The branch master has been updated via 70b0b977f73cd70e17538af3095d18e0cf59132e (commit) from 2c23689402f1894861519d0c1ad762a3e52f4677 (commit)
- Log -----------------------------------------------------------------
commit 70b0b977f73cd70e17538af3095d18e0cf59132e
Author: Kurt Roeckx <k...@roeckx.be>
Date: Sat Apr 13 12:32:48 2019 +0200
Change default RSA, DSA and DH size to 2048 bit
Fixes: #8737
Reviewed-by: Bernd Edlinger <bernd.edlin...@hotmail.de>
Reviewed-by: Richard Levitte <levi...@openssl.org>
GH: #8741
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 6 ++++++
crypto/dh/dh_pmeth.c | 2 +-
crypto/dsa/dsa_pmeth.c | 8 ++++----
crypto/rsa/rsa_pmeth.c | 2 +-
doc/man1/genpkey.pod | 8 ++++----
5 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/CHANGES b/CHANGES
index a5d6950..86da7f1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,12 @@ Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
+ *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
+ This changes the size when using the genpkey app when no size is given. It
+ fixes an omission in earlier changes that changed all RSA, DSA and DH
+ generation apps to use 2048 bits by default.
+ [Kurt Roeckx]
+
 *) Added command 'openssl kdf' that uses the EVP_KDF API.
 [Shane Lontis]
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
index 3497915..f630fd3 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -54,7 +54,7 @@ static int pkey_dh_init(EVP_PKEY_CTX *ctx)
 DHerr(DH_F_PKEY_DH_INIT, ERR_R_MALLOC_FAILURE);
 return 0;
 }
- dctx->prime_len = 1024;
+ dctx->prime_len = 2048;
 dctx->subprime_len = -1;
 dctx->generator = 2;
 dctx->kdf_type = EVP_PKEY_DH_KDF_NONE;
diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c
index cfba91c..0916f97 100644
--- a/crypto/dsa/dsa_pmeth.c
+++ b/crypto/dsa/dsa_pmeth.c
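Review bot: The new default at `dctx->prime_len = 2048;` is a bare literal, and the same literal is hard-coded separately in pkey_dsa_init, pkey_rsa_init, the dsa_pmeth.c struct comments and genpkey.pod, which is the kind of duplication that, per the commit message, let the old 1024 default fall out of step with the generation apps in the first place. The rsa hunk already shows the file style for such values, `rctx->primes = RSA_DEFAULT_PRIME_NUM;`, so a named default for the bit length, e.g. `dctx->prime_len = DH_DEFAULT_PRIME_LEN; /* keep in step with genpkey.pod */` defined next to the file's other constants (the name is a suggestion), would give the documented default one point of truth to cross-check against the apps. The same point applies to the nbits assignments in the dsa_pmeth.c and rsa_pmeth.c hunks. pkey_dh_init begins before this hunk and continues after it.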
@@ -20,8 +20,8 @@ typedef struct {
 /* Parameter gen parameters */
- int nbits; /* size of p in bits (default: 1024) */
- int qbits; /* size of q in bits (default: 160) */
+ int nbits; /* size of p in bits (default: 2048) */
+ int qbits; /* size of q in bits (default: 224) */
 const EVP_MD *pmd; /* MD for parameter generation */
 /* Keygen callback info */
 int gentmp[2];
@@ -35,8 +35,8 @@ static int pkey_dsa_init(EVP_PKEY_CTX *ctx)
 if (dctx == NULL)
 return 0;
- dctx->nbits = 1024;
- dctx->qbits = 160;
+ dctx->nbits = 2048;
+ dctx->qbits = 224;
 dctx->pmd = NULL;
 dctx->md = NULL;
diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
index 3d3e971..bd0870b 100644
--- a/crypto/rsa/rsa_pmeth.c
+++ b/crypto/rsa/rsa_pmeth.c
@@ -56,7 +56,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
 if (rctx == NULL)
 return 0;
- rctx->nbits = 1024;
+ rctx->nbits = 2048;
 rctx->primes = RSA_DEFAULT_PRIME_NUM;
 if (pkey_ctx_is_pss(ctx))
 rctx->pad_mode = RSA_PKCS1_PSS_PADDING;
diff --git a/doc/man1/genpkey.pod b/doc/man1/genpkey.pod
index 1774974..e418c13 100644
--- a/doc/man1/genpkey.pod
+++ b/doc/man1/genpkey.pod
@@ -118,7 +118,7 @@ or ED448 algorithms.
 =item B<rsa_keygen_bits:numbits>
-The number of bits in the generated key. If not specified 1024 is used.
+The number of bits in the generated key. If not specified 2048 is used.
 =item B<rsa_keygen_primes:numprimes>
@@ -185,12 +185,12 @@ below.
 =item B<dsa_paramgen_bits:numbits>
-The number of bits in the generated prime. If not specified 1024 is used.
+The number of bits in the generated prime. If not specified 2048 is used.
 =item B<dsa_paramgen_q_bits:numbits>
 The number of bits in the q parameter. Must be one of 160, 224 or 256. If not
-specified 160 is used.
+specified 224 is used.
 =item B<dsa_paramgen_md:digest>
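Review bot: `dctx->nbits = 2048;` and `dctx->qbits = 224;` in pkey_dsa_init are now a matched (p, q) size pair, but genpkey.pod in this same commit documents them as two independent options (`dsa_paramgen_bits` and `dsa_paramgen_q_bits`, with q restricted to 160, 224 or 256), so a caller that lowers only the p size and keeps the default q presumably now gets 1024 with 224 where it previously got 1024 with 160; whether pkey_dsa_paramgen, outside this hunk, validates that combination cannot be seen here and is worth covering with a test. A short comment at the two assignments would record the intent: `/* Default (p, q) sizes; change together with the struct comments and genpkey.pod */`. pkey_dsa_init begins before this hunk and continues after it.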
@@ -209,7 +209,7 @@ or B<sha256> if it is 256.
 =item B<dh_paramgen_prime_len:numbits>
-The number of bits in the prime parameter B<p>. The default is 1024.
+The number of bits in the prime parameter B<p>. The default is 2048.
 =item B<dh_paramgen_subprime_len:numbits>