summaryrefslogtreecommitdiff
path: root/ssh-keygen.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2011-09-06 09:45:52 +0100
committerColin Watson <cjwatson@debian.org>2011-09-06 09:45:52 +0100
commitf38224d546cdde55f45c13d3d8225d273a3f920e (patch)
treea91a26b88ac90dc72d0ea3767feabb341eaa50a8 /ssh-keygen.c
parent338146a3fc257e216fe5c10fe40e6896b40d7739 (diff)
parente90790abaf031e037f444a6658e136e48577ea49 (diff)
merge 5.9p1
Diffstat (limited to 'ssh-keygen.c')
-rw-r--r--ssh-keygen.c181
1 files changed, 142 insertions, 39 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c
index c95e4ab29..4b6218b10 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-keygen.c,v 1.205 2011/01/11 06:13:10 djm Exp $ */ 1/* $OpenBSD: ssh-keygen.c,v 1.210 2011/04/18 00:46:05 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -49,10 +49,7 @@
49#include "hostfile.h" 49#include "hostfile.h"
50#include "dns.h" 50#include "dns.h"
51#include "ssh2.h" 51#include "ssh2.h"
52
53#ifdef ENABLE_PKCS11
54#include "ssh-pkcs11.h" 52#include "ssh-pkcs11.h"
55#endif
56 53
57/* Number of bits in the RSA/DSA key. This value can be set on the command line. */ 54/* Number of bits in the RSA/DSA key. This value can be set on the command line. */
58#define DEFAULT_BITS 2048 55#define DEFAULT_BITS 2048
@@ -160,6 +157,38 @@ int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
160int prime_test(FILE *, FILE *, u_int32_t, u_int32_t); 157int prime_test(FILE *, FILE *, u_int32_t, u_int32_t);
161 158
162static void 159static void
160type_bits_valid(int type, u_int32_t *bitsp)
161{
162 u_int maxbits;
163
164 if (type == KEY_UNSPEC) {
165 fprintf(stderr, "unknown key type %s\n", key_type_name);
166 exit(1);
167 }
168 if (*bitsp == 0) {
169 if (type == KEY_DSA)
170 *bitsp = DEFAULT_BITS_DSA;
171 else if (type == KEY_ECDSA)
172 *bitsp = DEFAULT_BITS_ECDSA;
173 else
174 *bitsp = DEFAULT_BITS;
175 }
176 maxbits = (type == KEY_DSA) ?
177 OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
178 if (*bitsp > maxbits) {
179 fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);
180 exit(1);
181 }
182 if (type == KEY_DSA && *bitsp != 1024)
183 fatal("DSA keys must be 1024 bits");
184 else if (type != KEY_ECDSA && *bitsp < 768)
185 fatal("Key must at least be 768 bits");
186 else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1)
187 fatal("Invalid ECDSA key length - valid lengths are "
188 "256, 384 or 521 bits");
189}
190
191static void
163ask_filename(struct passwd *pw, const char *prompt) 192ask_filename(struct passwd *pw, const char *prompt)
164{ 193{
165 char buf[1024]; 194 char buf[1024];
@@ -818,6 +847,98 @@ do_fingerprint(struct passwd *pw)
818} 847}
819 848
820static void 849static void
850do_gen_all_hostkeys(struct passwd *pw)
851{
852 struct {
853 char *key_type;
854 char *key_type_display;
855 char *path;
856 } key_types[] = {
857 { "rsa1", "RSA1", _PATH_HOST_KEY_FILE },
858 { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
859 { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
860 { "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
861 { NULL, NULL, NULL }
862 };
863
864 int first = 0;
865 struct stat st;
866 Key *private, *public;
867 char comment[1024];
868 int i, type, fd;
869 FILE *f;
870
871 for (i = 0; key_types[i].key_type; i++) {
872 if (stat(key_types[i].path, &st) == 0)
873 continue;
874 if (errno != ENOENT) {
875 printf("Could not stat %s: %s", key_types[i].path,
876 strerror(errno));
877 first = 0;
878 continue;
879 }
880
881 if (first == 0) {
882 first = 1;
883 printf("%s: generating new host keys: ", __progname);
884 }
885 printf("%s ", key_types[i].key_type_display);
886 fflush(stdout);
887 arc4random_stir();
888 type = key_type_from_name(key_types[i].key_type);
889 strlcpy(identity_file, key_types[i].path, sizeof(identity_file));
890 bits = 0;
891 type_bits_valid(type, &bits);
892 private = key_generate(type, bits);
893 if (private == NULL) {
894 fprintf(stderr, "key_generate failed\n");
895 first = 0;
896 continue;
897 }
898 public = key_from_private(private);
899 snprintf(comment, sizeof comment, "%s@%s", pw->pw_name,
900 hostname);
901 if (!key_save_private(private, identity_file, "", comment)) {
902 printf("Saving the key failed: %s.\n", identity_file);
903 key_free(private);
904 key_free(public);
905 first = 0;
906 continue;
907 }
908 key_free(private);
909 arc4random_stir();
910 strlcat(identity_file, ".pub", sizeof(identity_file));
911 fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);
912 if (fd == -1) {
913 printf("Could not save your public key in %s\n",
914 identity_file);
915 key_free(public);
916 first = 0;
917 continue;
918 }
919 f = fdopen(fd, "w");
920 if (f == NULL) {
921 printf("fdopen %s failed\n", identity_file);
922 key_free(public);
923 first = 0;
924 continue;
925 }
926 if (!key_write(public, f)) {
927 fprintf(stderr, "write key failed\n");
928 key_free(public);
929 first = 0;
930 continue;
931 }
932 fprintf(f, " %s\n", comment);
933 fclose(f);
934 key_free(public);
935
936 }
937 if (first != 0)
938 printf("\n");
939}
940
941static void
821printhost(FILE *f, const char *name, Key *public, int ca, int hash) 942printhost(FILE *f, const char *name, Key *public, int ca, int hash)
822{ 943{
823 if (print_fingerprint) { 944 if (print_fingerprint) {
@@ -1330,6 +1451,9 @@ prepare_options_buf(Buffer *c, int which)
1330 certflags_command != NULL) 1451 certflags_command != NULL)
1331 add_string_option(c, "force-command", certflags_command); 1452 add_string_option(c, "force-command", certflags_command);
1332 if ((which & OPTIONS_EXTENSIONS) != 0 && 1453 if ((which & OPTIONS_EXTENSIONS) != 0 &&
1454 (certflags_flags & CERTOPT_X_FWD) != 0)
1455 add_flag_option(c, "permit-X11-forwarding");
1456 if ((which & OPTIONS_EXTENSIONS) != 0 &&
1333 (certflags_flags & CERTOPT_AGENT_FWD) != 0) 1457 (certflags_flags & CERTOPT_AGENT_FWD) != 0)
1334 add_flag_option(c, "permit-agent-forwarding"); 1458 add_flag_option(c, "permit-agent-forwarding");
1335 if ((which & OPTIONS_EXTENSIONS) != 0 && 1459 if ((which & OPTIONS_EXTENSIONS) != 0 &&
@@ -1341,9 +1465,6 @@ prepare_options_buf(Buffer *c, int which)
1341 if ((which & OPTIONS_EXTENSIONS) != 0 && 1465 if ((which & OPTIONS_EXTENSIONS) != 0 &&
1342 (certflags_flags & CERTOPT_USER_RC) != 0) 1466 (certflags_flags & CERTOPT_USER_RC) != 0)
1343 add_flag_option(c, "permit-user-rc"); 1467 add_flag_option(c, "permit-user-rc");
1344 if ((which & OPTIONS_EXTENSIONS) != 0 &&
1345 (certflags_flags & CERTOPT_X_FWD) != 0)
1346 add_flag_option(c, "permit-X11-forwarding");
1347 if ((which & OPTIONS_CRITICAL) != 0 && 1468 if ((which & OPTIONS_CRITICAL) != 0 &&
1348 certflags_src_addr != NULL) 1469 certflags_src_addr != NULL)
1349 add_string_option(c, "source-address", certflags_src_addr); 1470 add_string_option(c, "source-address", certflags_src_addr);
@@ -1593,7 +1714,7 @@ add_cert_option(char *opt)
1593{ 1714{
1594 char *val; 1715 char *val;
1595 1716
1596 if (strcmp(opt, "clear") == 0) 1717 if (strcasecmp(opt, "clear") == 0)
1597 certflags_flags = 0; 1718 certflags_flags = 0;
1598 else if (strcasecmp(opt, "no-x11-forwarding") == 0) 1719 else if (strcasecmp(opt, "no-x11-forwarding") == 0)
1599 certflags_flags &= ~CERTOPT_X_FWD; 1720 certflags_flags &= ~CERTOPT_X_FWD;
@@ -1745,6 +1866,7 @@ usage(void)
1745{ 1866{
1746 fprintf(stderr, "usage: %s [options]\n", __progname); 1867 fprintf(stderr, "usage: %s [options]\n", __progname);
1747 fprintf(stderr, "Options:\n"); 1868 fprintf(stderr, "Options:\n");
1869 fprintf(stderr, " -A Generate non-existent host keys for all key types.\n");
1748 fprintf(stderr, " -a trials Number of trials for screening DH-GEX moduli.\n"); 1870 fprintf(stderr, " -a trials Number of trials for screening DH-GEX moduli.\n");
1749 fprintf(stderr, " -B Show bubblebabble digest of key file.\n"); 1871 fprintf(stderr, " -B Show bubblebabble digest of key file.\n");
1750 fprintf(stderr, " -b bits Number of bits in the key to create.\n"); 1872 fprintf(stderr, " -b bits Number of bits in the key to create.\n");
@@ -1799,9 +1921,9 @@ main(int argc, char **argv)
1799 struct passwd *pw; 1921 struct passwd *pw;
1800 struct stat st; 1922 struct stat st;
1801 int opt, type, fd; 1923 int opt, type, fd;
1802 u_int maxbits;
1803 u_int32_t memory = 0, generator_wanted = 0, trials = 100; 1924 u_int32_t memory = 0, generator_wanted = 0, trials = 100;
1804 int do_gen_candidates = 0, do_screen_candidates = 0; 1925 int do_gen_candidates = 0, do_screen_candidates = 0;
1926 int gen_all_hostkeys = 0;
1805 BIGNUM *start = NULL; 1927 BIGNUM *start = NULL;
1806 FILE *f; 1928 FILE *f;
1807 const char *errstr; 1929 const char *errstr;
@@ -1817,7 +1939,6 @@ main(int argc, char **argv)
1817 OpenSSL_add_all_algorithms(); 1939 OpenSSL_add_all_algorithms();
1818 log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); 1940 log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
1819 1941
1820 init_rng();
1821 seed_rng(); 1942 seed_rng();
1822 1943
1823 /* we need this for the home * directory. */ 1944 /* we need this for the home * directory. */
@@ -1831,9 +1952,12 @@ main(int argc, char **argv)
1831 exit(1); 1952 exit(1);
1832 } 1953 }
1833 1954
1834 while ((opt = getopt(argc, argv, "degiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:" 1955 while ((opt = getopt(argc, argv, "AegiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:"
1835 "O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) { 1956 "O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) {
1836 switch (opt) { 1957 switch (opt) {
1958 case 'A':
1959 gen_all_hostkeys = 1;
1960 break;
1837 case 'b': 1961 case 'b':
1838 bits = (u_int32_t)strtonum(optarg, 256, 32768, &errstr); 1962 bits = (u_int32_t)strtonum(optarg, 256, 32768, &errstr);
1839 if (errstr) 1963 if (errstr)
@@ -1928,9 +2052,6 @@ main(int argc, char **argv)
1928 case 'y': 2052 case 'y':
1929 print_public = 1; 2053 print_public = 1;
1930 break; 2054 break;
1931 case 'd':
1932 key_type_name = "dsa";
1933 break;
1934 case 's': 2055 case 's':
1935 ca_key_path = optarg; 2056 ca_key_path = optarg;
1936 break; 2057 break;
@@ -2109,37 +2230,19 @@ main(int argc, char **argv)
2109 return (0); 2230 return (0);
2110 } 2231 }
2111 2232
2233 if (gen_all_hostkeys) {
2234 do_gen_all_hostkeys(pw);
2235 return (0);
2236 }
2237
2112 arc4random_stir(); 2238 arc4random_stir();
2113 2239
2114 if (key_type_name == NULL) 2240 if (key_type_name == NULL)
2115 key_type_name = "rsa"; 2241 key_type_name = "rsa";
2116 2242
2117 type = key_type_from_name(key_type_name); 2243 type = key_type_from_name(key_type_name);
2118 if (type == KEY_UNSPEC) { 2244 type_bits_valid(type, &bits);
2119 fprintf(stderr, "unknown key type %s\n", key_type_name); 2245
2120 exit(1);
2121 }
2122 if (bits == 0) {
2123 if (type == KEY_DSA)
2124 bits = DEFAULT_BITS_DSA;
2125 else if (type == KEY_ECDSA)
2126 bits = DEFAULT_BITS_ECDSA;
2127 else
2128 bits = DEFAULT_BITS;
2129 }
2130 maxbits = (type == KEY_DSA) ?
2131 OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
2132 if (bits > maxbits) {
2133 fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);
2134 exit(1);
2135 }
2136 if (type == KEY_DSA && bits != 1024)
2137 fatal("DSA keys must be 1024 bits");
2138 else if (type != KEY_ECDSA && bits < 768)
2139 fatal("Key must at least be 768 bits");
2140 else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(bits) == -1)
2141 fatal("Invalid ECDSA key length - valid lengths are "
2142 "256, 384 or 521 bits");
2143 if (!quiet) 2246 if (!quiet)
2144 printf("Generating public/private %s key pair.\n", key_type_name); 2247 printf("Generating public/private %s key pair.\n", key_type_name);
2145 private = key_generate(type, bits); 2248 private = key_generate(type, bits);