Home Explore Help
Sign In
OWEALs
/
openssl
mirror of git://git.openssl.org/openssl.git
2
0
Fork 0
Files Issues 1 Wiki
Browse Source

Issue warnings for large DSA and RSA keys

Issue a warning when generating DSA or RSA keys of size greater than
OPENSSL_DSA_MAX_MODULUS_BITS resp. OPENSSL_RSA_MAX_MODULUS_BITS.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6380)
Georg Schmidt 6 years ago
parent
630fe1da88
commit
0336df2fa3
4 changed files with 30 additions and 0 deletions
Split View Show Diff Stats
  1. 6 0
      apps/dsaparam.c
  2. 7 0
      apps/gendsa.c
  3. 5 0
      apps/genrsa.c
  4. 12 0
      apps/req.c

+ 6 - 0
apps/dsaparam.c
View File 

@@ -128,6 +128,12 @@ int dsaparam_main(int argc, char **argv)
 
         goto end;
 
 
     if (numbits > 0) {
 
+        if (numbits > OPENSSL_DSA_MAX_MODULUS_BITS)
 
+            BIO_printf(bio_err,
 
+                       "Warning: It is not recommended to use more than %d bit for DSA keys.\n"
 
+                       "         Your key size is %d! Larger key size may behave not as expected.\n",
 
+                       OPENSSL_DSA_MAX_MODULUS_BITS, numbits);
 
+
 
         cb = BN_GENCB_new();
 
         if (cb == NULL) {
 
             BIO_printf(bio_err, "Error allocating BN_GENCB object\n");

+ 7 - 0
apps/gendsa.c
View File 

@@ -117,6 +117,13 @@ int gendsa_main(int argc, char **argv)
 
         goto end2;
 
 
     DSA_get0_pqg(dsa, &p, NULL, NULL);
 
+
 
+    if (BN_num_bits(p) > OPENSSL_DSA_MAX_MODULUS_BITS)
 
+        BIO_printf(bio_err,
 
+                   "Warning: It is not recommended to use more than %d bit for DSA keys.\n"
 
+                   "         Your key size is %d! Larger key size may behave not as expected.\n",
 
+                   OPENSSL_DSA_MAX_MODULUS_BITS, BN_num_bits(p));
 
+
 
     BIO_printf(bio_err, "Generating DSA key, %d bits\n", BN_num_bits(p));
 
     if (!DSA_generate_key(dsa))
 
         goto end;

+ 5 - 0
apps/genrsa.c
View File 

@@ -123,6 +123,11 @@ opthelp:
 
     if (argc == 1) {
 
         if (!opt_int(argv[0], &num) || num <= 0)
 
             goto end;
 
+        if (num > OPENSSL_RSA_MAX_MODULUS_BITS)
 
+            BIO_printf(bio_err,
 
+                       "Warning: It is not recommended to use more than %d bit for RSA keys.\n"
 
+                       "         Your key size is %d! Larger key size may behave not as expected.\n",
 
+                       OPENSSL_RSA_MAX_MODULUS_BITS, num);
 
     } else if (argc > 0) {
 
         BIO_printf(bio_err, "Extra arguments given.\n");
 
         goto opthelp;

+ 12 - 0
apps/req.c
View File 

@@ -517,6 +517,18 @@ int req_main(int argc, char **argv)
 
             goto end;
 
         }
 
 
+        if (pkey_type == EVP_PKEY_RSA && newkey > OPENSSL_RSA_MAX_MODULUS_BITS)
 
+            BIO_printf(bio_err,
 
+                       "Warning: It is not recommended to use more than %d bit for RSA keys.\n"
 
+                       "         Your key size is %ld! Larger key size may behave not as expected.\n",
 
+                       OPENSSL_RSA_MAX_MODULUS_BITS, newkey);
 
+
 
+        if (pkey_type == EVP_PKEY_DSA && newkey > OPENSSL_DSA_MAX_MODULUS_BITS)
 
+            BIO_printf(bio_err,
 
+                       "Warning: It is not recommended to use more than %d bit for DSA keys.\n"
 
+                       "         Your key size is %ld! Larger key size may behave not as expected.\n",
 
+                       OPENSSL_DSA_MAX_MODULUS_BITS, newkey);
 
+
 
         if (genctx == NULL) {
 
             genctx = set_keygen_ctx(NULL, &pkey_type, &newkey,
 
                                     &keyalgstr, gen_eng);