The branch master has been updated via 0336df2fa316a3e08b8f0d2d0e8d4bc175e46634 (commit) from 630fe1da888490b7dfef3fe0928b813ddff5d51a (commit)
- Log -----------------------------------------------------------------
commit 0336df2fa316a3e08b8f0d2d0e8d4bc175e46634
Author: Georg Schmidt <gs-deve...@gs-sys.de>
Date: Thu May 31 01:42:39 2018 +0200
Issue warnings for large DSA and RSA keys
Issue a warning when generating DSA or RSA keys of size greater than OPENSSL_DSA_MAX_MODULUS_BITS resp. OPENSSL_RSA_MAX_MODULUS_BITS.
Reviewed-by: Paul Dale <paul.d...@oracle.com>
Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Matthias St. Pierre <matthias.st.pie...@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6380)
-----------------------------------------------------------------------
Summary of changes:
apps/dsaparam.c | 6 ++++++
apps/gendsa.c | 7 +++++++
apps/genrsa.c | 5 +++++
apps/req.c | 12 ++++++++++++
4 files changed, 30 insertions(+)
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index 341480b..8e33ffd 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -128,6 +128,12 @@ int dsaparam_main(int argc, char **argv)
 goto end;
 if (numbits > 0) {
+ if (numbits > OPENSSL_DSA_MAX_MODULUS_BITS)
+ BIO_printf(bio_err,
+ "Warning: It is not recommended to use more than %d bit for DSA keys.\n"
+ " Your key size is %d! Larger key size may behave not as expected.\n",
+ OPENSSL_DSA_MAX_MODULUS_BITS, numbits);
+ cb = BN_GENCB_new();
 if (cb == NULL) {
 BIO_printf(bio_err, "Error allocating BN_GENCB object\n");
diff --git a/apps/gendsa.c b/apps/gendsa.c
index 06e3792..4013754 100644
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -117,6 +117,13 @@ int gendsa_main(int argc, char **argv)
 goto end2;
 DSA_get0_pqg(dsa, &p, NULL, NULL);
+
+ if (BN_num_bits(p) > OPENSSL_DSA_MAX_MODULUS_BITS)
+ BIO_printf(bio_err,
+ "Warning: It is not recommended to use more than %d bit for DSA keys.\n"
+ " Your key size is %d! Larger key size may behave not as expected.\n",
+ OPENSSL_DSA_MAX_MODULUS_BITS, BN_num_bits(p));
+ BIO_printf(bio_err, "Generating DSA key, %d bits\n", BN_num_bits(p));
 if (!DSA_generate_key(dsa))
 goto end;
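Review bot: The new message in dsaparam_main tells the operator only that a larger key "may behave not as expected", which names no consequence they can act on, and generation then continues unchanged. As far as I know OPENSSL_DSA_MAX_MODULUS_BITS is the size above which the library's own verification code refuses a modulus; if that is confirmed, the text should say so, e.g. `"Warning: DSA keys above %d bits may be rejected by OpenSSL when used (requested: %d bits).\n"`. The same two-line text appears five times across this commit (here, gendsa.c, genrsa.c and twice in req.c), each with "%d bit" where "bits" is meant, so one shared helper in apps/ taking the algorithm name, the limit and the requested size would keep the copies from drifting. dsaparam_main starts and ends outside this hunk.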
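Review bot: `BN_num_bits(p)` is evaluated three times in this stretch of gendsa_main: in the new condition, as the new format argument, and in the "Generating DSA key" line that follows. Assigning it once to a local, `bits = BN_num_bits(p);` directly after `DSA_get0_pqg()`, makes it plain that the size checked, the size reported and the size generated are the same value. The size here is read from the loaded `dsa` object rather than from an argument, so a short comment such as `/* advisory only: oversized parameters are still used */` would record that the input is not rejected. gendsa_main starts and ends outside the hunk.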
diff --git a/apps/genrsa.c b/apps/genrsa.c
index 2bc8fa0..c17cd14 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -123,6 +123,11 @@ opthelp:
 if (argc == 1) {
 if (!opt_int(argv[0], &num) || num <= 0)
 goto end;
+ if (num > OPENSSL_RSA_MAX_MODULUS_BITS)
+ BIO_printf(bio_err,
+ "Warning: It is not recommended to use more than %d bit for RSA keys.\n"
+ " Your key size is %d! Larger key size may behave not as expected.\n",
+ OPENSSL_RSA_MAX_MODULUS_BITS, num);
 } else if (argc > 0) {
 BIO_printf(bio_err, "Extra arguments given.\n");
 goto opthelp;
diff --git a/apps/req.c b/apps/req.c
index ca4b7ec..59baa89 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -517,6 +517,18 @@ int req_main(int argc, char **argv)
 goto end;
 }
+ if (pkey_type == EVP_PKEY_RSA && newkey > OPENSSL_RSA_MAX_MODULUS_BITS)
+ BIO_printf(bio_err,
+ "Warning: It is not recommended to use more than %d bit for RSA keys.\n"
+ " Your key size is %ld! Larger key size may behave not as expected.\n",
+ OPENSSL_RSA_MAX_MODULUS_BITS, newkey);
+
+ if (pkey_type == EVP_PKEY_DSA && newkey > OPENSSL_DSA_MAX_MODULUS_BITS)
+ BIO_printf(bio_err,
+ "Warning: It is not recommended to use more than %d bit for DSA keys.\n"
+ " Your key size is %ld! Larger key size may behave not as expected.\n",
+ OPENSSL_DSA_MAX_MODULUS_BITS, newkey);
+
+ if (genctx == NULL) {
 genctx = set_keygen_ctx(NULL, &pkey_type, &newkey, &keyalgstr, gen_eng);
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
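Review bot: The only lower bound visible beside the new check is `num <= 0`, so within these lines an undersized RSA modulus goes through silently while an oversized one draws a warning. If no minimum is enforced elsewhere in genrsa, add the matching advisory next to this one, along the lines of `if (num < MIN_BITS_PLACEHOLDER) BIO_printf(bio_err, "Warning: %d-bit RSA keys are too small to be secure.\n", num);`, with the threshold taken from project policy rather than from this placeholder. The enclosing function starts and ends outside the hunk.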
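Review bot: Both new checks in req_main read `newkey` and `pkey_type` before the `genctx == NULL` branch that follows, which passes `&pkey_type` and `&newkey` to set_keygen_ctx(); if that call or any later key-generation option (req accepts -pkeyopt, as far as I recall) can change the size, the warning is decided on a value that is not the one generated. Moving the checks below the point where the generation context is final, or checking `EVP_PKEY_bits(pkey)` on the result, would close that gap; this needs confirming against the full function, which extends beyond this hunk. The two blocks differ only in algorithm name and limit and could share one call.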