[openssl] OpenSSL_1_1_1-stable update
Kurt Roeckx
kurt at openssl.org
Tue May 21 14:47:52 UTC 2019
The branch OpenSSL_1_1_1-stable has been updated
via 408cb4c88875e70dcb6acfceb8e1a74714e26be4 (commit)
from 3ae3c38825d16fc1fb68abed1fa65975c0e73377 (commit)
- Log -----------------------------------------------------------------
commit 408cb4c88875e70dcb6acfceb8e1a74714e26be4
Author: Kurt Roeckx <kurt at roeckx.be>
Date: Sat Apr 13 12:32:48 2019 +0200
Change default RSA, DSA and DH size to 2048 bit
Fixes: #8737
Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
Reviewed-by: Richard Levitte <levitte at openssl.org>
GH: #8741
(cherry picked from commit 70b0b977f73cd70e17538af3095d18e0cf59132e)
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 6 +++++-
crypto/dh/dh_pmeth.c | 2 +-
crypto/dsa/dsa_pmeth.c | 8 ++++----
crypto/rsa/rsa_pmeth.c | 2 +-
doc/man1/genpkey.pod | 8 ++++----
5 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/CHANGES b/CHANGES
index f58022b..53f8563 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,7 +9,11 @@
Changes between 1.1.1b and 1.1.1c [xx XXX xxxx]
- *)
+ *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
+ This changes the size when using the genpkey app when no size is given. It
+ fixes an omission in earlier changes that changed all RSA, DSA and DH
+ generation apps to use 2048 bits by default.
+ [Kurt Roeckx]
Changes between 1.1.1a and 1.1.1b [26 Feb 2019]
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
index cce2d9e..0373778 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -54,7 +54,7 @@ static int pkey_dh_init(EVP_PKEY_CTX *ctx)
DHerr(DH_F_PKEY_DH_INIT, ERR_R_MALLOC_FAILURE);
return 0;
}
- dctx->prime_len = 1024;
+ dctx->prime_len = 2048;
dctx->subprime_len = -1;
dctx->generator = 2;
dctx->kdf_type = EVP_PKEY_DH_KDF_NONE;
diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c
index b4ee5a7..dedbe5e 100644
--- a/crypto/dsa/dsa_pmeth.c
+++ b/crypto/dsa/dsa_pmeth.c
@@ -20,8 +20,8 @@
typedef struct {
/* Parameter gen parameters */
- int nbits; /* size of p in bits (default: 1024) */
- int qbits; /* size of q in bits (default: 160) */
+ int nbits; /* size of p in bits (default: 2048) */
+ int qbits; /* size of q in bits (default: 224) */
const EVP_MD *pmd; /* MD for parameter generation */
/* Keygen callback info */
int gentmp[2];
@@ -35,8 +35,8 @@ static int pkey_dsa_init(EVP_PKEY_CTX *ctx)
if (dctx == NULL)
return 0;
- dctx->nbits = 1024;
- dctx->qbits = 160;
+ dctx->nbits = 2048;
+ dctx->qbits = 224;
dctx->pmd = NULL;
dctx->md = NULL;
diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
index 5c0efc8..082ab8f 100644
--- a/crypto/rsa/rsa_pmeth.c
+++ b/crypto/rsa/rsa_pmeth.c
@@ -56,7 +56,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
if (rctx == NULL)
return 0;
- rctx->nbits = 1024;
+ rctx->nbits = 2048;
rctx->primes = RSA_DEFAULT_PRIME_NUM;
if (pkey_ctx_is_pss(ctx))
rctx->pad_mode = RSA_PKCS1_PSS_PADDING;
diff --git a/doc/man1/genpkey.pod b/doc/man1/genpkey.pod
index 202e531..e7eee5e 100644
--- a/doc/man1/genpkey.pod
+++ b/doc/man1/genpkey.pod
@@ -118,7 +118,7 @@ or ED448 algorithms.
=item B<rsa_keygen_bits:numbits>
-The number of bits in the generated key. If not specified 1024 is used.
+The number of bits in the generated key. If not specified 2048 is used.
=item B<rsa_keygen_primes:numprimes>
@@ -185,12 +185,12 @@ below.
=item B<dsa_paramgen_bits:numbits>
-The number of bits in the generated prime. If not specified 1024 is used.
+The number of bits in the generated prime. If not specified 2048 is used.
=item B<dsa_paramgen_q_bits:numbits>
The number of bits in the q parameter. Must be one of 160, 224 or 256. If not
-specified 160 is used.
+specified 224 is used.
=item B<dsa_paramgen_md:digest>
@@ -209,7 +209,7 @@ or B<sha256> if it is 256.
=item B<dh_paramgen_prime_len:numbits>
-The number of bits in the prime parameter B<p>. The default is 1024.
+The number of bits in the prime parameter B<p>. The default is 2048.
=item B<dh_paramgen_subprime_len:numbits>
More information about the openssl-commits
mailing list