diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2019-07-15 13:16:29 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2019-07-15 23:21:18 +1000 |
| commit | eb0d8e708a1f958aecd2d6e2ff2450af488d4c2a (patch) | |
| tree | c5b7686e1e200aac6f3a742c7b15ed30a2c05067 /ssh-keygen.c | |
| parent | e18a27eedccb024acb3cd9820b650a5dff323f01 (diff) | |
upstream: support PKCS8 as an optional format for storage of
private keys, enabled via "ssh-keygen -m PKCS8" on operations that save
private keys to disk.
The OpenSSH native key format remains the default, but PKCS8 is a
superior format to PEM if interoperability with non-OpenSSH software
is required, as it may use a less terrible KDF (IIRC PEM uses a single
round of MD5 as a KDF).
adapted from patch by Jakub Jelen via bz3013; ok markus
OpenBSD-Commit-ID: 027824e3bc0b1c243dc5188504526d73a55accb1
Diffstat (limited to 'ssh-keygen.c')
| -rw-r--r-- | ssh-keygen.c | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c index b019a02ff..5dcad1f61 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-keygen.c,v 1.335 2019/07/05 07:32:01 djm Exp $ */ | 1 | /* $OpenBSD: ssh-keygen.c,v 1.336 2019/07/15 13:16:29 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -147,11 +147,11 @@ static char *key_type_name = NULL; | |||
| 147 | /* Load key from this PKCS#11 provider */ | 147 | /* Load key from this PKCS#11 provider */ |
| 148 | static char *pkcs11provider = NULL; | 148 | static char *pkcs11provider = NULL; |
| 149 | 149 | ||
| 150 | /* Use new OpenSSH private key format when writing SSH2 keys instead of PEM */ | 150 | /* Format for writing private keys */ |
| 151 | static int use_new_format = 1; | 151 | static int private_key_format = SSHKEY_PRIVATE_OPENSSH; |
| 152 | 152 | ||
| 153 | /* Cipher for new-format private keys */ | 153 | /* Cipher for new-format private keys */ |
| 154 | static char *new_format_cipher = NULL; | 154 | static char *openssh_format_cipher = NULL; |
| 155 | 155 | ||
| 156 | /* | 156 | /* |
| 157 | * Number of KDF rounds to derive new format keys / | 157 | * Number of KDF rounds to derive new format keys / |
| @@ -1048,7 +1048,8 @@ do_gen_all_hostkeys(struct passwd *pw) | |||
| 1048 | snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, | 1048 | snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, |
| 1049 | hostname); | 1049 | hostname); |
| 1050 | if ((r = sshkey_save_private(private, prv_tmp, "", | 1050 | if ((r = sshkey_save_private(private, prv_tmp, "", |
| 1051 | comment, use_new_format, new_format_cipher, rounds)) != 0) { | 1051 | comment, private_key_format, openssh_format_cipher, |
| 1052 | rounds)) != 0) { | ||
| 1052 | error("Saving key \"%s\" failed: %s", | 1053 | error("Saving key \"%s\" failed: %s", |
| 1053 | prv_tmp, ssh_err(r)); | 1054 | prv_tmp, ssh_err(r)); |
| 1054 | goto failnext; | 1055 | goto failnext; |
| @@ -1391,7 +1392,7 @@ do_change_passphrase(struct passwd *pw) | |||
| 1391 | 1392 | ||
| 1392 | /* Save the file using the new passphrase. */ | 1393 | /* Save the file using the new passphrase. */ |
| 1393 | if ((r = sshkey_save_private(private, identity_file, passphrase1, | 1394 | if ((r = sshkey_save_private(private, identity_file, passphrase1, |
| 1394 | comment, use_new_format, new_format_cipher, rounds)) != 0) { | 1395 | comment, private_key_format, openssh_format_cipher, rounds)) != 0) { |
| 1395 | error("Saving key \"%s\" failed: %s.", | 1396 | error("Saving key \"%s\" failed: %s.", |
| 1396 | identity_file, ssh_err(r)); | 1397 | identity_file, ssh_err(r)); |
| 1397 | explicit_bzero(passphrase1, strlen(passphrase1)); | 1398 | explicit_bzero(passphrase1, strlen(passphrase1)); |
| @@ -1480,7 +1481,7 @@ do_change_comment(struct passwd *pw, const char *identity_comment) | |||
| 1480 | } | 1481 | } |
| 1481 | 1482 | ||
| 1482 | if (private->type != KEY_ED25519 && private->type != KEY_XMSS && | 1483 | if (private->type != KEY_ED25519 && private->type != KEY_XMSS && |
| 1483 | !use_new_format) { | 1484 | private_key_format != SSHKEY_PRIVATE_OPENSSH) { |
| 1484 | error("Comments are only supported for keys stored in " | 1485 | error("Comments are only supported for keys stored in " |
| 1485 | "the new format (-o)."); | 1486 | "the new format (-o)."); |
| 1486 | explicit_bzero(passphrase, strlen(passphrase)); | 1487 | explicit_bzero(passphrase, strlen(passphrase)); |
| @@ -1514,7 +1515,8 @@ do_change_comment(struct passwd *pw, const char *identity_comment) | |||
| 1514 | 1515 | ||
| 1515 | /* Save the file using the new passphrase. */ | 1516 | /* Save the file using the new passphrase. */ |
| 1516 | if ((r = sshkey_save_private(private, identity_file, passphrase, | 1517 | if ((r = sshkey_save_private(private, identity_file, passphrase, |
| 1517 | new_comment, use_new_format, new_format_cipher, rounds)) != 0) { | 1518 | new_comment, private_key_format, openssh_format_cipher, |
| 1519 | rounds)) != 0) { | ||
| 1518 | error("Saving key \"%s\" failed: %s", | 1520 | error("Saving key \"%s\" failed: %s", |
| 1519 | identity_file, ssh_err(r)); | 1521 | identity_file, ssh_err(r)); |
| 1520 | explicit_bzero(passphrase, strlen(passphrase)); | 1522 | explicit_bzero(passphrase, strlen(passphrase)); |
| @@ -2525,11 +2527,12 @@ main(int argc, char **argv) | |||
| 2525 | } | 2527 | } |
| 2526 | if (strcasecmp(optarg, "PKCS8") == 0) { | 2528 | if (strcasecmp(optarg, "PKCS8") == 0) { |
| 2527 | convert_format = FMT_PKCS8; | 2529 | convert_format = FMT_PKCS8; |
| 2530 | private_key_format = SSHKEY_PRIVATE_PKCS8; | ||
| 2528 | break; | 2531 | break; |
| 2529 | } | 2532 | } |
| 2530 | if (strcasecmp(optarg, "PEM") == 0) { | 2533 | if (strcasecmp(optarg, "PEM") == 0) { |
| 2531 | convert_format = FMT_PEM; | 2534 | convert_format = FMT_PEM; |
| 2532 | use_new_format = 0; | 2535 | private_key_format = SSHKEY_PRIVATE_PEM; |
| 2533 | break; | 2536 | break; |
| 2534 | } | 2537 | } |
| 2535 | fatal("Unsupported conversion format \"%s\"", optarg); | 2538 | fatal("Unsupported conversion format \"%s\"", optarg); |
| @@ -2567,7 +2570,7 @@ main(int argc, char **argv) | |||
| 2567 | add_cert_option(optarg); | 2570 | add_cert_option(optarg); |
| 2568 | break; | 2571 | break; |
| 2569 | case 'Z': | 2572 | case 'Z': |
| 2570 | new_format_cipher = optarg; | 2573 | openssh_format_cipher = optarg; |
| 2571 | break; | 2574 | break; |
| 2572 | case 'C': | 2575 | case 'C': |
| 2573 | identity_comment = optarg; | 2576 | identity_comment = optarg; |
| @@ -2912,7 +2915,7 @@ passphrase_again: | |||
| 2912 | 2915 | ||
| 2913 | /* Save the key with the given passphrase and comment. */ | 2916 | /* Save the key with the given passphrase and comment. */ |
| 2914 | if ((r = sshkey_save_private(private, identity_file, passphrase1, | 2917 | if ((r = sshkey_save_private(private, identity_file, passphrase1, |
| 2915 | comment, use_new_format, new_format_cipher, rounds)) != 0) { | 2918 | comment, private_key_format, openssh_format_cipher, rounds)) != 0) { |
| 2916 | error("Saving key \"%s\" failed: %s", | 2919 | error("Saving key \"%s\" failed: %s", |
| 2917 | identity_file, ssh_err(r)); | 2920 | identity_file, ssh_err(r)); |
| 2918 | explicit_bzero(passphrase1, strlen(passphrase1)); | 2921 | explicit_bzero(passphrase1, strlen(passphrase1)); |