From 9f647335d21daf0bf23257e47be98b3e18219b63 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@zip.com.au>
Date: Mon, 28 Nov 2005 16:41:46 +1100
Subject:      [ssh-keygen.1 ssh-keygen.c]      Enforce DSA key length of
 exactly 1024 bits to comply with FIPS-186-2,      increase minumum RSA key
 size to 768 bits and update man page to reflect      these.  Patch originally
 bz#1119 (senthilkumar_sen at hotpop.com),      ok djm@, grudging ok deraadt@.

---
 ssh-keygen.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'ssh-keygen.c')

diff --git a/ssh-keygen.c b/ssh-keygen.c
index 7f9c7fd1a..b4c651d22 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.133 2005/10/31 11:12:49 djm Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.134 2005/11/28 05:16:53 dtucker Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@@ -1046,7 +1046,7 @@ main(int ac, char **av)
 	    "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
 		switch (opt) {
 		case 'b':
-			bits = strtonum(optarg, 512, 32768, &errstr);
+			bits = strtonum(optarg, 768, 32768, &errstr);
 			if (errstr)
 				fatal("Bits has bad value %s (%s)",
 					optarg, errstr);
@@ -1259,6 +1259,8 @@ main(int ac, char **av)
 		fprintf(stderr, "unknown key type %s\n", key_type_name);
 		exit(1);
 	}
+	if (type == KEY_DSA && bits != 1024)
+		fatal("DSA keys must be 1024 bits");
 	if (!quiet)
 		printf("Generating public/private %s key pair.\n", key_type_name);
 	if (bits == 0)
-- 
cgit v1.2.3