author | Kurt Roeckx <kurt@roeckx.be> | 2019-04-13 12:32:48 +0200 |
committer | Kurt Roeckx <kurt@roeckx.be> | 2019-05-21 16:58:42 +0200 |
commit | 0f283c9a665c5dc5cd2b89a3373da34f144ebd64 (patch) | |
tree | b8996b37e5d62bf9a1fcbcc1637585ac5616bb2c | |
parent | cea83f9f7825309379db3fea77f19edf0c5b1e13 (diff) |
Change default RSA, DSA and DH size to 2048 bit
Fixes: #8737
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #8741
(cherry picked from commit 70b0b977f73cd70e17538af3095d18e0cf59132e)
-rw-r--r-- | CHANGES | 6 | ||||
-rw-r--r-- | crypto/dh/dh_pmeth.c | 2 | ||||
-rw-r--r-- | crypto/dsa/dsa_pmeth.c | 8 | ||||
-rw-r--r-- | crypto/rsa/rsa_pmeth.c | 2 | ||||
-rw-r--r-- | doc/apps/genpkey.pod | 8 |
5 files changed, 16 insertions, 10 deletions
@@ -9,6 +9,12 @@ Changes between 1.0.2r and 1.0.2s [xx XXX xxxx]
+  *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
+     This changes the size when using the genpkey app when no size is given. It
+     fixes an omission in earlier changes that changed all RSA, DSA and DH
+     generation apps to use 2048 bits by default.
+     [Kurt Roeckx]
+
   *) Add FIPS support for Android Arm 64-bit
      Support for Android Arm 64-bit was added to the OpenSSL FIPS Object Module in
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
index 162753af07..30777c8a5f 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -101,7 +101,7 @@ static int pkey_dh_init(EVP_PKEY_CTX *ctx)
     dctx = OPENSSL_malloc(sizeof(DH_PKEY_CTX));
     if (!dctx)
         return 0;
-    dctx->prime_len = 1024;
+    dctx->prime_len = 2048;
     dctx->subprime_len = -1;
     dctx->generator = 2;
     dctx->use_dsa = 0;
diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c
index 7f00e97036..51e382d552 100644
--- a/crypto/dsa/dsa_pmeth.c
+++ b/crypto/dsa/dsa_pmeth.c
@@ -69,8 +69,8 @@ typedef struct {
     /* Parameter gen parameters */
-    int nbits;                  /* size of p in bits (default: 1024) */
-    int qbits;                  /* size of q in bits (default: 160) */
+    int nbits;                  /* size of p in bits (default: 2048) */
+    int qbits;                  /* size of q in bits (default: 224) */
     const EVP_MD *pmd;          /* MD for parameter generation */
     /* Keygen callback info */
     int gentmp[2];
@@ -84,8 +84,8 @@ static int pkey_dsa_init(EVP_PKEY_CTX *ctx)
     dctx = OPENSSL_malloc(sizeof(DSA_PKEY_CTX));
     if (!dctx)
         return 0;
-    dctx->nbits = 1024;
-    dctx->qbits = 160;
+    dctx->nbits = 2048;
+    dctx->qbits = 224;
     dctx->pmd = NULL;
     dctx->md = NULL;
diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
index 00e730ffa9..b0a51ee532 100644
--- a/crypto/rsa/rsa_pmeth.c
+++ b/crypto/rsa/rsa_pmeth.c
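Review bot: In pkey_dsa_init the new q default of 224 is no longer tied to nbits, so a caller that overrides only dsa_paramgen_bits (for instance back to 1024) without also setting dsa_paramgen_q_bits now ends up with a 1024-bit p and a 224-bit q, a pairing outside the FIPS 186-4 (L, N) set, whereas the old 1024/160 defaults matched. The ctrl path that applies those options is outside this hunk, so I cannot see whether it validates the (nbits, qbits) combination; if it does not, consider selecting the q size at paramgen time when the user has left it unset, and in any case document the coupling on the initialiser: `dctx->qbits = 224; /* pairs with the 2048-bit p default; lowering nbits requires lowering qbits too */`. The struct-comment hunk at line 69 is kept in step with these values, which is good. pkey_dsa_init continues past the end of the hunk.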
@@ -103,7 +103,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
     rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX));
     if (!rctx)
         return 0;
-    rctx->nbits = 1024;
+    rctx->nbits = 2048;
     rctx->pub_exp = NULL;
     rctx->pad_mode = RSA_PKCS1_PADDING;
     rctx->md = NULL;
diff --git a/doc/apps/genpkey.pod b/doc/apps/genpkey.pod
index 2e2440056f..2a86c680c5 100644
--- a/doc/apps/genpkey.pod
+++ b/doc/apps/genpkey.pod
@@ -111,7 +111,7 @@ below.
 =item B<rsa_keygen_bits:numbits>
-The number of bits in the generated key. If not specified 1024 is used.
+The number of bits in the generated key. If not specified 2048 is used.
 =item B<rsa_keygen_pubexp:value>
@@ -149,12 +149,12 @@ below.
 =item B<dsa_paramgen_bits:numbits>
-The number of bits in the generated prime. If not specified 1024 is used.
+The number of bits in the generated prime. If not specified 2048 is used.
 =item B<dsa_paramgen_q_bits:numbits>
 The number of bits in the q parameter. Must be one of 160, 224 or 256. If not
-specified 160 is used.
+specified 224 is used.
 =item B<dsa_paramgen_md:digest>
@@ -173,7 +173,7 @@ or B<sha256> if it is 256.
 =item B<dh_paramgen_prime_len:numbits>
-The number of bits in the prime parameter B<p>. The default is 1024.
+The number of bits in the prime parameter B<p>. The default is 2048.
 =item B<dh_paramgen_subprime_len:numbits>
|