authordes <des@FreeBSD.org>2011-10-05 22:08:17 +0000
committerdes <des@FreeBSD.org>2011-10-05 22:08:17 +0000
commit038442ad80c21a07c19532a176030e2ca51fdd9d (patch)
tree654e40360db9b6bb67928b3a5c1b5dbd84925000 /crypto/openssh/ssh-keygen.c
parent2276ee273397e0ccd5c7911848e3de9bd91fb1c2 (diff)
parenta9c7316f0b012b7e85d1a1c4d8b6ce36b9fd9604 (diff)
Upgrade to OpenSSH 5.9p1.
MFC after: 3 months
Diffstat (limited to 'crypto/openssh/ssh-keygen.c')
-rw-r--r--crypto/openssh/ssh-keygen.c181
1 files changed, 142 insertions, 39 deletions
diff --git a/crypto/openssh/ssh-keygen.c b/crypto/openssh/ssh-keygen.c
index c95e4ab..4b6218b 100644
--- a/crypto/openssh/ssh-keygen.c
+++ b/crypto/openssh/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.205 2011/01/11 06:13:10 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.210 2011/04/18 00:46:05 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -49,10 +49,7 @@
#include "hostfile.h"
#include "dns.h"
#include "ssh2.h"
-
-#ifdef ENABLE_PKCS11
#include "ssh-pkcs11.h"
-#endif
/* Number of bits in the RSA/DSA key. This value can be set on the command line. */
#define DEFAULT_BITS 2048
@@ -160,6 +157,38 @@ int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
int prime_test(FILE *, FILE *, u_int32_t, u_int32_t);
static void
+type_bits_valid(int type, u_int32_t *bitsp)
+{
+ u_int maxbits;
+
+ if (type == KEY_UNSPEC) {
+ fprintf(stderr, "unknown key type %s\n", key_type_name);
+ exit(1);
+ }
+ if (*bitsp == 0) {
+ if (type == KEY_DSA)
+ *bitsp = DEFAULT_BITS_DSA;
+ else if (type == KEY_ECDSA)
+ *bitsp = DEFAULT_BITS_ECDSA;
+ else
+ *bitsp = DEFAULT_BITS;
+ }
+ maxbits = (type == KEY_DSA) ?
+ OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
+ if (*bitsp > maxbits) {
+ fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);
+ exit(1);
+ }
+ if (type == KEY_DSA && *bitsp != 1024)
+ fatal("DSA keys must be 1024 bits");
+ else if (type != KEY_ECDSA && *bitsp < 768)
+ fatal("Key must at least be 768 bits");
+ else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1)
+ fatal("Invalid ECDSA key length - valid lengths are "
+ "256, 384 or 521 bits");
+}
+
+static void
ask_filename(struct passwd *pw, const char *prompt)
{
char buf[1024];
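Review bot: In the new type_bits_valid(), `fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);` passes a `u_int` to `%d`; the specifier should be `%u` (the mismatch is inherited from the lines moved out of main(), but the new helper is the place to fix it). The helper also mixes two error-reporting styles, `fprintf(stderr, ...); exit(1);` for the unknown-type and maximum-bits cases and `fatal()` for the remaining checks; since every path is fatal, `fatal("key bits exceeds maximum %u", maxbits);` would keep the reporting consistent. A one-line header comment would help readers of the three length rules: `/* Apply the per-type default key size and reject sizes outside the supported range; exits on any invalid combination. */`. The hunk ends inside ask_filename(), which continues outside it.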
@@ -818,6 +847,98 @@ do_fingerprint(struct passwd *pw)
}
static void
+do_gen_all_hostkeys(struct passwd *pw)
+{
+ struct {
+ char *key_type;
+ char *key_type_display;
+ char *path;
+ } key_types[] = {
+ { "rsa1", "RSA1", _PATH_HOST_KEY_FILE },
+ { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
+ { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
+ { "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
+ { NULL, NULL, NULL }
+ };
+
+ int first = 0;
+ struct stat st;
+ Key *private, *public;
+ char comment[1024];
+ int i, type, fd;
+ FILE *f;
+
+ for (i = 0; key_types[i].key_type; i++) {
+ if (stat(key_types[i].path, &st) == 0)
+ continue;
+ if (errno != ENOENT) {
+ printf("Could not stat %s: %s", key_types[i].path,
+ strerror(errno));
+ first = 0;
+ continue;
+ }
+
+ if (first == 0) {
+ first = 1;
+ printf("%s: generating new host keys: ", __progname);
+ }
+ printf("%s ", key_types[i].key_type_display);
+ fflush(stdout);
+ arc4random_stir();
+ type = key_type_from_name(key_types[i].key_type);
+ strlcpy(identity_file, key_types[i].path, sizeof(identity_file));
+ bits = 0;
+ type_bits_valid(type, &bits);
+ private = key_generate(type, bits);
+ if (private == NULL) {
+ fprintf(stderr, "key_generate failed\n");
+ first = 0;
+ continue;
+ }
+ public = key_from_private(private);
+ snprintf(comment, sizeof comment, "%s@%s", pw->pw_name,
+ hostname);
+ if (!key_save_private(private, identity_file, "", comment)) {
+ printf("Saving the key failed: %s.\n", identity_file);
+ key_free(private);
+ key_free(public);
+ first = 0;
+ continue;
+ }
+ key_free(private);
+ arc4random_stir();
+ strlcat(identity_file, ".pub", sizeof(identity_file));
+ fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+ if (fd == -1) {
+ printf("Could not save your public key in %s\n",
+ identity_file);
+ key_free(public);
+ first = 0;
+ continue;
+ }
+ f = fdopen(fd, "w");
+ if (f == NULL) {
+ printf("fdopen %s failed\n", identity_file);
+ key_free(public);
+ first = 0;
+ continue;
+ }
+ if (!key_write(public, f)) {
+ fprintf(stderr, "write key failed\n");
+ key_free(public);
+ first = 0;
+ continue;
+ }
+ fprintf(f, " %s\n", comment);
+ fclose(f);
+ key_free(public);
+
+ }
+ if (first != 0)
+ printf("\n");
+}
+
+static void
printhost(FILE *f, const char *name, Key *public, int ca, int hash)
{
if (print_fingerprint) {
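Review bot: The `if (!key_write(public, f))` branch in do_gen_all_hostkeys() continues the loop without closing `f`, leaking the stream and its descriptor for the rest of the run; add `fclose(f);` before `key_free(public);` there. The success path also ignores the results of `fprintf(f, " %s\n", comment)` and `fclose(f)`, so a short write of the .pub file (a full filesystem, for example) is reported as success; `if (fclose(f) != 0) printf("Could not write %s: %s\n", identity_file, strerror(errno));` would at least surface it. Separately, `printf("Could not stat %s: %s", ...)` lacks a trailing `\n`, so the next key type's output runs onto the same line. The hunk's last lines begin printhost(), whose body continues outside it.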
@@ -1330,6 +1451,9 @@ prepare_options_buf(Buffer *c, int which)
certflags_command != NULL)
add_string_option(c, "force-command", certflags_command);
if ((which & OPTIONS_EXTENSIONS) != 0 &&
+ (certflags_flags & CERTOPT_X_FWD) != 0)
+ add_flag_option(c, "permit-X11-forwarding");
+ if ((which & OPTIONS_EXTENSIONS) != 0 &&
(certflags_flags & CERTOPT_AGENT_FWD) != 0)
add_flag_option(c, "permit-agent-forwarding");
if ((which & OPTIONS_EXTENSIONS) != 0 &&
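Review bot: The relocation of the permit-X11-forwarding block ahead of permit-agent-forwarding (this hunk, with the matching deletion in the following hunk) is unexplained in the code; presumably it is so the extensions are emitted in byte-wise lexical order, where `X` sorts before `a`, as certificate option names must be. A comment at the head of the extension sequence would stop a later reorder from silently breaking that: `/* Extensions must be added in lexical (byte) order of their names; "permit-X11-forwarding" sorts before "permit-agent-forwarding". */`. prepare_options_buf() starts and ends outside this hunk.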
@@ -1341,9 +1465,6 @@ prepare_options_buf(Buffer *c, int which)
if ((which & OPTIONS_EXTENSIONS) != 0 &&
(certflags_flags & CERTOPT_USER_RC) != 0)
add_flag_option(c, "permit-user-rc");
- if ((which & OPTIONS_EXTENSIONS) != 0 &&
- (certflags_flags & CERTOPT_X_FWD) != 0)
- add_flag_option(c, "permit-X11-forwarding");
if ((which & OPTIONS_CRITICAL) != 0 &&
certflags_src_addr != NULL)
add_string_option(c, "source-address", certflags_src_addr);
@@ -1593,7 +1714,7 @@ add_cert_option(char *opt)
{
char *val;
- if (strcmp(opt, "clear") == 0)
+ if (strcasecmp(opt, "clear") == 0)
certflags_flags = 0;
else if (strcasecmp(opt, "no-x11-forwarding") == 0)
certflags_flags &= ~CERTOPT_X_FWD;
@@ -1745,6 +1866,7 @@ usage(void)
{
fprintf(stderr, "usage: %s [options]\n", __progname);
fprintf(stderr, "Options:\n");
+ fprintf(stderr, " -A Generate non-existent host keys for all key types.\n");
fprintf(stderr, " -a trials Number of trials for screening DH-GEX moduli.\n");
fprintf(stderr, " -B Show bubblebabble digest of key file.\n");
fprintf(stderr, " -b bits Number of bits in the key to create.\n");
@@ -1799,9 +1921,9 @@ main(int argc, char **argv)
struct passwd *pw;
struct stat st;
int opt, type, fd;
- u_int maxbits;
u_int32_t memory = 0, generator_wanted = 0, trials = 100;
int do_gen_candidates = 0, do_screen_candidates = 0;
+ int gen_all_hostkeys = 0;
BIGNUM *start = NULL;
FILE *f;
const char *errstr;
@@ -1817,7 +1939,6 @@ main(int argc, char **argv)
OpenSSL_add_all_algorithms();
log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
- init_rng();
seed_rng();
/* we need this for the home * directory. */
@@ -1831,9 +1952,12 @@ main(int argc, char **argv)
exit(1);
}
- while ((opt = getopt(argc, argv, "degiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:"
+ while ((opt = getopt(argc, argv, "AegiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:"
"O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) {
switch (opt) {
+ case 'A':
+ gen_all_hostkeys = 1;
+ break;
case 'b':
bits = (u_int32_t)strtonum(optarg, 256, 32768, &errstr);
if (errstr)
@@ -1928,9 +2052,6 @@ main(int argc, char **argv)
case 'y':
print_public = 1;
break;
- case 'd':
- key_type_name = "dsa";
- break;
case 's':
ca_key_path = optarg;
break;
@@ -2109,37 +2230,19 @@ main(int argc, char **argv)
return (0);
}
+ if (gen_all_hostkeys) {
+ do_gen_all_hostkeys(pw);
+ return (0);
+ }
+
arc4random_stir();
if (key_type_name == NULL)
key_type_name = "rsa";
type = key_type_from_name(key_type_name);
- if (type == KEY_UNSPEC) {
- fprintf(stderr, "unknown key type %s\n", key_type_name);
- exit(1);
- }
- if (bits == 0) {
- if (type == KEY_DSA)
- bits = DEFAULT_BITS_DSA;
- else if (type == KEY_ECDSA)
- bits = DEFAULT_BITS_ECDSA;
- else
- bits = DEFAULT_BITS;
- }
- maxbits = (type == KEY_DSA) ?
- OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
- if (bits > maxbits) {
- fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);
- exit(1);
- }
- if (type == KEY_DSA && bits != 1024)
- fatal("DSA keys must be 1024 bits");
- else if (type != KEY_ECDSA && bits < 768)
- fatal("Key must at least be 768 bits");
- else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(bits) == -1)
- fatal("Invalid ECDSA key length - valid lengths are "
- "256, 384 or 521 bits");
+ type_bits_valid(type, &bits);
+
if (!quiet)
printf("Generating public/private %s key pair.\n", key_type_name);
private = key_generate(type, bits);
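Review bot: The new `-A` path at `do_gen_all_hostkeys(pw); return (0);` always exits with status 0, yet do_gen_all_hostkeys() continues past key_generate(), key_save_private() and open() failures, so a boot script invoking `ssh-keygen -A` cannot tell that a host key was not written. Having the helper return the number of key types that failed and ending the branch with `if (do_gen_all_hostkeys(pw) != 0) return (1);` would make the failure observable to callers. Note also that a `-b` value given on the command line is discarded in this mode (`bits = 0` inside the helper), which the usage text does not mention. main() continues outside this hunk.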