ssh-keygen.c (215116) | ssh-keygen.c (221420) |
---|---|
1/* $OpenBSD: ssh-keygen.c,v 1.197 2010/08/04 06:07:11 djm Exp $ */ | 1/* $OpenBSD: ssh-keygen.c,v 1.205 2011/01/11 06:13:10 djm Exp $ */ |
2/* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * Identity and host key generation and maintenance. 7 * 8 * As far as I am concerned, the code I have written for this software 9 * can be used freely for any purpose. Any derived versions of this --- 42 unchanged lines hidden (view full) --- 52 53#ifdef ENABLE_PKCS11 54#include "ssh-pkcs11.h" 55#endif 56 57/* Number of bits in the RSA/DSA key. This value can be set on the command line. */ 58#define DEFAULT_BITS 2048 59#define DEFAULT_BITS_DSA 1024 | 2/* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * Identity and host key generation and maintenance. 7 * 8 * As far as I am concerned, the code I have written for this software 9 * can be used freely for any purpose. Any derived versions of this --- 42 unchanged lines hidden (view full) --- 52 53#ifdef ENABLE_PKCS11 54#include "ssh-pkcs11.h" 55#endif 56 57/* Number of bits in the RSA/DSA key. This value can be set on the command line. */ 58#define DEFAULT_BITS 2048 59#define DEFAULT_BITS_DSA 1024 |
60#define DEFAULT_BITS_ECDSA 256 |
|
60u_int32_t bits = 0; 61 62/* 63 * Flag indicating that we just want to change the passphrase. This can be 64 * set on the command line. 65 */ 66int change_passphrase = 0; 67 --- 103 unchanged lines hidden (view full) --- 171 case KEY_RSA1: 172 name = _PATH_SSH_CLIENT_IDENTITY; 173 break; 174 case KEY_DSA_CERT: 175 case KEY_DSA_CERT_V00: 176 case KEY_DSA: 177 name = _PATH_SSH_CLIENT_ID_DSA; 178 break; | 61u_int32_t bits = 0; 62 63/* 64 * Flag indicating that we just want to change the passphrase. This can be 65 * set on the command line. 66 */ 67int change_passphrase = 0; 68 --- 103 unchanged lines hidden (view full) --- 172 case KEY_RSA1: 173 name = _PATH_SSH_CLIENT_IDENTITY; 174 break; 175 case KEY_DSA_CERT: 176 case KEY_DSA_CERT_V00: 177 case KEY_DSA: 178 name = _PATH_SSH_CLIENT_ID_DSA; 179 break; |
180#ifdef OPENSSL_HAS_ECC 181 case KEY_ECDSA_CERT: 182 case KEY_ECDSA: 183 name = _PATH_SSH_CLIENT_ID_ECDSA; 184 break; 185#endif |
|
179 case KEY_RSA_CERT: 180 case KEY_RSA_CERT_V00: 181 case KEY_RSA: 182 name = _PATH_SSH_CLIENT_ID_RSA; 183 break; 184 default: 185 fprintf(stderr, "bad key type\n"); 186 exit(1); --- 68 unchanged lines hidden (view full) --- 255 case KEY_RSA: 256 if (!PEM_write_RSA_PUBKEY(stdout, k->rsa)) 257 fatal("PEM_write_RSA_PUBKEY failed"); 258 break; 259 case KEY_DSA: 260 if (!PEM_write_DSA_PUBKEY(stdout, k->dsa)) 261 fatal("PEM_write_DSA_PUBKEY failed"); 262 break; | 186 case KEY_RSA_CERT: 187 case KEY_RSA_CERT_V00: 188 case KEY_RSA: 189 name = _PATH_SSH_CLIENT_ID_RSA; 190 break; 191 default: 192 fprintf(stderr, "bad key type\n"); 193 exit(1); --- 68 unchanged lines hidden (view full) --- 262 case KEY_RSA: 263 if (!PEM_write_RSA_PUBKEY(stdout, k->rsa)) 264 fatal("PEM_write_RSA_PUBKEY failed"); 265 break; 266 case KEY_DSA: 267 if (!PEM_write_DSA_PUBKEY(stdout, k->dsa)) 268 fatal("PEM_write_DSA_PUBKEY failed"); 269 break; |
270#ifdef OPENSSL_HAS_ECC 271 case KEY_ECDSA: 272 if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa)) 273 fatal("PEM_write_EC_PUBKEY failed"); 274 break; 275#endif |
|
263 default: 264 fatal("%s: unsupported key type %s", __func__, key_type(k)); 265 } 266 exit(0); 267} 268 269static void 270do_convert_to_pem(Key *k) --- 4 unchanged lines hidden (view full) --- 275 fatal("PEM_write_RSAPublicKey failed"); 276 break; 277#if notyet /* OpenSSH 0.9.8 lacks this function */ 278 case KEY_DSA: 279 if (!PEM_write_DSAPublicKey(stdout, k->dsa)) 280 fatal("PEM_write_DSAPublicKey failed"); 281 break; 282#endif | 276 default: 277 fatal("%s: unsupported key type %s", __func__, key_type(k)); 278 } 279 exit(0); 280} 281 282static void 283do_convert_to_pem(Key *k) --- 4 unchanged lines hidden (view full) --- 288 fatal("PEM_write_RSAPublicKey failed"); 289 break; 290#if notyet /* OpenSSH 0.9.8 lacks this function */ 291 case KEY_DSA: 292 if (!PEM_write_DSAPublicKey(stdout, k->dsa)) 293 fatal("PEM_write_DSAPublicKey failed"); 294 break; 295#endif |
296 /* XXX ECDSA? */ |
|
283 default: 284 fatal("%s: unsupported key type %s", __func__, key_type(k)); 285 } 286 exit(0); 287} 288 289static void 290do_convert_to(struct passwd *pw) --- 243 unchanged lines hidden (view full) --- 534 (*k)->type = KEY_RSA; 535 (*k)->rsa = EVP_PKEY_get1_RSA(pubkey); 536 break; 537 case EVP_PKEY_DSA: 538 *k = key_new(KEY_UNSPEC); 539 (*k)->type = KEY_DSA; 540 (*k)->dsa = EVP_PKEY_get1_DSA(pubkey); 541 break; | 297 default: 298 fatal("%s: unsupported key type %s", __func__, key_type(k)); 299 } 300 exit(0); 301} 302 303static void 304do_convert_to(struct passwd *pw) --- 243 unchanged lines hidden (view full) --- 548 (*k)->type = KEY_RSA; 549 (*k)->rsa = EVP_PKEY_get1_RSA(pubkey); 550 break; 551 case EVP_PKEY_DSA: 552 *k = key_new(KEY_UNSPEC); 553 (*k)->type = KEY_DSA; 554 (*k)->dsa = EVP_PKEY_get1_DSA(pubkey); 555 break; |
556#ifdef OPENSSL_HAS_ECC 557 case EVP_PKEY_EC: 558 *k = key_new(KEY_UNSPEC); 559 (*k)->type = KEY_ECDSA; 560 (*k)->ecdsa = EVP_PKEY_get1_EC_KEY(pubkey); 561 (*k)->ecdsa_nid = key_ecdsa_key_to_nid((*k)->ecdsa); 562 break; 563#endif |
|
542 default: 543 fatal("%s: unsupported pubkey type %d", __func__, 544 EVP_PKEY_type(pubkey->type)); 545 } 546 EVP_PKEY_free(pubkey); 547 return; 548} 549 --- 19 unchanged lines hidden (view full) --- 569 rewind(fp); 570 if ((dsa = PEM_read_DSAPublicKey(fp, NULL, NULL, NULL)) != NULL) { 571 *k = key_new(KEY_UNSPEC); 572 (*k)->type = KEY_DSA; 573 (*k)->dsa = dsa; 574 fclose(fp); 575 return; 576 } | 564 default: 565 fatal("%s: unsupported pubkey type %d", __func__, 566 EVP_PKEY_type(pubkey->type)); 567 } 568 EVP_PKEY_free(pubkey); 569 return; 570} 571 --- 19 unchanged lines hidden (view full) --- 591 rewind(fp); 592 if ((dsa = PEM_read_DSAPublicKey(fp, NULL, NULL, NULL)) != NULL) { 593 *k = key_new(KEY_UNSPEC); 594 (*k)->type = KEY_DSA; 595 (*k)->dsa = dsa; 596 fclose(fp); 597 return; 598 } |
599 /* XXX ECDSA */ |
|
577#endif 578 fatal("%s: unrecognised raw private key format", __func__); 579} 580 581static void 582do_convert_from(struct passwd *pw) 583{ 584 Key *k = NULL; --- 24 unchanged lines hidden (view full) --- 609 if (ok) 610 fprintf(stdout, "\n"); 611 else { 612 switch (k->type) { 613 case KEY_DSA: 614 ok = PEM_write_DSAPrivateKey(stdout, k->dsa, NULL, 615 NULL, 0, NULL, NULL); 616 break; | 600#endif 601 fatal("%s: unrecognised raw private key format", __func__); 602} 603 604static void 605do_convert_from(struct passwd *pw) 606{ 607 Key *k = NULL; --- 24 unchanged lines hidden (view full) --- 632 if (ok) 633 fprintf(stdout, "\n"); 634 else { 635 switch (k->type) { 636 case KEY_DSA: 637 ok = PEM_write_DSAPrivateKey(stdout, k->dsa, NULL, 638 NULL, 0, NULL, NULL); 639 break; |
640#ifdef OPENSSL_HAS_ECC 641 case KEY_ECDSA: 642 ok = PEM_write_ECPrivateKey(stdout, k->ecdsa, NULL, 643 NULL, 0, NULL, NULL); 644 break; 645#endif |
|
617 case KEY_RSA: 618 ok = PEM_write_RSAPrivateKey(stdout, k->rsa, NULL, 619 NULL, 0, NULL, NULL); 620 break; 621 default: 622 fatal("%s: unsupported key type %s", __func__, 623 key_type(k)); 624 } --- 774 unchanged lines hidden (view full) --- 1399 fatal("Empty principal name"); 1400 } 1401 xfree(otmp); 1402 } 1403 1404 tmp = tilde_expand_filename(argv[i], pw->pw_uid); 1405 if ((public = key_load_public(tmp, &comment)) == NULL) 1406 fatal("%s: unable to open \"%s\"", __func__, tmp); | 646 case KEY_RSA: 647 ok = PEM_write_RSAPrivateKey(stdout, k->rsa, NULL, 648 NULL, 0, NULL, NULL); 649 break; 650 default: 651 fatal("%s: unsupported key type %s", __func__, 652 key_type(k)); 653 } --- 774 unchanged lines hidden (view full) --- 1428 fatal("Empty principal name"); 1429 } 1430 xfree(otmp); 1431 } 1432 1433 tmp = tilde_expand_filename(argv[i], pw->pw_uid); 1434 if ((public = key_load_public(tmp, &comment)) == NULL) 1435 fatal("%s: unable to open \"%s\"", __func__, tmp); |
1407 if (public->type != KEY_RSA && public->type != KEY_DSA) | 1436 if (public->type != KEY_RSA && public->type != KEY_DSA && 1437 public->type != KEY_ECDSA) |
1408 fatal("%s: key \"%s\" type %s cannot be certified", 1409 __func__, tmp, key_type(public)); 1410 1411 /* Prepare certificate to sign */ 1412 if (key_to_certified(public, v00) != 0) 1413 fatal("Could not upgrade key %s to certificate", tmp); 1414 public->cert->type = cert_key_type; 1415 public->cert->serial = (u_int64_t)cert_serial; --- 29 unchanged lines hidden (view full) --- 1445 if (!key_write(public, f)) 1446 fatal("Could not write certified key to %s", out); 1447 fprintf(f, " %s\n", comment); 1448 fclose(f); 1449 1450 if (!quiet) { 1451 logit("Signed %s key %s: id \"%s\" serial %llu%s%s " 1452 "valid %s", key_cert_type(public), | 1438 fatal("%s: key \"%s\" type %s cannot be certified", 1439 __func__, tmp, key_type(public)); 1440 1441 /* Prepare certificate to sign */ 1442 if (key_to_certified(public, v00) != 0) 1443 fatal("Could not upgrade key %s to certificate", tmp); 1444 public->cert->type = cert_key_type; 1445 public->cert->serial = (u_int64_t)cert_serial; --- 29 unchanged lines hidden (view full) --- 1475 if (!key_write(public, f)) 1476 fatal("Could not write certified key to %s", out); 1477 fprintf(f, " %s\n", comment); 1478 fclose(f); 1479 1480 if (!quiet) { 1481 logit("Signed %s key %s: id \"%s\" serial %llu%s%s " 1482 "valid %s", key_cert_type(public), |
1453 out, public->cert->key_id, public->cert->serial, | 1483 out, public->cert->key_id, 1484 (unsigned long long)public->cert->serial, |
1454 cert_principals != NULL ? " for " : "", 1455 cert_principals != NULL ? cert_principals : "", 1456 fmt_validity(cert_valid_from, cert_valid_to)); 1457 } 1458 1459 key_free(public); 1460 xfree(out); 1461 } --- 208 unchanged lines hidden (view full) --- 1670 1671 printf("%s:\n", identity_file); 1672 printf(" Type: %s %s certificate\n", key_ssh_name(key), 1673 key_cert_type(key)); 1674 printf(" Public key: %s %s\n", key_type(key), key_fp); 1675 printf(" Signing CA: %s %s\n", 1676 key_type(key->cert->signature_key), ca_fp); 1677 printf(" Key ID: \"%s\"\n", key->cert->key_id); | 1485 cert_principals != NULL ? " for " : "", 1486 cert_principals != NULL ? cert_principals : "", 1487 fmt_validity(cert_valid_from, cert_valid_to)); 1488 } 1489 1490 key_free(public); 1491 xfree(out); 1492 } --- 208 unchanged lines hidden (view full) --- 1701 1702 printf("%s:\n", identity_file); 1703 printf(" Type: %s %s certificate\n", key_ssh_name(key), 1704 key_cert_type(key)); 1705 printf(" Public key: %s %s\n", key_type(key), key_fp); 1706 printf(" Signing CA: %s %s\n", 1707 key_type(key->cert->signature_key), ca_fp); 1708 printf(" Key ID: \"%s\"\n", key->cert->key_id); |
1678 if (!v00) 1679 printf(" Serial: %llu\n", key->cert->serial); | 1709 if (!v00) { 1710 printf(" Serial: %llu\n", 1711 (unsigned long long)key->cert->serial); 1712 } |
1680 printf(" Valid: %s\n", 1681 fmt_validity(key->cert->valid_after, key->cert->valid_before)); 1682 printf(" Principals: "); 1683 if (key->cert->nprincipals == 0) 1684 printf("(none)\n"); 1685 else { 1686 for (i = 0; i < key->cert->nprincipals; i++) 1687 printf("\n %s", --- 88 unchanged lines hidden (view full) --- 1776 extern int optind; 1777 extern char *optarg; 1778 1779 /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ 1780 sanitise_stdfd(); 1781 1782 __progname = ssh_get_progname(argv[0]); 1783 | 1713 printf(" Valid: %s\n", 1714 fmt_validity(key->cert->valid_after, key->cert->valid_before)); 1715 printf(" Principals: "); 1716 if (key->cert->nprincipals == 0) 1717 printf("(none)\n"); 1718 else { 1719 for (i = 0; i < key->cert->nprincipals; i++) 1720 printf("\n %s", --- 88 unchanged lines hidden (view full) --- 1809 extern int optind; 1810 extern char *optarg; 1811 1812 /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ 1813 sanitise_stdfd(); 1814 1815 __progname = ssh_get_progname(argv[0]); 1816 |
1784 SSLeay_add_all_algorithms(); | 1817 OpenSSL_add_all_algorithms(); |
1785 log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); 1786 1787 init_rng(); 1788 seed_rng(); 1789 1790 /* we need this for the home * directory. */ 1791 pw = getpwuid(getuid()); 1792 if (!pw) { --- 4 unchanged lines hidden (view full) --- 1797 perror("gethostname"); 1798 exit(1); 1799 } 1800 1801 while ((opt = getopt(argc, argv, "degiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:" 1802 "O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) { 1803 switch (opt) { 1804 case 'b': | 1818 log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); 1819 1820 init_rng(); 1821 seed_rng(); 1822 1823 /* we need this for the home * directory. */ 1824 pw = getpwuid(getuid()); 1825 if (!pw) { --- 4 unchanged lines hidden (view full) --- 1830 perror("gethostname"); 1831 exit(1); 1832 } 1833 1834 while ((opt = getopt(argc, argv, "degiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:" 1835 "O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) { 1836 switch (opt) { 1837 case 'b': |
1805 bits = (u_int32_t)strtonum(optarg, 768, 32768, &errstr); | 1838 bits = (u_int32_t)strtonum(optarg, 256, 32768, &errstr); |
1806 if (errstr) 1807 fatal("Bits has bad value %s (%s)", 1808 optarg, errstr); 1809 break; 1810 case 'F': 1811 find_host = 1; 1812 rr_hostname = optarg; 1813 break; --- 267 unchanged lines hidden (view full) --- 2081 if (key_type_name == NULL) 2082 key_type_name = "rsa"; 2083 2084 type = key_type_from_name(key_type_name); 2085 if (type == KEY_UNSPEC) { 2086 fprintf(stderr, "unknown key type %s\n", key_type_name); 2087 exit(1); 2088 } | 1839 if (errstr) 1840 fatal("Bits has bad value %s (%s)", 1841 optarg, errstr); 1842 break; 1843 case 'F': 1844 find_host = 1; 1845 rr_hostname = optarg; 1846 break; --- 267 unchanged lines hidden (view full) --- 2114 if (key_type_name == NULL) 2115 key_type_name = "rsa"; 2116 2117 type = key_type_from_name(key_type_name); 2118 if (type == KEY_UNSPEC) { 2119 fprintf(stderr, "unknown key type %s\n", key_type_name); 2120 exit(1); 2121 } |
2089 if (bits == 0) 2090 bits = (type == KEY_DSA) ? DEFAULT_BITS_DSA : DEFAULT_BITS; | 2122 if (bits == 0) { 2123 if (type == KEY_DSA) 2124 bits = DEFAULT_BITS_DSA; 2125 else if (type == KEY_ECDSA) 2126 bits = DEFAULT_BITS_ECDSA; 2127 else 2128 bits = DEFAULT_BITS; 2129 } |
2091 maxbits = (type == KEY_DSA) ? 2092 OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; 2093 if (bits > maxbits) { 2094 fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); 2095 exit(1); 2096 } 2097 if (type == KEY_DSA && bits != 1024) 2098 fatal("DSA keys must be 1024 bits"); | 2130 maxbits = (type == KEY_DSA) ? 2131 OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; 2132 if (bits > maxbits) { 2133 fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); 2134 exit(1); 2135 } 2136 if (type == KEY_DSA && bits != 1024) 2137 fatal("DSA keys must be 1024 bits"); |
2138 else if (type != KEY_ECDSA && bits < 768) 2139 fatal("Key must at least be 768 bits"); 2140 else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(bits) == -1) 2141 fatal("Invalid ECDSA key length - valid lengths are " 2142 "256, 384 or 521 bits"); |
|
2099 if (!quiet) 2100 printf("Generating public/private %s key pair.\n", key_type_name); 2101 private = key_generate(type, bits); 2102 if (private == NULL) { 2103 fprintf(stderr, "key_generate failed\n"); 2104 exit(1); 2105 } 2106 public = key_from_private(private); --- 117 unchanged lines hidden --- | 2143 if (!quiet) 2144 printf("Generating public/private %s key pair.\n", key_type_name); 2145 private = key_generate(type, bits); 2146 if (private == NULL) { 2147 fprintf(stderr, "key_generate failed\n"); 2148 exit(1); 2149 } 2150 public = key_from_private(private); --- 117 unchanged lines hidden --- |
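Review bot: The result of key_ecdsa_key_to_nid() at new line 561 is stored into (*k)->ecdsa_nid without being checked, so a PKCS#8 file carrying a curve the code does not support yields a Key whose nid holds the failure value and whose later use fails far from the cause. Assuming that helper reports failure with -1 the way key_ecdsa_bits_to_nid() is tested at line 2140, add after line 561 `if ((*k)->ecdsa_nid == -1)` / `fatal("%s: unsupported EC curve", __func__);` so the conversion rejects the input with a clear message; the enclosing function begins and ends outside the visible lines. Separately, the KEY_ECDSA handling at 1437 and 2125–2141 is not wrapped in OPENSSL_HAS_ECC the way 180–185, 270–275 and 556–563 are, so on a build without ECC a `-t ecdsa` request presumably falls through to the generic `key_generate failed` at 2147 rather than a "not supported" message — worth a comment or a guarded check next to 2125. Also, maxbits at 2130 still applies OPENSSL_RSA_MAX_MODULUS_BITS to ECDSA; that is harmless given the nid check at 2140, but a one-line comment such as `/* ECDSA sizes are validated against the curve table below */` would save the next reader the question.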