- (djm) OpenBSD CVS Sync

- markus@cvs.openbsd.org 2005/10/07 11:13:57 [ssh-keygen.c] change DSA default back to 1024, as it's defined for 1024 bits only and this causes interop problems with other clients. moreover, in order to improve the security of DSA you need to change more components of DSA key generation (e.g. the internal SHA1 hash); ok deraadt
author: Damien Miller <djm@mindrot.org> 2005-11-05 14:52:18 +1100
committer: Damien Miller <djm@mindrot.org> 2005-11-05 14:52:18 +1100
commit: 3f54a9f5b7978e8e7085f86722bc2704f7fab2e2 (patch)
tree: a760ff59ed78f80e4d05661a2fb307f6e890b980
parent: d32e293c045025b80892e8b05285ca9617d83ef6 (diff)
2 files changed, 20 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index cf8031250..10c031042 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+20051105
+ - (djm) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2005/10/07 11:13:57
+     [ssh-keygen.c]
+     change DSA default back to 1024, as it's defined for 1024 bits only
+     and this causes interop problems with other clients.  moreover,
+     in order to improve the security of DSA you need to change more
+     components of DSA key generation (e.g. the internal SHA1 hash);
+     ok deraadt
 20051102
 - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup().
   Reported by olavi at ipunplugged.com and antoine.brodin at laposte.net
@@ -3130,4 +3140,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.3926 2005/11/01 22:07:31 dtucker Exp $
+$Id: ChangeLog,v 1.3927 2005/11/05 03:52:18 djm Exp $
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 92803da45..89686f5ac 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.129 2005/09/13 23:40:07 djm Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.130 2005/10/07 11:13:57 markus Exp $");
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@@ -35,8 +35,10 @@ RCSID("$OpenBSD: ssh-keygen.c,v 1.129 2005/09/13 23:40:07 djm Exp $");
 #endif
 #include "dns.h"
-/* Number of bits in the RSA/DSA key.  This value can be changed on the command line. */
+/* Number of bits in the RSA/DSA key.  This value can be set on the command line. */
-u_int32_t bits = 2048;
+#define DEFAULT_BITS            2048
+#define DEFAULT_BITS_DSA        1024
+u_int32_t bits = 0;
 /*
 * Flag indicating that we just want to change the passphrase.  This can be
@@ -1217,6 +1219,8 @@ main(int ac, char **av)
                            out_file, strerror(errno));
                        return (1);
                }
+                if (bits == 0)
+                        bits = DEFAULT_BITS;
                if (gen_candidates(out, memory, bits, start) != 0)
                        fatal("modulus candidate generation failed\n");
@@ -1258,6 +1262,8 @@ main(int ac, char **av)
        }
        if (!quiet)
                printf("Generating public/private %s key pair.\n", key_type_name);
+        if (bits == 0)
+                bits = (type == KEY_DSA) ? DEFAULT_BITS_DSA : DEFAULT_BITS;
        private = key_generate(type, bits);
        if (private == NULL) {
                fprintf(stderr, "key_generate failed");
author	Damien Miller <djm@mindrot.org>	2005-11-05 14:52:18 +1100
committer	Damien Miller <djm@mindrot.org>	2005-11-05 14:52:18 +1100
commit	3f54a9f5b7978e8e7085f86722bc2704f7fab2e2 (patch)
tree	a760ff59ed78f80e4d05661a2fb307f6e890b980
parent	d32e293c045025b80892e8b05285ca9617d83ef6 (diff)