diff options
| author | Damien Miller <djm@mindrot.org> | 2005-11-05 14:52:18 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2005-11-05 14:52:18 +1100 |
| commit | 3f54a9f5b7978e8e7085f86722bc2704f7fab2e2 (patch) | |
| tree | a760ff59ed78f80e4d05661a2fb307f6e890b980 /ssh-keygen.c | |
| parent | d32e293c045025b80892e8b05285ca9617d83ef6 (diff) | |
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2005/10/07 11:13:57
[ssh-keygen.c]
change DSA default back to 1024, as it's defined for 1024 bits only
and this causes interop problems with other clients. moreover,
in order to improve the security of DSA you need to change more
components of DSA key generation (e.g. the internal SHA1 hash);
ok deraadt
Diffstat (limited to 'ssh-keygen.c')
| -rw-r--r-- | ssh-keygen.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c index 92803da45..89686f5ac 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
| @@ -12,7 +12,7 @@ | |||
| 12 | */ | 12 | */ |
| 13 | 13 | ||
| 14 | #include "includes.h" | 14 | #include "includes.h" |
| 15 | RCSID("$OpenBSD: ssh-keygen.c,v 1.129 2005/09/13 23:40:07 djm Exp $"); | 15 | RCSID("$OpenBSD: ssh-keygen.c,v 1.130 2005/10/07 11:13:57 markus Exp $"); |
| 16 | 16 | ||
| 17 | #include <openssl/evp.h> | 17 | #include <openssl/evp.h> |
| 18 | #include <openssl/pem.h> | 18 | #include <openssl/pem.h> |
| @@ -35,8 +35,10 @@ RCSID("$OpenBSD: ssh-keygen.c,v 1.129 2005/09/13 23:40:07 djm Exp $"); | |||
| 35 | #endif | 35 | #endif |
| 36 | #include "dns.h" | 36 | #include "dns.h" |
| 37 | 37 | ||
| 38 | /* Number of bits in the RSA/DSA key. This value can be changed on the command line. */ | 38 | /* Number of bits in the RSA/DSA key. This value can be set on the command line. */ |
| 39 | u_int32_t bits = 2048; | 39 | #define DEFAULT_BITS 2048 |
| 40 | #define DEFAULT_BITS_DSA 1024 | ||
| 41 | u_int32_t bits = 0; | ||
| 40 | 42 | ||
| 41 | /* | 43 | /* |
| 42 | * Flag indicating that we just want to change the passphrase. This can be | 44 | * Flag indicating that we just want to change the passphrase. This can be |
| @@ -1217,6 +1219,8 @@ main(int ac, char **av) | |||
| 1217 | out_file, strerror(errno)); | 1219 | out_file, strerror(errno)); |
| 1218 | return (1); | 1220 | return (1); |
| 1219 | } | 1221 | } |
| 1222 | if (bits == 0) | ||
| 1223 | bits = DEFAULT_BITS; | ||
| 1220 | if (gen_candidates(out, memory, bits, start) != 0) | 1224 | if (gen_candidates(out, memory, bits, start) != 0) |
| 1221 | fatal("modulus candidate generation failed\n"); | 1225 | fatal("modulus candidate generation failed\n"); |
| 1222 | 1226 | ||
| @@ -1258,6 +1262,8 @@ main(int ac, char **av) | |||
| 1258 | } | 1262 | } |
| 1259 | if (!quiet) | 1263 | if (!quiet) |
| 1260 | printf("Generating public/private %s key pair.\n", key_type_name); | 1264 | printf("Generating public/private %s key pair.\n", key_type_name); |
| 1265 | if (bits == 0) | ||
| 1266 | bits = (type == KEY_DSA) ? DEFAULT_BITS_DSA : DEFAULT_BITS; | ||
| 1261 | private = key_generate(type, bits); | 1267 | private = key_generate(type, bits); |
| 1262 | if (private == NULL) { | 1268 | if (private == NULL) { |
| 1263 | fprintf(stderr, "key_generate failed"); | 1269 | fprintf(stderr, "key_generate failed"); |