RT2626: Change default_bits from 1K to 2K This is a more comprehensive fix. It changes all keygen apps to use 2K keys. It also changes the default to use SHA256 not SHA1. This is from Kurt's upstream Debian changes. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@openssl.org>

commit: 44e0c2bae4bfd87d770480902618dbccde84fd81 [log] [tgz]
author: Kurt Roeckx <kurt@roeckx.be> Mon Sep 08 17:14:36 2014 -0400
committer: Rich Salz <rsalz@openssl.org> Mon Sep 08 17:21:04 2014 -0400
tree: fec922dd02ccada0d46acea1710604171a5633d8
parent: 5f855569c452262a8770ed822c7f98f5fac3e3d6 [diff]
diff --git a/apps/dhparam.c b/apps/dhparam.c
index f5d7126..606365e 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c

@@ -130,7 +130,7 @@
 #undef PROG
 #define PROG	dhparam_main
 
-#define DEFBITS	512
+#define DEFBITS	2048
 
 /* -inform arg	- input format - default PEM (DER or PEM)
  * -outform arg - output format - default PEM
@@ -253,7 +253,7 @@
 		BIO_printf(bio_err," -C            Output C code\n");
 		BIO_printf(bio_err," -2            generate parameters using  2 as the generator value\n");
 		BIO_printf(bio_err," -5            generate parameters using  5 as the generator value\n");
-		BIO_printf(bio_err," numbits       number of bits in to generate (default 512)\n");
+		BIO_printf(bio_err," numbits       number of bits in to generate (default 2048)\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 #endif

diff --git a/apps/gendh.c b/apps/gendh.c
index 4ec776b..8df8c62 100644
--- a/apps/gendh.c
+++ b/apps/gendh.c

@@ -78,7 +78,7 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 
-#define DEFBITS	512
+#define DEFBITS	2048
 #undef PROG
 #define PROG gendh_main
 

diff --git a/apps/genrsa.c b/apps/genrsa.c
index 94cb613..6b835c0 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c

@@ -78,7 +78,7 @@
 #include <openssl/pem.h>
 #include <openssl/rand.h>
 
-#define DEFBITS	1024
+#define DEFBITS	2048
 #undef PROG
 #define PROG genrsa_main
 

diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 514e640..41c2a37 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf

@@ -103,7 +103,7 @@
 
 ####################################################################
 [ req ]
-default_bits		= 1024
+default_bits		= 2048
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes

diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c
index 50273b0..61a1b01 100644
--- a/crypto/dsa/dsa_ameth.c
+++ b/crypto/dsa/dsa_ameth.c

@@ -643,7 +643,7 @@
 #endif
 
 		case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
-		*(int *)arg2 = NID_sha1;
+		*(int *)arg2 = NID_sha256;
 		return 2;
 
 		default:

diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
index a149bf6..62ea5a9 100644
--- a/crypto/ec/ec_ameth.c
+++ b/crypto/ec/ec_ameth.c

@@ -649,7 +649,7 @@
 #endif
 
 		case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
-		*(int *)arg2 = NID_sha1;
+		*(int *)arg2 = NID_sha256;
 		return 2;
 
 		default:

diff --git a/crypto/hmac/hm_ameth.c b/crypto/hmac/hm_ameth.c
index 3d998e9..ff937ca 100644
--- a/crypto/hmac/hm_ameth.c
+++ b/crypto/hmac/hm_ameth.c

@@ -89,7 +89,7 @@
 	switch (op)
 		{
 		case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
-		*(int *)arg2 = NID_sha1;
+		*(int *)arg2 = NID_sha256;
 		return 1;
 
 		default:

diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index c6e083f..419a5d4 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c

@@ -460,7 +460,7 @@
 #endif
 
 		case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
-		*(int *)arg2 = NID_sha1;
+		*(int *)arg2 = NID_sha256;
 		return 1;
 
 		default:
commit	44e0c2bae4bfd87d770480902618dbccde84fd81	[log] [tgz]
author	Kurt Roeckx <kurt@roeckx.be>	Mon Sep 08 17:14:36 2014 -0400
committer	Rich Salz <rsalz@openssl.org>	Mon Sep 08 17:21:04 2014 -0400
tree	fec922dd02ccada0d46acea1710604171a5633d8
parent	5f855569c452262a8770ed822c7f98f5fac3e3d6 [diff]