Attachment 2447 Details for Bug 2241 – preserve markers when hashing/removing known_hosts

[patch] preserve markers when hashing/removing known_hosts

keygen-marks.diff (text/plain), 4.90 KB, created by Damien Miller on 2014-07-03 12:55:49 AEST

(hide)

Description:

Filename:

MIME Type:

Creator: Damien Miller

Created: 2014-07-03 12:55:49 AEST

Size: 4.90 KB

patch

obsolete

>diff --git ssh-keygen.c ssh-keygen.c
>index 3bf4114..c85610b 100644
>--- ssh-keygen.c
>+++ ssh-keygen.c
>@@ -972,7 +972,7 @@ do_gen_all_hostkeys(struct passwd *pw)
> }
> 
> static void
>-printhost(FILE *f, const char *name, Key *public, int ca, int hash)
>+printhost(FILE *f, const char *name, Key *public, int ca, int revoked, int hash)
> {
> 	if (print_fingerprint) {
> 		enum fp_rep rep;
>@@ -992,7 +992,8 @@ printhost(FILE *f, const char *name, Key *public, int ca, int hash)
> 	} else {
> 		if (hash && (name = host_hash(name, NULL, 0)) == NULL)
> 			fatal("hash_host failed");
>-		fprintf(f, "%s%s%s ", ca ? CA_MARKER : "", ca ? " " : "", name);
>+		fprintf(f, "%s%s%s ", ca ? CA_MARKER " " : "",
>+		    revoked ? REVOKE_MARKER " " : "" , name);
> 		if (!key_write(public, f))
> 			fatal("key_write failed");
> 		fprintf(f, "\n");
>@@ -1007,7 +1008,7 @@ do_known_hosts(struct passwd *pw, const char *name)
> 	char *cp, *cp2, *kp, *kp2;
> 	char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN];
> 	int c, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0;
>-	int ca;
>+	int ca, revoked;
> 	int found_key = 0;
> 
> 	if (!have_identity) {
>@@ -1021,6 +1022,7 @@ do_known_hosts(struct passwd *pw, const char *name)
> 	if ((in = fopen(identity_file, "r")) == NULL)
> 		fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
> 
>+	/* XXX this code is a mess; refactor -djm */
> 	/*
> 	 * Find hosts goes to stdout, hash and deletions happen in-place
> 	 * A corner case is ssh-keygen -HF foo, which should go to stdout
>@@ -1064,7 +1066,7 @@ do_known_hosts(struct passwd *pw, const char *name)
> 				fprintf(out, "%s\n", cp);
> 			continue;
> 		}
>-		/* Check whether this is a CA key */
>+		/* Check whether this is a CA key or revocation marker */
> 		if (strncasecmp(cp, CA_MARKER, sizeof(CA_MARKER) - 1) == 0 &&
> 		    (cp[sizeof(CA_MARKER) - 1] == ' ' ||
> 		    cp[sizeof(CA_MARKER) - 1] == '\t')) {
>@@ -1072,6 +1074,14 @@ do_known_hosts(struct passwd *pw, const char *name)
> 			cp += sizeof(CA_MARKER);
> 		} else
> 			ca = 0;
>+		if (strncasecmp(cp, REVOKE_MARKER,
>+		    sizeof(REVOKE_MARKER) - 1) == 0 &&
>+		    (cp[sizeof(REVOKE_MARKER) - 1] == ' ' ||
>+		    cp[sizeof(REVOKE_MARKER) - 1] == '\t')) {
>+ 			revoked = 1;
>+			cp += sizeof(REVOKE_MARKER);
>+		} else
>+			revoked = 0;
> 
> 		/* Find the end of the host name portion. */
> 		for (kp = cp; *kp && *kp != ' ' && *kp != '\t'; kp++)
>@@ -1115,20 +1125,23 @@ do_known_hosts(struct passwd *pw, const char *name)
> 						printf("# Host %s found: "
> 						    "line %d type %s%s\n", name,
> 						    num, key_type(pub),
>-						    ca ? " (CA key)" : "");
>-					printhost(out, cp, pub, ca, 0);
>+						    ca ? " (CA key)" :
>+						    revoked? " (revoked)" : "");
>+					printhost(out, cp, pub, ca, revoked, 0);
> 					found_key = 1;
> 				}
> 				if (delete_host) {
>-					if (!c && !ca)
>-						printhost(out, cp, pub, ca, 0);
>-					else
>+					if (!c || ca || revoked) {
>+						printhost(out, cp, pub,
>+						    ca, revoked, 0);
>+					} else {
> 						printf("# Host %s found: "
> 						    "line %d type %s\n", name,
> 						    num, key_type(pub));
>+					}
> 				}
> 			} else if (hash_hosts)
>-				printhost(out, cp, pub, ca, 0);
>+				printhost(out, cp, pub, ca, revoked, 0);
> 		} else {
> 			if (find_host || delete_host) {
> 				c = (match_hostname(name, cp,
>@@ -1139,38 +1152,43 @@ do_known_hosts(struct passwd *pw, const char *name)
> 						    "line %d type %s%s\n", name,
> 						    num, key_type(pub),
> 						    ca ? " (CA key)" : "");
>-					printhost(out, name, pub,
>-					    ca, hash_hosts && !ca);
>+					printhost(out, name, pub, ca, revoked,
>+					    hash_hosts && !(ca || revoked));
> 					found_key = 1;
> 				}
> 				if (delete_host) {
>-					if (!c && !ca)
>-						printhost(out, cp, pub, ca, 0);
>-					else
>+					if (!c || ca || revoked) {
>+						printhost(out, cp, pub,
>+						    ca, revoked, 0);
>+					} else {
> 						printf("# Host %s found: "
> 						    "line %d type %s\n", name,
> 						    num, key_type(pub));
>+					}
> 				}
>+			} else if (hash_hosts && (ca || revoked)) {
>+				/* Don't hash CA and revoked keys' hostnames */
>+				printhost(out, cp, pub, ca, revoked, 0);
>+				has_unhashed = 1;
> 			} else if (hash_hosts) {
>+				/* Hash each hostname separately */
> 				for (cp2 = strsep(&cp, ",");
> 				    cp2 != NULL && *cp2 != '\0';
> 				    cp2 = strsep(&cp, ",")) {
>-					if (ca) {
>-						fprintf(stderr, "Warning: "
>-						    "ignoring CA key for host: "
>-						    "%.64s\n", cp2);
>-						printhost(out, cp2, pub, ca, 0);
>-					} else if (strcspn(cp2, "*?!") !=
>+					if (strcspn(cp2, "*?!") !=
> 					    strlen(cp2)) {
> 						fprintf(stderr, "Warning: "
> 						    "ignoring host name with "
> 						    "metacharacters: %.64s\n",
> 						    cp2);
>-						printhost(out, cp2, pub, ca, 0);
>-					} else
>-						printhost(out, cp2, pub, ca, 1);
>+						printhost(out, cp2, pub, ca,
>+						    revoked, 0);
>+						has_unhashed = 1;
>+					} else {
>+						printhost(out, cp2, pub, ca,
>+						    revoked, 1);
>+					}
> 				}
>-				has_unhashed = 1;
> 			}
> 		}
> 		key_free(pub);

Actions: View | Diff

Attachments on bug 2241: 2447