ssh-keygen: tweak error for -b

ssh-keygen: tweak error for -b

Christian Weisgerber
Seen on misc@:

> $ ssh-keygen -t ed25519 -b 20000
> key bits exceeds maximum 16384

The check for > OPENSSL_RSA_MAX_MODULUS_BITS should only be applied
to RSA keys.  No point in checking for > OPENSSL_DSA_MAX_MODULUS_BITS,
since we only permit 1024-bit DSA keys anyway.

While there, only set DEFAULT_BITS for RSA keys.

ok?

Index: ssh-keygen.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v
retrieving revision 1.333
diff -u -p -r1.333 ssh-keygen.c
--- ssh-keygen.c 28 Jun 2019 13:35:04 -0000 1.333
+++ ssh-keygen.c 4 Jul 2019 19:38:45 -0000
@@ -168,30 +168,31 @@ static void
 type_bits_valid(int type, const char *name, u_int32_t *bitsp)
 {
 #ifdef WITH_OPENSSL
- u_int maxbits, nid;
+ u_int nid;
 #endif
 
  if (type == KEY_UNSPEC)
  fatal("unknown key type %s", key_type_name);
  if (*bitsp == 0) {
 #ifdef WITH_OPENSSL
- if (type == KEY_DSA)
+ switch(type) {
+ case KEY_DSA:
  *bitsp = DEFAULT_BITS_DSA;
- else if (type == KEY_ECDSA) {
+ break;
+ case KEY_ECDSA:
  if (name != NULL &&
     (nid = sshkey_ecdsa_nid_from_name(name)) > 0)
  *bitsp = sshkey_curve_nid_to_bits(nid);
  if (*bitsp == 0)
  *bitsp = DEFAULT_BITS_ECDSA;
- } else
-#endif
+ break;
+ case KEY_RSA:
  *bitsp = DEFAULT_BITS;
+ break;
+ }
+#endif
  }
 #ifdef WITH_OPENSSL
- maxbits = (type == KEY_DSA) ?
-    OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
- if (*bitsp > maxbits)
- fatal("key bits exceeds maximum %d", maxbits);
  switch (type) {
  case KEY_DSA:
  if (*bitsp != 1024)
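Review bot: `switch(type) {` on the first added line of this block is missing the space after the keyword; the existing `switch (type) {` lower in the same hunk has it, so match that. The new switch deliberately has no `default:` arm, so only RSA falls back to `DEFAULT_BITS` as the message says; but with the blanket `maxbits` check deleted, a `-b` value given for a key type that has no case in the lower `switch (type)` is no longer rejected anywhere in this function, so confirm that switch covers every type whose size the user can set, or reject an explicit `-b` for the others.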
@@ -201,6 +202,9 @@ type_bits_valid(int type, const char *na
  if (*bitsp < SSH_RSA_MINIMUM_MODULUS_SIZE)
  fatal("Invalid RSA key length: minimum is %d bits",
     SSH_RSA_MINIMUM_MODULUS_SIZE);
+ else if (*bitsp > OPENSSL_RSA_MAX_MODULUS_BITS)
+ fatal("Invalid RSA key length: maximum is %d bits",
+    OPENSSL_RSA_MAX_MODULUS_BITS);
  break;
  case KEY_ECDSA:
  if (sshkey_ecdsa_bits_to_nid(*bitsp) == -1)
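Review bot: the `else if` on the first added line chains onto an `if` whose body is `fatal()`, which never returns, so the `else` is dead syntax; a plain `if (*bitsp > OPENSSL_RSA_MAX_MODULUS_BITS)` reads more clearly and matches the style of the `KEY_ECDSA` case below. The message itself is the right change: it names the key type and mirrors the minimum-size message two lines above instead of the generic "key bits exceeds maximum" the removed check printed.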
--
Christian "naddy" Weisgerber                          [hidden email]

Re: ssh-keygen: tweak error for -b

Darren Tucker-3
ok dtucker with one suggestion.

On Fri, 5 Jul 2019 at 06:01, Christian Weisgerber <[hidden email]> wrote:
[...]
>  #ifdef WITH_OPENSSL
> -       u_int maxbits, nid;
> +       u_int nid;

nid is only used inside the #ifdef below; you can move this
declaration to the start of the block where it's used and delete this
ifdef.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.