diff options
author | Colin Watson <cjwatson@debian.org> | 2011-09-06 09:45:52 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2011-09-06 09:45:52 +0100 |
commit | f38224d546cdde55f45c13d3d8225d273a3f920e (patch) | |
tree | a91a26b88ac90dc72d0ea3767feabb341eaa50a8 /ssh-keygen.c | |
parent | 338146a3fc257e216fe5c10fe40e6896b40d7739 (diff) | |
parent | e90790abaf031e037f444a6658e136e48577ea49 (diff) |
merge 5.9p1
Diffstat (limited to 'ssh-keygen.c')
-rw-r--r-- | ssh-keygen.c | 181 |
1 files changed, 142 insertions, 39 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c index c95e4ab29..4b6218b10 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-keygen.c,v 1.205 2011/01/11 06:13:10 djm Exp $ */ | 1 | /* $OpenBSD: ssh-keygen.c,v 1.210 2011/04/18 00:46:05 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -49,10 +49,7 @@ | |||
49 | #include "hostfile.h" | 49 | #include "hostfile.h" |
50 | #include "dns.h" | 50 | #include "dns.h" |
51 | #include "ssh2.h" | 51 | #include "ssh2.h" |
52 | |||
53 | #ifdef ENABLE_PKCS11 | ||
54 | #include "ssh-pkcs11.h" | 52 | #include "ssh-pkcs11.h" |
55 | #endif | ||
56 | 53 | ||
57 | /* Number of bits in the RSA/DSA key. This value can be set on the command line. */ | 54 | /* Number of bits in the RSA/DSA key. This value can be set on the command line. */ |
58 | #define DEFAULT_BITS 2048 | 55 | #define DEFAULT_BITS 2048 |
@@ -160,6 +157,38 @@ int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *); | |||
160 | int prime_test(FILE *, FILE *, u_int32_t, u_int32_t); | 157 | int prime_test(FILE *, FILE *, u_int32_t, u_int32_t); |
161 | 158 | ||
162 | static void | 159 | static void |
160 | type_bits_valid(int type, u_int32_t *bitsp) | ||
161 | { | ||
162 | u_int maxbits; | ||
163 | |||
164 | if (type == KEY_UNSPEC) { | ||
165 | fprintf(stderr, "unknown key type %s\n", key_type_name); | ||
166 | exit(1); | ||
167 | } | ||
168 | if (*bitsp == 0) { | ||
169 | if (type == KEY_DSA) | ||
170 | *bitsp = DEFAULT_BITS_DSA; | ||
171 | else if (type == KEY_ECDSA) | ||
172 | *bitsp = DEFAULT_BITS_ECDSA; | ||
173 | else | ||
174 | *bitsp = DEFAULT_BITS; | ||
175 | } | ||
176 | maxbits = (type == KEY_DSA) ? | ||
177 | OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; | ||
178 | if (*bitsp > maxbits) { | ||
179 | fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); | ||
180 | exit(1); | ||
181 | } | ||
182 | if (type == KEY_DSA && *bitsp != 1024) | ||
183 | fatal("DSA keys must be 1024 bits"); | ||
184 | else if (type != KEY_ECDSA && *bitsp < 768) | ||
185 | fatal("Key must at least be 768 bits"); | ||
186 | else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1) | ||
187 | fatal("Invalid ECDSA key length - valid lengths are " | ||
188 | "256, 384 or 521 bits"); | ||
189 | } | ||
190 | |||
191 | static void | ||
163 | ask_filename(struct passwd *pw, const char *prompt) | 192 | ask_filename(struct passwd *pw, const char *prompt) |
164 | { | 193 | { |
165 | char buf[1024]; | 194 | char buf[1024]; |
@@ -818,6 +847,98 @@ do_fingerprint(struct passwd *pw) | |||
818 | } | 847 | } |
819 | 848 | ||
820 | static void | 849 | static void |
850 | do_gen_all_hostkeys(struct passwd *pw) | ||
851 | { | ||
852 | struct { | ||
853 | char *key_type; | ||
854 | char *key_type_display; | ||
855 | char *path; | ||
856 | } key_types[] = { | ||
857 | { "rsa1", "RSA1", _PATH_HOST_KEY_FILE }, | ||
858 | { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, | ||
859 | { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, | ||
860 | { "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE }, | ||
861 | { NULL, NULL, NULL } | ||
862 | }; | ||
863 | |||
864 | int first = 0; | ||
865 | struct stat st; | ||
866 | Key *private, *public; | ||
867 | char comment[1024]; | ||
868 | int i, type, fd; | ||
869 | FILE *f; | ||
870 | |||
871 | for (i = 0; key_types[i].key_type; i++) { | ||
872 | if (stat(key_types[i].path, &st) == 0) | ||
873 | continue; | ||
874 | if (errno != ENOENT) { | ||
875 | printf("Could not stat %s: %s", key_types[i].path, | ||
876 | strerror(errno)); | ||
877 | first = 0; | ||
878 | continue; | ||
879 | } | ||
880 | |||
881 | if (first == 0) { | ||
882 | first = 1; | ||
883 | printf("%s: generating new host keys: ", __progname); | ||
884 | } | ||
885 | printf("%s ", key_types[i].key_type_display); | ||
886 | fflush(stdout); | ||
887 | arc4random_stir(); | ||
888 | type = key_type_from_name(key_types[i].key_type); | ||
889 | strlcpy(identity_file, key_types[i].path, sizeof(identity_file)); | ||
890 | bits = 0; | ||
891 | type_bits_valid(type, &bits); | ||
892 | private = key_generate(type, bits); | ||
893 | if (private == NULL) { | ||
894 | fprintf(stderr, "key_generate failed\n"); | ||
895 | first = 0; | ||
896 | continue; | ||
897 | } | ||
898 | public = key_from_private(private); | ||
899 | snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, | ||
900 | hostname); | ||
901 | if (!key_save_private(private, identity_file, "", comment)) { | ||
902 | printf("Saving the key failed: %s.\n", identity_file); | ||
903 | key_free(private); | ||
904 | key_free(public); | ||
905 | first = 0; | ||
906 | continue; | ||
907 | } | ||
908 | key_free(private); | ||
909 | arc4random_stir(); | ||
910 | strlcat(identity_file, ".pub", sizeof(identity_file)); | ||
911 | fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644); | ||
912 | if (fd == -1) { | ||
913 | printf("Could not save your public key in %s\n", | ||
914 | identity_file); | ||
915 | key_free(public); | ||
916 | first = 0; | ||
917 | continue; | ||
918 | } | ||
919 | f = fdopen(fd, "w"); | ||
920 | if (f == NULL) { | ||
921 | printf("fdopen %s failed\n", identity_file); | ||
922 | key_free(public); | ||
923 | first = 0; | ||
924 | continue; | ||
925 | } | ||
926 | if (!key_write(public, f)) { | ||
927 | fprintf(stderr, "write key failed\n"); | ||
928 | key_free(public); | ||
929 | first = 0; | ||
930 | continue; | ||
931 | } | ||
932 | fprintf(f, " %s\n", comment); | ||
933 | fclose(f); | ||
934 | key_free(public); | ||
935 | |||
936 | } | ||
937 | if (first != 0) | ||
938 | printf("\n"); | ||
939 | } | ||
940 | |||
941 | static void | ||
821 | printhost(FILE *f, const char *name, Key *public, int ca, int hash) | 942 | printhost(FILE *f, const char *name, Key *public, int ca, int hash) |
822 | { | 943 | { |
823 | if (print_fingerprint) { | 944 | if (print_fingerprint) { |
@@ -1330,6 +1451,9 @@ prepare_options_buf(Buffer *c, int which) | |||
1330 | certflags_command != NULL) | 1451 | certflags_command != NULL) |
1331 | add_string_option(c, "force-command", certflags_command); | 1452 | add_string_option(c, "force-command", certflags_command); |
1332 | if ((which & OPTIONS_EXTENSIONS) != 0 && | 1453 | if ((which & OPTIONS_EXTENSIONS) != 0 && |
1454 | (certflags_flags & CERTOPT_X_FWD) != 0) | ||
1455 | add_flag_option(c, "permit-X11-forwarding"); | ||
1456 | if ((which & OPTIONS_EXTENSIONS) != 0 && | ||
1333 | (certflags_flags & CERTOPT_AGENT_FWD) != 0) | 1457 | (certflags_flags & CERTOPT_AGENT_FWD) != 0) |
1334 | add_flag_option(c, "permit-agent-forwarding"); | 1458 | add_flag_option(c, "permit-agent-forwarding"); |
1335 | if ((which & OPTIONS_EXTENSIONS) != 0 && | 1459 | if ((which & OPTIONS_EXTENSIONS) != 0 && |
@@ -1341,9 +1465,6 @@ prepare_options_buf(Buffer *c, int which) | |||
1341 | if ((which & OPTIONS_EXTENSIONS) != 0 && | 1465 | if ((which & OPTIONS_EXTENSIONS) != 0 && |
1342 | (certflags_flags & CERTOPT_USER_RC) != 0) | 1466 | (certflags_flags & CERTOPT_USER_RC) != 0) |
1343 | add_flag_option(c, "permit-user-rc"); | 1467 | add_flag_option(c, "permit-user-rc"); |
1344 | if ((which & OPTIONS_EXTENSIONS) != 0 && | ||
1345 | (certflags_flags & CERTOPT_X_FWD) != 0) | ||
1346 | add_flag_option(c, "permit-X11-forwarding"); | ||
1347 | if ((which & OPTIONS_CRITICAL) != 0 && | 1468 | if ((which & OPTIONS_CRITICAL) != 0 && |
1348 | certflags_src_addr != NULL) | 1469 | certflags_src_addr != NULL) |
1349 | add_string_option(c, "source-address", certflags_src_addr); | 1470 | add_string_option(c, "source-address", certflags_src_addr); |
@@ -1593,7 +1714,7 @@ add_cert_option(char *opt) | |||
1593 | { | 1714 | { |
1594 | char *val; | 1715 | char *val; |
1595 | 1716 | ||
1596 | if (strcmp(opt, "clear") == 0) | 1717 | if (strcasecmp(opt, "clear") == 0) |
1597 | certflags_flags = 0; | 1718 | certflags_flags = 0; |
1598 | else if (strcasecmp(opt, "no-x11-forwarding") == 0) | 1719 | else if (strcasecmp(opt, "no-x11-forwarding") == 0) |
1599 | certflags_flags &= ~CERTOPT_X_FWD; | 1720 | certflags_flags &= ~CERTOPT_X_FWD; |
@@ -1745,6 +1866,7 @@ usage(void) | |||
1745 | { | 1866 | { |
1746 | fprintf(stderr, "usage: %s [options]\n", __progname); | 1867 | fprintf(stderr, "usage: %s [options]\n", __progname); |
1747 | fprintf(stderr, "Options:\n"); | 1868 | fprintf(stderr, "Options:\n"); |
1869 | fprintf(stderr, " -A Generate non-existent host keys for all key types.\n"); | ||
1748 | fprintf(stderr, " -a trials Number of trials for screening DH-GEX moduli.\n"); | 1870 | fprintf(stderr, " -a trials Number of trials for screening DH-GEX moduli.\n"); |
1749 | fprintf(stderr, " -B Show bubblebabble digest of key file.\n"); | 1871 | fprintf(stderr, " -B Show bubblebabble digest of key file.\n"); |
1750 | fprintf(stderr, " -b bits Number of bits in the key to create.\n"); | 1872 | fprintf(stderr, " -b bits Number of bits in the key to create.\n"); |
@@ -1799,9 +1921,9 @@ main(int argc, char **argv) | |||
1799 | struct passwd *pw; | 1921 | struct passwd *pw; |
1800 | struct stat st; | 1922 | struct stat st; |
1801 | int opt, type, fd; | 1923 | int opt, type, fd; |
1802 | u_int maxbits; | ||
1803 | u_int32_t memory = 0, generator_wanted = 0, trials = 100; | 1924 | u_int32_t memory = 0, generator_wanted = 0, trials = 100; |
1804 | int do_gen_candidates = 0, do_screen_candidates = 0; | 1925 | int do_gen_candidates = 0, do_screen_candidates = 0; |
1926 | int gen_all_hostkeys = 0; | ||
1805 | BIGNUM *start = NULL; | 1927 | BIGNUM *start = NULL; |
1806 | FILE *f; | 1928 | FILE *f; |
1807 | const char *errstr; | 1929 | const char *errstr; |
@@ -1817,7 +1939,6 @@ main(int argc, char **argv) | |||
1817 | OpenSSL_add_all_algorithms(); | 1939 | OpenSSL_add_all_algorithms(); |
1818 | log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); | 1940 | log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); |
1819 | 1941 | ||
1820 | init_rng(); | ||
1821 | seed_rng(); | 1942 | seed_rng(); |
1822 | 1943 | ||
1823 | /* we need this for the home * directory. */ | 1944 | /* we need this for the home * directory. */ |
@@ -1831,9 +1952,12 @@ main(int argc, char **argv) | |||
1831 | exit(1); | 1952 | exit(1); |
1832 | } | 1953 | } |
1833 | 1954 | ||
1834 | while ((opt = getopt(argc, argv, "degiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:" | 1955 | while ((opt = getopt(argc, argv, "AegiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:" |
1835 | "O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) { | 1956 | "O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) { |
1836 | switch (opt) { | 1957 | switch (opt) { |
1958 | case 'A': | ||
1959 | gen_all_hostkeys = 1; | ||
1960 | break; | ||
1837 | case 'b': | 1961 | case 'b': |
1838 | bits = (u_int32_t)strtonum(optarg, 256, 32768, &errstr); | 1962 | bits = (u_int32_t)strtonum(optarg, 256, 32768, &errstr); |
1839 | if (errstr) | 1963 | if (errstr) |
@@ -1928,9 +2052,6 @@ main(int argc, char **argv) | |||
1928 | case 'y': | 2052 | case 'y': |
1929 | print_public = 1; | 2053 | print_public = 1; |
1930 | break; | 2054 | break; |
1931 | case 'd': | ||
1932 | key_type_name = "dsa"; | ||
1933 | break; | ||
1934 | case 's': | 2055 | case 's': |
1935 | ca_key_path = optarg; | 2056 | ca_key_path = optarg; |
1936 | break; | 2057 | break; |
@@ -2109,37 +2230,19 @@ main(int argc, char **argv) | |||
2109 | return (0); | 2230 | return (0); |
2110 | } | 2231 | } |
2111 | 2232 | ||
2233 | if (gen_all_hostkeys) { | ||
2234 | do_gen_all_hostkeys(pw); | ||
2235 | return (0); | ||
2236 | } | ||
2237 | |||
2112 | arc4random_stir(); | 2238 | arc4random_stir(); |
2113 | 2239 | ||
2114 | if (key_type_name == NULL) | 2240 | if (key_type_name == NULL) |
2115 | key_type_name = "rsa"; | 2241 | key_type_name = "rsa"; |
2116 | 2242 | ||
2117 | type = key_type_from_name(key_type_name); | 2243 | type = key_type_from_name(key_type_name); |
2118 | if (type == KEY_UNSPEC) { | 2244 | type_bits_valid(type, &bits); |
2119 | fprintf(stderr, "unknown key type %s\n", key_type_name); | 2245 | |
2120 | exit(1); | ||
2121 | } | ||
2122 | if (bits == 0) { | ||
2123 | if (type == KEY_DSA) | ||
2124 | bits = DEFAULT_BITS_DSA; | ||
2125 | else if (type == KEY_ECDSA) | ||
2126 | bits = DEFAULT_BITS_ECDSA; | ||
2127 | else | ||
2128 | bits = DEFAULT_BITS; | ||
2129 | } | ||
2130 | maxbits = (type == KEY_DSA) ? | ||
2131 | OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; | ||
2132 | if (bits > maxbits) { | ||
2133 | fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); | ||
2134 | exit(1); | ||
2135 | } | ||
2136 | if (type == KEY_DSA && bits != 1024) | ||
2137 | fatal("DSA keys must be 1024 bits"); | ||
2138 | else if (type != KEY_ECDSA && bits < 768) | ||
2139 | fatal("Key must at least be 768 bits"); | ||
2140 | else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(bits) == -1) | ||
2141 | fatal("Invalid ECDSA key length - valid lengths are " | ||
2142 | "256, 384 or 521 bits"); | ||
2143 | if (!quiet) | 2246 | if (!quiet) |
2144 | printf("Generating public/private %s key pair.\n", key_type_name); | 2247 | printf("Generating public/private %s key pair.\n", key_type_name); |
2145 | private = key_generate(type, bits); | 2248 | private = key_generate(type, bits); |