=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-keygen.c,v retrieving revision 1.197 retrieving revision 1.201 diff -u -r1.197 -r1.201 --- src/usr.bin/ssh/ssh-keygen.c 2010/08/04 06:07:11 1.197 +++ src/usr.bin/ssh/ssh-keygen.c 2010/08/31 12:33:38 1.201 @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.197 2010/08/04 06:07:11 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.201 2010/08/31 12:33:38 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -49,6 +49,7 @@ /* Number of bits in the RSA/DSA key. This value can be set on the command line. */ #define DEFAULT_BITS 2048 #define DEFAULT_BITS_DSA 1024 +#define DEFAULT_BITS_ECDSA 521 u_int32_t bits = 0; /* @@ -168,6 +169,10 @@ case KEY_DSA: name = _PATH_SSH_CLIENT_ID_DSA; break; + case KEY_ECDSA_CERT: + case KEY_ECDSA: + name = _PATH_SSH_CLIENT_ID_ECDSA; + break; case KEY_RSA_CERT: case KEY_RSA_CERT_V00: case KEY_RSA: @@ -252,6 +257,10 @@ if (!PEM_write_DSA_PUBKEY(stdout, k->dsa)) fatal("PEM_write_DSA_PUBKEY failed"); break; + case KEY_ECDSA: + if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa)) + fatal("PEM_write_EC_PUBKEY failed"); + break; default: fatal("%s: unsupported key type %s", __func__, key_type(k)); } @@ -272,6 +281,7 @@ fatal("PEM_write_DSAPublicKey failed"); break; #endif + /* XXX ECDSA? */ default: fatal("%s: unsupported key type %s", __func__, key_type(k)); } @@ -531,6 +541,13 @@ (*k)->type = KEY_DSA; (*k)->dsa = EVP_PKEY_get1_DSA(pubkey); break; + case EVP_PKEY_EC: + *k = key_new(KEY_UNSPEC); + (*k)->type = KEY_ECDSA; + (*k)->ecdsa = EVP_PKEY_get1_EC_KEY(pubkey); + (*k)->ecdsa_nid = key_ecdsa_group_to_nid( + EC_KEY_get0_group((*k)->ecdsa)); + break; default: fatal("%s: unsupported pubkey type %d", __func__, EVP_PKEY_type(pubkey->type)); @@ -566,6 +583,7 @@ fclose(fp); return; } + /* XXX ECDSA */ #endif fatal("%s: unrecognised raw private key format", __func__); } @@ -606,6 +624,10 @@ ok = PEM_write_DSAPrivateKey(stdout, k->dsa, NULL, NULL, 0, NULL, NULL); break; + case KEY_ECDSA: + ok = PEM_write_ECPrivateKey(stdout, k->ecdsa, NULL, + NULL, 0, NULL, NULL); + break; case KEY_RSA: ok = PEM_write_RSAPrivateKey(stdout, k->rsa, NULL, NULL, 0, NULL, NULL); @@ -1396,7 +1418,8 @@ tmp = tilde_expand_filename(argv[i], pw->pw_uid); if ((public = key_load_public(tmp, &comment)) == NULL) fatal("%s: unable to open \"%s\"", __func__, tmp); - if (public->type != KEY_RSA && public->type != KEY_DSA) + if (public->type != KEY_RSA && public->type != KEY_DSA && + public->type != KEY_ECDSA) fatal("%s: key \"%s\" type %s cannot be certified", __func__, tmp, key_type(public)); @@ -1771,7 +1794,7 @@ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); - SSLeay_add_all_algorithms(); + OpenSSL_add_all_algorithms(); log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); /* we need this for the home * directory. */ @@ -2073,8 +2096,14 @@ fprintf(stderr, "unknown key type %s\n", key_type_name); exit(1); } - if (bits == 0) - bits = (type == KEY_DSA) ? DEFAULT_BITS_DSA : DEFAULT_BITS; + if (bits == 0) { + if (type == KEY_DSA) + bits = DEFAULT_BITS_DSA; + else if (type == KEY_ECDSA) + bits = DEFAULT_BITS_ECDSA; + else + bits = DEFAULT_BITS; + } maxbits = (type == KEY_DSA) ? OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; if (bits > maxbits) { @@ -2083,6 +2112,9 @@ } if (type == KEY_DSA && bits != 1024) fatal("DSA keys must be 1024 bits"); + else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(bits) == -1) + fatal("Invalid ECDSA key length - valid lengths are " + "256, 384 or 521 bits"); if (!quiet) printf("Generating public/private %s key pair.\n", key_type_name); private = key_generate(type, bits);