]> andersk Git - openssh.git/blobdiff - ssh-keygen.c
andersk / openssh.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
- stevesk@cvs.openbsd.org 2002/01/18 18:14:17
[openssh.git] / ssh-keygen.c
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 8daa52833b7e2cd2a87246ac6723b8954686b6eb..49137fbeb51eb589ded03c93a3900b7a83af2276 100644 (file)
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.59 2001/04/23 21:57:07 markus Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.91 2002/01/18 18:14:17 stevesk Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@@ -28,6 +28,12 @@ RCSID("$OpenBSD: ssh-keygen.c,v 1.59 2001/04/23 21:57:07 markus Exp $");
 #include "log.h"
 #include "readpass.h"
 
+#ifdef SMARTCARD
+#include <sectok.h>
+#include <openssl/engine.h>
+#include "scard.h"
+#endif
+
 /* Number of bits in the RSA/DSA key.  This value can be changed on the command line. */
 int bits = 1024;
 
@@ -67,8 +73,7 @@ int convert_to_ssh2 = 0;
 int convert_from_ssh2 = 0;
 int print_public = 0;
 
-/* default to RSA for SSH-1 */
-char *key_type_name = "rsa1";
+char *key_type_name = NULL;
 
 /* argv0 */
 #ifdef HAVE___PROGNAME
@@ -79,7 +84,7 @@ char *__progname;
 
 char hostname[MAXHOSTNAMELEN];
 
-void
+static void
 ask_filename(struct passwd *pw, const char *prompt)
 {
        char buf[1024];
@@ -112,15 +117,19 @@ ask_filename(struct passwd *pw, const char *prompt)
        have_identity = 1;
 }
 
-Key *
-try_load_pem_key(char *filename)
+static Key *
+load_identity(char *filename)
 {
        char *pass;
        Key *prv;
 
        prv = key_load_private(filename, "", NULL);
        if (prv == NULL) {
-               pass = read_passphrase("Enter passphrase: ", 1);
+               if (identity_passphrase)
+                       pass = xstrdup(identity_passphrase);
+               else
+                       pass = read_passphrase("Enter passphrase: ",
+                           RP_ALLOW_STDIN);
                prv = key_load_private(filename, pass, NULL);
                memset(pass, 0, strlen(pass));
                xfree(pass);
@@ -133,7 +142,7 @@ try_load_pem_key(char *filename)
 #define SSH_COM_PRIVATE_BEGIN          "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----"
 #define        SSH_COM_PRIVATE_KEY_MAGIC       0x3f6ff9eb
 
-void
+static void
 do_convert_to_ssh2(struct passwd *pw)
 {
        Key *k;
@@ -148,12 +157,15 @@ do_convert_to_ssh2(struct passwd *pw)
                exit(1);
        }
        if ((k = key_load_public(identity_file, NULL)) == NULL) {
-               if ((k = try_load_pem_key(identity_file)) == NULL) {
+               if ((k = load_identity(identity_file)) == NULL) {
                        fprintf(stderr, "load failed\n");
                        exit(1);
                }
        }
-       key_to_blob(k, &blob, &len);
+       if (key_to_blob(k, &blob, &len) <= 0) {
+               fprintf(stderr, "key_to_blob failed\n");
+               exit(1);
+       }
        fprintf(stdout, "%s\n", SSH_COM_PUBLIC_BEGIN);
        fprintf(stdout,
            "Comment: \"%d-bit %s, converted from OpenSSH by %s@%s\"\n",
@@ -166,7 +178,7 @@ do_convert_to_ssh2(struct passwd *pw)
        exit(0);
 }
 
-void
+static void
 buffer_get_bignum_bits(Buffer *b, BIGNUM *value)
 {
        int bits = buffer_get_int(b);
@@ -175,17 +187,20 @@ buffer_get_bignum_bits(Buffer *b, BIGNUM *value)
        if (buffer_len(b) < bytes)
                fatal("buffer_get_bignum_bits: input buffer too small: "
                    "need %d have %d", bytes, buffer_len(b));
-       BN_bin2bn((u_char *)buffer_ptr(b), bytes, value);
+       BN_bin2bn(buffer_ptr(b), bytes, value);
        buffer_consume(b, bytes);
 }
 
-Key *
-do_convert_private_ssh2_from_blob(char *blob, int blen)
+static Key *
+do_convert_private_ssh2_from_blob(u_char *blob, int blen)
 {
        Buffer b;
        Key *key = NULL;
-       int ignore, magic, rlen, ktype;
        char *type, *cipher;
+       u_char *sig, data[] = "abcde12345";
+       int magic, rlen, ktype, i1, i2, i3, i4;
+       u_int slen;
+       u_long e;
 
        buffer_init(&b);
        buffer_append(&b, blob, blen);
@@ -196,13 +211,13 @@ do_convert_private_ssh2_from_blob(char *blob, int blen)
                buffer_free(&b);
                return NULL;
        }
-       ignore = buffer_get_int(&b);
+       i1 = buffer_get_int(&b);
        type   = buffer_get_string(&b, NULL);
        cipher = buffer_get_string(&b, NULL);
-       ignore = buffer_get_int(&b);
-       ignore = buffer_get_int(&b);
-       ignore = buffer_get_int(&b);
-
+       i2 = buffer_get_int(&b);
+       i3 = buffer_get_int(&b);
+       i4 = buffer_get_int(&b);
+       debug("ignore (%d %d %d %d)", i1,i2,i3,i4);
        if (strcmp(cipher, "none") != 0) {
                error("unsupported cipher %s", cipher);
                xfree(cipher);
@@ -232,7 +247,17 @@ do_convert_private_ssh2_from_blob(char *blob, int blen)
                buffer_get_bignum_bits(&b, key->dsa->priv_key);
                break;
        case KEY_RSA:
-               if (!BN_set_word(key->rsa->e, (u_long) buffer_get_char(&b))) {
+               e  = buffer_get_char(&b);
+               debug("e %lx", e);
+               if (e < 30) {
+                       e <<= 8;
+                       e += buffer_get_char(&b);
+                       debug("e %lx", e);
+                       e <<= 8;
+                       e += buffer_get_char(&b);
+                       debug("e %lx", e);
+               }
+               if (!BN_set_word(key->rsa->e, e)) {
                        buffer_free(&b);
                        key_free(key);
                        return NULL;
@@ -242,34 +267,29 @@ do_convert_private_ssh2_from_blob(char *blob, int blen)
                buffer_get_bignum_bits(&b, key->rsa->iqmp);
                buffer_get_bignum_bits(&b, key->rsa->q);
                buffer_get_bignum_bits(&b, key->rsa->p);
-               generate_additional_parameters(key->rsa);
+               rsa_generate_additional_parameters(key->rsa);
                break;
        }
        rlen = buffer_len(&b);
-       if(rlen != 0)
+       if (rlen != 0)
                error("do_convert_private_ssh2_from_blob: "
                    "remaining bytes in key blob %d", rlen);
        buffer_free(&b);
-#ifdef DEBUG_PK
-       {
-               u_int slen;
-               u_char *sig, data[10] = "abcde12345";
 
-               key_sign(key, &sig, &slen, data, sizeof data);
-               key_verify(key, sig, slen, data, sizeof data);
-               xfree(sig);
-       }
-#endif
+       /* try the key */
+       key_sign(key, &sig, &slen, data, sizeof(data));
+       key_verify(key, sig, slen, data, sizeof(data));
+       xfree(sig);
        return key;
 }
 
-void
+static void
 do_convert_from_ssh2(struct passwd *pw)
 {
        Key *k;
        int blen;
        char line[1024], *p;
-       char blob[8096];
+       u_char blob[8096];
        char encoded[8096];
        struct stat st;
        int escaped = 0, private = 0, ok;
@@ -298,18 +318,21 @@ do_convert_from_ssh2(struct passwd *pw)
                    strstr(line, ": ") != NULL) {
                        if (strstr(line, SSH_COM_PRIVATE_BEGIN) != NULL)
                                private = 1;
-                       fprintf(stderr, "ignore: %s", line);
+                       if (strstr(line, " END ") != NULL) {
+                               break;
+                       }
+                       /* fprintf(stderr, "ignore: %s", line); */
                        continue;
                }
                if (escaped) {
                        escaped--;
-                       fprintf(stderr, "escaped: %s", line);
+                       /* fprintf(stderr, "escaped: %s", line); */
                        continue;
                }
                *p = '\0';
                strlcat(encoded, line, sizeof(encoded));
        }
-       blen = uudecode(encoded, (u_char *)blob, sizeof(blob));
+       blen = uudecode(encoded, blob, sizeof(blob));
        if (blen < 0) {
                fprintf(stderr, "uudecode failed.\n");
                exit(1);
@@ -331,12 +354,13 @@ do_convert_from_ssh2(struct passwd *pw)
                exit(1);
        }
        key_free(k);
-       fprintf(stdout, "\n");
+       if (!private)
+               fprintf(stdout, "\n");
        fclose(fp);
        exit(0);
 }
 
-void
+static void
 do_print_public(struct passwd *pw)
 {
        Key *prv;
@@ -348,7 +372,7 @@ do_print_public(struct passwd *pw)
                perror(identity_file);
                exit(1);
        }
-       prv = try_load_pem_key(identity_file);
+       prv = load_identity(identity_file);
        if (prv == NULL) {
                fprintf(stderr, "load failed\n");
                exit(1);
@@ -360,13 +384,159 @@ do_print_public(struct passwd *pw)
        exit(0);
 }
 
-void
+#ifdef SMARTCARD
+#define NUM_RSA_KEY_ELEMENTS 5+1
+#define COPY_RSA_KEY(x, i) \
+       do { \
+               len = BN_num_bytes(prv->rsa->x); \
+               elements[i] = xmalloc(len); \
+               debug("#bytes %d", len); \
+               if (BN_bn2bin(prv->rsa->x, elements[i]) < 0) \
+                       goto done; \
+       } while (0)
+
+static int
+get_AUT0(char *aut0)
+{
+       EVP_MD *evp_md = EVP_sha1();
+       EVP_MD_CTX md;
+       char *pass;
+
+       pass = read_passphrase("Enter passphrase for smartcard: ", RP_ALLOW_STDIN);
+       if (pass == NULL)
+               return -1;
+       EVP_DigestInit(&md, evp_md);
+       EVP_DigestUpdate(&md, pass, strlen(pass));
+       EVP_DigestFinal(&md, aut0, NULL);
+       memset(pass, 0, strlen(pass));
+       xfree(pass);
+       return 0;
+}
+
+static void
+do_upload(struct passwd *pw, const char *sc_reader_id)
+{
+       Key *prv = NULL;
+       struct stat st;
+       u_char *elements[NUM_RSA_KEY_ELEMENTS];
+       u_char key_fid[2];
+       u_char DEFAUT0[] = {0xad, 0x9f, 0x61, 0xfe, 0xfa, 0x20, 0xce, 0x63};
+       u_char AUT0[EVP_MAX_MD_SIZE];
+       int len, status = 1, i, fd = -1, ret;
+       int sw = 0, cla = 0x00;
+
+       for (i = 0; i < NUM_RSA_KEY_ELEMENTS; i++)
+               elements[i] = NULL;
+       if (!have_identity)
+               ask_filename(pw, "Enter file in which the key is");
+       if (stat(identity_file, &st) < 0) {
+               perror(identity_file);
+               goto done;
+       }
+       prv = load_identity(identity_file);
+       if (prv == NULL) {
+               error("load failed");
+               goto done;
+       }
+       COPY_RSA_KEY(q, 0);
+       COPY_RSA_KEY(p, 1);
+       COPY_RSA_KEY(iqmp, 2);
+       COPY_RSA_KEY(dmq1, 3);
+       COPY_RSA_KEY(dmp1, 4);
+       COPY_RSA_KEY(n, 5);
+       len = BN_num_bytes(prv->rsa->n);
+       fd = sectok_friendly_open(sc_reader_id, STONOWAIT, &sw);
+       if (fd < 0) {
+               error("sectok_open failed: %s", sectok_get_sw(sw));
+               goto done;
+       }
+       if (! sectok_cardpresent(fd)) {
+               error("smartcard in reader %s not present",
+                   sc_reader_id);
+               goto done;
+       }
+       ret = sectok_reset(fd, 0, NULL, &sw);
+       if (ret <= 0) {
+               error("sectok_reset failed: %s", sectok_get_sw(sw));
+               goto done;
+       }
+       if ((cla = cyberflex_inq_class(fd)) < 0) {
+               error("cyberflex_inq_class failed");
+               goto done;
+       }
+       memcpy(AUT0, DEFAUT0, sizeof(DEFAUT0));
+       if (cyberflex_verify_AUT0(fd, cla, AUT0, sizeof(DEFAUT0)) < 0) {
+               if (get_AUT0(AUT0) < 0 ||
+                   cyberflex_verify_AUT0(fd, cla, AUT0, sizeof(DEFAUT0)) < 0) {
+                       error("cyberflex_verify_AUT0 failed");
+                       goto done;
+               }
+       }
+       key_fid[0] = 0x00;
+       key_fid[1] = 0x12;
+       if (cyberflex_load_rsa_priv(fd, cla, key_fid, 5, 8*len, elements,
+           &sw) < 0) {
+               error("cyberflex_load_rsa_priv failed: %s", sectok_get_sw(sw));
+               goto done;
+       }
+       if (!sectok_swOK(sw))
+               goto done;
+       log("cyberflex_load_rsa_priv done");
+       key_fid[0] = 0x73;
+       key_fid[1] = 0x68;
+       if (cyberflex_load_rsa_pub(fd, cla, key_fid, len, elements[5],
+           &sw) < 0) {
+               error("cyberflex_load_rsa_pub failed: %s", sectok_get_sw(sw));
+               goto done;
+       }
+       if (!sectok_swOK(sw))
+               goto done;
+       log("cyberflex_load_rsa_pub done");
+       status = 0;
+       log("loading key done");
+done:
+
+       memset(elements[0], '\0', BN_num_bytes(prv->rsa->q));
+       memset(elements[1], '\0', BN_num_bytes(prv->rsa->p));
+       memset(elements[2], '\0', BN_num_bytes(prv->rsa->iqmp));
+       memset(elements[3], '\0', BN_num_bytes(prv->rsa->dmq1));
+       memset(elements[4], '\0', BN_num_bytes(prv->rsa->dmp1));
+       memset(elements[5], '\0', BN_num_bytes(prv->rsa->n));
+
+       if (prv)
+               key_free(prv);
+       for (i = 0; i < NUM_RSA_KEY_ELEMENTS; i++)
+               if (elements[i])
+                       xfree(elements[i]);
+       if (fd != -1)
+               sectok_close(fd);
+       exit(status);
+}
+
+static void
+do_download(struct passwd *pw, const char *sc_reader_id)
+{
+       Key *pub = NULL;
+
+       pub = sc_get_key(sc_reader_id);
+       if (pub == NULL)
+               fatal("cannot read public key from smartcard");
+       key_write(pub, stdout);
+       key_free(pub);
+       fprintf(stdout, "\n");
+       exit(0);
+}
+#endif /* SMARTCARD */
+
+static void
 do_fingerprint(struct passwd *pw)
 {
        FILE *f;
        Key *public;
        char *comment = NULL, *cp, *ep, line[16*1024], *fp;
-       int i, skip = 0, num = 1, invalid = 1, rep, fptype;
+       int i, skip = 0, num = 1, invalid = 1;
+       enum fp_rep rep;
+       enum fp_type fptype;
        struct stat st;
 
        fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
@@ -447,7 +617,7 @@ do_fingerprint(struct passwd *pw)
                fclose(f);
        }
        if (invalid) {
-               printf("%s is not a valid key file.\n", identity_file);
+               printf("%s is not a public key file.\n", identity_file);
                exit(1);
        }
        exit(0);
@@ -457,7 +627,7 @@ do_fingerprint(struct passwd *pw)
  * Perform changing a passphrase.  The argument is the passwd structure
  * for the current user.
  */
-void
+static void
 do_change_passphrase(struct passwd *pw)
 {
        char *comment;
@@ -477,8 +647,11 @@ do_change_passphrase(struct passwd *pw)
                if (identity_passphrase)
                        old_passphrase = xstrdup(identity_passphrase);
                else
-                       old_passphrase = read_passphrase("Enter old passphrase: ", 1);
-               private = key_load_private(identity_file, old_passphrase , &comment);
+                       old_passphrase =
+                           read_passphrase("Enter old passphrase: ",
+                           RP_ALLOW_STDIN);
+               private = key_load_private(identity_file, old_passphrase,
+                   &comment);
                memset(old_passphrase, 0, strlen(old_passphrase));
                xfree(old_passphrase);
                if (private == NULL) {
@@ -494,8 +667,10 @@ do_change_passphrase(struct passwd *pw)
                passphrase2 = NULL;
        } else {
                passphrase1 =
-                       read_passphrase("Enter new passphrase (empty for no passphrase): ", 1);
-               passphrase2 = read_passphrase("Enter same passphrase again: ", 1);
+                       read_passphrase("Enter new passphrase (empty for no "
+                           "passphrase): ", RP_ALLOW_STDIN);
+               passphrase2 = read_passphrase("Enter same passphrase again: ",
+                   RP_ALLOW_STDIN);
 
                /* Verify that they are the same. */
                if (strcmp(passphrase1, passphrase2) != 0) {
@@ -533,7 +708,7 @@ do_change_passphrase(struct passwd *pw)
 /*
  * Change the comment of a private key file.
  */
-void
+static void
 do_change_comment(struct passwd *pw)
 {
        char new_comment[1024], *comment, *passphrase;
@@ -556,7 +731,8 @@ do_change_comment(struct passwd *pw)
                else if (identity_new_passphrase)
                        passphrase = xstrdup(identity_new_passphrase);
                else
-                       passphrase = read_passphrase("Enter passphrase: ", 1);
+                       passphrase = read_passphrase("Enter passphrase: ",
+                           RP_ALLOW_STDIN);
                /* Try to load using the passphrase. */
                private = key_load_private(identity_file, passphrase, &comment);
                if (private == NULL) {
@@ -572,7 +748,7 @@ do_change_comment(struct passwd *pw)
                fprintf(stderr, "Comments are only supported for RSA1 keys.\n");
                key_free(private);
                exit(1);
-       }       
+       }
        printf("Key now has comment '%s'\n", comment);
 
        if (identity_comment) {
@@ -626,11 +802,30 @@ do_change_comment(struct passwd *pw)
        exit(0);
 }
 
-void
+static void
 usage(void)
 {
-       printf("Usage: %s [-ceilpqyB] [-t type] [-b bits] [-f file] [-C comment] "
-           "[-N new-pass] [-P pass]\n", __progname);
+       fprintf(stderr, "Usage: %s [options]\n", __progname);
+       fprintf(stderr, "Options:\n");
+       fprintf(stderr, "  -b bits     Number of bits in the key to create.\n");
+       fprintf(stderr, "  -c          Change comment in private and public key files.\n");
+       fprintf(stderr, "  -e          Convert OpenSSH to IETF SECSH key file.\n");
+       fprintf(stderr, "  -f filename Filename of the key file.\n");
+       fprintf(stderr, "  -i          Convert IETF SECSH to OpenSSH key file.\n");
+       fprintf(stderr, "  -l          Show fingerprint of key file.\n");
+       fprintf(stderr, "  -p          Change passphrase of private key file.\n");
+       fprintf(stderr, "  -q          Quiet.\n");
+       fprintf(stderr, "  -y          Read private key file and print public key.\n");
+       fprintf(stderr, "  -t type     Specify type of key to create.\n");
+       fprintf(stderr, "  -B          Show bubblebabble digest of key file.\n");
+       fprintf(stderr, "  -C comment  Provide new comment.\n");
+       fprintf(stderr, "  -N phrase   Provide new passphrase.\n");
+       fprintf(stderr, "  -P phrase   Provide old passphrase.\n");
+#ifdef SMARTCARD
+       fprintf(stderr, "  -D reader   Download public key from smartcard.\n");
+       fprintf(stderr, "  -U reader   Upload private key to smartcard.\n");
+#endif /* SMARTCARD */
+
        exit(1);
 }
 
@@ -640,11 +835,12 @@ usage(void)
 int
 main(int ac, char **av)
 {
-       char dotsshdir[16 * 1024], comment[1024], *passphrase1, *passphrase2;
+       char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2;
+       char *reader_id = NULL;
        Key *private, *public;
        struct passwd *pw;
-       int opt, type, fd;
        struct stat st;
+       int opt, type, fd, download = 0;
        FILE *f;
 
        extern int optind;
@@ -667,7 +863,7 @@ main(int ac, char **av)
                exit(1);
        }
 
-       while ((opt = getopt(ac, av, "deiqpclBRxXyb:f:t:P:N:C:")) != -1) {
+       while ((opt = getopt(ac, av, "deiqpclBRxXyb:f:t:U:D:P:N:C:")) != -1) {
                switch (opt) {
                case 'b':
                        bits = atoi(optarg);
@@ -676,73 +872,62 @@ main(int ac, char **av)
                                exit(1);
                        }
                        break;
-
                case 'l':
                        print_fingerprint = 1;
                        break;
-
                case 'B':
                        print_bubblebabble = 1;
                        break;
-
                case 'p':
                        change_passphrase = 1;
                        break;
-
                case 'c':
                        change_comment = 1;
                        break;
-
                case 'f':
                        strlcpy(identity_file, optarg, sizeof(identity_file));
                        have_identity = 1;
                        break;
-
                case 'P':
                        identity_passphrase = optarg;
                        break;
-
                case 'N':
                        identity_new_passphrase = optarg;
                        break;
-
                case 'C':
                        identity_comment = optarg;
                        break;
-
                case 'q':
                        quiet = 1;
                        break;
-
                case 'R':
                        /* unused */
                        exit(0);
                        break;
-
                case 'e':
                case 'x':
                        /* export key */
                        convert_to_ssh2 = 1;
                        break;
-
                case 'i':
                case 'X':
                        /* import key */
                        convert_from_ssh2 = 1;
                        break;
-
                case 'y':
                        print_public = 1;
                        break;
-
                case 'd':
                        key_type_name = "dsa";
                        break;
-
                case 't':
                        key_type_name = optarg;
                        break;
-
+               case 'D':
+                       download = 1;
+               case 'U':
+                       reader_id = optarg;
+                       break;
                case '?':
                default:
                        usage();
@@ -768,9 +953,23 @@ main(int ac, char **av)
                do_convert_from_ssh2(pw);
        if (print_public)
                do_print_public(pw);
+       if (reader_id != NULL) {
+#ifdef SMARTCARD
+               if (download)
+                       do_download(pw, reader_id);
+               else
+                       do_upload(pw, reader_id);
+#else /* SMARTCARD */
+               fatal("no support for smartcards.");
+#endif /* SMARTCARD */
+       }
 
        arc4random_stir();
 
+       if (key_type_name == NULL) {
+               printf("You must specify a key type (-t).\n");
+               usage();
+       }
        type = key_type_from_name(key_type_name);
        if (type == KEY_UNSPEC) {
                fprintf(stderr, "unknown key type %s\n", key_type_name);
@@ -816,10 +1015,15 @@ main(int ac, char **av)
        else {
 passphrase_again:
                passphrase1 =
-                       read_passphrase("Enter passphrase (empty for no passphrase): ", 1);
-               passphrase2 = read_passphrase("Enter same passphrase again: ", 1);
+                       read_passphrase("Enter passphrase (empty for no "
+                           "passphrase): ", RP_ALLOW_STDIN);
+               passphrase2 = read_passphrase("Enter same passphrase again: ",
+                   RP_ALLOW_STDIN);
                if (strcmp(passphrase1, passphrase2) != 0) {
-                       /* The passphrases do not match.  Clear them and retry. */
+                       /*
+                        * The passphrases do not match.  Clear them and
+                        * retry.
+                        */
                        memset(passphrase1, 0, strlen(passphrase1));
                        memset(passphrase2, 0, strlen(passphrase2));
                        xfree(passphrase1);
git-cvsimport mirror of OpenSSH
This page took 0.242012 seconds and 4 git commands to generate.