[Bug 2040] Provide a command-line option for the identity key bits

bk: 50b720b67ykwE-2zexj-8LXKnX0QAg

diff --git a/ChangeLog b/ChangeLog
index 40c2739160687c8c1d8fb8dac7fa9aa68269236a..e657ac5995a62e45240858130accecac30459926 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,4 @@
+* [Bug 2040] Provide a command-line option for the identity key bits.
 * Create loc/darwin for Mac OSX
 (4.2.7p326) 2012/11/21 Released by Harlan Stenn <stenn@ntp.org>
 * [Bug 1214] 'proto: precision = ...' should be at INFO, not NOTICE.

diff --git a/html/keygen.html b/html/keygen.html
index e300ac2e214d153c7cf40703f66500617ed141e7..28b8411bf20d1f77088d2239d6ebd05d083ac0d9 100644 (file)
--- a/html/keygen.html
+++ b/html/keygen.html
@@ -28,7 +28,7 @@
 </ul>
 <hr>
 <h4 id="synop">Synopsis</h4>
-<p id="intro"><tt>ntp-keygen [ -deGHIMPT ] [ -c [ RSA-MD2 | RSA-MD5 | RSA-SHA
+<p id="intro"><tt>ntp-keygen [ -deGHIMPT ] [ -b <i>modulus</i> ] [ -c [ RSA-MD2 | RSA-MD5 | RSA-SHA
   | RSA-SHA1 | RSA-MDC2 | RSA-RIPEMD160 | DSA-SHA | DSA-SHA1 ] ]
   [ -C <i>cipher</i> ] [-i <i>group</i> ] [ -l <em>days</em>]
   [ -m <i>modulus</i> ]  [ -p <i>passwd1</i> ] [ -q <i>passwd2</i> ] 
@@ -50,6 +50,8 @@
 <p>Additional information on trusted groups and identity schemes is on the <a href="autokey.html">Autokey Public-Key Authentication</a> page.</p>
 <h4 id="cmd">Command Line Options</h4>
 <dl>
+  <dt><tt>-b <i>modulus</i></tt></dt>
+  <dd>Set the modulus for generating identity keys to <i>modulus</i> bits. The modulus defaults to 256, but can be set from 256 (32 octets) to 2048 (256 octets). Use the larger moduli with caution, as this can consume considerable computing resources and increases the size of authenticated packets.</dd>
   <dt><tt>-c [ RSA-MD2 | RSA-MD5 | RSA-SHA | RSA-SHA1 | RSA-MDC2 | RSA-RIPEMD160 | DSA-SHA | DSA-SHA1 ]</tt></dt>
   <dd>Select certificate digital signature and message digest scheme. Note that  RSA schemes must be used with an RSA sign key and DSA schemes must be used with a DSA sign key. The default without this option is <tt>RSA-MD5</tt>. If compatibility with FIPS 140-2 is required, either the <tt>DSA-SHA</tt> or <tt>DSA-SHA1</tt> scheme must be used.</dd>
   <dt><tt>-C <i>cipher</i></tt></dt>
@@ -69,7 +71,7 @@
   <dt><tt>-l <i>days</i></tt></dt>
   <dd>Set the lifetime for certificates to <tt><i>days</i></tt>. The default lifetime is one year (365 d).</dd>
   <dt><tt>-m <i>modulus</i></tt></dt>
-  <dd>Set the modulus for generating files to <i>modulus</i> bits. The modulus defaults to 512, but can be set from 256 (32 octets) to 2048 (256 octets). Use the larger moduli with caution, as this can consume considerable computing resources.</dd>
+  <dd>Set the modulus for generating files to <i>modulus</i> bits. The modulus defaults to 512, but can be set from 256 (32 octets) to 2048 (256 octets). Use the larger moduli with caution, as this can consume considerable computing resources and increases the size of authenticated packets.</dd>
   <dt><tt>-M</tt></dt>
   <dd>Generate a new  keys file containing 10 MD5  keys and 10 SHA  keys. An MD5 key is a string of 20 random printable ASCII characters, while a SHA key is a string of 40 random hex digits. The file can be edited using a text editor to change the key type or key content. This option is mutually exclusive with all other option.</dd>
   <dt><tt>-P</tt></dt>

diff --git a/util/ntp-keygen-opts.def b/util/ntp-keygen-opts.def
index dc072cb3b50b4a282d28d360b94bd4078a8dbce0..190432568a0f1acd7de86be17680926a905656bc 100644 (file)
--- a/util/ntp-keygen-opts.def
+++ b/util/ntp-keygen-opts.def
@@ -15,6 +15,19 @@ test-main;
 include        = '#include <stdlib.h>';
 #include       version.def
 
+flag = {
+    value     = b;
+    name      = imbits;
+    arg-type  = number;
+    arg-name  = imbits;
+    arg-range = '256->2048';
+    ifdef     = AUTOKEY;
+    descrip   = "identity modulus bits";
+    doc = <<-  _EndOfDoc_
+       The number of bits in the identity modulus.  The default is 256.
+       _EndOfDoc_;
+};
+
 flag = {
     value     = c;
     name      = certificate;