diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2017-05-07 23:15:59 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2017-05-08 09:21:22 +1000 |
| commit | bd636f40911094a39c2920bf87d2ec340533c152 (patch) | |
| tree | 53c4c9655827d6433a26a510f46081dfc4b72b6d /ssh-keygen.c | |
| parent | 70c1218fc45757a030285051eb4d209403f54785 (diff) | |
upstream commit
Refuse RSA keys <1024 bits in length. Improve reporting
for keys that do not meet this requirement. ok markus@
Upstream-ID: b385e2a7b13b1484792ee681daaf79e1e203df6c
Diffstat (limited to 'ssh-keygen.c')
| -rw-r--r-- | ssh-keygen.c | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c index 51c24bc55..7886582d7 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-keygen.c,v 1.302 2017/04/30 23:18:44 djm Exp $ */ | 1 | /* $OpenBSD: ssh-keygen.c,v 1.303 2017/05/07 23:15:59 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -226,13 +226,21 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp) | |||
| 226 | OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; | 226 | OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; |
| 227 | if (*bitsp > maxbits) | 227 | if (*bitsp > maxbits) |
| 228 | fatal("key bits exceeds maximum %d", maxbits); | 228 | fatal("key bits exceeds maximum %d", maxbits); |
| 229 | if (type == KEY_DSA && *bitsp != 1024) | 229 | switch (type) { |
| 230 | fatal("DSA keys must be 1024 bits"); | 230 | case KEY_DSA: |
| 231 | else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 1024) | 231 | if (*bitsp != 1024) |
| 232 | fatal("Key must at least be 1024 bits"); | 232 | fatal("Invalid DSA key length: must be 1024 bits"); |
| 233 | else if (type == KEY_ECDSA && sshkey_ecdsa_bits_to_nid(*bitsp) == -1) | 233 | break; |
| 234 | fatal("Invalid ECDSA key length - valid lengths are " | 234 | case KEY_RSA: |
| 235 | "256, 384 or 521 bits"); | 235 | if (*bitsp < SSH_RSA_MINIMUM_MODULUS_SIZE) |
| 236 | fatal("Invalid RSA key length: minimum is %d bits", | ||
| 237 | SSH_RSA_MINIMUM_MODULUS_SIZE); | ||
| 238 | break; | ||
| 239 | case KEY_ECDSA: | ||
| 240 | if (sshkey_ecdsa_bits_to_nid(*bitsp) == -1) | ||
| 241 | fatal("Invalid ECDSA key length: valid lengths are " | ||
| 242 | "256, 384 or 521 bits"); | ||
| 243 | } | ||
| 236 | #endif | 244 | #endif |
| 237 | } | 245 | } |
| 238 | 246 | ||