summaryrefslogtreecommitdiff
path: root/ssh-keygen.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2011-01-24 11:46:57 +0000
committerColin Watson <cjwatson@debian.org>2011-01-24 11:46:57 +0000
commit0970072c89b079b022538e3c366fbfa2c53fc821 (patch)
treeb7024712d74234bb5a8b036ccbc9109e2e211296 /ssh-keygen.c
parent4e8aa4da57000c7bba8e5c49163bc0c0ca383f78 (diff)
parent478ff799463ca926a8dfbabf058f4e84aaffc65a (diff)
merge 5.7p1
Diffstat (limited to 'ssh-keygen.c')
-rw-r--r--ssh-keygen.c62
1 files changed, 53 insertions, 9 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c
index d90b1dfdd..c95e4ab29 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-keygen.c,v 1.197 2010/08/04 06:07:11 djm Exp $ */ 1/* $OpenBSD: ssh-keygen.c,v 1.205 2011/01/11 06:13:10 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -57,6 +57,7 @@
57/* Number of bits in the RSA/DSA key. This value can be set on the command line. */ 57/* Number of bits in the RSA/DSA key. This value can be set on the command line. */
58#define DEFAULT_BITS 2048 58#define DEFAULT_BITS 2048
59#define DEFAULT_BITS_DSA 1024 59#define DEFAULT_BITS_DSA 1024
60#define DEFAULT_BITS_ECDSA 256
60u_int32_t bits = 0; 61u_int32_t bits = 0;
61 62
62/* 63/*
@@ -176,6 +177,12 @@ ask_filename(struct passwd *pw, const char *prompt)
176 case KEY_DSA: 177 case KEY_DSA:
177 name = _PATH_SSH_CLIENT_ID_DSA; 178 name = _PATH_SSH_CLIENT_ID_DSA;
178 break; 179 break;
180#ifdef OPENSSL_HAS_ECC
181 case KEY_ECDSA_CERT:
182 case KEY_ECDSA:
183 name = _PATH_SSH_CLIENT_ID_ECDSA;
184 break;
185#endif
179 case KEY_RSA_CERT: 186 case KEY_RSA_CERT:
180 case KEY_RSA_CERT_V00: 187 case KEY_RSA_CERT_V00:
181 case KEY_RSA: 188 case KEY_RSA:
@@ -260,6 +267,12 @@ do_convert_to_pkcs8(Key *k)
260 if (!PEM_write_DSA_PUBKEY(stdout, k->dsa)) 267 if (!PEM_write_DSA_PUBKEY(stdout, k->dsa))
261 fatal("PEM_write_DSA_PUBKEY failed"); 268 fatal("PEM_write_DSA_PUBKEY failed");
262 break; 269 break;
270#ifdef OPENSSL_HAS_ECC
271 case KEY_ECDSA:
272 if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa))
273 fatal("PEM_write_EC_PUBKEY failed");
274 break;
275#endif
263 default: 276 default:
264 fatal("%s: unsupported key type %s", __func__, key_type(k)); 277 fatal("%s: unsupported key type %s", __func__, key_type(k));
265 } 278 }
@@ -280,6 +293,7 @@ do_convert_to_pem(Key *k)
280 fatal("PEM_write_DSAPublicKey failed"); 293 fatal("PEM_write_DSAPublicKey failed");
281 break; 294 break;
282#endif 295#endif
296 /* XXX ECDSA? */
283 default: 297 default:
284 fatal("%s: unsupported key type %s", __func__, key_type(k)); 298 fatal("%s: unsupported key type %s", __func__, key_type(k));
285 } 299 }
@@ -539,6 +553,14 @@ do_convert_from_pkcs8(Key **k, int *private)
539 (*k)->type = KEY_DSA; 553 (*k)->type = KEY_DSA;
540 (*k)->dsa = EVP_PKEY_get1_DSA(pubkey); 554 (*k)->dsa = EVP_PKEY_get1_DSA(pubkey);
541 break; 555 break;
556#ifdef OPENSSL_HAS_ECC
557 case EVP_PKEY_EC:
558 *k = key_new(KEY_UNSPEC);
559 (*k)->type = KEY_ECDSA;
560 (*k)->ecdsa = EVP_PKEY_get1_EC_KEY(pubkey);
561 (*k)->ecdsa_nid = key_ecdsa_key_to_nid((*k)->ecdsa);
562 break;
563#endif
542 default: 564 default:
543 fatal("%s: unsupported pubkey type %d", __func__, 565 fatal("%s: unsupported pubkey type %d", __func__,
544 EVP_PKEY_type(pubkey->type)); 566 EVP_PKEY_type(pubkey->type));
@@ -574,6 +596,7 @@ do_convert_from_pem(Key **k, int *private)
574 fclose(fp); 596 fclose(fp);
575 return; 597 return;
576 } 598 }
599 /* XXX ECDSA */
577#endif 600#endif
578 fatal("%s: unrecognised raw private key format", __func__); 601 fatal("%s: unrecognised raw private key format", __func__);
579} 602}
@@ -614,6 +637,12 @@ do_convert_from(struct passwd *pw)
614 ok = PEM_write_DSAPrivateKey(stdout, k->dsa, NULL, 637 ok = PEM_write_DSAPrivateKey(stdout, k->dsa, NULL,
615 NULL, 0, NULL, NULL); 638 NULL, 0, NULL, NULL);
616 break; 639 break;
640#ifdef OPENSSL_HAS_ECC
641 case KEY_ECDSA:
642 ok = PEM_write_ECPrivateKey(stdout, k->ecdsa, NULL,
643 NULL, 0, NULL, NULL);
644 break;
645#endif
617 case KEY_RSA: 646 case KEY_RSA:
618 ok = PEM_write_RSAPrivateKey(stdout, k->rsa, NULL, 647 ok = PEM_write_RSAPrivateKey(stdout, k->rsa, NULL,
619 NULL, 0, NULL, NULL); 648 NULL, 0, NULL, NULL);
@@ -1404,7 +1433,8 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
1404 tmp = tilde_expand_filename(argv[i], pw->pw_uid); 1433 tmp = tilde_expand_filename(argv[i], pw->pw_uid);
1405 if ((public = key_load_public(tmp, &comment)) == NULL) 1434 if ((public = key_load_public(tmp, &comment)) == NULL)
1406 fatal("%s: unable to open \"%s\"", __func__, tmp); 1435 fatal("%s: unable to open \"%s\"", __func__, tmp);
1407 if (public->type != KEY_RSA && public->type != KEY_DSA) 1436 if (public->type != KEY_RSA && public->type != KEY_DSA &&
1437 public->type != KEY_ECDSA)
1408 fatal("%s: key \"%s\" type %s cannot be certified", 1438 fatal("%s: key \"%s\" type %s cannot be certified",
1409 __func__, tmp, key_type(public)); 1439 __func__, tmp, key_type(public));
1410 1440
@@ -1450,7 +1480,8 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
1450 if (!quiet) { 1480 if (!quiet) {
1451 logit("Signed %s key %s: id \"%s\" serial %llu%s%s " 1481 logit("Signed %s key %s: id \"%s\" serial %llu%s%s "
1452 "valid %s", key_cert_type(public), 1482 "valid %s", key_cert_type(public),
1453 out, public->cert->key_id, public->cert->serial, 1483 out, public->cert->key_id,
1484 (unsigned long long)public->cert->serial,
1454 cert_principals != NULL ? " for " : "", 1485 cert_principals != NULL ? " for " : "",
1455 cert_principals != NULL ? cert_principals : "", 1486 cert_principals != NULL ? cert_principals : "",
1456 fmt_validity(cert_valid_from, cert_valid_to)); 1487 fmt_validity(cert_valid_from, cert_valid_to));
@@ -1675,8 +1706,10 @@ do_show_cert(struct passwd *pw)
1675 printf(" Signing CA: %s %s\n", 1706 printf(" Signing CA: %s %s\n",
1676 key_type(key->cert->signature_key), ca_fp); 1707 key_type(key->cert->signature_key), ca_fp);
1677 printf(" Key ID: \"%s\"\n", key->cert->key_id); 1708 printf(" Key ID: \"%s\"\n", key->cert->key_id);
1678 if (!v00) 1709 if (!v00) {
1679 printf(" Serial: %llu\n", key->cert->serial); 1710 printf(" Serial: %llu\n",
1711 (unsigned long long)key->cert->serial);
1712 }
1680 printf(" Valid: %s\n", 1713 printf(" Valid: %s\n",
1681 fmt_validity(key->cert->valid_after, key->cert->valid_before)); 1714 fmt_validity(key->cert->valid_after, key->cert->valid_before));
1682 printf(" Principals: "); 1715 printf(" Principals: ");
@@ -1781,7 +1814,7 @@ main(int argc, char **argv)
1781 1814
1782 __progname = ssh_get_progname(argv[0]); 1815 __progname = ssh_get_progname(argv[0]);
1783 1816
1784 SSLeay_add_all_algorithms(); 1817 OpenSSL_add_all_algorithms();
1785 log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); 1818 log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
1786 1819
1787 init_rng(); 1820 init_rng();
@@ -1802,7 +1835,7 @@ main(int argc, char **argv)
1802 "O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) { 1835 "O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) {
1803 switch (opt) { 1836 switch (opt) {
1804 case 'b': 1837 case 'b':
1805 bits = (u_int32_t)strtonum(optarg, 768, 32768, &errstr); 1838 bits = (u_int32_t)strtonum(optarg, 256, 32768, &errstr);
1806 if (errstr) 1839 if (errstr)
1807 fatal("Bits has bad value %s (%s)", 1840 fatal("Bits has bad value %s (%s)",
1808 optarg, errstr); 1841 optarg, errstr);
@@ -2086,8 +2119,14 @@ main(int argc, char **argv)
2086 fprintf(stderr, "unknown key type %s\n", key_type_name); 2119 fprintf(stderr, "unknown key type %s\n", key_type_name);
2087 exit(1); 2120 exit(1);
2088 } 2121 }
2089 if (bits == 0) 2122 if (bits == 0) {
2090 bits = (type == KEY_DSA) ? DEFAULT_BITS_DSA : DEFAULT_BITS; 2123 if (type == KEY_DSA)
2124 bits = DEFAULT_BITS_DSA;
2125 else if (type == KEY_ECDSA)
2126 bits = DEFAULT_BITS_ECDSA;
2127 else
2128 bits = DEFAULT_BITS;
2129 }
2091 maxbits = (type == KEY_DSA) ? 2130 maxbits = (type == KEY_DSA) ?
2092 OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; 2131 OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
2093 if (bits > maxbits) { 2132 if (bits > maxbits) {
@@ -2096,6 +2135,11 @@ main(int argc, char **argv)
2096 } 2135 }
2097 if (type == KEY_DSA && bits != 1024) 2136 if (type == KEY_DSA && bits != 1024)
2098 fatal("DSA keys must be 1024 bits"); 2137 fatal("DSA keys must be 1024 bits");
2138 else if (type != KEY_ECDSA && bits < 768)
2139 fatal("Key must at least be 768 bits");
2140 else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(bits) == -1)
2141 fatal("Invalid ECDSA key length - valid lengths are "
2142 "256, 384 or 521 bits");
2099 if (!quiet) 2143 if (!quiet)
2100 printf("Generating public/private %s key pair.\n", key_type_name); 2144 printf("Generating public/private %s key pair.\n", key_type_name);
2101 private = key_generate(type, bits); 2145 private = key_generate(type, bits);