add configuration option for default RSA size.

print key size with dropbearkey
2025-04-03 12:30:55 +00:00 · 2017-06-24 23:32:25 +08:00 · 2017-06-24 23:32:25 +08:00 · a94338dc67
commit a94338dc67
parent 364fb6019c
6 changed files with 32 additions and 13 deletions
--- a/default_options.h
+++ b/default_options.h
@ -10,7 +10,7 @@ Local customisation should be added to localoptions.h which is
 used if it exists. Options defined there will override any options in this
 file (#ifndef guards added by ifndef_wrapper.sh).

-Options can also be defined with -DDROPBEAR_XXX Makefile CFLAGS
+Options can also be defined with -DDROPBEAR_XXX in Makefile CFLAGS

 IMPORTANT: Many options will require "make clean" after changes */

@ -198,6 +198,13 @@ If you test it please contact the Dropbear author */
 #define DROPBEAR_ECDSA 1
 #endif

+/* RSA must be >=1024 */
+#ifndef DROPBEAR_DEFAULT_RSA_SIZE
+#define DROPBEAR_DEFAULT_RSA_SIZE 2048
+#endif
+/* DSS is always 1024 */
+/* ECDSA defaults to largest size configured, usually 521 */
+
 /* Add runtime flag "-R" to generate hostkeys as-needed when the first 
   connection using that key type occurs.
   This avoids the need to otherwise run "dropbearkey" and avoids some problems
--- a/default_options.h.in
+++ b/default_options.h.in
@ -10,7 +10,7 @@ Local customisation should be added to localoptions.h which is
 used if it exists. Options defined there will override any options in this
 file (#ifndef guards added by ifndef_wrapper.sh).

-Options can also be defined with -DDROPBEAR_XXX Makefile CFLAGS
+Options can also be defined with -DDROPBEAR_XXX in Makefile CFLAGS

 IMPORTANT: Many options will require "make clean" after changes */

@ -130,6 +130,11 @@ If you test it please contact the Dropbear author */
 * on x86-64 */
 #define DROPBEAR_ECDSA 1

+/* RSA must be >=1024 */
+#define DROPBEAR_DEFAULT_RSA_SIZE 2048
+/* DSS is always 1024 */
+/* ECDSA defaults to largest size configured, usually 521 */
+
 /* Add runtime flag "-R" to generate hostkeys as-needed when the first 
   connection using that key type occurs.
   This avoids the need to otherwise run "dropbearkey" and avoids some problems
--- a/dropbearkey.c
+++ b/dropbearkey.c
@ -139,7 +139,7 @@ int main(int argc, char ** argv) {
 	enum signkey_type keytype = DROPBEAR_SIGNKEY_NONE;
 	char * typetext = NULL;
 	char * sizetext = NULL;
-	unsigned int bits = 0;
+	unsigned int bits = 0, genbits;
 	int printpub = 0;

 	crypto_init();
@ -240,7 +240,8 @@ int main(int argc, char ** argv) {
 		check_signkey_bits(keytype, bits);;
 	}

-	fprintf(stderr, "Generating key, this may take a while...\n");
+	genbits = signkey_generate_get_bits(keytype, bits);
+	fprintf(stderr, "Generating %d bit %s key, this may take a while...\n", genbits, typetext);
 	if (signkey_generate(keytype, bits, filename, 0) == DROPBEAR_FAILURE)
 	{
 		dropbear_exit("Failed to generate key.\n");
--- a/gensignkey.c
+++ b/gensignkey.c
@ -7,9 +7,6 @@
 #include "signkey.h"
 #include "dbrandom.h"

-#define RSA_DEFAULT_SIZE 2048
-#define DSS_DEFAULT_SIZE 1024
-
 /* Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
 static int buf_writefile(buffer * buf, const char * filename) {
 	int ret = DROPBEAR_FAILURE;
@ -55,11 +52,12 @@ static int get_default_bits(enum signkey_type keytype)
 	switch (keytype) {
 #if DROPBEAR_RSA
 		case DROPBEAR_SIGNKEY_RSA:
-			return RSA_DEFAULT_SIZE;
+			return DROPBEAR_DEFAULT_RSA_SIZE;
 #endif
 #if DROPBEAR_DSS
 		case DROPBEAR_SIGNKEY_DSS:
-			return DSS_DEFAULT_SIZE;
+			/* DSS for SSH only defines 1024 bits */
+			return 1024;
 #endif
 #if DROPBEAR_ECDSA
 		case DROPBEAR_SIGNKEY_ECDSA_KEYGEN:
@ -76,6 +74,14 @@ static int get_default_bits(enum signkey_type keytype)
 	}
 }

+int signkey_generate_get_bits(enum signkey_type keytype, int bits) {
+	if (bits == 0)
+	{
+		bits = get_default_bits(keytype);
+	}
+	return bits;
+}
+
 /* if skip_exist is set it will silently return if the key file exists */
 int signkey_generate(enum signkey_type keytype, int bits, const char* filename, int skip_exist)
 {
@ -83,10 +89,7 @@ int signkey_generate(enum signkey_type keytype, int bits, const char* filename,
 	buffer *buf = NULL;
 	char *fn_temp = NULL;
 	int ret = DROPBEAR_FAILURE;
-	if (bits == 0)
-	{
-		bits = get_default_bits(keytype);
-	}
+	bits = signkey_generate_get_bits(keytype, bits);

 	/* now we can generate the key */
 	key = new_sign_key();
--- a/gensignkey.h
+++ b/gensignkey.h
@ -4,5 +4,6 @@
 #include "signkey.h"

 int signkey_generate(enum signkey_type type, int bits, const char* filename, int skip_exist);
+int signkey_generate_get_bits(enum signkey_type keytype, int bits);

 #endif
--- a/options.h
+++ b/options.h
@ -2,6 +2,8 @@
 #define DROPBEAR_OPTIONS_H

 /* 
+            > > > Don't edit this file any more! < < <
+            
 Local compile-time configuration should be defined in localoptions.h
 See default_options.h.in for a description of the available options.
 */