3 files changed, 15 insertions, 6 deletions

diff --git a/ChangeLog b/ChangeLog
index fb7004a94..97be30611 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,13 @@
 20051128
  - (dtucker) [regress/yes-head.sh] Work around breakage caused by some
    versions of GNU head.  Based on patch from zappaman at buraphalinux.org
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2005/11/28 05:16:53
+     [ssh-keygen.1 ssh-keygen.c]
+     Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2,
+     increase minumum RSA key size to 768 bits and update man page to reflect
+     these.  Patch originally bz#1119 (senthilkumar_sen at hotpop.com),
+     ok djm@, grudging ok deraadt@.
 
 20051126
  - (dtucker) [configure.ac] Bug #1126: AIX 5.2 and 5.3 (and presumably newer,
@@ -3362,4 +3369,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.4009 2005/11/28 05:41:03 dtucker Exp $
+$Id: ChangeLog,v 1.4010 2005/11/28 05:41:46 dtucker Exp $
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 348a49ce2..ab16bcd77 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.71 2005/10/31 19:55:25 jmc Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.72 2005/11/28 05:16:53 dtucker Exp $
 .\"
 .\"  -*- nroff -*-
 .\"
@@ -190,9 +190,9 @@ command.
 Show the bubblebabble digest of specified private or public key file.
 .It Fl b Ar bits
 Specifies the number of bits in the key to create.
-Minimum is 512 bits.
+For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
 Generally, 2048 bits is considered sufficient.
-The default is 2048 bits.
+DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
 .It Fl C Ar comment
 Provides a new comment.
 .It Fl c
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 7f9c7fd1a..b4c651d22 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.133 2005/10/31 11:12:49 djm Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.134 2005/11/28 05:16:53 dtucker Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@@ -1046,7 +1046,7 @@ main(int ac, char **av)
             "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
                 switch (opt) {
                 case 'b':
-                        bits = strtonum(optarg, 512, 32768, &errstr);
+                        bits = strtonum(optarg, 768, 32768, &errstr);
                         if (errstr)
                                 fatal("Bits has bad value %s (%s)",
                                         optarg, errstr);
@@ -1259,6 +1259,8 @@ main(int ac, char **av)
                 fprintf(stderr, "unknown key type %s\n", key_type_name);
                 exit(1);
         }
+        if (type == KEY_DSA && bits != 1024)
+                fatal("DSA keys must be 1024 bits");
         if (!quiet)
                 printf("Generating public/private %s key pair.\n", key_type_name);
         if (bits == 0)