-rw-r--r--default_options.h9
-rw-r--r--default_options.h.in7
-rw-r--r--dropbearkey.c5
-rw-r--r--gensignkey.c21
-rw-r--r--gensignkey.h1
-rw-r--r--options.h2
6 files changed, 32 insertions, 13 deletions
diff --git a/default_options.h b/default_options.h
index e59c338..e7fad80 100644
--- a/default_options.h
+++ b/default_options.h
@@ -10,7 +10,7 @@ Local customisation should be added to localoptions.h which is
used if it exists. Options defined there will override any options in this
file (#ifndef guards added by ifndef_wrapper.sh).
-Options can also be defined with -DDROPBEAR_XXX Makefile CFLAGS
+Options can also be defined with -DDROPBEAR_XXX in Makefile CFLAGS
IMPORTANT: Many options will require "make clean" after changes */
@@ -198,6 +198,13 @@ If you test it please contact the Dropbear author */
#define DROPBEAR_ECDSA 1
#endif
+/* RSA must be >=1024 */
+#ifndef DROPBEAR_DEFAULT_RSA_SIZE
+#define DROPBEAR_DEFAULT_RSA_SIZE 2048
+#endif
+/* DSS is always 1024 */
+/* ECDSA defaults to largest size configured, usually 521 */
+
/* Add runtime flag "-R" to generate hostkeys as-needed when the first
connection using that key type occurs.
This avoids the need to otherwise run "dropbearkey" and avoids some problems
diff --git a/default_options.h.in b/default_options.h.in
index e81eaae..3a55731 100644
--- a/default_options.h.in
+++ b/default_options.h.in
@@ -10,7 +10,7 @@ Local customisation should be added to localoptions.h which is
used if it exists. Options defined there will override any options in this
file (#ifndef guards added by ifndef_wrapper.sh).
-Options can also be defined with -DDROPBEAR_XXX Makefile CFLAGS
+Options can also be defined with -DDROPBEAR_XXX in Makefile CFLAGS
IMPORTANT: Many options will require "make clean" after changes */
@@ -130,6 +130,11 @@ If you test it please contact the Dropbear author */
* on x86-64 */
#define DROPBEAR_ECDSA 1
+/* RSA must be >=1024 */
+#define DROPBEAR_DEFAULT_RSA_SIZE 2048
+/* DSS is always 1024 */
+/* ECDSA defaults to largest size configured, usually 521 */
+
/* Add runtime flag "-R" to generate hostkeys as-needed when the first
connection using that key type occurs.
This avoids the need to otherwise run "dropbearkey" and avoids some problems
diff --git a/dropbearkey.c b/dropbearkey.c
index 5cb12ef..316d27e 100644
--- a/dropbearkey.c
+++ b/dropbearkey.c
@@ -139,7 +139,7 @@ int main(int argc, char ** argv) {
enum signkey_type keytype = DROPBEAR_SIGNKEY_NONE;
char * typetext = NULL;
char * sizetext = NULL;
- unsigned int bits = 0;
+ unsigned int bits = 0, genbits;
int printpub = 0;
crypto_init();
@@ -240,7 +240,8 @@ int main(int argc, char ** argv) {
check_signkey_bits(keytype, bits);;
}
- fprintf(stderr, "Generating key, this may take a while...\n");
+ genbits = signkey_generate_get_bits(keytype, bits);
+ fprintf(stderr, "Generating %d bit %s key, this may take a while...\n", genbits, typetext);
if (signkey_generate(keytype, bits, filename, 0) == DROPBEAR_FAILURE)
{
dropbear_exit("Failed to generate key.\n");
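Review bot: The new `fprintf(stderr, "Generating %d bit %s key, ...", genbits, typetext)` formats `genbits` with `%d`, but the earlier hunk declares it `unsigned int` (shared with `bits`) while `signkey_generate_get_bits` returns `int`; pick one, e.g. declare `int genbits;` or use `%u` in the format, so the specifier and argument type agree. Separately, the `check_signkey_bits(keytype, bits)` call just above this hunk appears to sit inside a block that only runs when a size was given on the command line, so the compile-time default resolved into `genbits` is never validated against the same limits; adding `check_signkey_bits(keytype, genbits);` immediately after computing it would also catch an out-of-range `DROPBEAR_DEFAULT_RSA_SIZE` override. main() begins and ends outside the hunk.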
diff --git a/gensignkey.c b/gensignkey.c
index 4691de0..8317fea 100644
--- a/gensignkey.c
+++ b/gensignkey.c
@@ -7,9 +7,6 @@
#include "signkey.h"
#include "dbrandom.h"
-#define RSA_DEFAULT_SIZE 2048
-#define DSS_DEFAULT_SIZE 1024
-
/* Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
static int buf_writefile(buffer * buf, const char * filename) {
int ret = DROPBEAR_FAILURE;
@@ -55,11 +52,12 @@ static int get_default_bits(enum signkey_type keytype)
switch (keytype) {
#if DROPBEAR_RSA
case DROPBEAR_SIGNKEY_RSA:
- return RSA_DEFAULT_SIZE;
+ return DROPBEAR_DEFAULT_RSA_SIZE;
#endif
#if DROPBEAR_DSS
case DROPBEAR_SIGNKEY_DSS:
- return DSS_DEFAULT_SIZE;
+ /* DSS for SSH only defines 1024 bits */
+ return 1024;
#endif
#if DROPBEAR_ECDSA
case DROPBEAR_SIGNKEY_ECDSA_KEYGEN:
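Review bot: The header comment promises "RSA must be >=1024" for the new `DROPBEAR_DEFAULT_RSA_SIZE`, but nothing visible enforces it, and `get_default_bits` returns the macro straight into key generation, so a localoptions.h or -D override below that bound would produce a weak host key silently. A preprocessor guard above `get_default_bits` would fail the build instead: `#if DROPBEAR_DEFAULT_RSA_SIZE < 1024` / `#error "DROPBEAR_DEFAULT_RSA_SIZE must be >= 1024"` / `#endif`. Placing it here rather than in default_options.h avoids the ifndef_wrapper.sh-generated header. get_default_bits starts before this hunk and its end is in the next one.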
@@ -76,6 +74,14 @@ static int get_default_bits(enum signkey_type keytype)
}
}
+int signkey_generate_get_bits(enum signkey_type keytype, int bits) {
+ if (bits == 0)
+ {
+ bits = get_default_bits(keytype);
+ }
+ return bits;
+}
+
/* if skip_exist is set it will silently return if the key file exists */
int signkey_generate(enum signkey_type keytype, int bits, const char* filename, int skip_exist)
{
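Review bot: `signkey_generate_get_bits` is now exported through gensignkey.h but carries no comment, while the neighbouring `signkey_generate` and `buf_writefile` each document their contract in this file's `/* ... */` style; add one above it, e.g. `/* Returns the key size signkey_generate() will use for keytype: bits if non-zero, otherwise the compile-time default from get_default_bits() */`. It would also be worth stating in that comment that the value is not range-checked here, since callers such as dropbearkey.c print it before generation.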
@@ -83,10 +89,7 @@ int signkey_generate(enum signkey_type keytype, int bits, const char* filename,
buffer *buf = NULL;
char *fn_temp = NULL;
int ret = DROPBEAR_FAILURE;
- if (bits == 0)
- {
- bits = get_default_bits(keytype);
- }
+ bits = signkey_generate_get_bits(keytype, bits);
/* now we can generate the key */
key = new_sign_key();
diff --git a/gensignkey.h b/gensignkey.h
index 1cba8d3..73b9c3c 100644
--- a/gensignkey.h
+++ b/gensignkey.h
@@ -4,5 +4,6 @@
#include "signkey.h"
int signkey_generate(enum signkey_type type, int bits, const char* filename, int skip_exist);
+int signkey_generate_get_bits(enum signkey_type keytype, int bits);
#endif
diff --git a/options.h b/options.h
index 9350020..c1782d2 100644
--- a/options.h
+++ b/options.h
@@ -2,6 +2,8 @@
#define DROPBEAR_OPTIONS_H
/*
+ > > > Don't edit this file any more! < < <
+
Local compile-time configuration should be defined in localoptions.h
See default_options.h.in for a description of the available options.
*/