*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.102 2002/11/26 00:45:03 wcobb Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.117 2004/07/11 17:48:47 deraadt Exp $");
#include <openssl/evp.h>
#include <openssl/pem.h>
#include "bufaux.h"
#include "pathnames.h"
#include "log.h"
-#include "readpass.h"
+#include "misc.h"
#ifdef SMARTCARD
#include "scard.h"
#endif
+#include "dns.h"
/* Number of bits in the RSA/DSA key. This value can be changed on the command line. */
int bits = 1024;
int convert_to_ssh2 = 0;
int convert_from_ssh2 = 0;
int print_public = 0;
+int print_generic = 0;
char *key_type_name = NULL;
/* argv0 */
-#ifdef HAVE___PROGNAME
extern char *__progname;
-#else
-char *__progname;
-#endif
char hostname[MAXHOSTNAMELEN];
+/* moduli.c */
+int gen_candidates(FILE *, int, int, BIGNUM *);
+int prime_test(FILE *, FILE *, u_int32_t, u_int32_t);
+
static void
ask_filename(struct passwd *pw, const char *prompt)
{
exit(1);
}
}
+ if (k->type == KEY_RSA1) {
+ fprintf(stderr, "version 1 keys are not supported\n");
+ exit(1);
+ }
if (key_to_blob(k, &blob, &len) <= 0) {
fprintf(stderr, "key_to_blob failed\n");
exit(1);
static void
buffer_get_bignum_bits(Buffer *b, BIGNUM *value)
{
- int bits = buffer_get_int(b);
- int bytes = (bits + 7) / 8;
+ u_int bignum_bits = buffer_get_int(b);
+ u_int bytes = (bignum_bits + 7) / 8;
if (buffer_len(b) < bytes)
fatal("buffer_get_bignum_bits: input buffer too small: "
key_free(prv);
if (ret < 0)
exit(1);
- log("loading key done");
+ logit("loading key done");
exit(0);
}
exit(0);
}
+/*
+ * Print the SSHFP RR.
+ */
+static void
+do_print_resource_record(struct passwd *pw, char *hname)
+{
+ Key *public;
+ char *comment = NULL;
+ struct stat st;
+
+ if (!have_identity)
+ ask_filename(pw, "Enter file in which the key is");
+ if (stat(identity_file, &st) < 0) {
+ perror(identity_file);
+ exit(1);
+ }
+ public = key_load_public(identity_file, &comment);
+ if (public != NULL) {
+ export_dns_rr(hname, public, stdout, print_generic);
+ key_free(public);
+ xfree(comment);
+ exit(0);
+ }
+ if (comment)
+ xfree(comment);
+
+ printf("failed to read v2 public key from %s.\n", identity_file);
+ exit(1);
+}
+
/*
* Change the comment of a private key file.
*/
fprintf(stderr, " -c Change comment in private and public key files.\n");
fprintf(stderr, " -e Convert OpenSSH to IETF SECSH key file.\n");
fprintf(stderr, " -f filename Filename of the key file.\n");
+ fprintf(stderr, " -g Use generic DNS resource record format.\n");
fprintf(stderr, " -i Convert IETF SECSH to OpenSSH key file.\n");
fprintf(stderr, " -l Show fingerprint of key file.\n");
fprintf(stderr, " -p Change passphrase of private key file.\n");
fprintf(stderr, " -C comment Provide new comment.\n");
fprintf(stderr, " -N phrase Provide new passphrase.\n");
fprintf(stderr, " -P phrase Provide old passphrase.\n");
+ fprintf(stderr, " -r hostname Print DNS resource record.\n");
#ifdef SMARTCARD
fprintf(stderr, " -D reader Download public key from smartcard.\n");
fprintf(stderr, " -U reader Upload private key to smartcard.\n");
#endif /* SMARTCARD */
+ fprintf(stderr, " -G file Generate candidates for DH-GEX moduli\n");
+ fprintf(stderr, " -T file Screen candidates for DH-GEX moduli\n");
+
exit(1);
}
main(int ac, char **av)
{
char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2;
- char *reader_id = NULL;
+ char out_file[MAXPATHLEN], *reader_id = NULL;
+ char *resource_record_hostname = NULL;
Key *private, *public;
struct passwd *pw;
struct stat st;
- int opt, type, fd, download = 0;
+ int opt, type, fd, download = 0, memory = 0;
+ int generator_wanted = 0, trials = 100;
+ int do_gen_candidates = 0, do_screen_candidates = 0;
+ int log_level = SYSLOG_LEVEL_INFO;
+ BIGNUM *start = NULL;
FILE *f;
extern int optind;
extern char *optarg;
- __progname = get_progname(av[0]);
+ __progname = ssh_get_progname(av[0]);
SSLeay_add_all_algorithms();
+ log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
+
init_rng();
seed_rng();
exit(1);
}
- while ((opt = getopt(ac, av, "deiqpclBRxXyb:f:t:U:D:P:N:C:")) != -1) {
+ while ((opt = getopt(ac, av,
+ "degiqpclBRvxXyb:f:t:U:D:P:N:C:r:g:T:G:M:S:a:W:")) != -1) {
switch (opt) {
case 'b':
bits = atoi(optarg);
strlcpy(identity_file, optarg, sizeof(identity_file));
have_identity = 1;
break;
+ case 'g':
+ print_generic = 1;
+ break;
case 'P':
identity_passphrase = optarg;
break;
case 'U':
reader_id = optarg;
break;
+ case 'v':
+ if (log_level == SYSLOG_LEVEL_INFO)
+ log_level = SYSLOG_LEVEL_DEBUG1;
+ else {
+ if (log_level >= SYSLOG_LEVEL_DEBUG1 &&
+ log_level < SYSLOG_LEVEL_DEBUG3)
+ log_level++;
+ }
+ break;
+ case 'r':
+ resource_record_hostname = optarg;
+ break;
+ case 'W':
+ generator_wanted = atoi(optarg);
+ if (generator_wanted < 1)
+ fatal("Desired generator has bad value.");
+ break;
+ case 'a':
+ trials = atoi(optarg);
+ break;
+ case 'M':
+ memory = atoi(optarg);
+ break;
+ case 'G':
+ do_gen_candidates = 1;
+ strlcpy(out_file, optarg, sizeof(out_file));
+ break;
+ case 'T':
+ do_screen_candidates = 1;
+ strlcpy(out_file, optarg, sizeof(out_file));
+ break;
+ case 'S':
+ /* XXX - also compare length against bits */
+ if (BN_hex2bn(&start, optarg) == 0)
+ fatal("Invalid start point.");
+ break;
case '?':
default:
usage();
}
}
+
+ /* reinit */
+ log_init(av[0], log_level, SYSLOG_FACILITY_USER, 1);
+
if (optind < ac) {
printf("Too many arguments.\n");
usage();
do_convert_from_ssh2(pw);
if (print_public)
do_print_public(pw);
+ if (resource_record_hostname != NULL) {
+ do_print_resource_record(pw, resource_record_hostname);
+ }
if (reader_id != NULL) {
#ifdef SMARTCARD
if (download)
#endif /* SMARTCARD */
}
+ if (do_gen_candidates) {
+ FILE *out = fopen(out_file, "w");
+
+ if (out == NULL) {
+ error("Couldn't open modulus candidate file \"%s\": %s",
+ out_file, strerror(errno));
+ return (1);
+ }
+ if (gen_candidates(out, memory, bits, start) != 0)
+ fatal("modulus candidate generation failed\n");
+
+ return (0);
+ }
+
+ if (do_screen_candidates) {
+ FILE *in;
+ FILE *out = fopen(out_file, "w");
+
+ if (have_identity && strcmp(identity_file, "-") != 0) {
+ if ((in = fopen(identity_file, "r")) == NULL) {
+ fatal("Couldn't open modulus candidate "
+ "file \"%s\": %s", identity_file,
+ strerror(errno));
+ }
+ } else
+ in = stdin;
+
+ if (out == NULL) {
+ fatal("Couldn't open moduli file \"%s\": %s",
+ out_file, strerror(errno));
+ }
+ if (prime_test(in, out, trials, generator_wanted) != 0)
+ fatal("modulus screening failed\n");
+ return (0);
+ }
+
arc4random_stir();
if (key_type_name == NULL) {