Issue warnings for large DSA and RSA keys

Issue a warning when generating DSA or RSA keys of size greater than OPENSSL_DSA_MAX_MODULUS_BITS resp. OPENSSL_RSA_MAX_MODULUS_BITS. Reviewed-by: N Paul Dale <paul.dale@oracle.com> Reviewed-by: N Rich Salz <rsalz@openssl.org> Reviewed-by: N Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6380)

Issue warnings for large DSA and RSA keys
Issue a warning when generating DSA or RSA keys of size greater than OPENSSL_DSA_MAX_MODULUS_BITS resp. OPENSSL_RSA_MAX_MODULUS_BITS. Reviewed-by: N Paul Dale <paul.dale@oracle.com> Reviewed-by: N Rich Salz <rsalz@openssl.org> Reviewed-by: N Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6380)
0336df2f · Georg Schmidt · Dr. Matthias St. Pierre · 630fe1da · 0336df2f · 0336df2f
显示空白变更内容
内联并排

Showing with 30 addition and 0 deletion

apps/dsaparam.c apps/dsaparam.c +6 -0

apps/gendsa.c apps/gendsa.c +7 -0

apps/genrsa.c apps/genrsa.c +5 -0

apps/req.c apps/req.c +12 -0

未找到文件。
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -128,6 +128,12 @@ int dsaparam_main(int argc, char **argv)
        goto end;

    if (numbits > 0) {
+        if (numbits > OPENSSL_DSA_MAX_MODULUS_BITS)
+            BIO_printf(bio_err,
+                       "Warning: It is not recommended to use more than %d bit for DSA keys.\n"
+                       "         Your key size is %d! Larger key size may behave not as expected.\n",
+                       OPENSSL_DSA_MAX_MODULUS_BITS, numbits);
+
        cb = BN_GENCB_new();
        if (cb == NULL) {
            BIO_printf(bio_err, "Error allocating BN_GENCB object\n");

--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -117,6 +117,13 @@ int gendsa_main(int argc, char **argv)
        goto end2;

    DSA_get0_pqg(dsa, &p, NULL, NULL);
+
+    if (BN_num_bits(p) > OPENSSL_DSA_MAX_MODULUS_BITS)
+        BIO_printf(bio_err,
+                   "Warning: It is not recommended to use more than %d bit for DSA keys.\n"
+                   "         Your key size is %d! Larger key size may behave not as expected.\n",
+                   OPENSSL_DSA_MAX_MODULUS_BITS, BN_num_bits(p));
+
    BIO_printf(bio_err, "Generating DSA key, %d bits\n", BN_num_bits(p));
    if (!DSA_generate_key(dsa))
        goto end;

--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -123,6 +123,11 @@ opthelp:
    if (argc == 1) {
        if (!opt_int(argv[0], &num) || num <= 0)
            goto end;
+        if (num > OPENSSL_RSA_MAX_MODULUS_BITS)
+            BIO_printf(bio_err,
+                       "Warning: It is not recommended to use more than %d bit for RSA keys.\n"
+                       "         Your key size is %d! Larger key size may behave not as expected.\n",
+                       OPENSSL_RSA_MAX_MODULUS_BITS, num);
    } else if (argc > 0) {
        BIO_printf(bio_err, "Extra arguments given.\n");
        goto opthelp;

--- a/apps/req.c
+++ b/apps/req.c
@@ -517,6 +517,18 @@ int req_main(int argc, char **argv)
            goto end;
        }

+        if (pkey_type == EVP_PKEY_RSA && newkey > OPENSSL_RSA_MAX_MODULUS_BITS)
+            BIO_printf(bio_err,
+                       "Warning: It is not recommended to use more than %d bit for RSA keys.\n"
+                       "         Your key size is %ld! Larger key size may behave not as expected.\n",
+                       OPENSSL_RSA_MAX_MODULUS_BITS, newkey);
+
+        if (pkey_type == EVP_PKEY_DSA && newkey > OPENSSL_DSA_MAX_MODULUS_BITS)
+            BIO_printf(bio_err,
+                       "Warning: It is not recommended to use more than %d bit for DSA keys.\n"
+                       "         Your key size is %ld! Larger key size may behave not as expected.\n",
+                       OPENSSL_DSA_MAX_MODULUS_BITS, newkey);
+
        if (genctx == NULL) {
            genctx = set_keygen_ctx(NULL, &pkey_type, &newkey,
                                    &keyalgstr, gen_eng);