[openssl-commits] [openssl] master update
matthias.st.pierre at ncp-e.com
matthias.st.pierre at ncp-e.com
Tue Jun 5 16:09:07 UTC 2018
The branch master has been updated
via 0336df2fa316a3e08b8f0d2d0e8d4bc175e46634 (commit)
from 630fe1da888490b7dfef3fe0928b813ddff5d51a (commit)
- Log -----------------------------------------------------------------
commit 0336df2fa316a3e08b8f0d2d0e8d4bc175e46634
Author: Georg Schmidt <gs-develop at gs-sys.de>
Date: Thu May 31 01:42:39 2018 +0200
Issue warnings for large DSA and RSA keys
Issue a warning when generating DSA or RSA keys of size greater than
OPENSSL_DSA_MAX_MODULUS_BITS resp. OPENSSL_RSA_MAX_MODULUS_BITS.
Reviewed-by: Paul Dale <paul.dale at oracle.com>
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6380)
-----------------------------------------------------------------------
Summary of changes:
apps/dsaparam.c | 6 ++++++
apps/gendsa.c | 7 +++++++
apps/genrsa.c | 5 +++++
apps/req.c | 12 ++++++++++++
4 files changed, 30 insertions(+)
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index 341480b..8e33ffd 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -128,6 +128,12 @@ int dsaparam_main(int argc, char **argv)
goto end;
if (numbits > 0) {
+ if (numbits > OPENSSL_DSA_MAX_MODULUS_BITS)
+ BIO_printf(bio_err,
+ "Warning: It is not recommended to use more than %d bit for DSA keys.\n"
+ " Your key size is %d! Larger key size may behave not as expected.\n",
+ OPENSSL_DSA_MAX_MODULUS_BITS, numbits);
+
cb = BN_GENCB_new();
if (cb == NULL) {
BIO_printf(bio_err, "Error allocating BN_GENCB object\n");
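Review bot: The warning added under `if (numbits > OPENSSL_DSA_MAX_MODULUS_BITS)` is advisory only, so parameter generation still proceeds, and its wording does not tell the operator what the risk is. If this constant is the modulus size above which the library's own sign/verify paths refuse a key (as its name suggests; the definition is not in this diff), the message should say that instead of "may behave not as expected". At minimum fix the grammar: `"Warning: It is not recommended to use more than %d bits for DSA keys.\n"` and `" Your key size is %d! Larger key sizes may not behave as expected.\n"`. The same text is pasted into the gendsa.c and genrsa.c hunks and twice into req.c, so a small shared helper in apps/ taking the algorithm name, limit and size would keep the copies from drifting. dsaparam_main starts and ends outside this hunk.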
diff --git a/apps/gendsa.c b/apps/gendsa.c
index 06e3792..4013754 100644
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -117,6 +117,13 @@ int gendsa_main(int argc, char **argv)
goto end2;
DSA_get0_pqg(dsa, &p, NULL, NULL);
+
+ if (BN_num_bits(p) > OPENSSL_DSA_MAX_MODULUS_BITS)
+ BIO_printf(bio_err,
+ "Warning: It is not recommended to use more than %d bit for DSA keys.\n"
+ " Your key size is %d! Larger key size may behave not as expected.\n",
+ OPENSSL_DSA_MAX_MODULUS_BITS, BN_num_bits(p));
+
BIO_printf(bio_err, "Generating DSA key, %d bits\n", BN_num_bits(p));
if (!DSA_generate_key(dsa))
goto end;
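Review bot: `BN_num_bits(p)` is now evaluated three times within a few lines (the comparison, the warning argument and the existing "Generating DSA key" message), on a `p` that comes from a parameter file supplied by the user. Computing it once keeps the check and both messages tied to the same value, e.g. `int bits = BN_num_bits(p);` and then `if (bits > OPENSSL_DSA_MAX_MODULUS_BITS)`. The declaration would have to go with the other locals at the top of gendsa_main, which lies outside this hunk.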
diff --git a/apps/genrsa.c b/apps/genrsa.c
index 2bc8fa0..c17cd14 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -123,6 +123,11 @@ opthelp:
if (argc == 1) {
if (!opt_int(argv[0], &num) || num <= 0)
goto end;
+ if (num > OPENSSL_RSA_MAX_MODULUS_BITS)
+ BIO_printf(bio_err,
+ "Warning: It is not recommended to use more than %d bit for RSA keys.\n"
+ " Your key size is %d! Larger key size may behave not as expected.\n",
+ OPENSSL_RSA_MAX_MODULUS_BITS, num);
} else if (argc > 0) {
BIO_printf(bio_err, "Extra arguments given.\n");
goto opthelp;
diff --git a/apps/req.c b/apps/req.c
index ca4b7ec..59baa89 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -517,6 +517,18 @@ int req_main(int argc, char **argv)
goto end;
}
+ if (pkey_type == EVP_PKEY_RSA && newkey > OPENSSL_RSA_MAX_MODULUS_BITS)
+ BIO_printf(bio_err,
+ "Warning: It is not recommended to use more than %d bit for RSA keys.\n"
+ " Your key size is %ld! Larger key size may behave not as expected.\n",
+ OPENSSL_RSA_MAX_MODULUS_BITS, newkey);
+
+ if (pkey_type == EVP_PKEY_DSA && newkey > OPENSSL_DSA_MAX_MODULUS_BITS)
+ BIO_printf(bio_err,
+ "Warning: It is not recommended to use more than %d bit for DSA keys.\n"
+ " Your key size is %ld! Larger key size may behave not as expected.\n",
+ OPENSSL_DSA_MAX_MODULUS_BITS, newkey);
+
if (genctx == NULL) {
genctx = set_keygen_ctx(NULL, &pkey_type, &newkey,
&keyalgstr, gen_eng);
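Review bot: Both new checks read `pkey_type` and `newkey` before the `genctx == NULL` branch passes `&pkey_type` and `&newkey` to `set_keygen_ctx()`, which can presumably update them. If that call can change either value on this path, the warning is evaluated on values that are not the ones used for generation; please confirm, or move the checks below that block. A one-line comment such as `/* oversize keys only warn: generation is still allowed */` would also make clear that falling through here is deliberate, in contrast to the `goto end` just above. req_main continues outside the hunk.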