summaryrefslogtreecommitdiffstats
path: root/ssh-keygen.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-09-27 08:42:39 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-09-27 08:42:39 +0000
commita747d063f7635fdb84741fdb1000a0bcf4ef1b17 (patch)
tree9222f8b5369cf31b9fa78f0fd519d005c92dcb74 /ssh-keygen.c
parentAdding debian version 1:9.8p1-3. (diff)
downloadopenssh-a747d063f7635fdb84741fdb1000a0bcf4ef1b17.tar.xz
openssh-a747d063f7635fdb84741fdb1000a0bcf4ef1b17.zip
Merging upstream version 1:9.9p1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'ssh-keygen.c')
-rw-r--r--ssh-keygen.c93
1 files changed, 63 insertions, 30 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 97c6d13..8396c40 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.472 2024/01/11 01:45:36 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.475 2024/09/15 00:47:01 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -261,7 +261,7 @@ ask_filename(struct passwd *pw, const char *prompt)
if (key_type_name == NULL)
name = _PATH_SSH_CLIENT_ID_ED25519;
else {
- switch (sshkey_type_from_name(key_type_name)) {
+ switch (sshkey_type_from_shortname(key_type_name)) {
#ifdef WITH_DSA
case KEY_DSA_CERT:
case KEY_DSA:
@@ -313,7 +313,7 @@ ask_filename(struct passwd *pw, const char *prompt)
static struct sshkey *
load_identity(const char *filename, char **commentp)
{
- char *pass;
+ char *prompt, *pass;
struct sshkey *prv;
int r;
@@ -325,8 +325,11 @@ load_identity(const char *filename, char **commentp)
fatal_r(r, "Load key \"%s\"", filename);
if (identity_passphrase)
pass = xstrdup(identity_passphrase);
- else
- pass = read_passphrase("Enter passphrase: ", RP_ALLOW_STDIN);
+ else {
+ xasprintf(&prompt, "Enter passphrase for \"%s\": ", filename);
+ pass = read_passphrase(prompt, RP_ALLOW_STDIN);
+ free(prompt);
+ }
r = sshkey_load_private(filename, pass, &prv, commentp);
freezero(pass, strlen(pass));
if (r != 0)
@@ -375,7 +378,8 @@ do_convert_to_pkcs8(struct sshkey *k)
{
switch (sshkey_type_plain(k->type)) {
case KEY_RSA:
- if (!PEM_write_RSA_PUBKEY(stdout, k->rsa))
+ if (!PEM_write_RSA_PUBKEY(stdout,
+ EVP_PKEY_get0_RSA(k->pkey)))
fatal("PEM_write_RSA_PUBKEY failed");
break;
#ifdef WITH_DSA
@@ -386,7 +390,8 @@ do_convert_to_pkcs8(struct sshkey *k)
#endif
#ifdef OPENSSL_HAS_ECC
case KEY_ECDSA:
- if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa))
+ if (!PEM_write_EC_PUBKEY(stdout,
+ EVP_PKEY_get0_EC_KEY(k->pkey)))
fatal("PEM_write_EC_PUBKEY failed");
break;
#endif
@@ -401,7 +406,8 @@ do_convert_to_pem(struct sshkey *k)
{
switch (sshkey_type_plain(k->type)) {
case KEY_RSA:
- if (!PEM_write_RSAPublicKey(stdout, k->rsa))
+ if (!PEM_write_RSAPublicKey(stdout,
+ EVP_PKEY_get0_RSA(k->pkey)))
fatal("PEM_write_RSAPublicKey failed");
break;
#ifdef WITH_DSA
@@ -412,7 +418,8 @@ do_convert_to_pem(struct sshkey *k)
#endif
#ifdef OPENSSL_HAS_ECC
case KEY_ECDSA:
- if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa))
+ if (!PEM_write_EC_PUBKEY(stdout,
+ EVP_PKEY_get0_EC_KEY(k->pkey)))
fatal("PEM_write_EC_PUBKEY failed");
break;
#endif
@@ -490,6 +497,8 @@ do_convert_private_ssh2(struct sshbuf *b)
#endif
BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL;
BIGNUM *rsa_p = NULL, *rsa_q = NULL, *rsa_iqmp = NULL;
+ BIGNUM *rsa_dmp1 = NULL, *rsa_dmq1 = NULL;
+ RSA *rsa = NULL;
if ((r = sshbuf_get_u32(b, &magic)) != 0)
fatal_fr(r, "parse magic");
@@ -584,15 +593,25 @@ do_convert_private_ssh2(struct sshbuf *b)
buffer_get_bignum_bits(b, rsa_iqmp);
buffer_get_bignum_bits(b, rsa_q);
buffer_get_bignum_bits(b, rsa_p);
- if (!RSA_set0_key(key->rsa, rsa_n, rsa_e, rsa_d))
+ if ((r = ssh_rsa_complete_crt_parameters(rsa_d, rsa_p, rsa_q,
+ rsa_iqmp, &rsa_dmp1, &rsa_dmq1)) != 0)
+ fatal_fr(r, "generate RSA CRT parameters");
+ if ((key->pkey = EVP_PKEY_new()) == NULL)
+ fatal_f("EVP_PKEY_new failed");
+ if ((rsa = RSA_new()) == NULL)
+ fatal_f("RSA_new failed");
+ if (!RSA_set0_key(rsa, rsa_n, rsa_e, rsa_d))
fatal_f("RSA_set0_key failed");
rsa_n = rsa_e = rsa_d = NULL; /* transferred */
- if (!RSA_set0_factors(key->rsa, rsa_p, rsa_q))
+ if (!RSA_set0_factors(rsa, rsa_p, rsa_q))
fatal_f("RSA_set0_factors failed");
rsa_p = rsa_q = NULL; /* transferred */
- if ((r = ssh_rsa_complete_crt_parameters(key, rsa_iqmp)) != 0)
- fatal_fr(r, "generate RSA parameters");
- BN_clear_free(rsa_iqmp);
+ if (RSA_set0_crt_params(rsa, rsa_dmp1, rsa_dmq1, rsa_iqmp) != 1)
+ fatal_f("RSA_set0_crt_params failed");
+ rsa_dmp1 = rsa_dmq1 = rsa_iqmp = NULL;
+ if (EVP_PKEY_set1_RSA(key->pkey, rsa) != 1)
+ fatal_f("EVP_PKEY_set1_RSA failed");
+ RSA_free(rsa);
alg = "rsa-sha2-256";
break;
}
@@ -712,7 +731,8 @@ do_convert_from_pkcs8(struct sshkey **k, int *private)
if ((*k = sshkey_new(KEY_UNSPEC)) == NULL)
fatal("sshkey_new failed");
(*k)->type = KEY_RSA;
- (*k)->rsa = EVP_PKEY_get1_RSA(pubkey);
+ (*k)->pkey = pubkey;
+ pubkey = NULL;
break;
#ifdef WITH_DSA
case EVP_PKEY_DSA:
@@ -726,9 +746,11 @@ do_convert_from_pkcs8(struct sshkey **k, int *private)
case EVP_PKEY_EC:
if ((*k = sshkey_new(KEY_UNSPEC)) == NULL)
fatal("sshkey_new failed");
+ if (((*k)->ecdsa_nid = sshkey_ecdsa_fixup_group(pubkey)) == -1)
+ fatal("sshkey_ecdsa_fixup_group failed");
(*k)->type = KEY_ECDSA;
- (*k)->ecdsa = EVP_PKEY_get1_EC_KEY(pubkey);
- (*k)->ecdsa_nid = sshkey_ecdsa_key_to_nid((*k)->ecdsa);
+ (*k)->pkey = pubkey;
+ pubkey = NULL;
break;
#endif
default:
@@ -750,8 +772,12 @@ do_convert_from_pem(struct sshkey **k, int *private)
if ((rsa = PEM_read_RSAPublicKey(fp, NULL, NULL, NULL)) != NULL) {
if ((*k = sshkey_new(KEY_UNSPEC)) == NULL)
fatal("sshkey_new failed");
+ if (((*k)->pkey = EVP_PKEY_new()) == NULL)
+ fatal("EVP_PKEY_new failed");
(*k)->type = KEY_RSA;
- (*k)->rsa = rsa;
+ if (EVP_PKEY_set1_RSA((*k)->pkey, rsa) != 1)
+ fatal("EVP_PKEY_set1_RSA failed");
+ RSA_free(rsa);
fclose(fp);
return;
}
@@ -799,13 +825,15 @@ do_convert_from(struct passwd *pw)
#endif
#ifdef OPENSSL_HAS_ECC
case KEY_ECDSA:
- ok = PEM_write_ECPrivateKey(stdout, k->ecdsa, NULL,
- NULL, 0, NULL, NULL);
+ ok = PEM_write_ECPrivateKey(stdout,
+ EVP_PKEY_get0_EC_KEY(k->pkey), NULL, NULL, 0,
+ NULL, NULL);
break;
#endif
case KEY_RSA:
- ok = PEM_write_RSAPrivateKey(stdout, k->rsa, NULL,
- NULL, 0, NULL, NULL);
+ ok = PEM_write_RSAPrivateKey(stdout,
+ EVP_PKEY_get0_RSA(k->pkey), NULL, NULL, 0,
+ NULL, NULL);
break;
default:
fatal_f("unsupported key type %s", sshkey_type(k));
@@ -1115,7 +1143,7 @@ do_gen_all_hostkeys(struct passwd *pw)
}
printf("%s ", key_types[i].key_type_display);
fflush(stdout);
- type = sshkey_type_from_name(key_types[i].key_type);
+ type = sshkey_type_from_shortname(key_types[i].key_type);
if ((fd = mkstemp(prv_tmp)) == -1) {
error("Could not save your private key in %s: %s",
prv_tmp, strerror(errno));
@@ -1821,7 +1849,7 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
free(tmp);
if (key_type_name != NULL) {
- if (sshkey_type_from_name(key_type_name) != ca->type) {
+ if (sshkey_type_from_shortname(key_type_name) != ca->type) {
fatal("CA key type %s doesn't match specified %s",
sshkey_ssh_name(ca), key_type_name);
}
@@ -3108,17 +3136,22 @@ read_check_passphrase(const char *prompt1, const char *prompt2,
}
static char *
-private_key_passphrase(void)
+private_key_passphrase(const char *path)
{
+ char *prompt, *ret;
+
if (identity_passphrase)
return xstrdup(identity_passphrase);
if (identity_new_passphrase)
return xstrdup(identity_new_passphrase);
- return read_check_passphrase(
- "Enter passphrase (empty for no passphrase): ",
+ xasprintf(&prompt, "Enter passphrase for \"%s\" "
+ "(empty for no passphrase): ", path);
+ ret = read_check_passphrase(prompt,
"Enter same passphrase again: ",
"Passphrases do not match. Try again.");
+ free(prompt);
+ return ret;
}
static char *
@@ -3214,7 +3247,7 @@ do_download_sk(const char *skprovider, const char *device)
/* Save the key with the application string as the comment */
if (pass == NULL)
- pass = private_key_passphrase();
+ pass = private_key_passphrase(path);
if ((r = sshkey_save_private(key, path, pass,
key->sk_application, private_key_format,
openssh_format_cipher, rounds)) != 0) {
@@ -3811,7 +3844,7 @@ main(int argc, char **argv)
if (key_type_name == NULL)
key_type_name = DEFAULT_KEY_TYPE_NAME;
- type = sshkey_type_from_name(key_type_name);
+ type = sshkey_type_from_shortname(key_type_name);
type_bits_valid(type, key_type_name, &bits);
if (!quiet)
@@ -3913,7 +3946,7 @@ main(int argc, char **argv)
exit(1);
/* Determine the passphrase for the private key */
- passphrase = private_key_passphrase();
+ passphrase = private_key_passphrase(identity_file);
if (identity_comment) {
strlcpy(comment, identity_comment, sizeof(comment));
} else {