From: Kurt Roeckx Date: Mon, 8 Sep 2014 21:14:36 +0000 (-0400) Subject: RT2626: Change default_bits from 1K to 2K X-Git-Tag: OpenSSL_1_0_2-beta3~41 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=57c932dafde94365751568174a3250a25ee17e07;p=oweals%2Fopenssl.git RT2626: Change default_bits from 1K to 2K This is a more comprehensive fix. It changes all keygen apps to use 2K keys. It also changes the default to use SHA256 not SHA1. This is from Kurt's upstream Debian changes. Reviewed-by: Rich Salz Reviewed-by: Kurt Roeckx (cherry picked from commit 44e0c2bae4bfd87d770480902618dbccde84fd81) --- diff --git a/apps/dhparam.c b/apps/dhparam.c index f5d7126af7..606365e180 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -130,7 +130,7 @@ #undef PROG #define PROG dhparam_main -#define DEFBITS 512 +#define DEFBITS 2048 /* -inform arg - input format - default PEM (DER or PEM) * -outform arg - output format - default PEM @@ -253,7 +253,7 @@ bad: BIO_printf(bio_err," -C Output C code\n"); BIO_printf(bio_err," -2 generate parameters using 2 as the generator value\n"); BIO_printf(bio_err," -5 generate parameters using 5 as the generator value\n"); - BIO_printf(bio_err," numbits number of bits in to generate (default 512)\n"); + BIO_printf(bio_err," numbits number of bits in to generate (default 2048)\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); #endif diff --git a/apps/gendh.c b/apps/gendh.c index 4ec776ba93..8df8c62f8a 100644 --- a/apps/gendh.c +++ b/apps/gendh.c @@ -78,7 +78,7 @@ #include #include -#define DEFBITS 512 +#define DEFBITS 2048 #undef PROG #define PROG gendh_main diff --git a/apps/genrsa.c b/apps/genrsa.c index ece114c876..7a8c6c58ad 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -78,7 +78,7 @@ #include #include -#define DEFBITS 1024 +#define DEFBITS 2048 #undef PROG #define PROG genrsa_main diff --git a/apps/openssl.cnf b/apps/openssl.cnf index 18760c6e67..1eb86c4012 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf @@ -103,7 +103,7 @@ emailAddress = optional #################################################################### [ req ] -default_bits = 1024 +default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c index f89b3c711c..c46c264030 100644 --- a/crypto/dsa/dsa_ameth.c +++ b/crypto/dsa/dsa_ameth.c @@ -638,7 +638,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) #endif case ASN1_PKEY_CTRL_DEFAULT_MD_NID: - *(int *)arg2 = NID_sha1; + *(int *)arg2 = NID_sha256; return 2; default: diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index fd6d0218d4..898b03e40a 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -633,7 +633,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) #endif case ASN1_PKEY_CTRL_DEFAULT_MD_NID: - *(int *)arg2 = NID_sha1; + *(int *)arg2 = NID_sha256; return 2; default: diff --git a/crypto/hmac/hm_ameth.c b/crypto/hmac/hm_ameth.c index e03f24aeda..9fe6505bd5 100644 --- a/crypto/hmac/hm_ameth.c +++ b/crypto/hmac/hm_ameth.c @@ -89,7 +89,7 @@ static int hmac_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) switch (op) { case ASN1_PKEY_CTRL_DEFAULT_MD_NID: - *(int *)arg2 = NID_sha1; + *(int *)arg2 = NID_sha256; return 1; default: diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index c317e8a5de..41bacc8747 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -455,7 +455,7 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) #endif case ASN1_PKEY_CTRL_DEFAULT_MD_NID: - *(int *)arg2 = NID_sha1; + *(int *)arg2 = NID_sha256; return 1; default: