diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-09-27 08:42:39 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-09-27 08:42:39 +0000 |
commit | a747d063f7635fdb84741fdb1000a0bcf4ef1b17 (patch) | |
tree | 9222f8b5369cf31b9fa78f0fd519d005c92dcb74 /ssh-keygen.c | |
parent | Adding debian version 1:9.8p1-3. (diff) | |
download | openssh-a747d063f7635fdb84741fdb1000a0bcf4ef1b17.tar.xz openssh-a747d063f7635fdb84741fdb1000a0bcf4ef1b17.zip |
Merging upstream version 1:9.9p1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'ssh-keygen.c')
-rw-r--r-- | ssh-keygen.c | 93 |
1 files changed, 63 insertions, 30 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c index 97c6d13..8396c40 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.472 2024/01/11 01:45:36 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.475 2024/09/15 00:47:01 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -261,7 +261,7 @@ ask_filename(struct passwd *pw, const char *prompt) if (key_type_name == NULL) name = _PATH_SSH_CLIENT_ID_ED25519; else { - switch (sshkey_type_from_name(key_type_name)) { + switch (sshkey_type_from_shortname(key_type_name)) { #ifdef WITH_DSA case KEY_DSA_CERT: case KEY_DSA: @@ -313,7 +313,7 @@ ask_filename(struct passwd *pw, const char *prompt) static struct sshkey * load_identity(const char *filename, char **commentp) { - char *pass; + char *prompt, *pass; struct sshkey *prv; int r; @@ -325,8 +325,11 @@ load_identity(const char *filename, char **commentp) fatal_r(r, "Load key \"%s\"", filename); if (identity_passphrase) pass = xstrdup(identity_passphrase); - else - pass = read_passphrase("Enter passphrase: ", RP_ALLOW_STDIN); + else { + xasprintf(&prompt, "Enter passphrase for \"%s\": ", filename); + pass = read_passphrase(prompt, RP_ALLOW_STDIN); + free(prompt); + } r = sshkey_load_private(filename, pass, &prv, commentp); freezero(pass, strlen(pass)); if (r != 0) @@ -375,7 +378,8 @@ do_convert_to_pkcs8(struct sshkey *k) { switch (sshkey_type_plain(k->type)) { case KEY_RSA: - if (!PEM_write_RSA_PUBKEY(stdout, k->rsa)) + if (!PEM_write_RSA_PUBKEY(stdout, + EVP_PKEY_get0_RSA(k->pkey))) fatal("PEM_write_RSA_PUBKEY failed"); break; #ifdef WITH_DSA @@ -386,7 +390,8 @@ do_convert_to_pkcs8(struct sshkey *k) #endif #ifdef OPENSSL_HAS_ECC case KEY_ECDSA: - if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa)) + if (!PEM_write_EC_PUBKEY(stdout, + EVP_PKEY_get0_EC_KEY(k->pkey))) fatal("PEM_write_EC_PUBKEY failed"); break; #endif @@ -401,7 +406,8 @@ do_convert_to_pem(struct sshkey *k) { switch (sshkey_type_plain(k->type)) { case KEY_RSA: - if (!PEM_write_RSAPublicKey(stdout, k->rsa)) + if (!PEM_write_RSAPublicKey(stdout, + EVP_PKEY_get0_RSA(k->pkey))) fatal("PEM_write_RSAPublicKey failed"); break; #ifdef WITH_DSA @@ -412,7 +418,8 @@ do_convert_to_pem(struct sshkey *k) #endif #ifdef OPENSSL_HAS_ECC case KEY_ECDSA: - if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa)) + if (!PEM_write_EC_PUBKEY(stdout, + EVP_PKEY_get0_EC_KEY(k->pkey))) fatal("PEM_write_EC_PUBKEY failed"); break; #endif @@ -490,6 +497,8 @@ do_convert_private_ssh2(struct sshbuf *b) #endif BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL; BIGNUM *rsa_p = NULL, *rsa_q = NULL, *rsa_iqmp = NULL; + BIGNUM *rsa_dmp1 = NULL, *rsa_dmq1 = NULL; + RSA *rsa = NULL; if ((r = sshbuf_get_u32(b, &magic)) != 0) fatal_fr(r, "parse magic"); @@ -584,15 +593,25 @@ do_convert_private_ssh2(struct sshbuf *b) buffer_get_bignum_bits(b, rsa_iqmp); buffer_get_bignum_bits(b, rsa_q); buffer_get_bignum_bits(b, rsa_p); - if (!RSA_set0_key(key->rsa, rsa_n, rsa_e, rsa_d)) + if ((r = ssh_rsa_complete_crt_parameters(rsa_d, rsa_p, rsa_q, + rsa_iqmp, &rsa_dmp1, &rsa_dmq1)) != 0) + fatal_fr(r, "generate RSA CRT parameters"); + if ((key->pkey = EVP_PKEY_new()) == NULL) + fatal_f("EVP_PKEY_new failed"); + if ((rsa = RSA_new()) == NULL) + fatal_f("RSA_new failed"); + if (!RSA_set0_key(rsa, rsa_n, rsa_e, rsa_d)) fatal_f("RSA_set0_key failed"); rsa_n = rsa_e = rsa_d = NULL; /* transferred */ - if (!RSA_set0_factors(key->rsa, rsa_p, rsa_q)) + if (!RSA_set0_factors(rsa, rsa_p, rsa_q)) fatal_f("RSA_set0_factors failed"); rsa_p = rsa_q = NULL; /* transferred */ - if ((r = ssh_rsa_complete_crt_parameters(key, rsa_iqmp)) != 0) - fatal_fr(r, "generate RSA parameters"); - BN_clear_free(rsa_iqmp); + if (RSA_set0_crt_params(rsa, rsa_dmp1, rsa_dmq1, rsa_iqmp) != 1) + fatal_f("RSA_set0_crt_params failed"); + rsa_dmp1 = rsa_dmq1 = rsa_iqmp = NULL; + if (EVP_PKEY_set1_RSA(key->pkey, rsa) != 1) + fatal_f("EVP_PKEY_set1_RSA failed"); + RSA_free(rsa); alg = "rsa-sha2-256"; break; } @@ -712,7 +731,8 @@ do_convert_from_pkcs8(struct sshkey **k, int *private) if ((*k = sshkey_new(KEY_UNSPEC)) == NULL) fatal("sshkey_new failed"); (*k)->type = KEY_RSA; - (*k)->rsa = EVP_PKEY_get1_RSA(pubkey); + (*k)->pkey = pubkey; + pubkey = NULL; break; #ifdef WITH_DSA case EVP_PKEY_DSA: @@ -726,9 +746,11 @@ do_convert_from_pkcs8(struct sshkey **k, int *private) case EVP_PKEY_EC: if ((*k = sshkey_new(KEY_UNSPEC)) == NULL) fatal("sshkey_new failed"); + if (((*k)->ecdsa_nid = sshkey_ecdsa_fixup_group(pubkey)) == -1) + fatal("sshkey_ecdsa_fixup_group failed"); (*k)->type = KEY_ECDSA; - (*k)->ecdsa = EVP_PKEY_get1_EC_KEY(pubkey); - (*k)->ecdsa_nid = sshkey_ecdsa_key_to_nid((*k)->ecdsa); + (*k)->pkey = pubkey; + pubkey = NULL; break; #endif default: @@ -750,8 +772,12 @@ do_convert_from_pem(struct sshkey **k, int *private) if ((rsa = PEM_read_RSAPublicKey(fp, NULL, NULL, NULL)) != NULL) { if ((*k = sshkey_new(KEY_UNSPEC)) == NULL) fatal("sshkey_new failed"); + if (((*k)->pkey = EVP_PKEY_new()) == NULL) + fatal("EVP_PKEY_new failed"); (*k)->type = KEY_RSA; - (*k)->rsa = rsa; + if (EVP_PKEY_set1_RSA((*k)->pkey, rsa) != 1) + fatal("EVP_PKEY_set1_RSA failed"); + RSA_free(rsa); fclose(fp); return; } @@ -799,13 +825,15 @@ do_convert_from(struct passwd *pw) #endif #ifdef OPENSSL_HAS_ECC case KEY_ECDSA: - ok = PEM_write_ECPrivateKey(stdout, k->ecdsa, NULL, - NULL, 0, NULL, NULL); + ok = PEM_write_ECPrivateKey(stdout, + EVP_PKEY_get0_EC_KEY(k->pkey), NULL, NULL, 0, + NULL, NULL); break; #endif case KEY_RSA: - ok = PEM_write_RSAPrivateKey(stdout, k->rsa, NULL, - NULL, 0, NULL, NULL); + ok = PEM_write_RSAPrivateKey(stdout, + EVP_PKEY_get0_RSA(k->pkey), NULL, NULL, 0, + NULL, NULL); break; default: fatal_f("unsupported key type %s", sshkey_type(k)); @@ -1115,7 +1143,7 @@ do_gen_all_hostkeys(struct passwd *pw) } printf("%s ", key_types[i].key_type_display); fflush(stdout); - type = sshkey_type_from_name(key_types[i].key_type); + type = sshkey_type_from_shortname(key_types[i].key_type); if ((fd = mkstemp(prv_tmp)) == -1) { error("Could not save your private key in %s: %s", prv_tmp, strerror(errno)); @@ -1821,7 +1849,7 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent, free(tmp); if (key_type_name != NULL) { - if (sshkey_type_from_name(key_type_name) != ca->type) { + if (sshkey_type_from_shortname(key_type_name) != ca->type) { fatal("CA key type %s doesn't match specified %s", sshkey_ssh_name(ca), key_type_name); } @@ -3108,17 +3136,22 @@ read_check_passphrase(const char *prompt1, const char *prompt2, } static char * -private_key_passphrase(void) +private_key_passphrase(const char *path) { + char *prompt, *ret; + if (identity_passphrase) return xstrdup(identity_passphrase); if (identity_new_passphrase) return xstrdup(identity_new_passphrase); - return read_check_passphrase( - "Enter passphrase (empty for no passphrase): ", + xasprintf(&prompt, "Enter passphrase for \"%s\" " + "(empty for no passphrase): ", path); + ret = read_check_passphrase(prompt, "Enter same passphrase again: ", "Passphrases do not match. Try again."); + free(prompt); + return ret; } static char * @@ -3214,7 +3247,7 @@ do_download_sk(const char *skprovider, const char *device) /* Save the key with the application string as the comment */ if (pass == NULL) - pass = private_key_passphrase(); + pass = private_key_passphrase(path); if ((r = sshkey_save_private(key, path, pass, key->sk_application, private_key_format, openssh_format_cipher, rounds)) != 0) { @@ -3811,7 +3844,7 @@ main(int argc, char **argv) if (key_type_name == NULL) key_type_name = DEFAULT_KEY_TYPE_NAME; - type = sshkey_type_from_name(key_type_name); + type = sshkey_type_from_shortname(key_type_name); type_bits_valid(type, key_type_name, &bits); if (!quiet) @@ -3913,7 +3946,7 @@ main(int argc, char **argv) exit(1); /* Determine the passphrase for the private key */ - passphrase = private_key_passphrase(); + passphrase = private_key_passphrase(identity_file); if (identity_comment) { strlcpy(comment, identity_comment, sizeof(comment)); } else { |