Attachment #3335 for bug #3082

Lines 232-237 arc4random_addrandom(u_char *dat, int da Link Here

(-)openssh-8.0p1/openbsd-compat/arc4random.c (+9 lines)
232	_ARC4_UNLOCK();	232	_ARC4_UNLOCK();
233	}	233	}
234		234
		235	void
		236	arc4random_set(void *buf, size_t n)
		237	{
		238	_rs_init(buf, n);
		239	rs_have = 0;
		240	memset(rs_buf, 0, RSBUFSZ);
		241	rs_count = 1600000;
		242	}
		243
235	u_int32_t	244	u_int32_t
236	arc4random(void)	245	arc4random(void)
237	{	246	{




#include "digest.h"
#include "utf8.h"
#include "authfd.h"
#include "crypto_api.h"
#ifdef WITH_OPENSSL
# define DEFAULT_KEY_TYPE_NAME "rsa"
#else

{
	char dotsshdir[PATH_MAX], comment[1024], *passphrase1, *passphrase2;
	char *rr_hostname = NULL, *ep, *fp, *ra;
	char *derive_from = NULL;
	struct sshkey *private, *public;
	struct passwd *pw;
	struct stat st;

	if (gethostname(hostname, sizeof(hostname)) < 0)
		fatal("gethostname: %s", strerror(errno));

	/* Remaining characters: Yw */
	while ((opt = getopt(argc, argv, "ABHLQUXceghiklopquvxy"
	    "C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:"
	    "a:b:d:f:g:j:m:n:r:s:t:z:")) != -1) {
		switch (opt) {
		case 'A':
			gen_all_hostkeys = 1;

				fatal("Bits has bad value %s (%s)",
					optarg, errstr);
			break;
		case 'd':
			derive_from = optarg;
			break;
		case 'E':
			fingerprint_hash = ssh_digest_alg_by_name(optarg);
			if (fingerprint_hash == -1)

			exit(0);
		}
	}
	if (derive_from) {
		unsigned char hbuf[64];
		crypto_hash_sha512(hbuf, derive_from, strlen(derive_from));
		arc4random_set(hbuf, sizeof(hbuf));
	}

#ifdef WITH_OPENSSL
	if (do_gen_candidates) {

Lines 218-223 void arc4random_buf(void *, size_t); Link Here

(-)openssh-8.0p1/openbsd-compat/openbsd-compat.h (+4 lines)
218	u_int32_t arc4random_uniform(u_int32_t);	218	u_int32_t arc4random_uniform(u_int32_t);
219	#endif	219	#endif
220		220
		221	#ifndef HAVE_ARC4RANDOM_SET
		222	void arc4random_set(void *buf, size_t n);
		223	#endif
		224
221	#ifndef HAVE_ASPRINTF	225	#ifndef HAVE_ASPRINTF
222	int asprintf(char *, const char , ...);	226	int asprintf(char *, const char , ...);
223	#endif	227	#endif

Lines 51-56 Link Here

(-)openssh-8.0p1/ssh-keygen.1 (+3 lines)
51	.Op Fl C Ar comment	51	.Op Fl C Ar comment
52	.Op Fl f Ar output_keyfile	52	.Op Fl f Ar output_keyfile
53	.Op Fl m Ar format	53	.Op Fl m Ar format
		54	.Op Fl d Ar data
54	.Nm ssh-keygen	55	.Nm ssh-keygen
55	.Fl p	56	.Fl p
56	.Op Fl P Ar old_passphrase	57	.Op Fl P Ar old_passphrase
Lines 274-279 Provides a new comment. Link Here
274	Requests changing the comment in the private and public key files.	275	Requests changing the comment in the private and public key files.
275	The program will prompt for the file containing the private keys, for	276	The program will prompt for the file containing the private keys, for
276	the passphrase if the key has one, and for the new comment.	277	the passphrase if the key has one, and for the new comment.
		278	.It Fl d Ar data
		279	Derive the generated key from the given data deterministically.
277	.It Fl D Ar pkcs11	280	.It Fl D Ar pkcs11
278	Download the public keys provided by the PKCS#11 shared library	281	Download the public keys provided by the PKCS#11 shared library
279	.Ar pkcs11 .	282	.Ar pkcs11 .

Return to bug 3082

Lines 60-66 Link Here

(-)openssh-8.0p1/ssh-keygen.c (-3 / +12 lines)
60	#include "digest.h"	60	#include "digest.h"
61	#include "utf8.h"	61	#include "utf8.h"
62	#include "authfd.h"	62	#include "authfd.h"
63		63	#include "crypto_api.h"
64	#ifdef WITH_OPENSSL	64	#ifdef WITH_OPENSSL
65	# define DEFAULT_KEY_TYPE_NAME "rsa"	65	# define DEFAULT_KEY_TYPE_NAME "rsa"
66	#else	66	#else
Lines 2419-2424 main(int argc, char **argv) Link Here
2419	{	2419	{
2420	char dotsshdir[PATH_MAX], comment[1024], passphrase1, passphrase2;	2420	char dotsshdir[PATH_MAX], comment[1024], passphrase1, passphrase2;
2421	char rr_hostname = NULL, ep, fp, ra;	2421	char rr_hostname = NULL, ep, fp, ra;
		2422	char *derive_from = NULL;
2422	struct sshkey private, public;	2423	struct sshkey private, public;
2423	struct passwd *pw;	2424	struct passwd *pw;
2424	struct stat st;	2425	struct stat st;
Lines 2465-2474 main(int argc, char **argv) Link Here
2465	if (gethostname(hostname, sizeof(hostname)) < 0)	2466	if (gethostname(hostname, sizeof(hostname)) < 0)
2466	fatal("gethostname: %s", strerror(errno));	2467	fatal("gethostname: %s", strerror(errno));
2467		2468
2468	/* Remaining characters: Ydw */	2469	/* Remaining characters: Yw */
2469	while ((opt = getopt(argc, argv, "ABHLQUXceghiklopquvxy"	2470	while ((opt = getopt(argc, argv, "ABHLQUXceghiklopquvxy"
2470	"C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:"	2471	"C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:"
2471	"a:b:f:g:j:m:n:r:s:t:z:")) != -1) {	2472	"a:b:d:f:g:j:m:n:r:s:t:z:")) != -1) {
2472	switch (opt) {	2473	switch (opt) {
2473	case 'A':	2474	case 'A':
2474	gen_all_hostkeys = 1;	2475	gen_all_hostkeys = 1;
Lines 2479-2484 main(int argc, char **argv) Link Here
2479	fatal("Bits has bad value %s (%s)",	2480	fatal("Bits has bad value %s (%s)",
2480	optarg, errstr);	2481	optarg, errstr);
2481	break;	2482	break;
		2483	case 'd':
		2484	derive_from = optarg;
		2485	break;
2482	case 'E':	2486	case 'E':
2483	fingerprint_hash = ssh_digest_alg_by_name(optarg);	2487	fingerprint_hash = ssh_digest_alg_by_name(optarg);
2484	if (fingerprint_hash == -1)	2488	if (fingerprint_hash == -1)
Lines 2773-2778 main(int argc, char **argv) Link Here
2773	exit(0);	2777	exit(0);
2774	}	2778	}
2775	}	2779	}
		2780	if (derive_from) {
		2781	unsigned char hbuf[64];
		2782	crypto_hash_sha512(hbuf, derive_from, strlen(derive_from));
		2783	arc4random_set(hbuf, sizeof(hbuf));
		2784	}
2776		2785
2777	#ifdef WITH_OPENSSL	2786	#ifdef WITH_OPENSSL
2778	if (do_gen_candidates) {	2787	if (do_gen_candidates) {