1 typedef unsigned int __u_int;
2 typedef unsigned long int __u_long;
3 __extension__ typedef unsigned int __uid_t;
4 __extension__ typedef long int __time_t;
5 __extension__ typedef int __ssize_t;
7 typedef __u_long u_long;
8 typedef __ssize_t ssize_t;
9 typedef __time_t time_t;
10 typedef unsigned int size_t;
11 typedef unsigned int u_int32_t __attribute__ ((__mode__(__SI__)));
12 typedef unsigned int u_int64_t __attribute__ ((__mode__(__DI__)));
15 extern int *__errno_location(void) __attribute__ ((__nothrow__, __leaf__))
16 __attribute__ ((__const__));
22 typedef struct _IO_FILE FILE;
23 extern struct _IO_FILE *stdin;
24 extern struct _IO_FILE *stdout;
25 extern struct _IO_FILE *stderr;
28 typedef struct bignum_st BIGNUM;
29 extern ssize_t write(int __fd, const void *__buf, size_t __n)
30 __attribute__ ((__warn_unused_result__));
31 typedef struct Key Key;
33 KEY_RSA1, KEY_RSA, KEY_DSA, KEY_ECDSA, KEY_ED25519, KEY_RSA_CERT,
34 KEY_DSA_CERT, KEY_ECDSA_CERT, KEY_ED25519_CERT, KEY_RSA_CERT_V00,
35 KEY_DSA_CERT_V00, KEY_UNSPEC
38 SSH_FP_SHA1, SSH_FP_MD5, SSH_FP_SHA256
41 SSH_FP_HEX, SSH_FP_BUBBLEBABBLE, SSH_FP_RANDOMART
48 u_int64_t valid_after, valid_before;
58 SYSLOG_FACILITY_DAEMON, SYSLOG_FACILITY_USER, SYSLOG_FACILITY_AUTH,
59 SYSLOG_FACILITY_LOCAL0, SYSLOG_FACILITY_LOCAL1,
60 SYSLOG_FACILITY_LOCAL2, SYSLOG_FACILITY_LOCAL3,
61 SYSLOG_FACILITY_LOCAL4, SYSLOG_FACILITY_LOCAL5,
62 SYSLOG_FACILITY_LOCAL6, SYSLOG_FACILITY_LOCAL7,
63 SYSLOG_FACILITY_NOT_SET = -1
66 SYSLOG_LEVEL_QUIET, SYSLOG_LEVEL_FATAL, SYSLOG_LEVEL_ERROR,
67 SYSLOG_LEVEL_INFO, SYSLOG_LEVEL_VERBOSE, SYSLOG_LEVEL_DEBUG1,
68 SYSLOG_LEVEL_DEBUG2, SYSLOG_LEVEL_DEBUG3, SYSLOG_LEVEL_NOT_SET = -1
71 int change_passphrase = 0;
72 int change_comment = 0;
74 int log_level = SYSLOG_LEVEL_INFO;
79 int print_fingerprint = 0;
80 int print_bubblebabble = 0;
81 char identity_file[1024];
82 int have_identity = 0;
83 char *identity_passphrase = ((void *)0);
84 char *identity_new_passphrase = ((void *)0);
85 char *identity_comment = ((void *)0);
86 char *ca_key_path = ((void *)0);
87 unsigned long long cert_serial = 0;
88 u_int cert_key_type = 1;
89 char *cert_key_id = ((void *)0);
90 char *cert_principals = ((void *)0);
91 u_int32_t certflags_flags = ((1) | (1 << 1) | (1 << 2) | (1 << 3) | (1 << 4));
95 FMT_RFC4716, FMT_PKCS8, FMT_PEM
96 } convert_format = FMT_RFC4716;
98 int print_generic = 0;
99 char *key_type_name = ((void *)0);
100 char *pkcs11provider = ((void *)0);
101 int use_new_format = 0;
102 char *new_format_cipher = ((void *)0);
104 extern char *__progname;
106 static void do_download(struct passwd *pw)
108 Key **keys = ((void *)0);
113 fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
114 rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
116 nkeys = pkcs11_add_provider(pkcs11provider, ((void *)0), &keys);
118 fatal("cannot read public key from pkcs11");
119 for (i = 0; i < nkeys; i++) {
120 if (print_fingerprint) {
121 fp = key_fingerprint(keys[i], fptype, rep);
122 ra = key_fingerprint(keys[i], SSH_FP_MD5,
124 printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]), fp,
126 if (log_level >= SYSLOG_LEVEL_VERBOSE)
130 key_write(keys[i], stdout);
131 fprintf(stdout, "\n");
139 static void do_fingerprint(struct passwd *pw)
143 char *comment = ((void *)0), *cp, *ep, line[16 * 1024], *fp, *ra;
144 int i, skip = 0, num = 0, invalid = 1;
148 fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
149 rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
151 ask_filename(pw, "Enter file in which the key is");
152 if (stat(identity_file, &st) < 0) {
153 perror(identity_file);
156 public = key_load_public(identity_file, &comment);
157 if (public != ((void *)0)) {
158 fp = key_fingerprint(public, fptype, rep);
159 ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
160 printf("%u %s %s (%s)\n", key_size(public), fp, comment,
162 if (log_level >= SYSLOG_LEVEL_VERBOSE)
173 if ((f = fopen(identity_file, "r")) == ((void *)0))
174 fatal("%s: %s: %s", __progname, identity_file,
175 strerror((*__errno_location())));
176 while (fgets(line, sizeof(line), f)) {
179 (__builtin_constant_p('\n') && !__builtin_constant_p(line)
180 && ('\n') == '\0' ? (char *)__rawmemchr(line,
182 __builtin_strchr(line, '\n')))) == ((void *)0)) {
183 error("line %d too long: %.40s...", num + 1, line);
191 for (cp = line; *cp == ' ' || *cp == '\t'; cp++) ;
192 if (!*cp || *cp == '\n' || *cp == '#')
194 i = strtol(cp, &ep, 10);
195 if (i == 0 || ep == ((void *)0) || (*ep != ' ' && *ep != '\t')) {
199 *cp && (quoted || (*cp != ' ' && *cp != '\t'));
201 if (*cp == '\\' && cp[1] == '"')
211 public = key_new(KEY_RSA1);
212 if (key_read(public, &cp) != 1) {
215 public = key_new(KEY_UNSPEC);
216 if (key_read(public, &cp) != 1) {
220 comment = *cp ? cp : comment;
221 fp = key_fingerprint(public, fptype, rep);
222 ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
223 printf("%u %s %s (%s)\n", key_size(public), fp,
224 comment ? comment : "no comment", key_type(public));
225 if (log_level >= SYSLOG_LEVEL_VERBOSE)
234 printf("%s is not a public key file.\n", identity_file);
239 static void do_gen_all_hostkeys(struct passwd *pw)
243 char *key_type_display;
247 "rsa1", "RSA1", "/etc/ssh" "/ssh_host_key"}
249 "rsa", "RSA", "/etc/ssh" "/ssh_host_rsa_key"}
251 ((void *)0), ((void *)0), ((void *)0)}
255 Key *private, *public;
259 for (i = 0; key_types[i].key_type; i++) {
260 if (stat(key_types[i].path, &st) == 0)
262 if ((*__errno_location()) != 2) {
263 printf("Could not stat %s: %s", key_types[i].path,
264 strerror((*__errno_location())));
268 printf("%s: generating new host keys: ", __progname);
270 printf("%s ", key_types[i].key_type_display);
272 type = key_type_from_name(key_types[i].key_type);
273 strlcpy(identity_file, key_types[i].path,
274 sizeof(identity_file));
276 type_bits_valid(type, &bits);
277 private = key_generate(type, bits);
278 if (private == ((void *)0)) {
279 fprintf(stderr, "key_generate failed\n");
281 public = key_from_private(private);
282 snprintf(comment, sizeof comment, "%s@%s", pw->pw_name,
284 if (!key_save_private
285 (private, identity_file, "", comment, use_new_format,
286 new_format_cipher, rounds)) {
287 printf("Saving the key failed: %s.\n", identity_file);
292 strlcat(identity_file, ".pub", sizeof(identity_file));
293 fd = open(identity_file, 01 | 00000400 | 01000, 0644);
295 printf("Could not save your public key in %s\n",
300 if (f == ((void *)0)) {
301 printf("fdopen %s failed\n", identity_file);
304 if (!key_write(public, f)) {
305 fprintf(stderr, "write key failed\n");
308 fprintf(f, " %s\n", comment);
316 static void do_known_hosts(struct passwd *pw, const char *name)
318 FILE *in, *out = stdout;
320 char *cp, *cp2, *kp, *kp2;
321 char line[16 * 1024], tmp[4096], old[4096];
322 int c, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0;
325 if (!have_identity) {
326 cp = tilde_expand_filename("~/" ".ssh" "/known_hosts",
328 if (strlcpy(identity_file, cp, sizeof(identity_file)) >=
329 sizeof(identity_file))
330 fatal("Specified known hosts path too long");
333 if ((in = fopen(identity_file, "r")) == ((void *)0))
334 fatal("%s: %s: %s", __progname, identity_file,
335 strerror((*__errno_location())));
336 if (!find_host && (hash_hosts || delete_host)) {
337 if (strlcpy(tmp, identity_file, sizeof(tmp)) >= sizeof(tmp)
338 || strlcat(tmp, ".XXXXXXXXXX", sizeof(tmp)) >= sizeof(tmp)
339 || strlcpy(old, identity_file, sizeof(old)) >= sizeof(old)
340 || strlcat(old, ".old", sizeof(old)) >= sizeof(old))
341 fatal("known_hosts path too long");
343 if ((c = mkstemp(tmp)) == -1)
344 fatal("mkstemp: %s", strerror((*__errno_location())));
345 if ((out = fdopen(c, "w")) == ((void *)0)) {
346 c = (*__errno_location());
348 fatal("fdopen: %s", strerror(c));
352 while (fgets(line, sizeof(line), in)) {
355 (__builtin_constant_p('\n') && !__builtin_constant_p(line)
356 && ('\n') == '\0' ? (char *)__rawmemchr(line,
358 __builtin_strchr(line, '\n')))) == ((void *)0)) {
359 error("line %d too long: %.40s...", num + 1, line);
368 for (cp = line; *cp == ' ' || *cp == '\t'; cp++) ;
369 if (!*cp || *cp == '\n' || *cp == '#') {
371 fprintf(out, "%s\n", cp);
374 (cp, "@cert-authority", sizeof("@cert-authority") - 1) == 0
375 && (cp[sizeof("@cert-authority") - 1] == ' '
376 || cp[sizeof("@cert-authority") - 1] == '\t')) {
378 cp += sizeof("@cert-authority");
381 for (kp = cp; *kp && *kp != ' ' && *kp != '\t'; kp++) ;
382 if (*kp == '\0' || *(kp + 1) == '\0') {
383 error("line %d missing key: %.40s...", num, line);
386 pub = key_new(KEY_RSA1);
387 if (key_read(pub, &kp) != 1) {
390 pub = key_new(KEY_UNSPEC);
391 if (key_read(pub, &kp) != 1) {
392 error("line %d invalid key: %.40s...", num,
398 if (find_host || delete_host) {
399 cp2 = host_hash(name, cp, strlen(cp));
400 if (cp2 == ((void *)0)) {
401 error("line %d: invalid hashed "
402 "name: %.64s...", num, line);
404 c = (__extension__( {
405 size_t __s1_len, __s2_len;
406 (__builtin_constant_p(cp2)
407 && __builtin_constant_p(cp)
409 strlen(cp2), __s2_len =
419 (const void *)((cp) +
426 __builtin_strcmp(cp2,
428 : (__builtin_constant_p(cp2)
430 ((size_t) (const void *)
438 ? (__builtin_constant_p
442 (const void *)((cp) +
447 __builtin_strcmp(cp2,
467 (((const unsigned char *)(const char *)(cp2))[0] - __s2[0]); if (__s1_len > 0 && __result == 0) {
471 (__builtin_constant_p(cp)
473 ((size_t) (const void *)
481 ? (__builtin_constant_p
491 __builtin_strcmp(cp2,
514 ((const unsigned char *)(const char *)(cp))[0]; __result;}
516 __builtin_strcmp(cp2,
519 if (find_host && c) {
521 printf("# Host %s found: "
522 "line %d type %s%s\n",
523 name, num, key_type(pub),
524 ca ? " (CA key)" : "");
525 printhost(out, cp, pub, ca, 0);
530 printhost(out, cp, pub, ca, 0);
532 printf("# Host %s found: "
537 } else if (hash_hosts)
538 printhost(out, cp, pub, ca, 0);
539 if (find_host || delete_host) {
540 c = (match_hostname(name, cp, strlen(cp)) == 1);
541 if (find_host && c) {
543 printf("# Host %s found: "
544 "line %d type %s%s\n",
545 name, num, key_type(pub),
546 ca ? " (CA key)" : "");
547 printhost(out, name, pub, ca, hash_hosts
552 printhost(out, cp, pub, ca, 0);
554 printf("# Host %s found: "
559 } else if (hash_hosts) {
560 for (cp2 = __extension__( {
561 char __r0, __r1, __r2;
562 (__builtin_constant_p
593 ((const char *)(","))[2], __r2 == '\0') ? __strsep_2c(&cp, __r0, __r1) : (((const char *)(","))[3] == '\0' ? __strsep_3c(&cp, __r0, __r1, __r2) : __strsep_g(&cp, ",")))) : __strsep_g(&cp, ","));}
594 ); cp2 != ((void *)0) && *cp2 != '\0';
595 cp2 = __extension__( {
596 char __r0, __r1, __r2;
597 (__builtin_constant_p
628 ((const char *)(","))[2], __r2 == '\0') ? __strsep_2c(&cp, __r0, __r1) : (((const char *)(","))[3] == '\0' ? __strsep_3c(&cp, __r0, __r1, __r2) : __strsep_g(&cp, ",")))) : __strsep_g(&cp, ","));}
633 "ignoring CA key for host: "
635 printhost(out, cp2, pub, ca, 0);
636 } else if (__extension__( {
639 (__builtin_constant_p
650 ? ((__builtin_constant_p(cp2) && ((size_t) (const void *)((cp2) + 1) - (size_t) (const void *)(cp2) == 1)) ? __builtin_strcspn(cp2, "*?!") : ((__r0 = ((const char *)("*?!"))[0], __r0 == '\0') ? strlen(cp2) : ((__r1 = ((const char *)("*?!"))[1], __r1 == '\0') ? __strcspn_c1(cp2, __r0) : ((__r2 = ((const char *)("*?!"))[2], __r2 == '\0') ? __strcspn_c2(cp2, __r0, __r1) : (((const char *)("*?!"))[3] == '\0' ? __strcspn_c3(cp2, __r0, __r1, __r2) : __builtin_strcspn(cp2, "*?!")))))) : __builtin_strcspn(cp2, "*?!"));}
654 "ignoring host name with "
655 "metacharacters: %.64s\n",
657 printhost(out, cp2, pub, ca, 0);
659 printhost(out, cp2, pub, ca, 1);
668 fprintf(stderr, "%s is not a valid known_hosts file.\n",
672 "Not replacing existing known_hosts "
673 "file because of errors\n");
681 if (unlink(old) == -1 && (*__errno_location()) != 2)
682 fatal("unlink %.100s: %s", old,
683 strerror((*__errno_location())));
684 if (link(identity_file, old) == -1)
685 fatal("link %.100s to %.100s: %s", identity_file, old,
686 strerror((*__errno_location())));
687 if (rename(tmp, identity_file) == -1) {
688 error("rename\"%s\" to \"%s\": %s", tmp, identity_file,
689 strerror((*__errno_location())));
694 fprintf(stderr, "%s updated.\n", identity_file);
695 fprintf(stderr, "Original contents retained as %s\n", old);
698 "WARNING: %s contains unhashed " "entries\n",
701 "Delete this file to ensure privacy "
705 exit(find_host && !found_key);
708 static void do_change_passphrase(struct passwd *pw)
711 char *old_passphrase, *passphrase1, *passphrase2;
715 ask_filename(pw, "Enter file in which the key is");
716 if (stat(identity_file, &st) < 0) {
717 perror(identity_file);
720 private = key_load_private(identity_file, "", &comment);
721 if (private == ((void *)0)) {
722 if (identity_passphrase)
723 old_passphrase = xstrdup(identity_passphrase);
726 read_passphrase("Enter old passphrase: ", 0x0002);
728 key_load_private(identity_file, old_passphrase, &comment);
729 explicit_bzero(old_passphrase, strlen(old_passphrase));
730 free(old_passphrase);
731 if (private == ((void *)0)) {
732 printf("Bad passphrase.\n");
736 printf("Key has comment '%s'\n", comment);
737 if (identity_new_passphrase) {
738 passphrase1 = xstrdup(identity_new_passphrase);
741 read_passphrase("Enter new passphrase (empty for no "
742 "passphrase): ", 0x0002);
744 read_passphrase("Enter same passphrase again: ", 0x0002);
746 size_t __s1_len, __s2_len;
747 (__builtin_constant_p(passphrase1)
748 && __builtin_constant_p(passphrase2)
750 strlen(passphrase1), __s2_len =
752 (!((size_t) (const void *)
753 ((passphrase1) + 1) -
754 (size_t) (const void *)(passphrase1)
755 == 1) || __s1_len >= 4)
757 (!((size_t) (const void *)
758 ((passphrase2) + 1) -
759 (size_t) (const void *)(passphrase2)
762 4)) ? __builtin_strcmp(passphrase1,
764 : (__builtin_constant_p(passphrase1)
766 ((size_t) (const void *)
767 ((passphrase1) + 1) -
768 (size_t) (const void *)(passphrase1) ==
774 ? (__builtin_constant_p(passphrase2)
776 ((size_t) (const void *)
777 ((passphrase2) + 1) -
778 (size_t) (const void *)(passphrase2)
779 == 1) ? __builtin_strcmp(passphrase1,
787 register int __result
789 (((const unsigned char
794 ))): (__builtin_constant_p(passphrase2)
796 ((size_t) (const void *)
797 ((passphrase2) + 1) -
799 *)(passphrase2) == 1)
804 ? (__builtin_constant_p
807 ((size_t) (const void *)
808 ((passphrase1) + 1) -
812 __builtin_strcmp(passphrase1,
837 ))): __builtin_strcmp(passphrase1,
840 explicit_bzero(passphrase1, strlen(passphrase1));
841 explicit_bzero(passphrase2, strlen(passphrase2));
844 printf("Pass phrases do not match. Try again.\n");
847 explicit_bzero(passphrase2, strlen(passphrase2));
850 if (!key_save_private
851 (private, identity_file, passphrase1, comment, use_new_format,
852 new_format_cipher, rounds)) {
853 printf("Saving the key failed: %s.\n", identity_file);
854 explicit_bzero(passphrase1, strlen(passphrase1));
860 explicit_bzero(passphrase1, strlen(passphrase1));
864 printf("Your identification has been saved with the new passphrase.\n");
868 static void do_change_comment(struct passwd *pw)
870 char new_comment[1024], *comment, *passphrase;
877 ask_filename(pw, "Enter file in which the key is");
878 if (stat(identity_file, &st) < 0) {
879 perror(identity_file);
882 private = key_load_private(identity_file, "", &comment);
883 if (private == ((void *)0)) {
884 if (identity_passphrase)
885 passphrase = xstrdup(identity_passphrase);
886 else if (identity_new_passphrase)
887 passphrase = xstrdup(identity_new_passphrase);
890 read_passphrase("Enter passphrase: ", 0x0002);
891 private = key_load_private(identity_file, passphrase, &comment);
892 if (private == ((void *)0)) {
893 explicit_bzero(passphrase, strlen(passphrase));
895 printf("Bad passphrase.\n");
898 passphrase = xstrdup("");
900 if (private->type != KEY_RSA1) {
901 fprintf(stderr, "Comments are only supported for RSA1 keys.\n");
905 printf("Key now has comment '%s'\n", comment);
906 if (identity_comment) {
907 strlcpy(new_comment, identity_comment, sizeof(new_comment));
908 printf("Enter new comment: ");
910 if (!fgets(new_comment, sizeof(new_comment), stdin)) {
911 explicit_bzero(passphrase, strlen(passphrase));
915 new_comment[__extension__( {
916 char __r0, __r1, __r2;
917 (__builtin_constant_p("\n")
919 ((size_t) (const void *)(("\n") + 1)
920 - (size_t) (const void *)("\n") ==
922 ? ((__builtin_constant_p(new_comment)
924 ((size_t) (const void *)
925 ((new_comment) + 1) -
929 __builtin_strcspn(new_comment,
931 ((const char *)("\n"))[0], __r0 == '\0') ? strlen(new_comment) : ((__r1 = ((const char *)("\n"))[1], __r1 == '\0') ? __strcspn_c1(new_comment, __r0) : ((__r2 = ((const char *)("\n"))[2], __r2 == '\0') ? __strcspn_c2(new_comment, __r0, __r1) : (((const char *)("\n"))[3] == '\0' ? __strcspn_c3(new_comment, __r0, __r1, __r2) : __builtin_strcspn(new_comment, "\n")))))) : __builtin_strcspn(new_comment, "\n"));}
934 if (!key_save_private
935 (private, identity_file, passphrase, new_comment, use_new_format,
936 new_format_cipher, rounds)) {
937 printf("Saving the key failed: %s.\n", identity_file);
938 explicit_bzero(passphrase, strlen(passphrase));
944 explicit_bzero(passphrase, strlen(passphrase));
946 public = key_from_private(private);
948 strlcat(identity_file, ".pub", sizeof(identity_file));
949 fd = open(identity_file, 01 | 00000400 | 01000, 0644);
951 printf("Could not save your public key in %s\n", identity_file);
955 if (f == ((void *)0)) {
956 printf("fdopen %s failed\n", identity_file);
959 if (!key_write(public, f))
960 fprintf(stderr, "write key failed\n");
962 fprintf(f, " %s\n", new_comment);
965 printf("The comment in your key file has been changed.\n");
969 static const char *fmt_validity(u_int64_t valid_from, u_int64_t valid_to)
971 char from[32], to[32];
976 if (valid_from == 0 && valid_to == 0xffffffffffffffffULL)
978 if (valid_from != 0) {
979 tt = valid_from > 2147483647 ? 2147483647 : valid_from;
981 strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm);
983 if (valid_to != 0xffffffffffffffffULL) {
984 tt = valid_to > 2147483647 ? 2147483647 : valid_to;
986 strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm);
988 if (valid_from == 0) {
989 snprintf(ret, sizeof(ret), "before %s", to);
991 if (valid_to == 0xffffffffffffffffULL) {
992 snprintf(ret, sizeof(ret), "after %s", from);
994 snprintf(ret, sizeof(ret), "from %s to %s", from, to);
997 static void do_show_cert(struct passwd *pw)
1001 char *key_fp, *ca_fp;
1004 ask_filename(pw, "Enter file in which the key is");
1005 if (stat(identity_file, &st) < 0)
1006 fatal("%s: %s: %s", __progname, identity_file,
1007 strerror((*__errno_location())));
1008 if ((key = key_load_public(identity_file, ((void *)0))) == ((void *)0))
1009 fatal("%s is not a public key", identity_file);
1010 if (!key_is_cert(key))
1011 fatal("%s is not a certificate", identity_file);
1012 v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
1013 key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
1015 key_fingerprint(key->cert->signature_key, SSH_FP_MD5, SSH_FP_HEX);
1016 printf("%s:\n", identity_file);
1017 printf(" Type: %s %s certificate\n", key_ssh_name(key),
1018 key_cert_type(key));
1019 printf(" Public key: %s %s\n", key_type(key), key_fp);
1020 printf(" Signing CA: %s %s\n",
1021 key_type(key->cert->signature_key), ca_fp);
1022 printf(" Key ID: \"%s\"\n", key->cert->key_id);
1024 printf(" Serial: %llu\n",
1025 (unsigned long long)key->cert->serial);
1027 printf(" Valid: %s\n",
1028 fmt_validity(key->cert->valid_after, key->cert->valid_before));
1029 printf(" Principals: ");
1030 if (key->cert->nprincipals == 0)
1033 for (i = 0; i < key->cert->nprincipals; i++)
1035 key->cert->principals[i]);
1038 printf(" Critical Options: ");
1039 if (buffer_len(&key->cert->critical) == 0)
1043 show_options(&key->cert->critical, v00, 1);
1046 printf(" Extensions: ");
1047 if (buffer_len(&key->cert->extensions) == 0)
1051 show_options(&key->cert->extensions, v00, 0);
1057 static void do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
1059 struct ssh_krl *krl;
1061 Key *ca = ((void *)0);
1065 if (*identity_file == '\0')
1066 fatal("KRL generation requires an output file");
1067 if (stat(identity_file, &sb) == -1) {
1068 if ((*__errno_location()) != 2)
1069 fatal("Cannot access KRL \"%s\": %s", identity_file,
1070 strerror((*__errno_location())));
1072 fatal("KRL \"%s\" does not exist", identity_file);
1074 if (ca_key_path != ((void *)0)) {
1075 tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);
1076 if ((ca = key_load_public(tmp, ((void *)0))) == ((void *)0))
1077 fatal("Cannot load CA public key %s", tmp);
1081 load_krl(identity_file, &krl);
1082 else if ((krl = ssh_krl_init()) == ((void *)0))
1083 fatal("couldn't create KRL");
1084 if (cert_serial != 0)
1085 ssh_krl_set_version(krl, cert_serial);
1086 if (identity_comment != ((void *)0))
1087 ssh_krl_set_comment(krl, identity_comment);
1088 for (i = 0; i < argc; i++)
1089 update_krl_from_file(pw, argv[i], ca, krl);
1091 if (ssh_krl_to_blob(krl, &kbuf, ((void *)0), 0) != 0)
1092 fatal("Couldn't generate KRL");
1093 if ((fd = open(identity_file, 01 | 00000400 | 01000, 0644)) == -1)
1094 fatal("open %s: %s", identity_file,
1095 strerror((*__errno_location())));
1097 ((ssize_t(*)(int, void *, size_t))write, fd, buffer_ptr(&kbuf),
1098 buffer_len(&kbuf)) != buffer_len(&kbuf))
1099 fatal("write %s: %s", identity_file,
1100 strerror((*__errno_location())));
1104 if (ca != ((void *)0))
1108 static void usage(void)
1113 int main(int argc, char **argv)
1115 char dotsshdir[4096], comment[1024], *passphrase1, *passphrase2;
1116 char *checkpoint = ((void *)0);
1117 char out_file[4096], *ep, *rr_hostname = ((void *)0);
1118 Key *private, *public;
1122 u_int32_t memory = 0, generator_wanted = 0;
1123 int do_gen_candidates = 0, do_screen_candidates = 0;
1124 int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0;
1125 unsigned long start_lineno = 0, lines_to_process = 0;
1126 BIGNUM *start = ((void *)0);
1129 extern char *BSDoptarg;
1131 __progname = ssh_get_progname(argv[0]);
1132 ssh_OpenSSL_add_all_algorithms();
1133 log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
1135 pw = getpwuid(getuid());
1137 printf("No user exists for uid %lu\n", (u_long) getuid());
1140 if (gethostname(hostname, sizeof(hostname)) < 0) {
1141 perror("gethostname");
1145 BSDgetopt(argc, argv,
1146 "ABHLQXceghiklopquvxy"
1147 "C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:a:b:f:g:j:m:n:r:s:t:z:"))
1151 gen_all_hostkeys = 1;
1154 (u_int32_t) strtonum(BSDoptarg, 256, 32768,
1157 fatal("Bits has bad value %s (%s)", BSDoptarg,
1161 rr_hostname = BSDoptarg;
1166 cert_key_id = BSDoptarg;
1168 lines_to_process = strtoul(BSDoptarg, ((void *)0), 10);
1170 start_lineno = strtoul(BSDoptarg, ((void *)0), 10);
1173 rr_hostname = BSDoptarg;
1178 print_fingerprint = 1;
1180 print_bubblebabble = 1;
1182 if (strcasecmp(BSDoptarg, "RFC4716") == 0
1183 || strcasecmp(BSDoptarg, "ssh2") == 0) {
1184 convert_format = FMT_RFC4716;
1186 if (strcasecmp(BSDoptarg, "PKCS8") == 0) {
1187 convert_format = FMT_PKCS8;
1189 if (strcasecmp(BSDoptarg, "PEM") == 0) {
1190 convert_format = FMT_PEM;
1192 fatal("Unsupported conversion format \"%s\"",
1195 cert_principals = BSDoptarg;
1199 change_passphrase = 1;
1204 (identity_file, BSDoptarg,
1205 sizeof(identity_file)) >= sizeof(identity_file))
1206 fatal("Identity filename too long");
1211 identity_passphrase = BSDoptarg;
1213 identity_new_passphrase = BSDoptarg;
1217 add_cert_option(BSDoptarg);
1219 new_format_cipher = BSDoptarg;
1221 identity_comment = BSDoptarg;
1229 certflags_flags = 0;
1238 ca_key_path = BSDoptarg;
1240 key_type_name = BSDoptarg;
1242 pkcs11provider = BSDoptarg;
1246 if (log_level == SYSLOG_LEVEL_INFO)
1247 log_level = SYSLOG_LEVEL_DEBUG1;
1249 if (log_level >= SYSLOG_LEVEL_DEBUG1
1250 && log_level < SYSLOG_LEVEL_DEBUG3)
1254 rr_hostname = BSDoptarg;
1257 (u_int32_t) strtonum(BSDoptarg, 1,
1258 (2147483647 * 2U + 1U),
1262 ("Desired generator has bad value: %s (%s)",
1266 (int)strtonum(BSDoptarg, 1, 2147483647, &errstr);
1268 fatal("Invalid number: %s (%s)", BSDoptarg,
1272 (u_int32_t) strtonum(BSDoptarg, 1,
1273 (2147483647 * 2U + 1U),
1276 fatal("Memory limit is %s: %s", errstr,
1279 do_gen_candidates = 1;
1280 if (strlcpy(out_file, BSDoptarg, sizeof(out_file)) >=
1282 fatal("Output filename too long");
1284 do_screen_candidates = 1;
1285 if (strlcpy(out_file, BSDoptarg, sizeof(out_file)) >=
1287 fatal("Output filename too long");
1289 if (strlen(BSDoptarg) >= 4096)
1290 fatal("Checkpoint filename too long");
1291 checkpoint = xstrdup(BSDoptarg);
1294 if (BN_hex2bn(&start, BSDoptarg) == 0)
1295 fatal("Invalid start point.");
1297 parse_cert_times(BSDoptarg);
1299 (*__errno_location()) = 0;
1300 cert_serial = strtoull(BSDoptarg, &ep, 10);
1301 if (*BSDoptarg < '0' || *BSDoptarg > '9' || *ep != '\0'
1302 || ((*__errno_location()) == 34
1304 (9223372036854775807LL * 2ULL + 1)))
1305 fatal("Invalid serial number \"%s\"",
1312 log_init(argv[0], log_level, SYSLOG_FACILITY_USER, 1);
1313 if (ca_key_path != ((void *)0)) {
1314 if (argc < 1 && !gen_krl) {
1315 printf("Too few arguments.\n");
1318 } else if (argc > 0 && !gen_krl && !check_krl) {
1319 printf("Too many arguments.\n");
1321 if (change_passphrase && change_comment) {
1322 printf("Can only have one of -p and -c.\n");
1325 if (print_fingerprint && (delete_host || hash_hosts)) {
1326 printf("Cannot use -l with -H or -R.\n");
1330 do_gen_krl(pw, update_krl, argc, argv);
1334 do_check_krl(pw, argc, argv);
1336 if (ca_key_path != ((void *)0)) {
1337 if (cert_key_id == ((void *)0))
1338 fatal("Must specify key id (-I) when certifying");
1339 do_ca_sign(pw, argc, argv);
1343 if (delete_host || hash_hosts || find_host)
1344 do_known_hosts(pw, rr_hostname);
1345 if (pkcs11provider != ((void *)0))
1347 if (print_fingerprint || print_bubblebabble)
1349 if (change_passphrase)
1350 do_change_passphrase(pw);
1352 do_change_comment(pw);
1356 do_convert_from(pw);
1358 do_print_public(pw);
1359 if (rr_hostname != ((void *)0)) {
1361 if (have_identity) {
1362 n = do_print_resource_record(pw, identity_file,
1365 perror(identity_file);
1370 n += do_print_resource_record(pw,
1372 "/ssh_host_rsa_key",
1374 n += do_print_resource_record(pw,
1376 "/ssh_host_dsa_key",
1378 n += do_print_resource_record(pw,
1380 "/ssh_host_ecdsa_key",
1383 fatal("no keys found.");
1387 if (do_gen_candidates) {
1388 FILE *out = fopen(out_file, "w");
1389 if (out == ((void *)0)) {
1390 error("Couldn't open modulus candidate file \"%s\": %s",
1391 out_file, strerror((*__errno_location())));
1395 if (gen_candidates(out, memory, bits, start) != 0)
1396 fatal("modulus candidate generation failed");
1398 if (do_screen_candidates) {
1400 FILE *out = fopen(out_file, "a");
1401 if (have_identity && __extension__( {
1402 size_t __s1_len, __s2_len;
1403 (__builtin_constant_p
1405 && __builtin_constant_p("-")
1407 strlen(identity_file),
1412 *)((identity_file) +
1414 (size_t) (const void
1416 (identity_file) == 1)
1420 (const void *)(("-")
1422 (size_t) (const void
1430 : (__builtin_constant_p
1433 ((size_t) (const void *)
1434 ((identity_file) + 1) -
1435 (size_t) (const void
1437 (identity_file) == 1)
1443 ? (__builtin_constant_p
1447 (const void *)(("-")
1449 (size_t) (const void
1473 (((const unsigned char *)(const char *)(identity_file))[0] - __s2[0]); __result;}
1475 (__builtin_constant_p
1478 ((size_t) (const void *)
1480 (size_t) (const void
1486 ? (__builtin_constant_p
1493 (size_t) (const void
1521 ((const unsigned char *)(const char *)("-"))[0]; if (__s2_len > 0 && __result == 0) {
1527 ((const unsigned char *)(const char *)("-"))[1]);}
1534 if ((in = fopen(identity_file, "r")) == ((void *)0)) {
1535 fatal("Couldn't open modulus candidate "
1536 "file \"%s\": %s", identity_file,
1537 strerror((*__errno_location())));
1541 if (out == ((void *)0)) {
1542 fatal("Couldn't open moduli file \"%s\": %s", out_file,
1543 strerror((*__errno_location())));
1546 (in, out, rounds == 0 ? 100 : rounds, generator_wanted,
1547 checkpoint, start_lineno, lines_to_process) != 0)
1548 fatal("modulus screening failed");
1550 if (gen_all_hostkeys) {
1551 do_gen_all_hostkeys(pw);
1553 if (key_type_name == ((void *)0))
1554 key_type_name = "rsa";
1555 type = key_type_from_name(key_type_name);
1556 type_bits_valid(type, &bits);
1558 printf("Generating public/private %s key pair.\n",
1560 private = key_generate(type, bits);
1561 if (private == ((void *)0)) {
1562 fprintf(stderr, "key_generate failed\n");
1565 public = key_from_private(private);
1567 ask_filename(pw, "Enter file in which to save the key");
1568 snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", pw->pw_dir, ".ssh");
1569 if (strstr(identity_file, dotsshdir) != ((void *)0)) {
1570 if (stat(dotsshdir, &st) < 0) {
1571 if ((*__errno_location()) != 2) {
1572 error("Could not stat %s: %s", dotsshdir,
1573 strerror((*__errno_location())));
1574 } else if (mkdir(dotsshdir, 0700) < 0) {
1575 error("Could not create directory '%s': %s",
1577 strerror((*__errno_location())));
1579 printf("Created directory '%s'.\n", dotsshdir);
1582 if (stat(identity_file, &st) >= 0) {
1584 printf("%s already exists.\n", identity_file);
1585 printf("Overwrite (y/n)? ");
1587 if (fgets(yesno, sizeof(yesno), stdin) == ((void *)0))
1589 if (yesno[0] != 'y' && yesno[0] != 'Y')
1592 if (identity_passphrase)
1593 passphrase1 = xstrdup(identity_passphrase);
1594 else if (identity_new_passphrase)
1595 passphrase1 = xstrdup(identity_new_passphrase);
1597 passphrase_again:passphrase1 =
1598 read_passphrase("Enter passphrase (empty for no "
1599 "passphrase): ", 0x0002);
1601 read_passphrase("Enter same passphrase again: ", 0x0002);
1602 if (__extension__( {
1603 size_t __s1_len, __s2_len;
1604 (__builtin_constant_p(passphrase1)
1605 && __builtin_constant_p(passphrase2)
1607 strlen(passphrase1), __s2_len =
1608 strlen(passphrase2),
1609 (!((size_t) (const void *)
1610 ((passphrase1) + 1) -
1611 (size_t) (const void *)(passphrase1)
1612 == 1) || __s1_len >= 4)
1614 (!((size_t) (const void *)
1615 ((passphrase2) + 1) -
1616 (size_t) (const void *)(passphrase2)
1619 4)) ? __builtin_strcmp(passphrase1,
1621 : (__builtin_constant_p(passphrase1)
1623 ((size_t) (const void *)
1624 ((passphrase1) + 1) -
1625 (size_t) (const void *)(passphrase1) ==
1628 strlen(passphrase1),
1631 ? (__builtin_constant_p(passphrase2)
1633 ((size_t) (const void *)
1634 ((passphrase2) + 1) -
1635 (size_t) (const void *)(passphrase2)
1636 == 1) ? __builtin_strcmp(passphrase1,
1641 (const unsigned char
1644 register int __result
1646 (((const unsigned char
1651 ))): (__builtin_constant_p(passphrase2)
1653 ((size_t) (const void *)
1654 ((passphrase2) + 1) -
1655 (size_t) (const void
1656 *)(passphrase2) == 1)
1658 strlen(passphrase2),
1661 ? (__builtin_constant_p
1664 ((size_t) (const void *)
1665 ((passphrase1) + 1) -
1666 (size_t) (const void
1669 __builtin_strcmp(passphrase1,
1688 ))): __builtin_strcmp(passphrase1,
1691 explicit_bzero(passphrase1, strlen(passphrase1));
1692 explicit_bzero(passphrase2, strlen(passphrase2));
1695 printf("Passphrases do not match. Try again.\n");
1697 explicit_bzero(passphrase2, strlen(passphrase2));
1700 if (identity_comment) {
1701 strlcpy(comment, identity_comment, sizeof(comment));
1702 snprintf(comment, sizeof comment, "%s@%s", pw->pw_name,
1705 if (!key_save_private
1706 (private, identity_file, passphrase1, comment, use_new_format,
1707 new_format_cipher, rounds)) {
1708 printf("Saving the key failed: %s.\n", identity_file);
1709 explicit_bzero(passphrase1, strlen(passphrase1));
1713 explicit_bzero(passphrase1, strlen(passphrase1));
1716 printf("Your identification has been saved in %s.\n",
1718 strlcat(identity_file, ".pub", sizeof(identity_file));
1719 if (!key_write(public, f))
1720 fprintf(stderr, "write key failed\n");
1721 fprintf(f, " %s\n", comment);
1724 char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
1726 key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
1727 printf("Your public key has been saved in %s.\n",
1729 printf("The key fingerprint is:\n");
1730 printf("%s %s\n", fp, comment);
1731 printf("The key's randomart image is:\n");