blob: 54d1e689ea800e00708d9150519e48f3066c3450 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
#!/usr/bin/perl -w
#
# Module: gen_local_rsa_key.pl
#
# **** License ****
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# This code was originally developed by Vyatta, Inc.
# Portions created by Vyatta are Copyright (C) 2006, 2007 Vyatta, Inc.
# All Rights Reserved.
#
# Author: Stig Thormodsrud
# Date: 2007
# Description: Utility to generate a local RSA key.
#
# **** End License ****
#
use strict;
use warnings;
use lib "/opt/vyatta/share/perl5/";
use Vyatta::VPN::Util;
# Defaults
my $bits = 2192;
my $device = "/dev/random";
if ($#ARGV > 1) {
die "Usage: gen_local_rsa_key.pl <bits> <device>\n";
}
$bits = $ARGV[0] if $#ARGV >= 0;
#
# The ipsec newhostkey command seems to support up to
# 20000 bits for key generation, but xorp currently
# can't handle a line that long when entered in the
# config. Xorp seems to be able to handle keys generated
# with up to 5840 bits.
#
my ($bits_min, $bits_max) = (16, 4096);
if ($bits > $bits_max) {
die "bits must be <= $bits_max\n";
}
if ($bits < $bits_min) {
die "bits must be >= $bits_min\n";
}
if ($bits % 16 != 0) {
die "bits=$bits is not a multiple of 16\n";
}
$device = $ARGV[1] if $#ARGV >= 1;
unless (-r $device) {
die "invalid random number device $device\n";
}
my $local_key_file = rsa_get_local_key_file();
my ($cmd, $rc);
if (-r $local_key_file) {
$| =1; # force a flush
print "A local RSA key file already exists and will be overwritten\n";
print "<CTRL>C to exit: ";
my $loop = 9;
while ($loop) {
print "\b$loop";
sleep 1;
$loop--;
}
print "\n";
} else {
my ($dirpath) = ($local_key_file =~ m#^(.*/)?.*#s);
$cmd = "mkdir -p $dirpath";
$rc = system($cmd);
if ($rc != 0 ) {
die "Cannot mkdir $dirpath $!\n";
}
}
$cmd = "/usr/sbin/ipsec newhostkey --output $local_key_file --bits $bits";
#
# The default random number generator is /dev/random, but it will block
# if there isn't enough system activity to provide enough "good" random
# bits. Try /dev/urandom if it's taking too long.
#
$cmd .= " --random $device";
print "Generating rsa-key to $local_key_file\n";
vpn_debug $cmd;
$rc = system($cmd);
if ($rc != 0) {
die "Can not generate RSA key: $!\n";
}
my $file_pubkey = rsa_get_local_pubkey($local_key_file);
if ($file_pubkey ne 0) {
print "\nYour new local RSA key has been generated\n";
print "The public portion of the key is:\n\n$file_pubkey\n\n";
$cmd = "ipsec auto --rereadall 2> /dev/null";
vpn_debug $cmd;
system $cmd;
exit 0;
}
die "Can not find pubkey\n";
|