summaryrefslogtreecommitdiff
path: root/usr.bin
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2019-01-23 04:16:23 +0000
committerDamien Miller <djm@cvs.openbsd.org>2019-01-23 04:16:23 +0000
commitb789f17b25afab74f9fc21b00ace5d03da0f4f2e (patch)
tree00feff57f95e0f8ea58571a684812db4232f42e5 /usr.bin
parentbd5217ff170d9ca737f571d92e7db199161d6077 (diff)
move a bunch of global flag variables to main(); make the rest static
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/ssh-keygen.c176
1 files changed, 82 insertions, 94 deletions
diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c
index 57a3b7d955d..ef695b482a4 100644
--- a/usr.bin/ssh/ssh-keygen.c
+++ b/usr.bin/ssh/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.324 2019/01/22 20:48:01 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.325 2019/01/23 04:16:22 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -64,75 +64,38 @@
#define DEFAULT_BITS 2048
#define DEFAULT_BITS_DSA 1024
#define DEFAULT_BITS_ECDSA 256
-u_int32_t bits = 0;
-/*
- * Flag indicating that we just want to change the passphrase. This can be
- * set on the command line.
- */
-int change_passphrase = 0;
-
-/*
- * Flag indicating that we just want to change the comment. This can be set
- * on the command line.
- */
-int change_comment = 0;
-
-int quiet = 0;
-
-int log_level = SYSLOG_LEVEL_INFO;
-
-/* Flag indicating that we want to hash a known_hosts file */
-int hash_hosts = 0;
-/* Flag indicating that we want lookup a host in known_hosts file */
-int find_host = 0;
-/* Flag indicating that we want to delete a host from a known_hosts file */
-int delete_host = 0;
-
-/* Flag indicating that we want to show the contents of a certificate */
-int show_cert = 0;
+static int quiet = 0;
/* Flag indicating that we just want to see the key fingerprint */
-int print_fingerprint = 0;
-int print_bubblebabble = 0;
+static int print_fingerprint = 0;
+static int print_bubblebabble = 0;
/* Hash algorithm to use for fingerprints. */
-int fingerprint_hash = SSH_FP_HASH_DEFAULT;
+static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
/* The identity file name, given on the command line or entered by the user. */
-char identity_file[1024];
-int have_identity = 0;
+static char identity_file[1024];
+static int have_identity = 0;
/* This is set to the passphrase if given on the command line. */
-char *identity_passphrase = NULL;
+static char *identity_passphrase = NULL;
/* This is set to the new passphrase if given on the command line. */
-char *identity_new_passphrase = NULL;
-
-/* This is set to the new comment if given on the command line. */
-char *identity_comment = NULL;
-
-/* Path to CA key when certifying keys. */
-char *ca_key_path = NULL;
-
-/* Prefer to use agent keys for CA signing */
-int prefer_agent = 0;
-
-/* Certificate serial number */
-unsigned long long cert_serial = 0;
+static char *identity_new_passphrase = NULL;
/* Key type when certifying */
-u_int cert_key_type = SSH2_CERT_TYPE_USER;
+static u_int cert_key_type = SSH2_CERT_TYPE_USER;
/* "key ID" of signed key */
-char *cert_key_id = NULL;
+static char *cert_key_id = NULL;
/* Comma-separated list of principal names for certifying keys */
-char *cert_principals = NULL;
+static char *cert_principals = NULL;
/* Validity period for certificates */
-u_int64_t cert_valid_from = 0;
-u_int64_t cert_valid_to = ~0ULL;
+static u_int64_t cert_valid_from = 0;
+static u_int64_t cert_valid_to = ~0ULL;
/* Certificate options */
#define CERTOPT_X_FWD (1)
@@ -142,9 +105,9 @@ u_int64_t cert_valid_to = ~0ULL;
#define CERTOPT_USER_RC (1<<4)
#define CERTOPT_DEFAULT (CERTOPT_X_FWD|CERTOPT_AGENT_FWD| \
CERTOPT_PORT_FWD|CERTOPT_PTY|CERTOPT_USER_RC)
-u_int32_t certflags_flags = CERTOPT_DEFAULT;
-char *certflags_command = NULL;
-char *certflags_src_addr = NULL;
+static u_int32_t certflags_flags = CERTOPT_DEFAULT;
+static char *certflags_command = NULL;
+static char *certflags_src_addr = NULL;
/* Arbitrary extensions specified by user */
struct cert_userext {
@@ -152,41 +115,37 @@ struct cert_userext {
char *val;
int crit;
};
-struct cert_userext *cert_userext;
-size_t ncert_userext;
+static struct cert_userext *cert_userext;
+static size_t ncert_userext;
/* Conversion to/from various formats */
-int convert_to = 0;
-int convert_from = 0;
enum {
FMT_RFC4716,
FMT_PKCS8,
FMT_PEM
} convert_format = FMT_RFC4716;
-int print_public = 0;
-int print_generic = 0;
-char *key_type_name = NULL;
+static char *key_type_name = NULL;
/* Load key from this PKCS#11 provider */
-char *pkcs11provider = NULL;
+static char *pkcs11provider = NULL;
/* Use new OpenSSH private key format when writing SSH2 keys instead of PEM */
-int use_new_format = 1;
+static int use_new_format = 1;
/* Cipher for new-format private keys */
-char *new_format_cipher = NULL;
+static char *new_format_cipher = NULL;
/*
* Number of KDF rounds to derive new format keys /
* number of primality trials when screening moduli.
*/
-int rounds = 0;
+static int rounds = 0;
/* argv0 */
extern char *__progname;
-char hostname[NI_MAXHOST];
+static char hostname[NI_MAXHOST];
#ifdef WITH_OPENSSL
/* moduli.c */
@@ -804,7 +763,7 @@ do_download(struct passwd *pw)
fatal("%s: sshkey_fingerprint fail", __func__);
printf("%u %s %s (PKCS11 key)\n", sshkey_size(keys[i]),
fp, sshkey_type(keys[i]));
- if (log_level >= SYSLOG_LEVEL_VERBOSE)
+ if (log_level_get() >= SYSLOG_LEVEL_VERBOSE)
printf("%s\n", ra);
free(ra);
free(fp);
@@ -852,7 +811,7 @@ fingerprint_one_key(const struct sshkey *public, const char *comment)
fatal("%s: sshkey_fingerprint failed", __func__);
mprintf("%u %s %s (%s)\n", sshkey_size(public), fp,
comment ? comment : "no comment", sshkey_type(public));
- if (log_level >= SYSLOG_LEVEL_VERBOSE)
+ if (log_level_get() >= SYSLOG_LEVEL_VERBOSE)
printf("%s\n", ra);
free(ra);
free(fp);
@@ -998,6 +957,7 @@ do_gen_all_hostkeys(struct passwd *pw)
{ NULL, NULL, NULL }
};
+ u_int bits = 0;
int first = 0;
struct stat st;
struct sshkey *private, *public;
@@ -1121,6 +1081,9 @@ struct known_hosts_ctx {
int has_unhashed; /* When hashing, original had unhashed hosts */
int found_key; /* For find/delete, host was found */
int invalid; /* File contained invalid items; don't delete */
+ int hash_hosts; /* Hash hostnames as we go */
+ int find_host; /* Search for specific hostname */
+ int delete_host; /* Delete host from known_hosts */
};
static int
@@ -1140,7 +1103,7 @@ known_hosts_hash(struct hostkey_foreach_line *l, void *_ctx)
*/
if (was_hashed || has_wild || l->marker != MRK_NONE) {
fprintf(ctx->out, "%s\n", l->line);
- if (has_wild && !find_host) {
+ if (has_wild && !ctx->find_host) {
logit("%s:%lu: ignoring host name "
"with wildcard: %.64s", l->path,
l->linenum, l->hosts);
@@ -1186,7 +1149,7 @@ known_hosts_find_delete(struct hostkey_foreach_line *l, void *_ctx)
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
if (l->status == HKF_STATUS_MATCHED) {
- if (delete_host) {
+ if (ctx->delete_host) {
if (l->marker != MRK_NONE) {
/* Don't remove CA and revocation lines */
fprintf(ctx->out, "%s\n", l->line);
@@ -1202,7 +1165,7 @@ known_hosts_find_delete(struct hostkey_foreach_line *l, void *_ctx)
ctx->host, l->linenum);
}
return 0;
- } else if (find_host) {
+ } else if (ctx->find_host) {
ctx->found_key = 1;
if (!quiet) {
printf("# Host %s found: line %lu %s\n",
@@ -1210,7 +1173,7 @@ known_hosts_find_delete(struct hostkey_foreach_line *l, void *_ctx)
l->linenum, l->marker == MRK_CA ? "CA" :
(l->marker == MRK_REVOKE ? "REVOKED" : ""));
}
- if (hash_hosts)
+ if (ctx->hash_hosts)
known_hosts_hash(l, ctx);
else if (print_fingerprint) {
fp = sshkey_fingerprint(l->key, fptype, rep);
@@ -1221,7 +1184,7 @@ known_hosts_find_delete(struct hostkey_foreach_line *l, void *_ctx)
fprintf(ctx->out, "%s\n", l->line);
return 0;
}
- } else if (delete_host) {
+ } else if (ctx->delete_host) {
/* Retain non-matching hosts when deleting */
if (l->status == HKF_STATUS_INVALID) {
ctx->invalid = 1;
@@ -1233,7 +1196,8 @@ known_hosts_find_delete(struct hostkey_foreach_line *l, void *_ctx)
}
static void
-do_known_hosts(struct passwd *pw, const char *name)
+do_known_hosts(struct passwd *pw, const char *name, int find_host,
+ int delete_host, int hash_hosts)
{
char *cp, tmp[PATH_MAX], old[PATH_MAX];
int r, fd, oerrno, inplace = 0;
@@ -1252,6 +1216,9 @@ do_known_hosts(struct passwd *pw, const char *name)
memset(&ctx, 0, sizeof(ctx));
ctx.out = stdout;
ctx.host = name;
+ ctx.hash_hosts = hash_hosts;
+ ctx.find_host = find_host;
+ ctx.delete_host = delete_host;
/*
* Find hosts goes to stdout, hash and deletions happen in-place
@@ -1416,7 +1383,8 @@ do_change_passphrase(struct passwd *pw)
* Print the SSHFP RR.
*/
static int
-do_print_resource_record(struct passwd *pw, char *fname, char *hname)
+do_print_resource_record(struct passwd *pw, char *fname, char *hname,
+ int print_generic)
{
struct sshkey *public;
char *comment = NULL;
@@ -1443,7 +1411,7 @@ do_print_resource_record(struct passwd *pw, char *fname, char *hname)
* Change the comment of a private key file.
*/
static void
-do_change_comment(struct passwd *pw)
+do_change_comment(struct passwd *pw, const char *identity_comment)
{
char new_comment[1024], *comment, *passphrase;
struct sshkey *private;
@@ -1655,7 +1623,8 @@ agent_signer(const struct sshkey *key, u_char **sigp, size_t *lenp,
}
static void
-do_ca_sign(struct passwd *pw, int argc, char **argv)
+do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
+ unsigned long long cert_serial, int argc, char **argv)
{
int r, i, fd, found, agent_fd = -1;
u_int n;
@@ -2282,7 +2251,9 @@ update_krl_from_file(struct passwd *pw, const char *file, int wild_ca,
}
static void
-do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
+do_gen_krl(struct passwd *pw, int updating, const char *ca_key_path,
+ unsigned long long krl_version, const char *krl_comment,
+ int argc, char **argv)
{
struct ssh_krl *krl;
struct stat sb;
@@ -2317,10 +2288,10 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
else if ((krl = ssh_krl_init()) == NULL)
fatal("couldn't create KRL");
- if (cert_serial != 0)
- ssh_krl_set_version(krl, cert_serial);
- if (identity_comment != NULL)
- ssh_krl_set_comment(krl, identity_comment);
+ if (krl_version != 0)
+ ssh_krl_set_version(krl, krl_version);
+ if (krl_comment != NULL)
+ ssh_krl_set_comment(krl, krl_comment);
for (i = 0; i < argc; i++)
update_krl_from_file(pw, argv[i], wild_ca, ca, krl);
@@ -2420,9 +2391,17 @@ main(int argc, char **argv)
struct passwd *pw;
struct stat st;
int r, opt, type, fd;
+ int change_passphrase = 0, change_comment = 0, show_cert = 0;
+ int find_host = 0, delete_host = 0, hash_hosts = 0;
int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0;
+ int prefer_agent = 0, convert_to = 0, convert_from = 0;
+ int print_public = 0, print_generic = 0;
+ unsigned long long cert_serial = 0;
+ char *identity_comment = NULL, *ca_key_path = NULL;
+ u_int bits = 0;
FILE *f;
const char *errstr;
+ int log_level = SYSLOG_LEVEL_INFO;
#ifdef WITH_OPENSSL
/* Moduli generation/screening */
char out_file[PATH_MAX], *checkpoint = NULL;
@@ -2689,7 +2668,8 @@ main(int argc, char **argv)
}
#ifdef WITH_OPENSSL
if (gen_krl) {
- do_gen_krl(pw, update_krl, argc, argv);
+ do_gen_krl(pw, update_krl, ca_key_path,
+ cert_serial, identity_comment, argc, argv);
return (0);
}
if (check_krl) {
@@ -2700,12 +2680,15 @@ main(int argc, char **argv)
if (ca_key_path != NULL) {
if (cert_key_id == NULL)
fatal("Must specify key id (-I) when certifying");
- do_ca_sign(pw, argc, argv);
+ do_ca_sign(pw, ca_key_path, prefer_agent, cert_serial,
+ argc, argv);
}
if (show_cert)
do_show_cert(pw);
- if (delete_host || hash_hosts || find_host)
- do_known_hosts(pw, rr_hostname);
+ if (delete_host || hash_hosts || find_host) {
+ do_known_hosts(pw, rr_hostname, find_host,
+ delete_host, hash_hosts);
+ }
if (pkcs11provider != NULL)
do_download(pw);
if (print_fingerprint || print_bubblebabble)
@@ -2713,7 +2696,7 @@ main(int argc, char **argv)
if (change_passphrase)
do_change_passphrase(pw);
if (change_comment)
- do_change_comment(pw);
+ do_change_comment(pw, identity_comment);
#ifdef WITH_OPENSSL
if (convert_to)
do_convert_to(pw);
@@ -2726,23 +2709,28 @@ main(int argc, char **argv)
unsigned int n = 0;
if (have_identity) {
- n = do_print_resource_record(pw,
- identity_file, rr_hostname);
+ n = do_print_resource_record(pw, identity_file,
+ rr_hostname, print_generic);
if (n == 0)
fatal("%s: %s", identity_file, strerror(errno));
exit(0);
} else {
n += do_print_resource_record(pw,
- _PATH_HOST_RSA_KEY_FILE, rr_hostname);
+ _PATH_HOST_RSA_KEY_FILE, rr_hostname,
+ print_generic);
n += do_print_resource_record(pw,
- _PATH_HOST_DSA_KEY_FILE, rr_hostname);
+ _PATH_HOST_DSA_KEY_FILE, rr_hostname,
+ print_generic);
n += do_print_resource_record(pw,
- _PATH_HOST_ECDSA_KEY_FILE, rr_hostname);
+ _PATH_HOST_ECDSA_KEY_FILE, rr_hostname,
+ print_generic);
n += do_print_resource_record(pw,
- _PATH_HOST_ED25519_KEY_FILE, rr_hostname);
+ _PATH_HOST_ED25519_KEY_FILE, rr_hostname,
+ print_generic);
n += do_print_resource_record(pw,
- _PATH_HOST_XMSS_KEY_FILE, rr_hostname);
+ _PATH_HOST_XMSS_KEY_FILE, rr_hostname,
+ print_generic);
if (n == 0)
fatal("no keys found.");
exit(0);