# HG changeset patch
# User Matt Johnston
# Date 1498318345 -28800
# Node ID 4f8eb331174fa4ad199496356e28056e209bea28
# Parent 60fc6476e0443a05717ae16c5e181f1e41c6a343
add configuration option for default RSA size. print key size with dropbearkey
diff -r 60fc6476e044 -r 4f8eb331174f default_options.h
--- a/default_options.h Sat Jun 24 22:37:14 2017 +0800
+++ b/default_options.h Sat Jun 24 23:32:25 2017 +0800
@@ -10,7 +10,7 @@
 used if it exists. Options defined there will override any options in this
 file (#ifndef guards added by ifndef_wrapper.sh).
 
-Options can also be defined with -DDROPBEAR_XXX Makefile CFLAGS
+Options can also be defined with -DDROPBEAR_XXX in Makefile CFLAGS
 
 IMPORTANT: Many options will require "make clean" after changes */
 
@@ -198,6 +198,13 @@
 #define DROPBEAR_ECDSA 1
 #endif
 
+/* RSA must be >=1024 */
+#ifndef DROPBEAR_DEFAULT_RSA_SIZE
+#define DROPBEAR_DEFAULT_RSA_SIZE 2048
+#endif
+/* DSS is always 1024 */
+/* ECDSA defaults to largest size configured, usually 521 */
+
 /* Add runtime flag "-R" to generate hostkeys as-needed when the first
    connection using that key type occurs.
    This avoids the need to otherwise run "dropbearkey" and avoids some problems
diff -r 60fc6476e044 -r 4f8eb331174f default_options.h.in
--- a/default_options.h.in Sat Jun 24 22:37:14 2017 +0800
+++ b/default_options.h.in Sat Jun 24 23:32:25 2017 +0800
@@ -10,7 +10,7 @@
 used if it exists. Options defined there will override any options in this
 file (#ifndef guards added by ifndef_wrapper.sh).
 
-Options can also be defined with -DDROPBEAR_XXX Makefile CFLAGS
+Options can also be defined with -DDROPBEAR_XXX in Makefile CFLAGS
 
 IMPORTANT: Many options will require "make clean" after changes */
 
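Review bot: The comment `/* RSA must be >=1024 */` added above `DROPBEAR_DEFAULT_RSA_SIZE` in the @@ -198,6 +198,13 @@ hunk states a lower bound that nothing in the hunk enforces, so a localoptions.h or `-DDROPBEAR_DEFAULT_RSA_SIZE=...` override below 1024 is accepted silently at compile time. A preprocessor guard right after the `#endif` would turn that into a build error: `#if DROPBEAR_DEFAULT_RSA_SIZE < 1024` / `#error "DROPBEAR_DEFAULT_RSA_SIZE must be >= 1024"` / `#endif`. The same point applies to the default_options.h.in hunk at @@ -130,6 +130,11 @@, which is where the guard belongs if default_options.h is generated from it by ifndef_wrapper.sh as the file comment says. Whether dropbearkey's runtime `check_signkey_bits()` also covers the default-size path is not visible in this diff, so a compile-time check is the safer place for the constraint.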
@@ -130,6 +130,11 @@
  * on x86-64 */
 #define DROPBEAR_ECDSA 1
 
+/* RSA must be >=1024 */
+#define DROPBEAR_DEFAULT_RSA_SIZE 2048
+/* DSS is always 1024 */
+/* ECDSA defaults to largest size configured, usually 521 */
+
 /* Add runtime flag "-R" to generate hostkeys as-needed when the first
    connection using that key type occurs.
    This avoids the need to otherwise run "dropbearkey" and avoids some problems
diff -r 60fc6476e044 -r 4f8eb331174f dropbearkey.c
--- a/dropbearkey.c Sat Jun 24 22:37:14 2017 +0800
+++ b/dropbearkey.c Sat Jun 24 23:32:25 2017 +0800
@@ -139,7 +139,7 @@
 	enum signkey_type keytype = DROPBEAR_SIGNKEY_NONE;
 	char * typetext = NULL;
 	char * sizetext = NULL;
-	unsigned int bits = 0;
+	unsigned int bits = 0, genbits;
 	int printpub = 0;
 
 	crypto_init();
@@ -240,7 +240,8 @@
 		check_signkey_bits(keytype, bits);;
 	}
 
-	fprintf(stderr, "Generating key, this may take a while...\n");
+	genbits = signkey_generate_get_bits(keytype, bits);
+	fprintf(stderr, "Generating %d bit %s key, this may take a while...\n", genbits, typetext);
 	if (signkey_generate(keytype, bits, filename, 0) == DROPBEAR_FAILURE)
 	{
 		dropbear_exit("Failed to generate key.\n");
diff -r 60fc6476e044 -r 4f8eb331174f gensignkey.c
--- a/gensignkey.c Sat Jun 24 22:37:14 2017 +0800
+++ b/gensignkey.c Sat Jun 24 23:32:25 2017 +0800
@@ -7,9 +7,6 @@
 #include "signkey.h"
 #include "dbrandom.h"
 
-#define RSA_DEFAULT_SIZE 2048
-#define DSS_DEFAULT_SIZE 1024
-
 /* Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
 static int buf_writefile(buffer * buf, const char * filename) {
 	int ret = DROPBEAR_FAILURE;
@@ -55,11 +52,12 @@
 	switch (keytype) {
 #if DROPBEAR_RSA
 		case DROPBEAR_SIGNKEY_RSA:
-			return RSA_DEFAULT_SIZE;
+			return DROPBEAR_DEFAULT_RSA_SIZE;
 #endif
 #if DROPBEAR_DSS
 		case DROPBEAR_SIGNKEY_DSS:
-			return DSS_DEFAULT_SIZE;
+			/* DSS for SSH only defines 1024 bits */
+			return 1024;
 #endif
 #if DROPBEAR_ECDSA
 		case DROPBEAR_SIGNKEY_ECDSA_KEYGEN:
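Review bot: In the new fprintf in dropbearkey.c at @@ -240,7 +240,8 @@, `genbits` is declared `unsigned int` in the @@ -139,7 +139,7 @@ hunk but is printed with `%d`; the matching conversion is `%u`, i.e. `fprintf(stderr, "Generating %u bit %s key, this may take a while...\n", genbits, typetext);`. The same variable is also passed to and assigned from `signkey_generate_get_bits()`, whose parameter and return type are `int`, so declaring `bits` and `genbits` as `int` would match that interface (and `signkey_generate()`, which already takes `int bits`) without implicit sign conversions. Initialising at the declaration, `unsigned int bits = 0, genbits = 0;`, would also keep `genbits` defined even if the two hunks are later edited independently.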
@@ -76,6 +74,14 @@
 	}
 }
 
+int signkey_generate_get_bits(enum signkey_type keytype, int bits) {
+	if (bits == 0)
+	{
+		bits = get_default_bits(keytype);
+	}
+	return bits;
+}
+
 /* if skip_exist is set it will silently return if the key file exists */
 int signkey_generate(enum signkey_type keytype, int bits, const char* filename, int skip_exist)
 {
@@ -83,10 +89,7 @@
 	buffer *buf = NULL;
 	char *fn_temp = NULL;
 	int ret = DROPBEAR_FAILURE;
-	if (bits == 0)
-	{
-		bits = get_default_bits(keytype);
-	}
+	bits = signkey_generate_get_bits(keytype, bits);
 
 	/* now we can generate the key */
 	key = new_sign_key();
diff -r 60fc6476e044 -r 4f8eb331174f gensignkey.h
--- a/gensignkey.h Sat Jun 24 22:37:14 2017 +0800
+++ b/gensignkey.h Sat Jun 24 23:32:25 2017 +0800
@@ -4,5 +4,6 @@
 #include "signkey.h"
 
 int signkey_generate(enum signkey_type type, int bits, const char* filename, int skip_exist);
+int signkey_generate_get_bits(enum signkey_type keytype, int bits);
 
 #endif
diff -r 60fc6476e044 -r 4f8eb331174f options.h
--- a/options.h Sat Jun 24 22:37:14 2017 +0800
+++ b/options.h Sat Jun 24 23:32:25 2017 +0800
@@ -2,6 +2,8 @@
 #define DROPBEAR_OPTIONS_H
 
 /*
+ > > > Don't edit this file any more! < < <
+
  Local compile-time configuration should be defined in localoptions.h
  See default_options.h.in for a description of the available options.
 */
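Review bot: The newly exported `signkey_generate_get_bits()` in the @@ -76,6 +74,14 @@ hunk has no header comment, while its neighbour `signkey_generate()` documents its contract; a line such as `/* Returns the key size signkey_generate() will use: bits if non-zero, otherwise the compiled-in default for keytype */` above the definition would make the helper self-describing. Note that it performs no range check on a caller-supplied `bits`, so the `>=1024` requirement stated next to `DROPBEAR_DEFAULT_RSA_SIZE` still rests entirely on callers; in dropbearkey.c the `check_signkey_bits()` call visible in the @@ -240 hunk appears to sit on the explicit-size branch only, though that branch is not fully visible here. Because `signkey_generate()` now resolves its size through this same function (the @@ -83,10 +89,7 @@ hunk), any validation added here would cover every caller of `signkey_generate()` as well.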
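Review bot: In gensignkey.h the new prototype names its first parameter `keytype`, while the existing `signkey_generate` prototype on the line above calls the same parameter `type`; the definitions in gensignkey.c use `keytype` for both, so changing the older line to `int signkey_generate(enum signkey_type keytype, int bits, const char* filename, int skip_exist);` would keep the header consistent with its implementation. Prototype parameter names are documentation only, so this is a readability point rather than a functional one.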