[ssh-keygen.1 ssh-keygen.c]
     Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2,
     increase minimum RSA key size to 768 bits and update man page to reflect
     these.  Patch originally bz#1119 (senthilkumar_sen at hotpop.com),
     ok djm@, grudging ok deraadt@.
diff --git a/ChangeLog b/ChangeLog
index fb7004a..97be306 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,13 @@
 20051128
  - (dtucker) [regress/yes-head.sh] Work around breakage caused by some
    versions of GNU head.  Based on patch from zappaman at buraphalinux.org
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2005/11/28 05:16:53
+     [ssh-keygen.1 ssh-keygen.c]
+     Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2,
+     increase minumum RSA key size to 768 bits and update man page to reflect
+     these.  Patch originally bz#1119 (senthilkumar_sen at hotpop.com),
+     ok djm@, grudging ok deraadt@.
 
 20051126
  - (dtucker) [configure.ac] Bug #1126: AIX 5.2 and 5.3 (and presumably newer,
@@ -3362,4 +3369,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.4009 2005/11/28 05:41:03 dtucker Exp $
+$Id: ChangeLog,v 1.4010 2005/11/28 05:41:46 dtucker Exp $
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 348a49c..ab16bcd 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keygen.1,v 1.71 2005/10/31 19:55:25 jmc Exp $
+.\"	$OpenBSD: ssh-keygen.1,v 1.72 2005/11/28 05:16:53 dtucker Exp $
 .\"
 .\"  -*- nroff -*-
 .\"
@@ -190,9 +190,9 @@
 Show the bubblebabble digest of specified private or public key file.
 .It Fl b Ar bits
 Specifies the number of bits in the key to create.
-Minimum is 512 bits.
+For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
 Generally, 2048 bits is considered sufficient.
-The default is 2048 bits.
+DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
 .It Fl C Ar comment
 Provides a new comment.
 .It Fl c
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 7f9c7fd..b4c651d 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.133 2005/10/31 11:12:49 djm Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.134 2005/11/28 05:16:53 dtucker Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@@ -1046,7 +1046,7 @@
 	    "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
 		switch (opt) {
 		case 'b':
-			bits = strtonum(optarg, 512, 32768, &errstr);
+			bits = strtonum(optarg, 768, 32768, &errstr);
 			if (errstr)
 				fatal("Bits has bad value %s (%s)",
 					optarg, errstr);
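Review bot: The bounds in `bits = strtonum(optarg, 768, 32768, &errstr);` are bare literals that now have to agree with the man page's "minimum size is 768 bits" and with the separate exact-1024 DSA check added further down in main(); a named constant such as `#define MIN_BITS 768` (name constructed here) used in the strtonum call would keep the parser, the man page and the later check from drifting apart. Because `-t` may follow `-b` on the command line, the key type is not known inside this case, so the type-specific limit cannot be enforced here; a one-line comment, `/* type-specific limits (DSA: exactly 1024) are checked once the type is known */`, would save the next reader from trying to move that check into this branch. The enclosing getopt loop and main() continue outside the hunk.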
@@ -1259,6 +1259,8 @@
 		fprintf(stderr, "unknown key type %s\n", key_type_name);
 		exit(1);
 	}
+	if (type == KEY_DSA && bits != 1024)
+		fatal("DSA keys must be 1024 bits");
 	if (!quiet)
 		printf("Generating public/private %s key pair.\n", key_type_name);
 	if (bits == 0)
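Review bot: The added `if (type == KEY_DSA && bits != 1024)` check runs before the `if (bits == 0)` default handling on the line right after it, so a DSA request that omits `-b` — where bits is presumably still 0 at this point, since the following line treats 0 as "not set" — is rejected with "DSA keys must be 1024 bits" instead of getting the default size. Moving the two added lines below the block that assigns the default keeps the FIPS 186-2 intent (no DSA key of any other size is ever produced) while leaving the no-`-b` path working; the alternative `if (type == KEY_DSA && bits != 0 && bits != 1024)` is only correct if the default assigned for DSA is itself 1024, which this hunk does not show. The enclosing function continues outside the hunk on both sides.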