author | djm@openbsd.org <djm@openbsd.org> | 2019-07-15 13:16:29 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-07-15 23:21:18 +1000 |
commit | eb0d8e708a1f958aecd2d6e2ff2450af488d4c2a (patch) | |
tree | c5b7686e1e200aac6f3a742c7b15ed30a2c05067 /ssh-keygen.c | |
parent | e18a27eedccb024acb3cd9820b650a5dff323f01 (diff) |
upstream: support PKCS8 as an optional format for storage of
private keys, enabled via "ssh-keygen -m PKCS8" on operations that save
private keys to disk.
The OpenSSH native key format remains the default, but PKCS8 is a
superior format to PEM if interoperability with non-OpenSSH software
is required, as it may use a less terrible KDF (IIRC PEM uses a single
round of MD5 as a KDF).
adapted from patch by Jakub Jelen via bz3013; ok markus
OpenBSD-Commit-ID: 027824e3bc0b1c243dc5188504526d73a55accb1
Diffstat (limited to 'ssh-keygen.c')
-rw-r--r-- | ssh-keygen.c | 25 |
1 files changed, 14 insertions, 11 deletions
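--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.335 2019/07/05 07:32:01 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.336 2019/07/15 13:16:29 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -147,11 +147,11 @@ static char *key_type_name = NULL;
 /* Load key from this PKCS#11 provider */
 static char *pkcs11provider = NULL;
 
-/* Use new OpenSSH private key format when writing SSH2 keys instead of PEM */
-static int use_new_format = 1;
+/* Format for writing private keys */
+static int private_key_format = SSHKEY_PRIVATE_OPENSSH;
 
 /* Cipher for new-format private keys */
-static char *new_format_cipher = NULL;
+static char *openssh_format_cipher = NULL;
 
 /*
  * Number of KDF rounds to derive new format keys /
@@ -1048,7 +1048,8 @@ do_gen_all_hostkeys(struct passwd *pw)
 		snprintf(comment, sizeof comment, "%s@%s", pw->pw_name,
 		    hostname);
 		if ((r = sshkey_save_private(private, prv_tmp, "",
-		    comment, use_new_format, new_format_cipher, rounds)) != 0) {
+		    comment, private_key_format, openssh_format_cipher,
+		    rounds)) != 0) {
 			error("Saving key \"%s\" failed: %s",
 			    prv_tmp, ssh_err(r));
 			goto failnext;
@@ -1391,7 +1392,7 @@ do_change_passphrase(struct passwd *pw)
 
 	/* Save the file using the new passphrase. */
 	if ((r = sshkey_save_private(private, identity_file, passphrase1,
-	    comment, use_new_format, new_format_cipher, rounds)) != 0) {
+	    comment, private_key_format, openssh_format_cipher, rounds)) != 0) {
 		error("Saving key \"%s\" failed: %s.",
 		    identity_file, ssh_err(r));
 		explicit_bzero(passphrase1, strlen(passphrase1));
@@ -1480,7 +1481,7 @@ do_change_comment(struct passwd *pw, const char *identity_comment)
 	}
 
 	if (private->type != KEY_ED25519 && private->type != KEY_XMSS &&
-	    !use_new_format) {
+	    private_key_format != SSHKEY_PRIVATE_OPENSSH) {
 		error("Comments are only supported for keys stored in "
 		    "the new format (-o).");
 		explicit_bzero(passphrase, strlen(passphrase));
@@ -1514,7 +1515,8 @@ do_change_comment(struct passwd *pw, const char *identity_comment)
 
 	/* Save the file using the new passphrase. */
 	if ((r = sshkey_save_private(private, identity_file, passphrase,
-	    new_comment, use_new_format, new_format_cipher, rounds)) != 0) {
+	    new_comment, private_key_format, openssh_format_cipher,
+	    rounds)) != 0) {
 		error("Saving key \"%s\" failed: %s",
 		    identity_file, ssh_err(r));
 		explicit_bzero(passphrase, strlen(passphrase));
@@ -2525,11 +2527,12 @@ main(int argc, char **argv)
 			}
 			if (strcasecmp(optarg, "PKCS8") == 0) {
 				convert_format = FMT_PKCS8;
+				private_key_format = SSHKEY_PRIVATE_PKCS8;
 				break;
 			}
 			if (strcasecmp(optarg, "PEM") == 0) {
 				convert_format = FMT_PEM;
-				use_new_format = 0;
+				private_key_format = SSHKEY_PRIVATE_PEM;
 				break;
 			}
 			fatal("Unsupported conversion format \"%s\"", optarg);
@@ -2567,7 +2570,7 @@ main(int argc, char **argv)
 			add_cert_option(optarg);
 			break;
 		case 'Z':
-			new_format_cipher = optarg;
+			openssh_format_cipher = optarg;
 			break;
 		case 'C':
 			identity_comment = optarg;
@@ -2912,7 +2915,7 @@ passphrase_again:
 
 	/* Save the key with the given passphrase and comment. */
 	if ((r = sshkey_save_private(private, identity_file, passphrase1,
-	    comment, use_new_format, new_format_cipher, rounds)) != 0) {
+	    comment, private_key_format, openssh_format_cipher, rounds)) != 0) {
 		error("Saving key \"%s\" failed: %s",
 		    identity_file, ssh_err(r));
 		explicit_bzero(passphrase1, strlen(passphrase1));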
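Review bot: The error message in do_change_comment (hunk at @@ -1480) still tells the user to use `-o`, but the guard directly above it now rejects any `private_key_format` other than `SSHKEY_PRIVATE_OPENSSH`, which after this commit includes the `-m PKCS8` value as well as `-m PEM`; a user who selected the format with `-m` gets no hint that `-m` is what triggered the refusal. Consider `"the OpenSSH private key format (the default; not -m PEM/PKCS8)."` so the message names the format rather than a single flag. Separately, `-Z` is now stored in a variable named `openssh_format_cipher` but is still passed to every sshkey_save_private call regardless of `private_key_format`; whether the callee ignores it for PEM/PKCS8 cannot be seen from this file, so a one-line comment at the variable's declaration, `/* Only meaningful for SSHKEY_PRIVATE_OPENSSH */`, would make the intended scope explicit. do_change_comment's body begins and ends outside the hunk.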