Skip to content
Permalink
Browse files

Change default RSA, DSA and DH size to 2048 bit

Fixes: #8737

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #8741
  • Loading branch information...
kroeckx committed Apr 13, 2019
1 parent 2c23689 commit 70b0b977f73cd70e17538af3095d18e0cf59132e
Showing with 16 additions and 10 deletions.
  1. +6 −0 CHANGES
  2. +1 −1 crypto/dh/dh_pmeth.c
  3. +4 −4 crypto/dsa/dsa_pmeth.c
  4. +1 −1 crypto/rsa/rsa_pmeth.c
  5. +4 −4 doc/man1/genpkey.pod
@@ -9,6 +9,12 @@

Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]

*) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
This changes the size when using the genpkey app when no size is given. It
fixes an omission in earlier changes that changed all RSA, DSA and DH
generation apps to use 2048 bits by default.
[Kurt Roeckx]

*) Added command 'openssl kdf' that uses the EVP_KDF API.
[Shane Lontis]

@@ -54,7 +54,7 @@ static int pkey_dh_init(EVP_PKEY_CTX *ctx)
DHerr(DH_F_PKEY_DH_INIT, ERR_R_MALLOC_FAILURE);
return 0;
}
dctx->prime_len = 1024;
dctx->prime_len = 2048;
dctx->subprime_len = -1;
dctx->generator = 2;
dctx->kdf_type = EVP_PKEY_DH_KDF_NONE;
@@ -20,8 +20,8 @@

typedef struct {
/* Parameter gen parameters */
int nbits; /* size of p in bits (default: 1024) */
int qbits; /* size of q in bits (default: 160) */
int nbits; /* size of p in bits (default: 2048) */
int qbits; /* size of q in bits (default: 224) */
const EVP_MD *pmd; /* MD for parameter generation */
/* Keygen callback info */
int gentmp[2];
@@ -35,8 +35,8 @@ static int pkey_dsa_init(EVP_PKEY_CTX *ctx)

if (dctx == NULL)
return 0;
dctx->nbits = 1024;
dctx->qbits = 160;
dctx->nbits = 2048;
dctx->qbits = 224;
dctx->pmd = NULL;
dctx->md = NULL;

@@ -56,7 +56,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx)

if (rctx == NULL)
return 0;
rctx->nbits = 1024;
rctx->nbits = 2048;
rctx->primes = RSA_DEFAULT_PRIME_NUM;
if (pkey_ctx_is_pss(ctx))
rctx->pad_mode = RSA_PKCS1_PSS_PADDING;
@@ -118,7 +118,7 @@ or ED448 algorithms.

=item B<rsa_keygen_bits:numbits>

The number of bits in the generated key. If not specified 1024 is used.
The number of bits in the generated key. If not specified 2048 is used.

=item B<rsa_keygen_primes:numprimes>

@@ -185,12 +185,12 @@ below.

=item B<dsa_paramgen_bits:numbits>

The number of bits in the generated prime. If not specified 1024 is used.
The number of bits in the generated prime. If not specified 2048 is used.

=item B<dsa_paramgen_q_bits:numbits>

The number of bits in the q parameter. Must be one of 160, 224 or 256. If not
specified 160 is used.
specified 224 is used.

=item B<dsa_paramgen_md:digest>

@@ -209,7 +209,7 @@ or B<sha256> if it is 256.

=item B<dh_paramgen_prime_len:numbits>

The number of bits in the prime parameter B<p>. The default is 1024.
The number of bits in the prime parameter B<p>. The default is 2048.

=item B<dh_paramgen_subprime_len:numbits>

0 comments on commit 70b0b97

Please sign in to comment.
You can’t perform that action at this time.