diff options
| author | Damien Miller <djm@mindrot.org> | 2015-01-15 02:21:31 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2015-01-15 02:28:36 +1100 |
| commit | 72ef7c148c42db7d5632a29f137f8b87b579f2d9 (patch) | |
| tree | 47954a387f4260cc8b1e0ff33bbbaf22fd6f11fc /ssh-keygen.c | |
| parent | 4f38c61c68ae7e3f9ee4b3c38bc86cd39f65ece9 (diff) | |
support --without-openssl at configure time
Disables and removes dependency on OpenSSL. Many features don't
work and the set of crypto options is greatly restricted. This
will only work on system with native arc4random or /dev/urandom.
Considered highly experimental for now.
Diffstat (limited to 'ssh-keygen.c')
| -rw-r--r-- | ssh-keygen.c | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c index 8daea7f76..75f8e2e09 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
| @@ -19,9 +19,11 @@ | |||
| 19 | #include <sys/stat.h> | 19 | #include <sys/stat.h> |
| 20 | #include <sys/param.h> | 20 | #include <sys/param.h> |
| 21 | 21 | ||
| 22 | #ifdef WITH_OPENSSL | ||
| 22 | #include <openssl/evp.h> | 23 | #include <openssl/evp.h> |
| 23 | #include <openssl/pem.h> | 24 | #include <openssl/pem.h> |
| 24 | #include "openbsd-compat/openssl-compat.h" | 25 | #include "openbsd-compat/openssl-compat.h" |
| 26 | #endif | ||
| 25 | 27 | ||
| 26 | #include <errno.h> | 28 | #include <errno.h> |
| 27 | #include <fcntl.h> | 29 | #include <fcntl.h> |
| @@ -179,7 +181,9 @@ int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *, unsigned long, | |||
| 179 | static void | 181 | static void |
| 180 | type_bits_valid(int type, u_int32_t *bitsp) | 182 | type_bits_valid(int type, u_int32_t *bitsp) |
| 181 | { | 183 | { |
| 184 | #ifdef WITH_OPENSSL | ||
| 182 | u_int maxbits; | 185 | u_int maxbits; |
| 186 | #endif | ||
| 183 | 187 | ||
| 184 | if (type == KEY_UNSPEC) { | 188 | if (type == KEY_UNSPEC) { |
| 185 | fprintf(stderr, "unknown key type %s\n", key_type_name); | 189 | fprintf(stderr, "unknown key type %s\n", key_type_name); |
| @@ -193,13 +197,13 @@ type_bits_valid(int type, u_int32_t *bitsp) | |||
| 193 | else | 197 | else |
| 194 | *bitsp = DEFAULT_BITS; | 198 | *bitsp = DEFAULT_BITS; |
| 195 | } | 199 | } |
| 200 | #ifdef WITH_OPENSSL | ||
| 196 | maxbits = (type == KEY_DSA) ? | 201 | maxbits = (type == KEY_DSA) ? |
| 197 | OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; | 202 | OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; |
| 198 | if (*bitsp > maxbits) { | 203 | if (*bitsp > maxbits) { |
| 199 | fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); | 204 | fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); |
| 200 | exit(1); | 205 | exit(1); |
| 201 | } | 206 | } |
| 202 | #ifdef WITH_OPENSSL | ||
| 203 | if (type == KEY_DSA && *bitsp != 1024) | 207 | if (type == KEY_DSA && *bitsp != 1024) |
| 204 | fatal("DSA keys must be 1024 bits"); | 208 | fatal("DSA keys must be 1024 bits"); |
| 205 | else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) | 209 | else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) |
| @@ -2102,10 +2106,12 @@ update_krl_from_file(struct passwd *pw, const char *file, const Key *ca, | |||
| 2102 | fclose(krl_spec); | 2106 | fclose(krl_spec); |
| 2103 | free(path); | 2107 | free(path); |
| 2104 | } | 2108 | } |
| 2109 | #endif /* WITH_OPENSSL */ | ||
| 2105 | 2110 | ||
| 2106 | static void | 2111 | static void |
| 2107 | do_gen_krl(struct passwd *pw, int updating, int argc, char **argv) | 2112 | do_gen_krl(struct passwd *pw, int updating, int argc, char **argv) |
| 2108 | { | 2113 | { |
| 2114 | #ifdef WITH_OPENSSL | ||
| 2109 | struct ssh_krl *krl; | 2115 | struct ssh_krl *krl; |
| 2110 | struct stat sb; | 2116 | struct stat sb; |
| 2111 | Key *ca = NULL; | 2117 | Key *ca = NULL; |
| @@ -2155,11 +2161,15 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv) | |||
| 2155 | ssh_krl_free(krl); | 2161 | ssh_krl_free(krl); |
| 2156 | if (ca != NULL) | 2162 | if (ca != NULL) |
| 2157 | key_free(ca); | 2163 | key_free(ca); |
| 2164 | #else /* WITH_OPENSSL */ | ||
| 2165 | fatal("KRLs not supported without OpenSSL"); | ||
| 2166 | #endif /* WITH_OPENSSL */ | ||
| 2158 | } | 2167 | } |
| 2159 | 2168 | ||
| 2160 | static void | 2169 | static void |
| 2161 | do_check_krl(struct passwd *pw, int argc, char **argv) | 2170 | do_check_krl(struct passwd *pw, int argc, char **argv) |
| 2162 | { | 2171 | { |
| 2172 | #ifdef WITH_OPENSSL | ||
| 2163 | int i, r, ret = 0; | 2173 | int i, r, ret = 0; |
| 2164 | char *comment; | 2174 | char *comment; |
| 2165 | struct ssh_krl *krl; | 2175 | struct ssh_krl *krl; |
| @@ -2182,8 +2192,10 @@ do_check_krl(struct passwd *pw, int argc, char **argv) | |||
| 2182 | } | 2192 | } |
| 2183 | ssh_krl_free(krl); | 2193 | ssh_krl_free(krl); |
| 2184 | exit(ret); | 2194 | exit(ret); |
| 2195 | #else /* WITH_OPENSSL */ | ||
| 2196 | fatal("KRLs not supported without OpenSSL"); | ||
| 2197 | #endif /* WITH_OPENSSL */ | ||
| 2185 | } | 2198 | } |
| 2186 | #endif | ||
| 2187 | 2199 | ||
| 2188 | static void | 2200 | static void |
| 2189 | usage(void) | 2201 | usage(void) |
| @@ -2249,7 +2261,9 @@ main(int argc, char **argv) | |||
| 2249 | 2261 | ||
| 2250 | __progname = ssh_get_progname(argv[0]); | 2262 | __progname = ssh_get_progname(argv[0]); |
| 2251 | 2263 | ||
| 2264 | #ifdef WITH_OPENSSL | ||
| 2252 | OpenSSL_add_all_algorithms(); | 2265 | OpenSSL_add_all_algorithms(); |
| 2266 | #endif | ||
| 2253 | log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); | 2267 | log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); |
| 2254 | 2268 | ||
| 2255 | seed_rng(); | 2269 | seed_rng(); |
| @@ -2427,6 +2441,7 @@ main(int argc, char **argv) | |||
| 2427 | fatal("Invalid number: %s (%s)", | 2441 | fatal("Invalid number: %s (%s)", |
| 2428 | optarg, errstr); | 2442 | optarg, errstr); |
| 2429 | break; | 2443 | break; |
| 2444 | #ifdef WITH_OPENSSL | ||
| 2430 | case 'M': | 2445 | case 'M': |
| 2431 | memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr); | 2446 | memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr); |
| 2432 | if (errstr) | 2447 | if (errstr) |
| @@ -2454,6 +2469,7 @@ main(int argc, char **argv) | |||
| 2454 | if (BN_hex2bn(&start, optarg) == 0) | 2469 | if (BN_hex2bn(&start, optarg) == 0) |
| 2455 | fatal("Invalid start point."); | 2470 | fatal("Invalid start point."); |
| 2456 | break; | 2471 | break; |
| 2472 | #endif /* WITH_OPENSSL */ | ||
| 2457 | case 'V': | 2473 | case 'V': |
| 2458 | parse_cert_times(optarg); | 2474 | parse_cert_times(optarg); |
| 2459 | break; | 2475 | break; |
| @@ -2493,7 +2509,6 @@ main(int argc, char **argv) | |||
| 2493 | printf("Cannot use -l with -H or -R.\n"); | 2509 | printf("Cannot use -l with -H or -R.\n"); |
| 2494 | usage(); | 2510 | usage(); |
| 2495 | } | 2511 | } |
| 2496 | #ifdef WITH_OPENSSL | ||
| 2497 | if (gen_krl) { | 2512 | if (gen_krl) { |
| 2498 | do_gen_krl(pw, update_krl, argc, argv); | 2513 | do_gen_krl(pw, update_krl, argc, argv); |
| 2499 | return (0); | 2514 | return (0); |
| @@ -2502,7 +2517,6 @@ main(int argc, char **argv) | |||
| 2502 | do_check_krl(pw, argc, argv); | 2517 | do_check_krl(pw, argc, argv); |
| 2503 | return (0); | 2518 | return (0); |
| 2504 | } | 2519 | } |
| 2505 | #endif | ||
| 2506 | if (ca_key_path != NULL) { | 2520 | if (ca_key_path != NULL) { |
| 2507 | if (cert_key_id == NULL) | 2521 | if (cert_key_id == NULL) |
| 2508 | fatal("Must specify key id (-I) when certifying"); | 2522 | fatal("Must specify key id (-I) when certifying"); |