1 files changed, 142 insertions, 39 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c
index c95e4ab29..4b6218b10 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.205 2011/01/11 06:13:10 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.210 2011/04/18 00:46:05 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -49,10 +49,7 @@
 #include "hostfile.h"
 #include "dns.h"
 #include "ssh2.h"
-#ifdef ENABLE_PKCS11
 #include "ssh-pkcs11.h"
-#endif
 /* Number of bits in the RSA/DSA key.  This value can be set on the command line. */
 #define DEFAULT_BITS            2048
@@ -160,6 +157,38 @@ int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
 int prime_test(FILE *, FILE *, u_int32_t, u_int32_t);
 static void
+type_bits_valid(int type, u_int32_t *bitsp)
+{
+        u_int maxbits;
+        if (type == KEY_UNSPEC) {
+                fprintf(stderr, "unknown key type %s\n", key_type_name);
+                exit(1);
+        }
+        if (*bitsp == 0) {
+                if (type == KEY_DSA)
+                        *bitsp = DEFAULT_BITS_DSA;
+                else if (type == KEY_ECDSA)
+                        *bitsp = DEFAULT_BITS_ECDSA;
+                else
+                        *bitsp = DEFAULT_BITS;
+        }
+        maxbits = (type == KEY_DSA) ?
+            OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
+        if (*bitsp > maxbits) {
+                fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);
+                exit(1);
+        }
+        if (type == KEY_DSA && *bitsp != 1024)
+                fatal("DSA keys must be 1024 bits");
+        else if (type != KEY_ECDSA && *bitsp < 768)
+                fatal("Key must at least be 768 bits");
+        else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1)
+                fatal("Invalid ECDSA key length - valid lengths are "
+                    "256, 384 or 521 bits");
+}
+static void
 ask_filename(struct passwd *pw, const char *prompt)
 {
        char buf[1024];
@@ -818,6 +847,98 @@ do_fingerprint(struct passwd *pw)
 }
 static void
+do_gen_all_hostkeys(struct passwd *pw)
+{
+        struct {
+                char *key_type;
+                char *key_type_display;
+                char *path;
+        } key_types[] = {
+                { "rsa1", "RSA1", _PATH_HOST_KEY_FILE },
+                { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
+                { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
+                { "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
+                { NULL, NULL, NULL }
+        };
+        int first = 0;
+        struct stat st;
+        Key *private, *public;
+        char comment[1024];
+        int i, type, fd;
+        FILE *f;
+        for (i = 0; key_types[i].key_type; i++) {
+                if (stat(key_types[i].path, &st) == 0)
+                        continue;
+                if (errno != ENOENT) {
+                        printf("Could not stat %s: %s", key_types[i].path,
+                            strerror(errno));
+                        first = 0;
+                        continue;
+                }
+                if (first == 0) {
+                        first = 1;
+                        printf("%s: generating new host keys: ", __progname);
+                }
+                printf("%s ", key_types[i].key_type_display);
+                fflush(stdout);
+                arc4random_stir();
+                type = key_type_from_name(key_types[i].key_type);
+                strlcpy(identity_file, key_types[i].path, sizeof(identity_file));
+                bits = 0;
+                type_bits_valid(type, &bits);
+                private = key_generate(type, bits);
+                if (private == NULL) {
+                        fprintf(stderr, "key_generate failed\n");
+                        first = 0;
+                        continue;
+                }
+                public  = key_from_private(private);
+                snprintf(comment, sizeof comment, "%s@%s", pw->pw_name,
+                    hostname);
+                if (!key_save_private(private, identity_file, "", comment)) {
+                        printf("Saving the key failed: %s.\n", identity_file);
+                        key_free(private);
+                        key_free(public);
+                        first = 0;
+                        continue;
+                }
+                key_free(private);
+                arc4random_stir();
+                strlcat(identity_file, ".pub", sizeof(identity_file));
+                fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+                if (fd == -1) {
+                        printf("Could not save your public key in %s\n",
+                            identity_file);
+                        key_free(public);
+                        first = 0;
+                        continue;
+                }
+                f = fdopen(fd, "w");
+                if (f == NULL) {
+                        printf("fdopen %s failed\n", identity_file);
+                        key_free(public);
+                        first = 0;
+                        continue;
+                }
+                if (!key_write(public, f)) {
+                        fprintf(stderr, "write key failed\n");
+                        key_free(public);
+                        first = 0;
+                        continue;
+                }
+                fprintf(f, " %s\n", comment);
+                fclose(f);
+                key_free(public);
+        }
+        if (first != 0)
+                printf("\n");
+}
+static void
 printhost(FILE *f, const char *name, Key *public, int ca, int hash)
 {
        if (print_fingerprint) {
@@ -1330,6 +1451,9 @@ prepare_options_buf(Buffer *c, int which)
            certflags_command != NULL)
                add_string_option(c, "force-command", certflags_command);
        if ((which & OPTIONS_EXTENSIONS) != 0 &&
+            (certflags_flags & CERTOPT_X_FWD) != 0)
+                add_flag_option(c, "permit-X11-forwarding");
+        if ((which & OPTIONS_EXTENSIONS) != 0 &&
            (certflags_flags & CERTOPT_AGENT_FWD) != 0)
                add_flag_option(c, "permit-agent-forwarding");
        if ((which & OPTIONS_EXTENSIONS) != 0 &&
@@ -1341,9 +1465,6 @@ prepare_options_buf(Buffer *c, int which)
        if ((which & OPTIONS_EXTENSIONS) != 0 &&
            (certflags_flags & CERTOPT_USER_RC) != 0)
                add_flag_option(c, "permit-user-rc");
-        if ((which & OPTIONS_EXTENSIONS) != 0 &&
-            (certflags_flags & CERTOPT_X_FWD) != 0)
-                add_flag_option(c, "permit-X11-forwarding");
        if ((which & OPTIONS_CRITICAL) != 0 &&
            certflags_src_addr != NULL)
                add_string_option(c, "source-address", certflags_src_addr);
@@ -1593,7 +1714,7 @@ add_cert_option(char *opt)
 {
        char *val;
-        if (strcmp(opt, "clear") == 0)
+        if (strcasecmp(opt, "clear") == 0)
                certflags_flags = 0;
        else if (strcasecmp(opt, "no-x11-forwarding") == 0)
                certflags_flags &= ~CERTOPT_X_FWD;
@@ -1745,6 +1866,7 @@ usage(void)
 {
        fprintf(stderr, "usage: %s [options]\n", __progname);
        fprintf(stderr, "Options:\n");
+        fprintf(stderr, "  -A          Generate non-existent host keys for all key types.\n");
        fprintf(stderr, "  -a trials   Number of trials for screening DH-GEX moduli.\n");
        fprintf(stderr, "  -B          Show bubblebabble digest of key file.\n");
        fprintf(stderr, "  -b bits     Number of bits in the key to create.\n");
@@ -1799,9 +1921,9 @@ main(int argc, char **argv)
        struct passwd *pw;
        struct stat st;
        int opt, type, fd;
-        u_int maxbits;
        u_int32_t memory = 0, generator_wanted = 0, trials = 100;
        int do_gen_candidates = 0, do_screen_candidates = 0;
+        int gen_all_hostkeys = 0;
        BIGNUM *start = NULL;
        FILE *f;
        const char *errstr;
@@ -1817,7 +1939,6 @@ main(int argc, char **argv)
        OpenSSL_add_all_algorithms();
        log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
-        init_rng();
        seed_rng();
        /* we need this for the home * directory.  */
@@ -1831,9 +1952,12 @@ main(int argc, char **argv)
                exit(1);
        }
-        while ((opt = getopt(argc, argv, "degiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:"
+        while ((opt = getopt(argc, argv, "AegiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:"
            "O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) {
                switch (opt) {
+                case 'A':
+                        gen_all_hostkeys = 1;
+                        break;
                case 'b':
                        bits = (u_int32_t)strtonum(optarg, 256, 32768, &errstr);
                        if (errstr)
@@ -1928,9 +2052,6 @@ main(int argc, char **argv)
                case 'y':
                        print_public = 1;
                        break;
-                case 'd':
-                        key_type_name = "dsa";
-                        break;
                case 's':
                        ca_key_path = optarg;
                        break;
@@ -2109,37 +2230,19 @@ main(int argc, char **argv)
                return (0);
        }
+        if (gen_all_hostkeys) {
+                do_gen_all_hostkeys(pw);
+                return (0);
+        }
        arc4random_stir();
        if (key_type_name == NULL)
                key_type_name = "rsa";
        type = key_type_from_name(key_type_name);
-        if (type == KEY_UNSPEC) {
+        type_bits_valid(type, &bits);
-                fprintf(stderr, "unknown key type %s\n", key_type_name);
-                exit(1);
-        }
-        if (bits == 0) {
-                if (type == KEY_DSA)
-                        bits = DEFAULT_BITS_DSA;
-                else if (type == KEY_ECDSA)
-                        bits = DEFAULT_BITS_ECDSA;
-                else
-                        bits = DEFAULT_BITS;
-        }
-        maxbits = (type == KEY_DSA) ?
-            OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
-        if (bits > maxbits) {
-                fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);
-                exit(1);
-        }
-        if (type == KEY_DSA && bits != 1024)
-                fatal("DSA keys must be 1024 bits");
-        else if (type != KEY_ECDSA && bits < 768)
-                fatal("Key must at least be 768 bits");
-        else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(bits) == -1)
-                fatal("Invalid ECDSA key length - valid lengths are "
-                    "256, 384 or 521 bits");
        if (!quiet)
                printf("Generating public/private %s key pair.\n", key_type_name);
        private = key_generate(type, bits);

diff --git a/ssh-keygen.c b/ssh-keygen.c index c95e4ab29..4b6218b10 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssh-keygen.c,v 1.205 2011/01/11 06:13:10 djm Exp $ */	1	/* $OpenBSD: ssh-keygen.c,v 1.210 2011/04/18 00:46:05 djm Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -49,10 +49,7 @@
49	#include "hostfile.h"	49	#include "hostfile.h"
50	#include "dns.h"	50	#include "dns.h"
51	#include "ssh2.h"	51	#include "ssh2.h"
52
53	#ifdef ENABLE_PKCS11
54	#include "ssh-pkcs11.h"	52	#include "ssh-pkcs11.h"
55	#endif
56		53
57	/* Number of bits in the RSA/DSA key. This value can be set on the command line. */	54	/* Number of bits in the RSA/DSA key. This value can be set on the command line. */
58	#define DEFAULT_BITS 2048	55	#define DEFAULT_BITS 2048
@@ -160,6 +157,38 @@ int gen_candidates(FILE , u_int32_t, u_int32_t, BIGNUM );
160	int prime_test(FILE , FILE , u_int32_t, u_int32_t);	157	int prime_test(FILE , FILE , u_int32_t, u_int32_t);
161		158
162	static void	159	static void
		160	type_bits_valid(int type, u_int32_t *bitsp)
		161	{
		162	u_int maxbits;
		163
		164	if (type == KEY_UNSPEC) {
		165	fprintf(stderr, "unknown key type %s\n", key_type_name);
		166	exit(1);
		167	}
		168	if (*bitsp == 0) {
		169	if (type == KEY_DSA)
		170	*bitsp = DEFAULT_BITS_DSA;
		171	else if (type == KEY_ECDSA)
		172	*bitsp = DEFAULT_BITS_ECDSA;
		173	else
		174	*bitsp = DEFAULT_BITS;
		175	}
		176	maxbits = (type == KEY_DSA) ?
		177	OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
		178	if (*bitsp > maxbits) {
		179	fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);
		180	exit(1);
		181	}
		182	if (type == KEY_DSA && *bitsp != 1024)
		183	fatal("DSA keys must be 1024 bits");
		184	else if (type != KEY_ECDSA && *bitsp < 768)
		185	fatal("Key must at least be 768 bits");
		186	else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1)
		187	fatal("Invalid ECDSA key length - valid lengths are "
		188	"256, 384 or 521 bits");
		189	}
		190
		191	static void
163	ask_filename(struct passwd pw, const char prompt)	192	ask_filename(struct passwd pw, const char prompt)
164	{	193	{
165	char buf[1024];	194	char buf[1024];
@@ -818,6 +847,98 @@ do_fingerprint(struct passwd *pw)
818	}	847	}
819		848
820	static void	849	static void
		850	do_gen_all_hostkeys(struct passwd *pw)
		851	{
		852	struct {
		853	char *key_type;
		854	char *key_type_display;
		855	char *path;
		856	} key_types[] = {
		857	{ "rsa1", "RSA1", _PATH_HOST_KEY_FILE },
		858	{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
		859	{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
		860	{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
		861	{ NULL, NULL, NULL }
		862	};
		863
		864	int first = 0;
		865	struct stat st;
		866	Key private, public;
		867	char comment[1024];
		868	int i, type, fd;
		869	FILE *f;
		870
		871	for (i = 0; key_types[i].key_type; i++) {
		872	if (stat(key_types[i].path, &st) == 0)
		873	continue;
		874	if (errno != ENOENT) {
		875	printf("Could not stat %s: %s", key_types[i].path,
		876	strerror(errno));
		877	first = 0;
		878	continue;
		879	}
		880
		881	if (first == 0) {
		882	first = 1;
		883	printf("%s: generating new host keys: ", __progname);
		884	}
		885	printf("%s ", key_types[i].key_type_display);
		886	fflush(stdout);
		887	arc4random_stir();
		888	type = key_type_from_name(key_types[i].key_type);
		889	strlcpy(identity_file, key_types[i].path, sizeof(identity_file));
		890	bits = 0;
		891	type_bits_valid(type, &bits);
		892	private = key_generate(type, bits);
		893	if (private == NULL) {
		894	fprintf(stderr, "key_generate failed\n");
		895	first = 0;
		896	continue;
		897	}
		898	public = key_from_private(private);
		899	snprintf(comment, sizeof comment, "%s@%s", pw->pw_name,
		900	hostname);
		901	if (!key_save_private(private, identity_file, "", comment)) {
		902	printf("Saving the key failed: %s.\n", identity_file);
		903	key_free(private);
		904	key_free(public);
		905	first = 0;
		906	continue;
		907	}
		908	key_free(private);
		909	arc4random_stir();
		910	strlcat(identity_file, ".pub", sizeof(identity_file));
		911	fd = open(identity_file, O_WRONLY \| O_CREAT \| O_TRUNC, 0644);
		912	if (fd == -1) {
		913	printf("Could not save your public key in %s\n",
		914	identity_file);
		915	key_free(public);
		916	first = 0;
		917	continue;
		918	}
		919	f = fdopen(fd, "w");
		920	if (f == NULL) {
		921	printf("fdopen %s failed\n", identity_file);
		922	key_free(public);
		923	first = 0;
		924	continue;
		925	}
		926	if (!key_write(public, f)) {
		927	fprintf(stderr, "write key failed\n");
		928	key_free(public);
		929	first = 0;
		930	continue;
		931	}
		932	fprintf(f, " %s\n", comment);
		933	fclose(f);
		934	key_free(public);
		935
		936	}
		937	if (first != 0)
		938	printf("\n");
		939	}
		940
		941	static void
821	printhost(FILE f, const char name, Key *public, int ca, int hash)	942	printhost(FILE f, const char name, Key *public, int ca, int hash)
822	{	943	{
823	if (print_fingerprint) {	944	if (print_fingerprint) {
@@ -1330,6 +1451,9 @@ prepare_options_buf(Buffer *c, int which)
1330	certflags_command != NULL)	1451	certflags_command != NULL)
1331	add_string_option(c, "force-command", certflags_command);	1452	add_string_option(c, "force-command", certflags_command);
1332	if ((which & OPTIONS_EXTENSIONS) != 0 &&	1453	if ((which & OPTIONS_EXTENSIONS) != 0 &&
		1454	(certflags_flags & CERTOPT_X_FWD) != 0)
		1455	add_flag_option(c, "permit-X11-forwarding");
		1456	if ((which & OPTIONS_EXTENSIONS) != 0 &&
1333	(certflags_flags & CERTOPT_AGENT_FWD) != 0)	1457	(certflags_flags & CERTOPT_AGENT_FWD) != 0)
1334	add_flag_option(c, "permit-agent-forwarding");	1458	add_flag_option(c, "permit-agent-forwarding");
1335	if ((which & OPTIONS_EXTENSIONS) != 0 &&	1459	if ((which & OPTIONS_EXTENSIONS) != 0 &&
@@ -1341,9 +1465,6 @@ prepare_options_buf(Buffer *c, int which)
1341	if ((which & OPTIONS_EXTENSIONS) != 0 &&	1465	if ((which & OPTIONS_EXTENSIONS) != 0 &&
1342	(certflags_flags & CERTOPT_USER_RC) != 0)	1466	(certflags_flags & CERTOPT_USER_RC) != 0)
1343	add_flag_option(c, "permit-user-rc");	1467	add_flag_option(c, "permit-user-rc");
1344	if ((which & OPTIONS_EXTENSIONS) != 0 &&
1345	(certflags_flags & CERTOPT_X_FWD) != 0)
1346	add_flag_option(c, "permit-X11-forwarding");
1347	if ((which & OPTIONS_CRITICAL) != 0 &&	1468	if ((which & OPTIONS_CRITICAL) != 0 &&
1348	certflags_src_addr != NULL)	1469	certflags_src_addr != NULL)
1349	add_string_option(c, "source-address", certflags_src_addr);	1470	add_string_option(c, "source-address", certflags_src_addr);
@@ -1593,7 +1714,7 @@ add_cert_option(char *opt)
1593	{	1714	{
1594	char *val;	1715	char *val;
1595		1716
1596	if (strcmp(opt, "clear") == 0)	1717	if (strcasecmp(opt, "clear") == 0)
1597	certflags_flags = 0;	1718	certflags_flags = 0;
1598	else if (strcasecmp(opt, "no-x11-forwarding") == 0)	1719	else if (strcasecmp(opt, "no-x11-forwarding") == 0)
1599	certflags_flags &= ~CERTOPT_X_FWD;	1720	certflags_flags &= ~CERTOPT_X_FWD;
@@ -1745,6 +1866,7 @@ usage(void)
1745	{	1866	{
1746	fprintf(stderr, "usage: %s [options]\n", __progname);	1867	fprintf(stderr, "usage: %s [options]\n", __progname);
1747	fprintf(stderr, "Options:\n");	1868	fprintf(stderr, "Options:\n");
		1869	fprintf(stderr, " -A Generate non-existent host keys for all key types.\n");
1748	fprintf(stderr, " -a trials Number of trials for screening DH-GEX moduli.\n");	1870	fprintf(stderr, " -a trials Number of trials for screening DH-GEX moduli.\n");
1749	fprintf(stderr, " -B Show bubblebabble digest of key file.\n");	1871	fprintf(stderr, " -B Show bubblebabble digest of key file.\n");
1750	fprintf(stderr, " -b bits Number of bits in the key to create.\n");	1872	fprintf(stderr, " -b bits Number of bits in the key to create.\n");
@@ -1799,9 +1921,9 @@ main(int argc, char **argv)
1799	struct passwd *pw;	1921	struct passwd *pw;
1800	struct stat st;	1922	struct stat st;
1801	int opt, type, fd;	1923	int opt, type, fd;
1802	u_int maxbits;
1803	u_int32_t memory = 0, generator_wanted = 0, trials = 100;	1924	u_int32_t memory = 0, generator_wanted = 0, trials = 100;
1804	int do_gen_candidates = 0, do_screen_candidates = 0;	1925	int do_gen_candidates = 0, do_screen_candidates = 0;
		1926	int gen_all_hostkeys = 0;
1805	BIGNUM *start = NULL;	1927	BIGNUM *start = NULL;
1806	FILE *f;	1928	FILE *f;
1807	const char *errstr;	1929	const char *errstr;
@@ -1817,7 +1939,6 @@ main(int argc, char **argv)
1817	OpenSSL_add_all_algorithms();	1939	OpenSSL_add_all_algorithms();
1818	log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);	1940	log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
1819		1941
1820	init_rng();
1821	seed_rng();	1942	seed_rng();
1822		1943
1823	/* we need this for the home * directory. */	1944	/* we need this for the home * directory. */
@@ -1831,9 +1952,12 @@ main(int argc, char **argv)
1831	exit(1);	1952	exit(1);
1832	}	1953	}
1833		1954
1834	while ((opt = getopt(argc, argv, "degiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:"	1955	while ((opt = getopt(argc, argv, "AegiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:"
1835	"O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) {	1956	"O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) {
1836	switch (opt) {	1957	switch (opt) {
		1958	case 'A':
		1959	gen_all_hostkeys = 1;
		1960	break;
1837	case 'b':	1961	case 'b':
1838	bits = (u_int32_t)strtonum(optarg, 256, 32768, &errstr);	1962	bits = (u_int32_t)strtonum(optarg, 256, 32768, &errstr);
1839	if (errstr)	1963	if (errstr)
@@ -1928,9 +2052,6 @@ main(int argc, char **argv)
1928	case 'y':	2052	case 'y':
1929	print_public = 1;	2053	print_public = 1;
1930	break;	2054	break;
1931	case 'd':
1932	key_type_name = "dsa";
1933	break;
1934	case 's':	2055	case 's':
1935	ca_key_path = optarg;	2056	ca_key_path = optarg;
1936	break;	2057	break;
@@ -2109,37 +2230,19 @@ main(int argc, char **argv)
2109	return (0);	2230	return (0);
2110	}	2231	}
2111		2232
		2233	if (gen_all_hostkeys) {
		2234	do_gen_all_hostkeys(pw);
		2235	return (0);
		2236	}
		2237
2112	arc4random_stir();	2238	arc4random_stir();
2113		2239
2114	if (key_type_name == NULL)	2240	if (key_type_name == NULL)
2115	key_type_name = "rsa";	2241	key_type_name = "rsa";
2116		2242
2117	type = key_type_from_name(key_type_name);	2243	type = key_type_from_name(key_type_name);
2118	if (type == KEY_UNSPEC) {	2244	type_bits_valid(type, &bits);
2119	fprintf(stderr, "unknown key type %s\n", key_type_name);	2245
2120	exit(1);
2121	}
2122	if (bits == 0) {
2123	if (type == KEY_DSA)
2124	bits = DEFAULT_BITS_DSA;
2125	else if (type == KEY_ECDSA)
2126	bits = DEFAULT_BITS_ECDSA;
2127	else
2128	bits = DEFAULT_BITS;
2129	}
2130	maxbits = (type == KEY_DSA) ?
2131	OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
2132	if (bits > maxbits) {
2133	fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);
2134	exit(1);
2135	}
2136	if (type == KEY_DSA && bits != 1024)
2137	fatal("DSA keys must be 1024 bits");
2138	else if (type != KEY_ECDSA && bits < 768)
2139	fatal("Key must at least be 768 bits");
2140	else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(bits) == -1)
2141	fatal("Invalid ECDSA key length - valid lengths are "
2142	"256, 384 or 521 bits");
2143	if (!quiet)	2246	if (!quiet)
2144	printf("Generating public/private %s key pair.\n", key_type_name);	2247	printf("Generating public/private %s key pair.\n", key_type_name);
2145	private = key_generate(type, bits);	2248	private = key_generate(type, bits);