RT2626: Change default_bits from 1K to 2K

This is a more comprehensive fix. It changes all keygen apps to use 2K keys. It also changes the default to use SHA256 not SHA1. This is from Kurt's upstream Debian changes. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-09-08 17:14:36 -04:00 · 2014-09-08 17:14:36 -04:00 · 44e0c2bae4
commit 44e0c2bae4
parent 5f855569c4
8 changed files with 9 additions and 9 deletions
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@ -130,7 +130,7 @@
 #undef PROG
 #define PROG	dhparam_main

-#define DEFBITS	512
+#define DEFBITS	2048

 /* -inform arg	- input format - default PEM (DER or PEM)
 * -outform arg - output format - default PEM
@ -253,7 +253,7 @@ bad:
 		BIO_printf(bio_err," -C            Output C code\n");
 		BIO_printf(bio_err," -2            generate parameters using  2 as the generator value\n");
 		BIO_printf(bio_err," -5            generate parameters using  5 as the generator value\n");
-		BIO_printf(bio_err," numbits       number of bits in to generate (default 512)\n");
+		BIO_printf(bio_err," numbits       number of bits in to generate (default 2048)\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 #endif
--- a/apps/gendh.c
+++ b/apps/gendh.c
@ -78,7 +78,7 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>

-#define DEFBITS	512
+#define DEFBITS	2048
 #undef PROG
 #define PROG gendh_main

--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@ -78,7 +78,7 @@
 #include <openssl/pem.h>
 #include <openssl/rand.h>

-#define DEFBITS	1024
+#define DEFBITS	2048
 #undef PROG
 #define PROG genrsa_main

--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@ -103,7 +103,7 @@ emailAddress		= optional

 ####################################################################
 [ req ]
-default_bits		= 1024
+default_bits		= 2048
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
--- a/crypto/dsa/dsa_ameth.c
+++ b/crypto/dsa/dsa_ameth.c
@ -643,7 +643,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
 #endif

 		case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
-		*(int *)arg2 = NID_sha1;
+		*(int *)arg2 = NID_sha256;
 		return 2;

 		default:
--- a/crypto/ec/ec_ameth.c
+++ b/crypto/ec/ec_ameth.c
@ -649,7 +649,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
 #endif

 		case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
-		*(int *)arg2 = NID_sha1;
+		*(int *)arg2 = NID_sha256;
 		return 2;

 		default:
--- a/crypto/hmac/hm_ameth.c
+++ b/crypto/hmac/hm_ameth.c
@ -89,7 +89,7 @@ static int hmac_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
 	switch (op)
 		{
 		case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
-		*(int *)arg2 = NID_sha1;
+		*(int *)arg2 = NID_sha256;
 		return 1;

 		default:
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@ -460,7 +460,7 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
 #endif

 		case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
-		*(int *)arg2 = NID_sha1;
+		*(int *)arg2 = NID_sha256;
 		return 1;

 		default: