summary |
shortlog |
log |
commit | commitdiff |
tree
raw |
patch |
inline | side by side (from parent 1:
d4ead70)
This commit changes the default PKCS key length from 2048 bits to 4096
bits. It adds warnings to both SILC client and SILC server in start up
in case the existing key is shorter than 4096 to encourage people to
generate new key longer key pair.
This commit also changes the default SKE DH group from 1024 to 1536 bits.
The old group is still supported.
18 files changed:
if (!ret)
SILC_LOG_ERROR(("Could not load key pair"));
if (!ret)
SILC_LOG_ERROR(("Could not load key pair"));
+ if (silc_pkcs_private_key_get_len(irssi_privkey) < 4096) {
+ fprintf(stdout,
+ "warning: Your private key %s length is under 4096 bits. It is "
+ "recommended to use at least 4096 bits. Consider generating a "
+ "new key pair.\n", prv);
+ printf("Press <Enter> to continue...\n");
+ getchar();
+ }
+
/* Default settings for creating key pair */
#define SILC_CLIENT_DEF_PKCS "rsa"
/* Default settings for creating key pair */
#define SILC_CLIENT_DEF_PKCS "rsa"
-#define SILC_CLIENT_DEF_PKCS_LEN 2048
+#define SILC_CLIENT_DEF_PKCS_LEN 4096
extern SilcClient silc_client;
extern SilcHash sha1hash;
extern SilcClient silc_client;
extern SilcHash sha1hash;
SilcAttributeObjPk pk;
SilcAttributeObjService service;
unsigned char *tmp;
SilcAttributeObjPk pk;
SilcAttributeObjService service;
unsigned char *tmp;
- unsigned char sign[2048 + 1];
+ unsigned char sign[65536 + 1];
SilcUInt32 sign_len;
SILC_LOG_DEBUG(("Constructing Requested Attributes"));
SilcUInt32 sign_len;
SILC_LOG_DEBUG(("Constructing Requested Attributes"));
- Author: Giovanni Giacobbi <giovanni@giacobbi.net>
+ Authors: Giovanni Giacobbi <giovanni@giacobbi.net>
+ Pekka Riikonen <priikone@silcnet.org>
- Copyright (C) 1997 - 2007 Pekka Riikonen
+ Copyright (C) 1997 - 2014 Pekka Riikonen
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
SILC_SERVER_LOG_ERROR(("Error: Could not load private key file."));
return SILC_CONFIG_EPRINTLINE;
}
SILC_SERVER_LOG_ERROR(("Error: Could not load private key file."));
return SILC_CONFIG_EPRINTLINE;
}
+
+ /* Warn if key length is < 4096 (some versions created 4095 bit keys). */
+ if (silc_pkcs_private_key_get_len(server_info->private_key) < 4095) {
+ fprintf(stderr,
+ "warning: Your server private key %s length is under 4096 bits. "
+ "It is recommended to use at least 4096 bits. Consider "
+ "generating a new server key pair.\n", file_tmp);
+ }
}
else
return SILC_CONFIG_EINTERNAL;
}
else
return SILC_CONFIG_EINTERNAL;
Author: Pekka Riikonen <priikone@silcnet.org>
Author: Pekka Riikonen <priikone@silcnet.org>
- Copyright (C) 1997 - 2007 Pekka Riikonen
+ Copyright (C) 1997 - 2014 Pekka Riikonen
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
static char *opt_keypath = NULL;
static char *opt_pkcs = "rsa";
static char *opt_identifier = NULL;
static char *opt_keypath = NULL;
static char *opt_pkcs = "rsa";
static char *opt_identifier = NULL;
-static int opt_bits = 2048;
+static int opt_bits = 4096;
/* Prints out the usage of silc client */
/* Prints out the usage of silc client */
silc_pkcs_register_default();
silc_hash_register_default();
silc_hmac_register_default();
silc_pkcs_register_default();
silc_hash_register_default();
silc_hmac_register_default();
+
+ if (opt_bits < 4096)
+ fprintf(stderr,
+ "warning: You have specified key length under 4096 bits. It is "
+ "recommended to use at least 4096 bits.\n");
+
if (!silc_create_key_pair(opt_pkcs, opt_bits, pubfile, prvfile,
opt_identifier, "", NULL, NULL, FALSE))
exit(1);
if (!silc_create_key_pair(opt_pkcs, opt_bits, pubfile, prvfile,
opt_identifier, "", NULL, NULL, FALSE))
exit(1);
if (!key_len_bits) {
if (interactive) {
char *length = NULL;
if (!key_len_bits) {
if (interactive) {
char *length = NULL;
- length = silc_get_input("Key length in key_len_bits [2048]: ", FALSE);
+ length = silc_get_input("Key length in key_len_bits [4096]: ", FALSE);
if (length)
key_len_bits = atoi(length);
silc_free(length);
}
if (!key_len_bits)
if (length)
key_len_bits = atoi(length);
silc_free(length);
}
if (!key_len_bits)
* This routine can be used to generate new public key and private key
* pair. The `pkcs_name' is the name of public key algorithm, or if
* NULL it defaults to "rsa". The `key_len_bits' is the key length
* This routine can be used to generate new public key and private key
* pair. The `pkcs_name' is the name of public key algorithm, or if
* NULL it defaults to "rsa". The `key_len_bits' is the key length
- * in bits and if zero (0) it defaults to 2048 bits. The `pub_filename'
+ * in bits and if zero (0) it defaults to 4096 bits. The `pub_filename'
* and `prv_filename' is the public key and private key filenames.
* The `pub_identifier' is the public key identifier (for example:
* "UN=foobar, HN=hostname"), or if NULL the routine generates it
* and `prv_filename' is the public key and private key filenames.
* The `pub_identifier' is the public key identifier (for example:
* "UN=foobar, HN=hostname"), or if NULL the routine generates it
SilcAttribute attribute;
SilcAttributePayload attr;
SilcAttributeObjPk pk;
SilcAttribute attribute;
SilcAttributePayload attr;
SilcAttributeObjPk pk;
- unsigned char sign[2048 + 1];
+ unsigned char sign[65536 + 1];
SilcUInt32 sign_len;
SILC_LOG_DEBUG(("Process Requested Attributes"));
SilcUInt32 sign_len;
SILC_LOG_DEBUG(("Process Requested Attributes"));
&mybot->public_key,
&mybot->private_key)) {
/* The keys don't exist. Let's generate us a key pair then! There's
&mybot->public_key,
&mybot->private_key)) {
/* The keys don't exist. Let's generate us a key pair then! There's
- nice ready routine for that too. Let's do 2048 bit RSA key pair. */
+ nice ready routine for that too. Let's do 4096 bit RSA key pair. */
fprintf(stdout, "MyBot: Key pair does not exist, generating it.\n");
fprintf(stdout, "MyBot: Key pair does not exist, generating it.\n");
- if (!silc_create_key_pair("rsa", 2048, "mybot.pub", "mybot.prv", NULL, "",
+ if (!silc_create_key_pair("rsa", 4096, "mybot.pub", "mybot.prv", NULL, "",
&mybot->public_key,
&mybot->private_key, FALSE)) {
perror("Could not generated key pair");
&mybot->public_key,
&mybot->private_key, FALSE)) {
perror("Could not generated key pair");
SilcHash hash,
const void *id, SilcIdType type)
{
SilcHash hash,
const void *id, SilcIdType type)
{
- unsigned char auth_data[2048 + 1];
+ unsigned char auth_data[65536 + 1];
SilcUInt32 auth_len;
unsigned char *tmp;
SilcUInt32 tmp_len;
SilcUInt32 auth_len;
unsigned char *tmp;
SilcUInt32 tmp_len;
Author: Pekka Riikonen <priikone@silcnet.org>
Author: Pekka Riikonen <priikone@silcnet.org>
- Copyright (C) 1997 - 2007 Pekka Riikonen
+ Copyright (C) 1997 - 2014 Pekka Riikonen
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
SilcHash hash)
{
SilcBuffer buffer, sign;
SilcHash hash)
{
SilcBuffer buffer, sign;
- unsigned char auth_data[2048 + 1];
+ unsigned char auth_data[65536 + 1];
SilcUInt32 auth_len;
unsigned char *pk = NULL;
SilcUInt32 pk_len = 0;
SilcUInt32 auth_len;
unsigned char *pk = NULL;
SilcUInt32 pk_len = 0;
SilcMessagePayload message;
SilcBuffer buf;
const char *msg = "FOOBAR MESSAGE";
SilcMessagePayload message;
SilcBuffer buf;
const char *msg = "FOOBAR MESSAGE";
- unsigned char *data, tmp[1023], *tmp2;
+ unsigned char *data, tmp[8192], *tmp2;
SilcUInt32 data_len;
SilcUInt16 flags;
int i, n;
SilcUInt32 data_len;
SilcUInt16 flags;
int i, n;
if (!silc_load_key_pair("pubkey.pub", "privkey.prv", "",
&public_key, &private_key)) {
SILC_LOG_DEBUG(("Create keypair"));
if (!silc_load_key_pair("pubkey.pub", "privkey.prv", "",
&public_key, &private_key)) {
SILC_LOG_DEBUG(("Create keypair"));
- if (!silc_create_key_pair("rsa", 2048, "pubkey.pub", "privkey.prv",
+ if (!silc_create_key_pair("rsa", 4096, "pubkey.pub", "privkey.prv",
NULL, "", &public_key, &private_key, FALSE))
goto err;
}
NULL, "", &public_key, &private_key, FALSE))
goto err;
}
- * // Generate RSA key pair with 2048 bit key length
- * silc_pkcs_silc_generate_key("rsa", 2048, ident_string, rng,
+ * // Generate RSA key pair with 4096 bit key length
+ * silc_pkcs_silc_generate_key("rsa", 4096, ident_string, rng,
* &public_key, &private_key);
*
***/
* &public_key, &private_key);
*
***/
Author: Pekka Riikonen <priikone@silcnet.org>
Author: Pekka Riikonen <priikone@silcnet.org>
- Copyright (C) 2003 - 2007 Pekka Riikonen
+ Copyright (C) 2003 - 2014 Pekka Riikonen
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
RsaPublicKey *key = public_key;
SilcMPInt mp_tmp;
SilcMPInt mp_dst;
RsaPublicKey *key = public_key;
SilcMPInt mp_tmp;
SilcMPInt mp_dst;
- unsigned char padded[2048 + 1];
+ unsigned char padded[65536 + 1];
SilcUInt32 len = (key->bits + 7) / 8;
if (sizeof(padded) < len)
SilcUInt32 len = (key->bits + 7) / 8;
if (sizeof(padded) < len)
RsaPrivateKey *key = private_key;
SilcMPInt mp_tmp;
SilcMPInt mp_dst;
RsaPrivateKey *key = private_key;
SilcMPInt mp_tmp;
SilcMPInt mp_dst;
- unsigned char *padded, unpadded[2048 + 1];
+ unsigned char *padded, unpadded[65536 + 1];
SilcUInt32 padded_len;
if (dst_size < (key->bits + 7) / 8)
SilcUInt32 padded_len;
if (dst_size < (key->bits + 7) / 8)
SilcHash hash)
{
RsaPrivateKey *key = private_key;
SilcHash hash)
{
RsaPrivateKey *key = private_key;
- unsigned char padded[2048 + 1], hashr[SILC_HASH_MAXLEN];
+ unsigned char padded[65536 + 1], hashr[SILC_HASH_MAXLEN];
SilcMPInt mp_tmp;
SilcMPInt mp_dst;
SilcBufferStruct di;
SilcMPInt mp_tmp;
SilcMPInt mp_dst;
SilcBufferStruct di;
RsaPrivateKey *key = private_key;
SilcMPInt mp_tmp;
SilcMPInt mp_dst;
RsaPrivateKey *key = private_key;
SilcMPInt mp_tmp;
SilcMPInt mp_dst;
- unsigned char padded[2048 + 1], hashr[SILC_HASH_MAXLEN];
+ unsigned char padded[65536 + 1], hashr[SILC_HASH_MAXLEN];
SilcUInt32 len = (key->bits + 7) / 8;
SILC_LOG_DEBUG(("Sign"));
SilcUInt32 len = (key->bits + 7) / 8;
SILC_LOG_DEBUG(("Sign"));
SilcBool ret = FALSE;
SilcMPInt mp_tmp2;
SilcMPInt mp_dst;
SilcBool ret = FALSE;
SilcMPInt mp_tmp2;
SilcMPInt mp_dst;
- unsigned char *verify, unpadded[2048 + 1], hashr[SILC_HASH_MAXLEN];
+ unsigned char *verify, unpadded[65536 + 1], hashr[SILC_HASH_MAXLEN];
SilcUInt32 verify_len, len = (key->bits + 7) / 8;
SILC_LOG_DEBUG(("Verify signature"));
SilcUInt32 verify_len, len = (key->bits + 7) / 8;
SILC_LOG_DEBUG(("Verify signature"));
/* Tests API in silcpkcs.h */
#include "silc.h"
/* Tests API in silcpkcs.h */
#include "silc.h"
const unsigned char p[] = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
int p_len = 32;
const unsigned char p[] = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
int p_len = 32;
SilcPublicKeyIdentifier ident;
SilcPrivateKey privkey;
SilcBuffer buf;
SilcPublicKeyIdentifier ident;
SilcPrivateKey privkey;
SilcBuffer buf;
- unsigned char d[4096], d2[4096];
+ unsigned char d[8192], d2[8192];
SilcUInt32 dlen, d2len;
SilcHash sha1;
SilcUInt32 dlen, d2len;
SilcHash sha1;
if (!silc_load_key_pair("test.pub", "test.prv", "",
&info->public_key,
&info->private_key)) {
if (!silc_load_key_pair("test.pub", "test.prv", "",
&info->public_key,
&info->private_key)) {
- if (!silc_create_key_pair("rsa", 2048, "test.pub", "test.prv", NULL, "",
+ if (!silc_create_key_pair("rsa", 4096, "test.pub", "test.prv", NULL, "",
&info->public_key,
&info->private_key, FALSE)) {
goto err;
&info->public_key,
&info->private_key, FALSE)) {
goto err;
/* Fixed and public Diffie Hellman Groups defined by the SKE
protocol. These are equivalent to the OAKLEY Key Determination
/* Fixed and public Diffie Hellman Groups defined by the SKE
protocol. These are equivalent to the OAKLEY Key Determination
- protocol groups (taken from RFC 2412). */
const struct SilcSKEDiffieHellmanGroupDefStruct silc_ske_groups[] =
{
const struct SilcSKEDiffieHellmanGroupDefStruct silc_ske_groups[] =
{
- /* 1024 bits modulus (Mandatory group) */
- { 1, "diffie-hellman-group1",
+ /* 1536 bits modulus (Optional group) (RFC 3526). */
+ { 2, "diffie-hellman-group2",
"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
"29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
"29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
- "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
- "FFFFFFFFFFFFFFFF",
+ "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
+ "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
+ "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
+ "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF",
"7FFFFFFFFFFFFFFFE487ED5110B4611A62633145C06E0E68"
"948127044533E63A0105DF531D89CD9128A5043CC71A026E"
"F7CA8CD9E69D218D98158536F92F8A1BA7F09AB6B6A8E122"
"F242DABB312F3F637A262174D31BF6B585FFAE5B7A035BF6"
"7FFFFFFFFFFFFFFFE487ED5110B4611A62633145C06E0E68"
"948127044533E63A0105DF531D89CD9128A5043CC71A026E"
"F7CA8CD9E69D218D98158536F92F8A1BA7F09AB6B6A8E122"
"F242DABB312F3F637A262174D31BF6B585FFAE5B7A035BF6"
- "F71C35FDAD44CFD2D74F9208BE258FF324943328F67329C0"
- "FFFFFFFFFFFFFFFF",
+ "F71C35FDAD44CFD2D74F9208BE258FF324943328F6722D9E"
+ "E1003E5C50B1DF82CC6D241B0E2AE9CD348B1FD47E9267AF"
+ "C1B2AE91EE51D6CB0E3179AB1042A95DCF6A9483B84B4B36"
+ "B3861AA7255E4C0278BA36046511B993FFFFFFFFFFFFFFFF",
- /* 1536 bits modulus (Optional group) */
- { 2, "diffie-hellman-group2",
+ /* 1024 bits modulus (Mandatory group) (RFC 2412). */
+ { 1, "diffie-hellman-group1",
"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
"29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
"29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
- "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
- "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
- "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
- "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF",
+ "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
+ "FFFFFFFFFFFFFFFF",
"7FFFFFFFFFFFFFFFE487ED5110B4611A62633145C06E0E68"
"948127044533E63A0105DF531D89CD9128A5043CC71A026E"
"F7CA8CD9E69D218D98158536F92F8A1BA7F09AB6B6A8E122"
"F242DABB312F3F637A262174D31BF6B585FFAE5B7A035BF6"
"7FFFFFFFFFFFFFFFE487ED5110B4611A62633145C06E0E68"
"948127044533E63A0105DF531D89CD9128A5043CC71A026E"
"F7CA8CD9E69D218D98158536F92F8A1BA7F09AB6B6A8E122"
"F242DABB312F3F637A262174D31BF6B585FFAE5B7A035BF6"
- "F71C35FDAD44CFD2D74F9208BE258FF324943328F6722D9E"
- "E1003E5C50B1DF82CC6D241B0E2AE9CD348B1FD47E9267AF"
- "C1B2AE91EE51D6CB0E3179AB1042A95DCF6A9483B84B4B36"
- "B3861AA7255E4C0278BA36046511B993FFFFFFFFFFFFFFFF",
+ "F71C35FDAD44CFD2D74F9208BE258FF324943328F67329C0"
+ "FFFFFFFFFFFFFFFF",
"2" },
{ 0, NULL, NULL, NULL }
"2" },
{ 0, NULL, NULL, NULL }
/* Compute signature data if we are doing mutual authentication */
if (ske->private_key && ske->prop->flags & SILC_SKE_SP_FLAG_MUTUAL) {
/* Compute signature data if we are doing mutual authentication */
if (ske->private_key && ske->prop->flags & SILC_SKE_SP_FLAG_MUTUAL) {
- unsigned char hash[SILC_HASH_MAXLEN], sign[2048 + 1];
+ unsigned char hash[SILC_HASH_MAXLEN], sign[65536 + 1];
SilcUInt32 hash_len, sign_len;
SILC_LOG_DEBUG(("We are doing mutual authentication"));
SilcUInt32 hash_len, sign_len;
SILC_LOG_DEBUG(("We are doing mutual authentication"));
SilcSKE ske = fsm_context;
SilcSKEStatus status;
SilcBuffer payload_buf;
SilcSKE ske = fsm_context;
SilcSKEStatus status;
SilcBuffer payload_buf;
- unsigned char hash[SILC_HASH_MAXLEN], sign[2048 + 1], *pk;
+ unsigned char hash[SILC_HASH_MAXLEN], sign[65536 + 1], *pk;
SilcUInt32 hash_len, sign_len, pk_len;
SILC_LOG_DEBUG(("Start"));
SilcUInt32 hash_len, sign_len, pk_len;
SILC_LOG_DEBUG(("Start"));