*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.123 2005/04/05 13:45:31 otto Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.135 2005/11/29 02:04:55 dtucker Exp $");
#include <openssl/evp.h>
#include <openssl/pem.h>
#endif
#include "dns.h"
-/* Number of bits in the RSA/DSA key. This value can be changed on the command line. */
-int bits = 1024;
+/* Number of bits in the RSA/DSA key. This value can be set on the command line. */
+#define DEFAULT_BITS 2048
+#define DEFAULT_BITS_DSA 1024
+u_int32_t bits = 0;
/*
* Flag indicating that we just want to change the passphrase. This can be
char hostname[MAXHOSTNAMELEN];
/* moduli.c */
-int gen_candidates(FILE *, int, int, BIGNUM *);
+int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
int prime_test(FILE *, FILE *, u_int32_t, u_int32_t);
static void
fprintf(stderr, "WARNING: %s contains unhashed "
"entries\n", old);
fprintf(stderr, "Delete this file to ensure privacy "
- "of hostnames\n");
+ "of hostnames\n");
}
}
Key *private, *public;
struct passwd *pw;
struct stat st;
- int opt, type, fd, download = 0, memory = 0;
- int generator_wanted = 0, trials = 100;
+ int opt, type, fd, download = 0;
+ u_int32_t memory = 0, generator_wanted = 0, trials = 100;
int do_gen_candidates = 0, do_screen_candidates = 0;
int log_level = SYSLOG_LEVEL_INFO;
BIGNUM *start = NULL;
FILE *f;
+ const char *errstr;
extern int optind;
extern char *optarg;
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
__progname = ssh_get_progname(av[0]);
SSLeay_add_all_algorithms();
"degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
switch (opt) {
case 'b':
- bits = atoi(optarg);
- if (bits < 512 || bits > 32768) {
- printf("Bits has bad value.\n");
- exit(1);
- }
+ bits = strtonum(optarg, 768, 32768, &errstr);
+ if (errstr)
+ fatal("Bits has bad value %s (%s)",
+ optarg, errstr);
break;
case 'F':
find_host = 1;
change_comment = 1;
break;
case 'f':
- strlcpy(identity_file, optarg, sizeof(identity_file));
+ if (strlcpy(identity_file, optarg, sizeof(identity_file)) >=
+ sizeof(identity_file))
+ fatal("Identity filename too long");
have_identity = 1;
break;
case 'g':
rr_hostname = optarg;
break;
case 'W':
- generator_wanted = atoi(optarg);
- if (generator_wanted < 1)
- fatal("Desired generator has bad value.");
+ generator_wanted = strtonum(optarg, 1, UINT_MAX, &errstr);
+ if (errstr)
+ fatal("Desired generator has bad value: %s (%s)",
+ optarg, errstr);
break;
case 'a':
- trials = atoi(optarg);
+ trials = strtonum(optarg, 1, UINT_MAX, &errstr);
+ if (errstr)
+ fatal("Invalid number of trials: %s (%s)",
+ optarg, errstr);
break;
case 'M':
- memory = atoi(optarg);
+ memory = strtonum(optarg, 1, UINT_MAX, &errstr);
+ if (errstr) {
+ fatal("Memory limit is %s: %s", errstr, optarg);
+ }
break;
case 'G':
do_gen_candidates = 1;
- strlcpy(out_file, optarg, sizeof(out_file));
+ if (strlcpy(out_file, optarg, sizeof(out_file)) >=
+ sizeof(out_file))
+ fatal("Output filename too long");
break;
case 'T':
do_screen_candidates = 1;
- strlcpy(out_file, optarg, sizeof(out_file));
+ if (strlcpy(out_file, optarg, sizeof(out_file)) >=
+ sizeof(out_file))
+ fatal("Output filename too long");
break;
case 'S':
/* XXX - also compare length against bits */
out_file, strerror(errno));
return (1);
}
+ if (bits == 0)
+ bits = DEFAULT_BITS;
if (gen_candidates(out, memory, bits, start) != 0)
- fatal("modulus candidate generation failed\n");
+ fatal("modulus candidate generation failed");
return (0);
}
out_file, strerror(errno));
}
if (prime_test(in, out, trials, generator_wanted) != 0)
- fatal("modulus screening failed\n");
+ fatal("modulus screening failed");
return (0);
}
arc4random_stir();
- if (key_type_name == NULL) {
- printf("You must specify a key type (-t).\n");
- usage();
- }
+ if (key_type_name == NULL)
+ key_type_name = "rsa";
+
type = key_type_from_name(key_type_name);
if (type == KEY_UNSPEC) {
fprintf(stderr, "unknown key type %s\n", key_type_name);
exit(1);
}
+ if (bits == 0)
+ bits = (type == KEY_DSA) ? DEFAULT_BITS_DSA : DEFAULT_BITS;
+ if (type == KEY_DSA && bits != 1024)
+ fatal("DSA keys must be 1024 bits");
if (!quiet)
printf("Generating public/private %s key pair.\n", key_type_name);
private = key_generate(type, bits);
if (!have_identity)
ask_filename(pw, "Enter file in which to save the key");
- /* Create ~/.ssh directory if it doesn\'t already exist. */
+ /* Create ~/.ssh directory if it doesn't already exist. */
snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", pw->pw_dir, _PATH_SSH_USER_DIR);
if (strstr(identity_file, dotsshdir) != NULL &&
stat(dotsshdir, &st) < 0) {