RT2626: Change default_bits from 1K to 2K

This is a more comprehensive fix. It changes all keygen apps to use 2K keys. It also changes the default to use SHA256 not SHA1. This is from Kurt's upstream Debian changes. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@openssl.org>
openssl · Sep 8, 2014 · 44e0c2b · 44e0c2b
1 parent 5f85556
commit 44e0c2b
Show file tree

Hide file tree

Showing 8 changed files with 9 additions and 9 deletions.
diff --git a/apps/dhparam.c b/apps/dhparam.c
@@ -130,7 +130,7 @@
 #undef PROG
 #define PROG	dhparam_main
 
-#define DEFBITS	512
+#define DEFBITS	2048
 
 /* -inform arg	- input format - default PEM (DER or PEM)
  * -outform arg - output format - default PEM
@@ -253,7 +253,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf(bio_err," -C            Output C code\n");
 		BIO_printf(bio_err," -2            generate parameters using  2 as the generator value\n");
 		BIO_printf(bio_err," -5            generate parameters using  5 as the generator value\n");
-		BIO_printf(bio_err," numbits       number of bits in to generate (default 512)\n");
+		BIO_printf(bio_err," numbits       number of bits in to generate (default 2048)\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 #endif

diff --git a/apps/gendh.c b/apps/gendh.c
@@ -78,7 +78,7 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 
-#define DEFBITS	512
+#define DEFBITS	2048
 #undef PROG
 #define PROG gendh_main
 

diff --git a/apps/genrsa.c b/apps/genrsa.c
@@ -78,7 +78,7 @@
 #include <openssl/pem.h>
 #include <openssl/rand.h>
 
-#define DEFBITS	1024
+#define DEFBITS	2048
 #undef PROG
 #define PROG genrsa_main
 

diff --git a/apps/openssl.cnf b/apps/openssl.cnf
@@ -103,7 +103,7 @@ emailAddress		= optional
 
 ####################################################################
 [ req ]
-default_bits		= 1024
+default_bits		= 2048
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes

diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c
@@ -643,7 +643,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
 #endif
 
 		case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
-		*(int *)arg2 = NID_sha1;
+		*(int *)arg2 = NID_sha256;
 		return 2;
 
 		default:

diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
@@ -649,7 +649,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
 #endif
 
 		case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
-		*(int *)arg2 = NID_sha1;
+		*(int *)arg2 = NID_sha256;
 		return 2;
 
 		default:

diff --git a/crypto/hmac/hm_ameth.c b/crypto/hmac/hm_ameth.c
@@ -89,7 +89,7 @@ static int hmac_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
 	switch (op)
 		{
 		case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
-		*(int *)arg2 = NID_sha1;
+		*(int *)arg2 = NID_sha256;
 		return 1;
 
 		default:

diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
@@ -460,7 +460,7 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
 #endif
 
 		case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
-		*(int *)arg2 = NID_sha1;
+		*(int *)arg2 = NID_sha256;
 		return 1;
 
 		default: