Diffstat (limited to 'ssh-keygen.c')
-rw-r--r-- | ssh-keygen.c | 58 |
1 files changed, 36 insertions, 22 deletions
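--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.250 2014/08/21 01:08:52 doug Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.251 2014/12/21 22:27:56 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -53,6 +53,7 @@
 #include "ssh-pkcs11.h"
 #include "atomicio.h"
 #include "krl.h"
+#include "digest.h"
 
 /* Number of bits in the RSA/DSA key. This value can be set on the command line. */
 #define DEFAULT_BITS 2048
@@ -90,6 +91,9 @@ int show_cert = 0;
 int print_fingerprint = 0;
 int print_bubblebabble = 0;
 
+/* Hash algorithm to use for fingerprints. */
+int fingerprint_hash = SSH_FP_HASH_DEFAULT;
+
 /* The identity file name, given on the command line or entered by the user. */
 char identity_file[1024];
 int have_identity = 0;
@@ -749,11 +753,11 @@ do_download(struct passwd *pw)
 Key **keys = NULL;
 int i, nkeys;
 enum fp_rep rep;
-enum fp_type fptype;
+int fptype;
 char *fp, *ra;
 
-fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
-rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
+fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
+rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
 
 pkcs11_init(0);
 nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys);
@@ -762,7 +766,7 @@ do_download(struct passwd *pw)
 for (i = 0; i < nkeys; i++) {
 if (print_fingerprint) {
 fp = key_fingerprint(keys[i], fptype, rep);
-ra = key_fingerprint(keys[i], SSH_FP_MD5,
+ra = key_fingerprint(keys[i], fingerprint_hash,
 SSH_FP_RANDOMART);
 printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]),
 fp, key_type(keys[i]));
@@ -792,12 +796,11 @@ do_fingerprint(struct passwd *pw)
 char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;
 int i, skip = 0, num = 0, invalid = 1;
 enum fp_rep rep;
-enum fp_type fptype;
+int fptype;
 struct stat st;
 
-fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
-rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
-
+fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
+rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
 if (!have_identity)
 ask_filename(pw, "Enter file in which the key is");
 if (stat(identity_file, &st) < 0) {
@@ -807,7 +810,8 @@ do_fingerprint(struct passwd *pw)
 public = key_load_public(identity_file, &comment);
 if (public != NULL) {
 fp = key_fingerprint(public, fptype, rep);
-ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
+ra = key_fingerprint(public, fingerprint_hash,
+SSH_FP_RANDOMART);
 printf("%u %s %s (%s)\n", key_size(public), fp, comment,
 key_type(public));
 if (log_level >= SYSLOG_LEVEL_VERBOSE)
@@ -873,7 +877,8 @@ do_fingerprint(struct passwd *pw)
 }
 comment = *cp ? cp : comment;
 fp = key_fingerprint(public, fptype, rep);
-ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
+ra = key_fingerprint(public, fingerprint_hash,
+SSH_FP_RANDOMART);
 printf("%u %s %s (%s)\n", key_size(public), fp,
 comment ? comment : "no comment", key_type(public));
 if (log_level >= SYSLOG_LEVEL_VERBOSE)
@@ -993,13 +998,15 @@ printhost(FILE *f, const char *name, Key *public, int ca, int revoked, int hash)
 {
 if (print_fingerprint) {
 enum fp_rep rep;
-enum fp_type fptype;
+int fptype;
 char *fp, *ra;
 
-fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
-rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
+fptype = print_bubblebabble ?
+SSH_DIGEST_SHA1 : fingerprint_hash;
+rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
 fp = key_fingerprint(public, fptype, rep);
-ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
+ra = key_fingerprint(public, fingerprint_hash,
+SSH_FP_RANDOMART);
 printf("%u %s %s (%s)\n", key_size(public), fp, name,
 key_type(public));
 if (log_level >= SYSLOG_LEVEL_VERBOSE)
@@ -1908,9 +1915,9 @@ do_show_cert(struct passwd *pw)
 fatal("%s is not a certificate", identity_file);
 v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
 
-key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+key_fp = key_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);
 ca_fp = key_fingerprint(key->cert->signature_key,
-SSH_FP_MD5, SSH_FP_HEX);
+fingerprint_hash, SSH_FP_DEFAULT);
 
 printf("%s:\n", identity_file);
 printf(" Type: %s %s certificate\n", key_ssh_name(key),
@@ -2189,7 +2196,7 @@ usage(void)
 " ssh-keygen -e [-m key_format] [-f input_keyfile]\n"
 " ssh-keygen -y [-f input_keyfile]\n"
 " ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n"
-" ssh-keygen -l [-f input_keyfile]\n"
+" ssh-keygen -l [-E fingerprint_hash] [-f input_keyfile]\n"
 " ssh-keygen -B [-f input_keyfile]\n");
 #ifdef ENABLE_PKCS11
 fprintf(stderr,
@@ -2258,9 +2265,10 @@ main(int argc, char **argv)
 exit(1);
 }
 
-/* Remaining characters: EUYdw */
+/* Remaining characters: UYdw */
 while ((opt = getopt(argc, argv, "ABHLQXceghiklopquvxy"
-"C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:a:b:f:g:j:m:n:r:s:t:z:")) != -1) {
+"C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:"
+"a:b:f:g:j:m:n:r:s:t:z:")) != -1) {
 switch (opt) {
 case 'A':
 gen_all_hostkeys = 1;
@@ -2271,6 +2279,11 @@ main(int argc, char **argv)
 fatal("Bits has bad value %s (%s)",
 optarg, errstr);
 break;
+case 'E':
+fingerprint_hash = ssh_digest_alg_by_name(optarg);
+if (fingerprint_hash == -1)
+fatal("Invalid hash algorithm \"%s\"", optarg);
+break;
 case 'F':
 find_host = 1;
 rr_hostname = optarg;
@@ -2702,8 +2715,9 @@ passphrase_again:
 fclose(f);
 
 if (!quiet) {
-char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
-char *ra = key_fingerprint(public, SSH_FP_MD5,
+char *fp = key_fingerprint(public, fingerprint_hash,
+SSH_FP_DEFAULT);
+char *ra = key_fingerprint(public, fingerprint_hash,
 SSH_FP_RANDOMART);
 printf("Your public key has been saved in %s.\n",
 identity_file);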
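Review bot: The usage text changed in the `usage()` hunk advertises `-E fingerprint_hash` only on the `-l` line, yet the new code also reads `fingerprint_hash` in `do_show_cert` (`-L`), `do_download` (`-D` with `-l`), `printhost` (`-F`/`-H` with `-l`) and the post-generation summary, so the `-L` line should at least gain the same option, e.g. `" ssh-keygen -L [-E fingerprint_hash] [-f input_keyfile]\n"`. In the `case 'E':` branch of `main()` the rejection message names only the offending argument; if `ssh_digest_alg_by_name` has a fixed set of accepted names (not visible here), listing them in the `fatal()` text would save users a trip to the manual. The bubblebabble path in `do_download`, `do_fingerprint` and `printhost` still pins `SSH_DIGEST_SHA1` and silently ignores `-E`; a one-line comment at the first of those ternaries, `/* bubblebabble output is defined over SHA1; -E does not apply */`, would make that intentional. Note also that the randomart calls now key off `fingerprint_hash` instead of MD5, so `-lv` output for an unchanged key will differ from what earlier releases printed unless the legacy digest is selected explicitly; that behaviour change deserves a sentence in the manual page alongside the new option. Each of these functions starts and ends outside the hunks shown.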