Have tincctl generate ECDSA keys.

The generate-keys command now generates both an RSA and an ECDSA keypair,
but one can use generate-rsa-keys or generate-ecdsa-keys to generate just one type.
This commit is contained in:
Guus Sliepen 2011-07-03 22:25:29 +02:00
parent 8ace7f3e57
commit 80b81c00b1
3 changed files with 77 additions and 8 deletions


@ -11,14 +11,14 @@ tincd_SOURCES = \
protocol_key.c protocol_subnet.c route.c subnet.c tincd.c protocol_key.c protocol_subnet.c route.c subnet.c tincd.c
nodist_tincd_SOURCES = \ nodist_tincd_SOURCES = \
device.c cipher.c crypto.c ecdh.c ecdsagen.c digest.c prf.c rsa.c device.c cipher.c crypto.c ecdh.c digest.c prf.c rsa.c
tincctl_SOURCES = \ tincctl_SOURCES = \
utils.c getopt.c getopt1.c dropin.c \ utils.c getopt.c getopt1.c dropin.c \
list.c tincctl.c top.c list.c tincctl.c top.c
nodist_tincctl_SOURCES = \ nodist_tincctl_SOURCES = \
rsagen.c ecdsagen.c rsagen.c
if TUNEMU if TUNEMU
tincd_SOURCES += bsd/tunemu.c tincd_SOURCES += bsd/tunemu.c


@ -23,7 +23,6 @@
#include <openssl/err.h> #include <openssl/err.h>
#include <openssl/obj_mac.h> #include <openssl/obj_mac.h>
#include "logger.h"
#include "ecdsagen.h" #include "ecdsagen.h"
#include "utils.h" #include "utils.h"
@ -33,8 +32,8 @@ bool ecdsa_generate(ecdsa_t *ecdsa) {
*ecdsa = EC_KEY_new_by_curve_name(NID_secp521r1); *ecdsa = EC_KEY_new_by_curve_name(NID_secp521r1);
if(!EC_KEY_generate_key(*ecdsa)) { if(!EC_KEY_generate_key(*ecdsa)) {
logger(LOG_ERR, "Generating EC key failed: %s", ERR_error_string(ERR_get_error(), NULL)); fprintf(stderr, "Generating EC key failed: %s", ERR_error_string(ERR_get_error(), NULL));
abort(); return false;
} }
EC_KEY_set_asn1_flag(*ecdsa, OPENSSL_EC_NAMED_CURVE); EC_KEY_set_asn1_flag(*ecdsa, OPENSSL_EC_NAMED_CURVE);
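Review bot: Now that ecdsa_generate() returns false instead of aborting, the error path in this hunk leaves the EC_KEY allocated by EC_KEY_new_by_curve_name() in *ecdsa and leaks it, and it still does not guard the case where that allocation itself returned NULL, which EC_KEY_generate_key() would then dereference. The guard should cover both, `if(!*ecdsa || !EC_KEY_generate_key(*ecdsa)) {`, and the failure branch should release the handle and clear the caller's pointer before returning, `EC_KEY_free(*ecdsa); *ecdsa = NULL; return false;`, so the caller is never left holding a half-initialised key. The message moved from logger() to fprintf() also lost its line terminator; use `"Generating EC key failed: %s\n"`. The body of ecdsa_generate continues past the end of the hunk.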


@ -24,6 +24,7 @@
#include "xalloc.h" #include "xalloc.h"
#include "protocol.h" #include "protocol.h"
#include "control_common.h" #include "control_common.h"
#include "ecdsagen.h"
#include "rsagen.h" #include "rsagen.h"
#include "utils.h" #include "utils.h"
#include "tincctl.h" #include "tincctl.h"
@ -77,7 +78,9 @@ static void usage(bool status) {
" restart Restart tincd.\n" " restart Restart tincd.\n"
" reload Reload configuration of running tincd.\n" " reload Reload configuration of running tincd.\n"
" pid Show PID of currently running tincd.\n" " pid Show PID of currently running tincd.\n"
" generate-keys [bits] Generate a new public/private keypair.\n" " generate-keys [bits] Generate new RSA and ECDSA public/private keypairs.\n"
" generate-rsa-keys [bits] Generate a new RSA public/private keypair.\n"
" generate-ecdsa-keys Generate a new ECDSA public/private keypair.\n"
" dump Dump a list of one of the following things:\n" " dump Dump a list of one of the following things:\n"
" nodes - all known nodes in the VPN\n" " nodes - all known nodes in the VPN\n"
" edges - all known connections in the VPN\n" " edges - all known connections in the VPN\n"
@ -191,11 +194,70 @@ FILE *ask_and_open(const char *filename, const char *what, const char *mode) {
return r; return r;
} }
/*
Generate a public/private ECDSA keypair, and ask for a file to store
them in.
*/
static bool ecdsa_keygen() {
ecdsa_t key;
FILE *f;
char *filename;
fprintf(stderr, "Generating ECDSA keypair:\n");
if(!ecdsa_generate(&key)) {
fprintf(stderr, "Error during key generation!\n");
return false;
} else
fprintf(stderr, "Done.\n");
xasprintf(&filename, "%s/ecdsa_key.priv", confbase);
f = ask_and_open(filename, "private ECDSA key", "a");
if(!f)
return false;
#ifdef HAVE_FCHMOD
/* Make it unreadable for others. */
fchmod(fileno(f), 0600);
#endif
if(ftell(f))
fprintf(stderr, "Appending key to existing contents.\nMake sure only one key is stored in the file.\n");
ecdsa_write_pem_private_key(&key, f);
fclose(f);
free(filename);
if(name)
xasprintf(&filename, "%s/hosts/%s", confbase, name);
else
xasprintf(&filename, "%s/ecdsa_key.pub", confbase);
f = ask_and_open(filename, "public ECDSA key", "a");
if(!f)
return false;
if(ftell(f))
fprintf(stderr, "Appending key to existing contents.\nMake sure only one key is stored in the file.\n");
char *pubkey = ecdsa_get_base64_public_key(&key);
fprintf(f, "ECDSAPublicKey = %s\n", pubkey);
free(pubkey);
fclose(f);
free(filename);
return true;
}
/* /*
Generate a public/private RSA keypair, and ask for a file to store Generate a public/private RSA keypair, and ask for a file to store
them in. them in.
*/ */
static bool keygen(int bits) { static bool rsa_keygen(int bits) {
rsa_t key; rsa_t key;
FILE *f; FILE *f;
char *filename; char *filename;
@ -459,8 +521,16 @@ int main(int argc, char *argv[], char *envp[]) {
// First handle commands that don't involve connecting to a running tinc daemon. // First handle commands that don't involve connecting to a running tinc daemon.
if(!strcasecmp(argv[optind], "generate-rsa-keys")) {
return !rsa_keygen(optind > argc ? atoi(argv[optind + 1]) : 2048);
}
if(!strcasecmp(argv[optind], "generate-ecdsa-keys")) {
return !ecdsa_keygen();
}
if(!strcasecmp(argv[optind], "generate-keys")) { if(!strcasecmp(argv[optind], "generate-keys")) {
return !keygen(optind > argc ? atoi(argv[optind + 1]) : 2048); return !(rsa_keygen(optind > argc ? atoi(argv[optind + 1]) : 2048) && ecdsa_keygen());
} }
if(!strcasecmp(argv[optind], "start")) { if(!strcasecmp(argv[optind], "start")) {
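Review bot: In the new ecdsa_keygen() the private key is written and the stream closed without checking either ecdsa_write_pem_private_key() or fclose(), so a write failure (full disk, quota) leaves an empty or truncated ecdsa_key.priv while the command still reports "Done." and returns success; assuming ecdsa_write_pem_private_key() follows the file's bool convention, guard it as `if(!ecdsa_write_pem_private_key(&key, f) || fclose(f)) { fprintf(stderr, "Error writing private key to %s!\n", filename); return false; }` and treat the public-key fclose() the same way. The two early `return false` paths after ask_and_open() also drop the xasprintf'd `filename`, and the generated key is never released on any path; the ecdsa API's free routine, if there is one, belongs on every return. Separately, the main() hunk copies the pre-existing `optind > argc ? atoi(argv[optind + 1]) : 2048` into the new generate-rsa-keys branch, but optind > argc cannot hold once argv[optind] was just read, so the optional [bits] argument is silently ignored; the intended test looks like `optind + 1 < argc ? atoi(argv[optind + 1]) : 2048`, ideally with strtol and a range check rather than atoi. main() and the surrounding keygen code extend outside the visible hunks.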