1749 | fatal("Invalid certificate time format %s", s); |
| 1750 | } |
| 1751 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1752 | memset(&tm, 0, sizeof(tm)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1753 | if (strptime(buf, fmt, &tm) == NULL) |
| 1754 | fatal("Invalid certificate time %s", s); |
| 1755 | if ((tt = mktime(&tm)) < 0) |
| 1756 | fatal("Certificate time %s cannot be represented", s); |
| 1757 | return (u_int64_t)tt; |
| 1758 | } |
| 1759 | |
| 1760 | static void |
| 1761 | parse_cert_times(char *timespec) |
| 1762 | { |
| 1763 | char *from, *to; |
| 1764 | time_t now = time(NULL); |
| 1765 | int64_t secs; |
| 1766 | |
| 1767 | /* +timespec relative to now */ |
| 1768 | if (*timespec == '+' && strchr(timespec, ':') == NULL) { |
| 1769 | if ((secs = convtime(timespec + 1)) == -1) |
| 1770 | fatal("Invalid relative certificate life %s", timespec); |
| 1771 | cert_valid_to = now + secs; |
| 1772 | /* |
| 1773 | * Backdate certificate one minute to avoid problems on hosts |
| 1774 | * with poorly-synchronised clocks. |
| 1775 | */ |
| 1776 | cert_valid_from = ((now - 59)/ 60) * 60; |
| 1777 | return; |
| 1778 | } |
| 1779 | |
| 1780 | /* |
| 1781 | * from:to, where |
| 1782 | * from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS |
| 1783 | * to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS |
| 1784 | */ |
| 1785 | from = xstrdup(timespec); |
| 1786 | to = strchr(from, ':'); |
| 1787 | if (to == NULL || from == to || *(to + 1) == '\0') |
| 1788 | fatal("Invalid certificate life specification %s", timespec); |
| 1789 | *to++ = '\0'; |
| 1790 | |
| 1791 | if (*from == '-' || *from == '+') |
| 1792 | cert_valid_from = parse_relative_time(from, now); |
| 1793 | else |
| 1794 | cert_valid_from = parse_absolute_time(from); |
| 1795 | |
| 1796 | if (*to == '-' || *to == '+') |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1797 | cert_valid_to = parse_relative_time(to, now); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1798 | else |
| 1799 | cert_valid_to = parse_absolute_time(to); |
| 1800 | |
| 1801 | if (cert_valid_to <= cert_valid_from) |
| 1802 | fatal("Empty certificate validity interval"); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1803 | free(from); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1804 | } |
| 1805 | |
| 1806 | static void |
| 1807 | add_cert_option(char *opt) |
| 1808 | { |
| 1809 | char *val; |
| 1810 | |
| 1811 | if (strcasecmp(opt, "clear") == 0) |
| 1812 | certflags_flags = 0; |
| 1813 | else if (strcasecmp(opt, "no-x11-forwarding") == 0) |
| 1814 | certflags_flags &= ~CERTOPT_X_FWD; |
| 1815 | else if (strcasecmp(opt, "permit-x11-forwarding") == 0) |
| 1816 | certflags_flags |= CERTOPT_X_FWD; |
| 1817 | else if (strcasecmp(opt, "no-agent-forwarding") == 0) |
| 1818 | certflags_flags &= ~CERTOPT_AGENT_FWD; |
| 1819 | else if (strcasecmp(opt, "permit-agent-forwarding") == 0) |
| 1820 | certflags_flags |= CERTOPT_AGENT_FWD; |
| 1821 | else if (strcasecmp(opt, "no-port-forwarding") == 0) |
| 1822 | certflags_flags &= ~CERTOPT_PORT_FWD; |
| 1823 | else if (strcasecmp(opt, "permit-port-forwarding") == 0) |
| 1824 | certflags_flags |= CERTOPT_PORT_FWD; |
| 1825 | else if (strcasecmp(opt, "no-pty") == 0) |
| 1826 | certflags_flags &= ~CERTOPT_PTY; |
| 1827 | else if (strcasecmp(opt, "permit-pty") == 0) |
| 1828 | certflags_flags |= CERTOPT_PTY; |
| 1829 | else if (strcasecmp(opt, "no-user-rc") == 0) |
| 1830 | certflags_flags &= ~CERTOPT_USER_RC; |
| 1831 | else if (strcasecmp(opt, "permit-user-rc") == 0) |
| 1832 | certflags_flags |= CERTOPT_USER_RC; |
| 1833 | else if (strncasecmp(opt, "force-command=", 14) == 0) { |
| 1834 | val = opt + 14; |
| 1835 | if (*val == '\0') |
| 1836 | fatal("Empty force-command option"); |
| 1837 | if (certflags_command != NULL) |
| 1838 | fatal("force-command already specified"); |
| 1839 | certflags_command = xstrdup(val); |
| 1840 | } else if (strncasecmp(opt, "source-address=", 15) == 0) { |
| 1841 | val = opt + 15; |
| 1842 | if (*val == '\0') |
| 1843 | fatal("Empty source-address option"); |
| 1844 | if (certflags_src_addr != NULL) |
| 1845 | fatal("source-address already specified"); |
| 1846 | if (addr_match_cidr_list(NULL, val) != 0) |
| 1847 | fatal("Invalid source-address list"); |
| 1848 | certflags_src_addr = xstrdup(val); |
| 1849 | } else |
| 1850 | fatal("Unsupported certificate option \"%s\"", opt); |
| 1851 | } |
| 1852 | |
| 1853 | static void |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1854 | show_options(struct sshbuf *optbuf, int v00, int in_critical) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1855 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1856 | char *name, *arg; |
| 1857 | struct sshbuf *options, *option = NULL; |
| 1858 | int r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1859 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1860 | if ((options = sshbuf_fromb(optbuf)) == NULL) |
| 1861 | fatal("%s: sshbuf_fromb failed", __func__); |
| 1862 | while (sshbuf_len(options) != 0) { |
| 1863 | sshbuf_free(option); |
| 1864 | option = NULL; |
| 1865 | if ((r = sshbuf_get_cstring(options, &name, NULL)) != 0 || |
| 1866 | (r = sshbuf_froms(options, &option)) != 0) |
| 1867 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1868 | printf(" %s", name); |
| 1869 | if ((v00 || !in_critical) && |
| 1870 | (strcmp(name, "permit-X11-forwarding") == 0 || |
| 1871 | strcmp(name, "permit-agent-forwarding") == 0 || |
| 1872 | strcmp(name, "permit-port-forwarding") == 0 || |
| 1873 | strcmp(name, "permit-pty") == 0 || |
| 1874 | strcmp(name, "permit-user-rc") == 0)) |
| 1875 | printf("\n"); |
| 1876 | else if ((v00 || in_critical) && |
| 1877 | (strcmp(name, "force-command") == 0 || |
| 1878 | strcmp(name, "source-address") == 0)) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1879 | if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0) |
| 1880 | fatal("%s: buffer error: %s", |
| 1881 | __func__, ssh_err(r)); |
| 1882 | printf(" %s\n", arg); |
| 1883 | free(arg); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1884 | } else { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1885 | printf(" UNKNOWN OPTION (len %zu)\n", |
| 1886 | sshbuf_len(option)); |
| 1887 | sshbuf_reset(option); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1888 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1889 | free(name); |
| 1890 | if (sshbuf_len(option) != 0) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1891 | fatal("Option corrupt: extra data at end"); |
| 1892 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1893 | sshbuf_free(option); |
| 1894 | sshbuf_free(options); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1895 | } |
| 1896 | |
| 1897 | static void |
| 1898 | do_show_cert(struct passwd *pw) |
| 1899 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1900 | struct sshkey *key; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1901 | struct stat st; |
| 1902 | char *key_fp, *ca_fp; |
| 1903 | u_int i, v00; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1904 | int r; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1905 | |
| 1906 | if (!have_identity) |
| 1907 | ask_filename(pw, "Enter file in which the key is"); |
| 1908 | if (stat(identity_file, &st) < 0) |
| 1909 | fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1910 | if ((r = sshkey_load_public(identity_file, &key, NULL)) != 0) |
| 1911 | fatal("Cannot load public key \"%s\": %s", |
| 1912 | identity_file, ssh_err(r)); |
| 1913 | if (!sshkey_is_cert(key)) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1914 | fatal("%s is not a certificate", identity_file); |
| 1915 | v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00; |
| 1916 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1917 | key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT); |
| 1918 | ca_fp = sshkey_fingerprint(key->cert->signature_key, |
| 1919 | fingerprint_hash, SSH_FP_DEFAULT); |
| 1920 | if (key_fp == NULL || ca_fp == NULL) |
| 1921 | fatal("%s: sshkey_fingerprint fail", __func__); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1922 | |
| 1923 | printf("%s:\n", identity_file); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1924 | printf(" Type: %s %s certificate\n", sshkey_ssh_name(key), |
| 1925 | sshkey_cert_type(key)); |
| 1926 | printf(" Public key: %s %s\n", sshkey_type(key), key_fp); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1927 | printf(" Signing CA: %s %s\n", |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1928 | sshkey_type(key->cert->signature_key), ca_fp); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1929 | printf(" Key ID: \"%s\"\n", key->cert->key_id); |
| 1930 | if (!v00) { |
| 1931 | printf(" Serial: %llu\n", |
| 1932 | (unsigned long long)key->cert->serial); |
| 1933 | } |
| 1934 | printf(" Valid: %s\n", |
| 1935 | fmt_validity(key->cert->valid_after, key->cert->valid_before)); |
| 1936 | printf(" Principals: "); |
| 1937 | if (key->cert->nprincipals == 0) |
| 1938 | printf("(none)\n"); |
| 1939 | else { |
| 1940 | for (i = 0; i < key->cert->nprincipals; i++) |
| 1941 | printf("\n %s", |
| 1942 | key->cert->principals[i]); |
| 1943 | printf("\n"); |
| 1944 | } |
| 1945 | printf(" Critical Options: "); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1946 | if (sshbuf_len(key->cert->critical) == 0) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1947 | printf("(none)\n"); |
| 1948 | else { |
| 1949 | printf("\n"); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1950 | show_options(key->cert->critical, v00, 1); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1951 | } |
| 1952 | if (!v00) { |
| 1953 | printf(" Extensions: "); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1954 | if (sshbuf_len(key->cert->extensions) == 0) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1955 | printf("(none)\n"); |
| 1956 | else { |
| 1957 | printf("\n"); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1958 | show_options(key->cert->extensions, v00, 0); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 1959 | } |
| 1960 | } |
| 1961 | exit(0); |
| 1962 | } |
| 1963 | |
| 1964 | static void |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1965 | load_krl(const char *path, struct ssh_krl **krlp) |
| 1966 | { |
| 1967 | struct sshbuf *krlbuf; |
| 1968 | int r, fd; |
| 1969 | |
| 1970 | if ((krlbuf = sshbuf_new()) == NULL) |
| 1971 | fatal("sshbuf_new failed"); |
| 1972 | if ((fd = open(path, O_RDONLY)) == -1) |
| 1973 | fatal("open %s: %s", path, strerror(errno)); |
| 1974 | if ((r = sshkey_load_file(fd, krlbuf)) != 0) |
| 1975 | fatal("Unable to load KRL: %s", ssh_err(r)); |
| 1976 | close(fd); |
| 1977 | /* XXX check sigs */ |
| 1978 | if ((r = ssh_krl_from_blob(krlbuf, krlp, NULL, 0)) != 0 || |
| 1979 | *krlp == NULL) |
| 1980 | fatal("Invalid KRL file: %s", ssh_err(r)); |
| 1981 | sshbuf_free(krlbuf); |
| 1982 | } |
| 1983 | |
| 1984 | static void |
| 1985 | update_krl_from_file(struct passwd *pw, const char *file, int wild_ca, |
| 1986 | const struct sshkey *ca, struct ssh_krl *krl) |
| 1987 | { |
| 1988 | struct sshkey *key = NULL; |
| 1989 | u_long lnum = 0; |
| 1990 | char *path, *cp, *ep, line[SSH_MAX_PUBKEY_BYTES]; |
| 1991 | unsigned long long serial, serial2; |
| 1992 | int i, was_explicit_key, was_sha1, r; |
| 1993 | FILE *krl_spec; |
| 1994 | |
| 1995 | path = tilde_expand_filename(file, pw->pw_uid); |
| 1996 | if (strcmp(path, "-") == 0) { |
| 1997 | krl_spec = stdin; |
| 1998 | free(path); |
| 1999 | path = xstrdup("(standard input)"); |
| 2000 | } else if ((krl_spec = fopen(path, "r")) == NULL) |
| 2001 | fatal("fopen %s: %s", path, strerror(errno)); |
| 2002 | |
| 2003 | if (!quiet) |
| 2004 | printf("Revoking from %s\n", path); |
| 2005 | while (read_keyfile_line(krl_spec, path, line, sizeof(line), |
| 2006 | &lnum) == 0) { |
| 2007 | was_explicit_key = was_sha1 = 0; |
| 2008 | cp = line + strspn(line, " \t"); |
| 2009 | /* Trim trailing space, comments and strip \n */ |
| 2010 | for (i = 0, r = -1; cp[i] != '\0'; i++) { |
| 2011 | if (cp[i] == '#' || cp[i] == '\n') { |
| 2012 | cp[i] = '\0'; |
| 2013 | break; |
| 2014 | } |
| 2015 | if (cp[i] == ' ' || cp[i] == '\t') { |
| 2016 | /* Remember the start of a span of whitespace */ |
| 2017 | if (r == -1) |
| 2018 | r = i; |
| 2019 | } else |
| 2020 | r = -1; |
| 2021 | } |
| 2022 | if (r != -1) |
| 2023 | cp[r] = '\0'; |
| 2024 | if (*cp == '\0') |
| 2025 | continue; |
| 2026 | if (strncasecmp(cp, "serial:", 7) == 0) { |
| 2027 | if (ca == NULL && !wild_ca) { |
| 2028 | fatal("revoking certificates by serial number " |
| 2029 | "requires specification of a CA key"); |
| 2030 | } |
| 2031 | cp += 7; |
| 2032 | cp = cp + strspn(cp, " \t"); |
| 2033 | errno = 0; |
| 2034 | serial = strtoull(cp, &ep, 0); |
| 2035 | if (*cp == '\0' || (*ep != '\0' && *ep != '-')) |
| 2036 | fatal("%s:%lu: invalid serial \"%s\"", |
| 2037 | path, lnum, cp); |
| 2038 | if (errno == ERANGE && serial == ULLONG_MAX) |
| 2039 | fatal("%s:%lu: serial out of range", |
| 2040 | path, lnum); |
| 2041 | serial2 = serial; |
| 2042 | if (*ep == '-') { |
| 2043 | cp = ep + 1; |
| 2044 | errno = 0; |
| 2045 | serial2 = strtoull(cp, &ep, 0); |
| 2046 | if (*cp == '\0' || *ep != '\0') |
| 2047 | fatal("%s:%lu: invalid serial \"%s\"", |
| 2048 | path, lnum, cp); |
| 2049 | if (errno == ERANGE && serial2 == ULLONG_MAX) |
| 2050 | fatal("%s:%lu: serial out of range", |
| 2051 | path, lnum); |
| 2052 | if (serial2 <= serial) |
| 2053 | fatal("%s:%lu: invalid serial range " |
| 2054 | "%llu:%llu", path, lnum, |
| 2055 | (unsigned long long)serial, |
| 2056 | (unsigned long long)serial2); |
| 2057 | } |
| 2058 | if (ssh_krl_revoke_cert_by_serial_range(krl, |
| 2059 | ca, serial, serial2) != 0) { |
| 2060 | fatal("%s: revoke serial failed", |
| 2061 | __func__); |
| 2062 | } |
| 2063 | } else if (strncasecmp(cp, "id:", 3) == 0) { |
| 2064 | if (ca == NULL && !wild_ca) { |
| 2065 | fatal("revoking certificates by key ID " |
| 2066 | "requires specification of a CA key"); |
| 2067 | } |
| 2068 | cp += 3; |
| 2069 | cp = cp + strspn(cp, " \t"); |
| 2070 | if (ssh_krl_revoke_cert_by_key_id(krl, ca, cp) != 0) |
| 2071 | fatal("%s: revoke key ID failed", __func__); |
| 2072 | } else { |
| 2073 | if (strncasecmp(cp, "key:", 4) == 0) { |
| 2074 | cp += 4; |
| 2075 | cp = cp + strspn(cp, " \t"); |
| 2076 | was_explicit_key = 1; |
| 2077 | } else if (strncasecmp(cp, "sha1:", 5) == 0) { |
| 2078 | cp += 5; |
| 2079 | cp = cp + strspn(cp, " \t"); |
| 2080 | was_sha1 = 1; |
| 2081 | } else { |
| 2082 | /* |
| 2083 | * Just try to process the line as a key. |
| 2084 | * Parsing will fail if it isn't. |
| 2085 | */ |
| 2086 | } |
| 2087 | if ((key = sshkey_new(KEY_UNSPEC)) == NULL) |
| 2088 | fatal("key_new"); |
| 2089 | if ((r = sshkey_read(key, &cp)) != 0) |
| 2090 | fatal("%s:%lu: invalid key: %s", |
| 2091 | path, lnum, ssh_err(r)); |
| 2092 | if (was_explicit_key) |
| 2093 | r = ssh_krl_revoke_key_explicit(krl, key); |
| 2094 | else if (was_sha1) |
| 2095 | r = ssh_krl_revoke_key_sha1(krl, key); |
| 2096 | else |
| 2097 | r = ssh_krl_revoke_key(krl, key); |
| 2098 | if (r != 0) |
| 2099 | fatal("%s: revoke key failed: %s", |
| 2100 | __func__, ssh_err(r)); |
| 2101 | sshkey_free(key); |
| 2102 | } |
| 2103 | } |
| 2104 | if (strcmp(path, "-") != 0) |
| 2105 | fclose(krl_spec); |
| 2106 | free(path); |
| 2107 | } |
| 2108 | |
| 2109 | static void |
| 2110 | do_gen_krl(struct passwd *pw, int updating, int argc, char **argv) |
| 2111 | { |
| 2112 | struct ssh_krl *krl; |
| 2113 | struct stat sb; |
| 2114 | struct sshkey *ca = NULL; |
| 2115 | int fd, i, r, wild_ca = 0; |
| 2116 | char *tmp; |
| 2117 | struct sshbuf *kbuf; |
| 2118 | |
| 2119 | if (*identity_file == '\0') |
| 2120 | fatal("KRL generation requires an output file"); |
| 2121 | if (stat(identity_file, &sb) == -1) { |
| 2122 | if (errno != ENOENT) |
| 2123 | fatal("Cannot access KRL \"%s\": %s", |
| 2124 | identity_file, strerror(errno)); |
| 2125 | if (updating) |
| 2126 | fatal("KRL \"%s\" does not exist", identity_file); |
| 2127 | } |
| 2128 | if (ca_key_path != NULL) { |
| 2129 | if (strcasecmp(ca_key_path, "none") == 0) |
| 2130 | wild_ca = 1; |
| 2131 | else { |
| 2132 | tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); |
| 2133 | if ((r = sshkey_load_public(tmp, &ca, NULL)) != 0) |
| 2134 | fatal("Cannot load CA public key %s: %s", |
| 2135 | tmp, ssh_err(r)); |
| 2136 | free(tmp); |
| 2137 | } |
| 2138 | } |
| 2139 | |
| 2140 | if (updating) |
| 2141 | load_krl(identity_file, &krl); |
| 2142 | else if ((krl = ssh_krl_init()) == NULL) |
| 2143 | fatal("couldn't create KRL"); |
| 2144 | |
| 2145 | if (cert_serial != 0) |
| 2146 | ssh_krl_set_version(krl, cert_serial); |
| 2147 | if (identity_comment != NULL) |
| 2148 | ssh_krl_set_comment(krl, identity_comment); |
| 2149 | |
| 2150 | for (i = 0; i < argc; i++) |
| 2151 | update_krl_from_file(pw, argv[i], wild_ca, ca, krl); |
| 2152 | |
| 2153 | if ((kbuf = sshbuf_new()) == NULL) |
| 2154 | fatal("sshbuf_new failed"); |
| 2155 | if (ssh_krl_to_blob(krl, kbuf, NULL, 0) != 0) |
| 2156 | fatal("Couldn't generate KRL"); |
| 2157 | if ((fd = open(identity_file, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1) |
| 2158 | fatal("open %s: %s", identity_file, strerror(errno)); |
| 2159 | if (atomicio(vwrite, fd, (void *)sshbuf_ptr(kbuf), sshbuf_len(kbuf)) != |
| 2160 | sshbuf_len(kbuf)) |
| 2161 | fatal("write %s: %s", identity_file, strerror(errno)); |
| 2162 | close(fd); |
| 2163 | sshbuf_free(kbuf); |
| 2164 | ssh_krl_free(krl); |
| 2165 | if (ca != NULL) |
| 2166 | sshkey_free(ca); |
| 2167 | } |
| 2168 | |
| 2169 | static void |
| 2170 | do_check_krl(struct passwd *pw, int argc, char **argv) |
| 2171 | { |
| 2172 | int i, r, ret = 0; |
| 2173 | char *comment; |
| 2174 | struct ssh_krl *krl; |
| 2175 | struct sshkey *k; |
| 2176 | |
| 2177 | if (*identity_file == '\0') |
| 2178 | fatal("KRL checking requires an input file"); |
| 2179 | load_krl(identity_file, &krl); |
| 2180 | for (i = 0; i < argc; i++) { |
| 2181 | if ((r = sshkey_load_public(argv[i], &k, &comment)) != 0) |
| 2182 | fatal("Cannot load public key %s: %s", |
| 2183 | argv[i], ssh_err(r)); |
| 2184 | r = ssh_krl_check_key(krl, k); |
| 2185 | printf("%s%s%s%s: %s\n", argv[i], |
| 2186 | *comment ? " (" : "", comment, *comment ? ")" : "", |
| 2187 | r == 0 ? "ok" : "REVOKED"); |
| 2188 | if (r != 0) |
| 2189 | ret = 1; |
| 2190 | sshkey_free(k); |
| 2191 | free(comment); |
| 2192 | } |
| 2193 | ssh_krl_free(krl); |
| 2194 | exit(ret); |
| 2195 | } |
| 2196 | |
| 2197 | static void |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2198 | usage(void) |
| 2199 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2200 | fprintf(stderr, |
| 2201 | "usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]\n" |
| 2202 | " [-N new_passphrase] [-C comment] [-f output_keyfile]\n" |
| 2203 | " ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]\n" |
| 2204 | " ssh-keygen -i [-m key_format] [-f input_keyfile]\n" |
| 2205 | " ssh-keygen -e [-m key_format] [-f input_keyfile]\n" |
| 2206 | " ssh-keygen -y [-f input_keyfile]\n" |
| 2207 | " ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n" |
| 2208 | " ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]\n" |
| 2209 | " ssh-keygen -B [-f input_keyfile]\n"); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2210 | #ifdef ENABLE_PKCS11 |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2211 | fprintf(stderr, |
| 2212 | " ssh-keygen -D pkcs11\n"); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2213 | #endif |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2214 | fprintf(stderr, |
| 2215 | " ssh-keygen -F hostname [-f known_hosts_file] [-l]\n" |
| 2216 | " ssh-keygen -H [-f known_hosts_file]\n" |
| 2217 | " ssh-keygen -R hostname [-f known_hosts_file]\n" |
| 2218 | " ssh-keygen -r hostname [-f input_keyfile] [-g]\n" |
| 2219 | " ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]\n" |
| 2220 | " ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]\n" |
| 2221 | " [-j start_line] [-K checkpt] [-W generator]\n" |
| 2222 | " ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]\n" |
| 2223 | " [-O option] [-V validity_interval] [-z serial_number] file ...\n" |
| 2224 | " ssh-keygen -L [-f input_keyfile]\n" |
| 2225 | " ssh-keygen -A\n" |
| 2226 | " ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n" |
| 2227 | " file ...\n" |
| 2228 | " ssh-keygen -Q -f krl_file file ...\n"); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2229 | exit(1); |
| 2230 | } |
| 2231 | |
| 2232 | /* |
| 2233 | * Main program for key management. |
| 2234 | */ |
| 2235 | int |
| 2236 | main(int argc, char **argv) |
| 2237 | { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2238 | char dotsshdir[PATH_MAX], comment[1024], *passphrase1, *passphrase2; |
| 2239 | char *checkpoint = NULL; |
| 2240 | char out_file[PATH_MAX], *rr_hostname = NULL, *ep, *fp, *ra; |
| 2241 | struct sshkey *private, *public; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2242 | struct passwd *pw; |
| 2243 | struct stat st; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2244 | int r, opt, type, fd; |
| 2245 | u_int32_t memory = 0, generator_wanted = 0; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2246 | int do_gen_candidates = 0, do_screen_candidates = 0; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2247 | int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0; |
| 2248 | unsigned long start_lineno = 0, lines_to_process = 0; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2249 | BIGNUM *start = NULL; |
| 2250 | FILE *f; |
| 2251 | const char *errstr; |
| 2252 | |
| 2253 | extern int optind; |
| 2254 | extern char *optarg; |
| 2255 | |
| 2256 | /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ |
| 2257 | sanitise_stdfd(); |
| 2258 | |
| 2259 | __progname = ssh_get_progname(argv[0]); |
| 2260 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2261 | #ifdef WITH_OPENSSL |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2262 | OpenSSL_add_all_algorithms(); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2263 | #endif |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2264 | log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); |
| 2265 | |
| 2266 | seed_rng(); |
| 2267 | |
| 2268 | /* we need this for the home * directory. */ |
| 2269 | pw = getpwuid(getuid()); |
| 2270 | if (!pw) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2271 | printf("No user exists for uid %lu\n", (u_long)getuid()); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2272 | exit(1); |
| 2273 | } |
| 2274 | if (gethostname(hostname, sizeof(hostname)) < 0) { |
| 2275 | perror("gethostname"); |
| 2276 | exit(1); |
| 2277 | } |
| 2278 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2279 | /* Remaining characters: UYdw */ |
| 2280 | while ((opt = getopt(argc, argv, "ABHLQXceghiklopquvxy" |
| 2281 | "C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:" |
| 2282 | "a:b:f:g:j:m:n:r:s:t:z:")) != -1) { |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2283 | switch (opt) { |
| 2284 | case 'A': |
| 2285 | gen_all_hostkeys = 1; |
| 2286 | break; |
| 2287 | case 'b': |
| 2288 | bits = (u_int32_t)strtonum(optarg, 256, 32768, &errstr); |
| 2289 | if (errstr) |
| 2290 | fatal("Bits has bad value %s (%s)", |
| 2291 | optarg, errstr); |
| 2292 | break; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2293 | case 'E': |
| 2294 | fingerprint_hash = ssh_digest_alg_by_name(optarg); |
| 2295 | if (fingerprint_hash == -1) |
| 2296 | fatal("Invalid hash algorithm \"%s\"", optarg); |
| 2297 | break; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2298 | case 'F': |
| 2299 | find_host = 1; |
| 2300 | rr_hostname = optarg; |
| 2301 | break; |
| 2302 | case 'H': |
| 2303 | hash_hosts = 1; |
| 2304 | break; |
| 2305 | case 'I': |
| 2306 | cert_key_id = optarg; |
| 2307 | break; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2308 | case 'J': |
| 2309 | lines_to_process = strtoul(optarg, NULL, 10); |
| 2310 | break; |
| 2311 | case 'j': |
| 2312 | start_lineno = strtoul(optarg, NULL, 10); |
| 2313 | break; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2314 | case 'R': |
| 2315 | delete_host = 1; |
| 2316 | rr_hostname = optarg; |
| 2317 | break; |
| 2318 | case 'L': |
| 2319 | show_cert = 1; |
| 2320 | break; |
| 2321 | case 'l': |
| 2322 | print_fingerprint = 1; |
| 2323 | break; |
| 2324 | case 'B': |
| 2325 | print_bubblebabble = 1; |
| 2326 | break; |
| 2327 | case 'm': |
| 2328 | if (strcasecmp(optarg, "RFC4716") == 0 || |
| 2329 | strcasecmp(optarg, "ssh2") == 0) { |
| 2330 | convert_format = FMT_RFC4716; |
| 2331 | break; |
| 2332 | } |
| 2333 | if (strcasecmp(optarg, "PKCS8") == 0) { |
| 2334 | convert_format = FMT_PKCS8; |
| 2335 | break; |
| 2336 | } |
| 2337 | if (strcasecmp(optarg, "PEM") == 0) { |
| 2338 | convert_format = FMT_PEM; |
| 2339 | break; |
| 2340 | } |
| 2341 | fatal("Unsupported conversion format \"%s\"", optarg); |
| 2342 | case 'n': |
| 2343 | cert_principals = optarg; |
| 2344 | break; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2345 | case 'o': |
| 2346 | use_new_format = 1; |
| 2347 | break; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2348 | case 'p': |
| 2349 | change_passphrase = 1; |
| 2350 | break; |
| 2351 | case 'c': |
| 2352 | change_comment = 1; |
| 2353 | break; |
| 2354 | case 'f': |
| 2355 | if (strlcpy(identity_file, optarg, sizeof(identity_file)) >= |
| 2356 | sizeof(identity_file)) |
| 2357 | fatal("Identity filename too long"); |
| 2358 | have_identity = 1; |
| 2359 | break; |
| 2360 | case 'g': |
| 2361 | print_generic = 1; |
| 2362 | break; |
| 2363 | case 'P': |
| 2364 | identity_passphrase = optarg; |
| 2365 | break; |
| 2366 | case 'N': |
| 2367 | identity_new_passphrase = optarg; |
| 2368 | break; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2369 | case 'Q': |
| 2370 | check_krl = 1; |
| 2371 | break; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2372 | case 'O': |
| 2373 | add_cert_option(optarg); |
| 2374 | break; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2375 | case 'Z': |
| 2376 | new_format_cipher = optarg; |
| 2377 | break; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2378 | case 'C': |
| 2379 | identity_comment = optarg; |
| 2380 | break; |
| 2381 | case 'q': |
| 2382 | quiet = 1; |
| 2383 | break; |
| 2384 | case 'e': |
| 2385 | case 'x': |
| 2386 | /* export key */ |
| 2387 | convert_to = 1; |
| 2388 | break; |
| 2389 | case 'h': |
| 2390 | cert_key_type = SSH2_CERT_TYPE_HOST; |
| 2391 | certflags_flags = 0; |
| 2392 | break; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2393 | case 'k': |
| 2394 | gen_krl = 1; |
| 2395 | break; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2396 | case 'i': |
| 2397 | case 'X': |
| 2398 | /* import key */ |
| 2399 | convert_from = 1; |
| 2400 | break; |
| 2401 | case 'y': |
| 2402 | print_public = 1; |
| 2403 | break; |
| 2404 | case 's': |
| 2405 | ca_key_path = optarg; |
| 2406 | break; |
| 2407 | case 't': |
| 2408 | key_type_name = optarg; |
| 2409 | break; |
| 2410 | case 'D': |
| 2411 | pkcs11provider = optarg; |
| 2412 | break; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2413 | case 'u': |
| 2414 | update_krl = 1; |
| 2415 | break; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2416 | case 'v': |
| 2417 | if (log_level == SYSLOG_LEVEL_INFO) |
| 2418 | log_level = SYSLOG_LEVEL_DEBUG1; |
| 2419 | else { |
| 2420 | if (log_level >= SYSLOG_LEVEL_DEBUG1 && |
| 2421 | log_level < SYSLOG_LEVEL_DEBUG3) |
| 2422 | log_level++; |
| 2423 | } |
| 2424 | break; |
| 2425 | case 'r': |
| 2426 | rr_hostname = optarg; |
| 2427 | break; |
| 2428 | case 'W': |
| 2429 | generator_wanted = (u_int32_t)strtonum(optarg, 1, |
| 2430 | UINT_MAX, &errstr); |
| 2431 | if (errstr) |
| 2432 | fatal("Desired generator has bad value: %s (%s)", |
| 2433 | optarg, errstr); |
| 2434 | break; |
| 2435 | case 'a': |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2436 | rounds = (int)strtonum(optarg, 1, INT_MAX, &errstr); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2437 | if (errstr) |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2438 | fatal("Invalid number: %s (%s)", |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2439 | optarg, errstr); |
| 2440 | break; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2441 | #ifdef WITH_OPENSSL |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2442 | case 'M': |
| 2443 | memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr); |
| 2444 | if (errstr) |
| 2445 | fatal("Memory limit is %s: %s", errstr, optarg); |
| 2446 | break; |
| 2447 | case 'G': |
| 2448 | do_gen_candidates = 1; |
| 2449 | if (strlcpy(out_file, optarg, sizeof(out_file)) >= |
| 2450 | sizeof(out_file)) |
| 2451 | fatal("Output filename too long"); |
| 2452 | break; |
| 2453 | case 'T': |
| 2454 | do_screen_candidates = 1; |
| 2455 | if (strlcpy(out_file, optarg, sizeof(out_file)) >= |
| 2456 | sizeof(out_file)) |
| 2457 | fatal("Output filename too long"); |
| 2458 | break; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2459 | case 'K': |
| 2460 | if (strlen(optarg) >= PATH_MAX) |
| 2461 | fatal("Checkpoint filename too long"); |
| 2462 | checkpoint = xstrdup(optarg); |
| 2463 | break; |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2464 | case 'S': |
| 2465 | /* XXX - also compare length against bits */ |
| 2466 | if (BN_hex2bn(&start, optarg) == 0) |
| 2467 | fatal("Invalid start point."); |
| 2468 | break; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2469 | #endif /* WITH_OPENSSL */ |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2470 | case 'V': |
| 2471 | parse_cert_times(optarg); |
| 2472 | break; |
| 2473 | case 'z': |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2474 | errno = 0; |
| 2475 | cert_serial = strtoull(optarg, &ep, 10); |
| 2476 | if (*optarg < '0' || *optarg > '9' || *ep != '\0' || |
| 2477 | (errno == ERANGE && cert_serial == ULLONG_MAX)) |
| 2478 | fatal("Invalid serial number \"%s\"", optarg); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2479 | break; |
| 2480 | case '?': |
| 2481 | default: |
| 2482 | usage(); |
| 2483 | } |
| 2484 | } |
| 2485 | |
| 2486 | /* reinit */ |
| 2487 | log_init(argv[0], log_level, SYSLOG_FACILITY_USER, 1); |
| 2488 | |
| 2489 | argv += optind; |
| 2490 | argc -= optind; |
| 2491 | |
| 2492 | if (ca_key_path != NULL) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2493 | if (argc < 1 && !gen_krl) { |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2494 | printf("Too few arguments.\n"); |
| 2495 | usage(); |
| 2496 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2497 | } else if (argc > 0 && !gen_krl && !check_krl) { |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2498 | printf("Too many arguments.\n"); |
| 2499 | usage(); |
| 2500 | } |
| 2501 | if (change_passphrase && change_comment) { |
| 2502 | printf("Can only have one of -p and -c.\n"); |
| 2503 | usage(); |
| 2504 | } |
| 2505 | if (print_fingerprint && (delete_host || hash_hosts)) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2506 | printf("Cannot use -l with -H or -R.\n"); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2507 | usage(); |
| 2508 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2509 | if (gen_krl) { |
| 2510 | do_gen_krl(pw, update_krl, argc, argv); |
| 2511 | return (0); |
| 2512 | } |
| 2513 | if (check_krl) { |
| 2514 | do_check_krl(pw, argc, argv); |
| 2515 | return (0); |
| 2516 | } |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2517 | if (ca_key_path != NULL) { |
| 2518 | if (cert_key_id == NULL) |
| 2519 | fatal("Must specify key id (-I) when certifying"); |
| 2520 | do_ca_sign(pw, argc, argv); |
| 2521 | } |
| 2522 | if (show_cert) |
| 2523 | do_show_cert(pw); |
| 2524 | if (delete_host || hash_hosts || find_host) |
| 2525 | do_known_hosts(pw, rr_hostname); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2526 | if (pkcs11provider != NULL) |
| 2527 | do_download(pw); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2528 | if (print_fingerprint || print_bubblebabble) |
| 2529 | do_fingerprint(pw); |
| 2530 | if (change_passphrase) |
| 2531 | do_change_passphrase(pw); |
| 2532 | if (change_comment) |
| 2533 | do_change_comment(pw); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2534 | #ifdef WITH_OPENSSL |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2535 | if (convert_to) |
| 2536 | do_convert_to(pw); |
| 2537 | if (convert_from) |
| 2538 | do_convert_from(pw); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2539 | #endif |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2540 | if (print_public) |
| 2541 | do_print_public(pw); |
| 2542 | if (rr_hostname != NULL) { |
| 2543 | unsigned int n = 0; |
| 2544 | |
| 2545 | if (have_identity) { |
| 2546 | n = do_print_resource_record(pw, |
| 2547 | identity_file, rr_hostname); |
| 2548 | if (n == 0) { |
| 2549 | perror(identity_file); |
| 2550 | exit(1); |
| 2551 | } |
| 2552 | exit(0); |
| 2553 | } else { |
| 2554 | |
| 2555 | n += do_print_resource_record(pw, |
| 2556 | _PATH_HOST_RSA_KEY_FILE, rr_hostname); |
| 2557 | n += do_print_resource_record(pw, |
| 2558 | _PATH_HOST_DSA_KEY_FILE, rr_hostname); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2559 | n += do_print_resource_record(pw, |
| 2560 | _PATH_HOST_ECDSA_KEY_FILE, rr_hostname); |
| 2561 | n += do_print_resource_record(pw, |
| 2562 | _PATH_HOST_ED25519_KEY_FILE, rr_hostname); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2563 | if (n == 0) |
| 2564 | fatal("no keys found."); |
| 2565 | exit(0); |
| 2566 | } |
| 2567 | } |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2568 | |
| 2569 | if (do_gen_candidates) { |
| 2570 | FILE *out = fopen(out_file, "w"); |
| 2571 | |
| 2572 | if (out == NULL) { |
| 2573 | error("Couldn't open modulus candidate file \"%s\": %s", |
| 2574 | out_file, strerror(errno)); |
| 2575 | return (1); |
| 2576 | } |
| 2577 | if (bits == 0) |
| 2578 | bits = DEFAULT_BITS; |
| 2579 | if (gen_candidates(out, memory, bits, start) != 0) |
| 2580 | fatal("modulus candidate generation failed"); |
| 2581 | |
| 2582 | return (0); |
| 2583 | } |
| 2584 | |
| 2585 | if (do_screen_candidates) { |
| 2586 | FILE *in; |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2587 | FILE *out = fopen(out_file, "a"); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2588 | |
| 2589 | if (have_identity && strcmp(identity_file, "-") != 0) { |
| 2590 | if ((in = fopen(identity_file, "r")) == NULL) { |
| 2591 | fatal("Couldn't open modulus candidate " |
| 2592 | "file \"%s\": %s", identity_file, |
| 2593 | strerror(errno)); |
| 2594 | } |
| 2595 | } else |
| 2596 | in = stdin; |
| 2597 | |
| 2598 | if (out == NULL) { |
| 2599 | fatal("Couldn't open moduli file \"%s\": %s", |
| 2600 | out_file, strerror(errno)); |
| 2601 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2602 | if (prime_test(in, out, rounds == 0 ? 100 : rounds, |
| 2603 | generator_wanted, checkpoint, |
| 2604 | start_lineno, lines_to_process) != 0) |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2605 | fatal("modulus screening failed"); |
| 2606 | return (0); |
| 2607 | } |
| 2608 | |
| 2609 | if (gen_all_hostkeys) { |
| 2610 | do_gen_all_hostkeys(pw); |
| 2611 | return (0); |
| 2612 | } |
| 2613 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2614 | if (key_type_name == NULL) |
| 2615 | key_type_name = "rsa"; |
| 2616 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2617 | type = sshkey_type_from_name(key_type_name); |
| 2618 | type_bits_valid(type, key_type_name, &bits); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2619 | |
| 2620 | if (!quiet) |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2621 | printf("Generating public/private %s key pair.\n", |
| 2622 | key_type_name); |
| 2623 | if ((r = sshkey_generate(type, bits, &private)) != 0) { |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2624 | fprintf(stderr, "key_generate failed\n"); |
| 2625 | exit(1); |
| 2626 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2627 | if ((r = sshkey_from_private(private, &public)) != 0) { |
| 2628 | fprintf(stderr, "key_from_private failed: %s\n", ssh_err(r)); |
| 2629 | exit(1); |
| 2630 | } |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2631 | |
| 2632 | if (!have_identity) |
| 2633 | ask_filename(pw, "Enter file in which to save the key"); |
| 2634 | |
| 2635 | /* Create ~/.ssh directory if it doesn't already exist. */ |
| 2636 | snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", |
| 2637 | pw->pw_dir, _PATH_SSH_USER_DIR); |
| 2638 | if (strstr(identity_file, dotsshdir) != NULL) { |
| 2639 | if (stat(dotsshdir, &st) < 0) { |
| 2640 | if (errno != ENOENT) { |
| 2641 | error("Could not stat %s: %s", dotsshdir, |
| 2642 | strerror(errno)); |
| 2643 | } else if (mkdir(dotsshdir, 0700) < 0) { |
| 2644 | error("Could not create directory '%s': %s", |
| 2645 | dotsshdir, strerror(errno)); |
| 2646 | } else if (!quiet) |
| 2647 | printf("Created directory '%s'.\n", dotsshdir); |
| 2648 | } |
| 2649 | } |
| 2650 | /* If the file already exists, ask the user to confirm. */ |
| 2651 | if (stat(identity_file, &st) >= 0) { |
| 2652 | char yesno[3]; |
| 2653 | printf("%s already exists.\n", identity_file); |
| 2654 | printf("Overwrite (y/n)? "); |
| 2655 | fflush(stdout); |
| 2656 | if (fgets(yesno, sizeof(yesno), stdin) == NULL) |
| 2657 | exit(1); |
| 2658 | if (yesno[0] != 'y' && yesno[0] != 'Y') |
| 2659 | exit(1); |
| 2660 | } |
| 2661 | /* Ask for a passphrase (twice). */ |
| 2662 | if (identity_passphrase) |
| 2663 | passphrase1 = xstrdup(identity_passphrase); |
| 2664 | else if (identity_new_passphrase) |
| 2665 | passphrase1 = xstrdup(identity_new_passphrase); |
| 2666 | else { |
| 2667 | passphrase_again: |
| 2668 | passphrase1 = |
| 2669 | read_passphrase("Enter passphrase (empty for no " |
| 2670 | "passphrase): ", RP_ALLOW_STDIN); |
| 2671 | passphrase2 = read_passphrase("Enter same passphrase again: ", |
| 2672 | RP_ALLOW_STDIN); |
| 2673 | if (strcmp(passphrase1, passphrase2) != 0) { |
| 2674 | /* |
| 2675 | * The passphrases do not match. Clear them and |
| 2676 | * retry. |
| 2677 | */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2678 | explicit_bzero(passphrase1, strlen(passphrase1)); |
| 2679 | explicit_bzero(passphrase2, strlen(passphrase2)); |
| 2680 | free(passphrase1); |
| 2681 | free(passphrase2); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2682 | printf("Passphrases do not match. Try again.\n"); |
| 2683 | goto passphrase_again; |
| 2684 | } |
| 2685 | /* Clear the other copy of the passphrase. */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2686 | explicit_bzero(passphrase2, strlen(passphrase2)); |
| 2687 | free(passphrase2); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2688 | } |
| 2689 | |
| 2690 | if (identity_comment) { |
| 2691 | strlcpy(comment, identity_comment, sizeof(comment)); |
| 2692 | } else { |
| 2693 | /* Create default comment field for the passphrase. */ |
| 2694 | snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname); |
| 2695 | } |
| 2696 | |
| 2697 | /* Save the key with the given passphrase and comment. */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2698 | if ((r = sshkey_save_private(private, identity_file, passphrase1, |
| 2699 | comment, use_new_format, new_format_cipher, rounds)) != 0) { |
| 2700 | printf("Saving key \"%s\" failed: %s\n", |
| 2701 | identity_file, ssh_err(r)); |
| 2702 | explicit_bzero(passphrase1, strlen(passphrase1)); |
| 2703 | free(passphrase1); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2704 | exit(1); |
| 2705 | } |
| 2706 | /* Clear the passphrase. */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2707 | explicit_bzero(passphrase1, strlen(passphrase1)); |
| 2708 | free(passphrase1); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2709 | |
| 2710 | /* Clear the private key and the random number generator. */ |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2711 | sshkey_free(private); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2712 | |
| 2713 | if (!quiet) |
| 2714 | printf("Your identification has been saved in %s.\n", identity_file); |
| 2715 | |
| 2716 | strlcat(identity_file, ".pub", sizeof(identity_file)); |
| 2717 | fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644); |
| 2718 | if (fd == -1) { |
| 2719 | printf("Could not save your public key in %s\n", identity_file); |
| 2720 | exit(1); |
| 2721 | } |
| 2722 | f = fdopen(fd, "w"); |
| 2723 | if (f == NULL) { |
| 2724 | printf("fdopen %s failed\n", identity_file); |
| 2725 | exit(1); |
| 2726 | } |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2727 | if ((r = sshkey_write(public, f)) != 0) |
| 2728 | fprintf(stderr, "write key failed: %s\n", ssh_err(r)); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2729 | fprintf(f, " %s\n", comment); |
| 2730 | fclose(f); |
| 2731 | |
| 2732 | if (!quiet) { |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2733 | fp = sshkey_fingerprint(public, fingerprint_hash, |
| 2734 | SSH_FP_DEFAULT); |
| 2735 | ra = sshkey_fingerprint(public, fingerprint_hash, |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2736 | SSH_FP_RANDOMART); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2737 | if (fp == NULL || ra == NULL) |
| 2738 | fatal("sshkey_fingerprint failed"); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2739 | printf("Your public key has been saved in %s.\n", |
| 2740 | identity_file); |
| 2741 | printf("The key fingerprint is:\n"); |
| 2742 | printf("%s %s\n", fp, comment); |
| 2743 | printf("The key's randomart image is:\n"); |
| 2744 | printf("%s\n", ra); |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2745 | free(ra); |
| 2746 | free(fp); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2747 | } |
| 2748 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 2749 | sshkey_free(public); |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2750 | exit(0); |
| 2751 | } |