if (!ret)
SILC_LOG_ERROR(("Could not load key pair"));
+ if (silc_pkcs_private_key_get_len(irssi_privkey) < 4096) {
+ fprintf(stdout,
+ "warning: Your private key %s length is under 4096 bits. It is "
+ "recommended to use at least 4096 bits. Consider generating a "
+ "new key pair.\n", prv);
+ printf("Press <Enter> to continue...\n");
+ getchar();
+ }
+
return ret;
}
/* Default settings for creating key pair */
#define SILC_CLIENT_DEF_PKCS "rsa"
-#define SILC_CLIENT_DEF_PKCS_LEN 2048
+#define SILC_CLIENT_DEF_PKCS_LEN 4096
extern SilcClient silc_client;
extern SilcHash sha1hash;
SilcAttributeObjPk pk;
SilcAttributeObjService service;
unsigned char *tmp;
- unsigned char sign[2048 + 1];
+ unsigned char sign[65536 + 1];
SilcUInt32 sign_len;
SILC_LOG_DEBUG(("Constructing Requested Attributes"));
serverconfig.c
- Author: Giovanni Giacobbi <giovanni@giacobbi.net>
+ Authors: Giovanni Giacobbi <giovanni@giacobbi.net>
+ Pekka Riikonen <priikone@silcnet.org>
- Copyright (C) 1997 - 2007 Pekka Riikonen
+ Copyright (C) 1997 - 2014 Pekka Riikonen
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
SILC_SERVER_LOG_ERROR(("Error: Could not load private key file."));
return SILC_CONFIG_EPRINTLINE;
}
+
+ /* Warn if key length is < 4096 (some versions created 4095 bit keys). */
+ if (silc_pkcs_private_key_get_len(server_info->private_key) < 4095) {
+ fprintf(stderr,
+ "warning: Your server private key %s length is under 4096 bits. "
+ "It is recommended to use at least 4096 bits. Consider "
+ "generating a new server key pair.\n", file_tmp);
+ }
}
else
return SILC_CONFIG_EINTERNAL;
Author: Pekka Riikonen <priikone@silcnet.org>
- Copyright (C) 1997 - 2007 Pekka Riikonen
+ Copyright (C) 1997 - 2014 Pekka Riikonen
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
static char *opt_keypath = NULL;
static char *opt_pkcs = "rsa";
static char *opt_identifier = NULL;
-static int opt_bits = 2048;
+static int opt_bits = 4096;
/* Prints out the usage of silc client */
silc_pkcs_register_default();
silc_hash_register_default();
silc_hmac_register_default();
+
+ if (opt_bits < 4096)
+ fprintf(stderr,
+ "warning: You have specified key length under 4096 bits. It is "
+ "recommended to use at least 4096 bits.\n");
+
if (!silc_create_key_pair(opt_pkcs, opt_bits, pubfile, prvfile,
opt_identifier, "", NULL, NULL, FALSE))
exit(1);
if (!key_len_bits) {
if (interactive) {
char *length = NULL;
- length = silc_get_input("Key length in key_len_bits [2048]: ", FALSE);
+ length = silc_get_input("Key length in key_len_bits [4096]: ", FALSE);
if (length)
key_len_bits = atoi(length);
silc_free(length);
}
if (!key_len_bits)
- key_len_bits = 2048;
+ key_len_bits = 4096;
}
if (!identifier) {
* This routine can be used to generate new public key and private key
* pair. The `pkcs_name' is the name of public key algorithm, or if
* NULL it defaults to "rsa". The `key_len_bits' is the key length
- * in bits and if zero (0) it defaults to 2048 bits. The `pub_filename'
+ * in bits and if zero (0) it defaults to 4096 bits. The `pub_filename'
* and `prv_filename' is the public key and private key filenames.
* The `pub_identifier' is the public key identifier (for example:
* "UN=foobar, HN=hostname"), or if NULL the routine generates it
SilcAttribute attribute;
SilcAttributePayload attr;
SilcAttributeObjPk pk;
- unsigned char sign[2048 + 1];
+ unsigned char sign[65536 + 1];
SilcUInt32 sign_len;
SILC_LOG_DEBUG(("Process Requested Attributes"));
&mybot->public_key,
&mybot->private_key)) {
/* The keys don't exist. Let's generate us a key pair then! There's
- nice ready routine for that too. Let's do 2048 bit RSA key pair. */
+ nice ready routine for that too. Let's do 4096 bit RSA key pair. */
fprintf(stdout, "MyBot: Key pair does not exist, generating it.\n");
- if (!silc_create_key_pair("rsa", 2048, "mybot.pub", "mybot.prv", NULL, "",
+ if (!silc_create_key_pair("rsa", 4096, "mybot.pub", "mybot.prv", NULL, "",
&mybot->public_key,
&mybot->private_key, FALSE)) {
perror("Could not generated key pair");
SilcHash hash,
const void *id, SilcIdType type)
{
- unsigned char auth_data[2048 + 1];
+ unsigned char auth_data[65536 + 1];
SilcUInt32 auth_len;
unsigned char *tmp;
SilcUInt32 tmp_len;
Author: Pekka Riikonen <priikone@silcnet.org>
- Copyright (C) 1997 - 2007 Pekka Riikonen
+ Copyright (C) 1997 - 2014 Pekka Riikonen
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
SilcHash hash)
{
SilcBuffer buffer, sign;
- unsigned char auth_data[2048 + 1];
+ unsigned char auth_data[65536 + 1];
SilcUInt32 auth_len;
unsigned char *pk = NULL;
SilcUInt32 pk_len = 0;
SilcMessagePayload message;
SilcBuffer buf;
const char *msg = "FOOBAR MESSAGE";
- unsigned char *data, tmp[1023], *tmp2;
+ unsigned char *data, tmp[8192], *tmp2;
SilcUInt32 data_len;
SilcUInt16 flags;
int i, n;
if (!silc_load_key_pair("pubkey.pub", "privkey.prv", "",
&public_key, &private_key)) {
SILC_LOG_DEBUG(("Create keypair"));
- if (!silc_create_key_pair("rsa", 2048, "pubkey.pub", "privkey.prv",
+ if (!silc_create_key_pair("rsa", 4096, "pubkey.pub", "privkey.prv",
NULL, "", &public_key, &private_key, FALSE))
goto err;
}
*
* EXAMPLE
*
- * // Generate RSA key pair with 2048 bit key length
- * silc_pkcs_silc_generate_key("rsa", 2048, ident_string, rng,
+ * // Generate RSA key pair with 4096 bit key length
+ * silc_pkcs_silc_generate_key("rsa", 4096, ident_string, rng,
* &public_key, &private_key);
*
***/
Author: Pekka Riikonen <priikone@silcnet.org>
- Copyright (C) 2003 - 2007 Pekka Riikonen
+ Copyright (C) 2003 - 2014 Pekka Riikonen
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
RsaPublicKey *key = public_key;
SilcMPInt mp_tmp;
SilcMPInt mp_dst;
- unsigned char padded[2048 + 1];
+ unsigned char padded[65536 + 1];
SilcUInt32 len = (key->bits + 7) / 8;
if (sizeof(padded) < len)
RsaPrivateKey *key = private_key;
SilcMPInt mp_tmp;
SilcMPInt mp_dst;
- unsigned char *padded, unpadded[2048 + 1];
+ unsigned char *padded, unpadded[65536 + 1];
SilcUInt32 padded_len;
if (dst_size < (key->bits + 7) / 8)
SilcHash hash)
{
RsaPrivateKey *key = private_key;
- unsigned char padded[2048 + 1], hashr[SILC_HASH_MAXLEN];
+ unsigned char padded[65536 + 1], hashr[SILC_HASH_MAXLEN];
SilcMPInt mp_tmp;
SilcMPInt mp_dst;
SilcBufferStruct di;
RsaPrivateKey *key = private_key;
SilcMPInt mp_tmp;
SilcMPInt mp_dst;
- unsigned char padded[2048 + 1], hashr[SILC_HASH_MAXLEN];
+ unsigned char padded[65536 + 1], hashr[SILC_HASH_MAXLEN];
SilcUInt32 len = (key->bits + 7) / 8;
SILC_LOG_DEBUG(("Sign"));
SilcBool ret = FALSE;
SilcMPInt mp_tmp2;
SilcMPInt mp_dst;
- unsigned char *verify, unpadded[2048 + 1], hashr[SILC_HASH_MAXLEN];
+ unsigned char *verify, unpadded[65536 + 1], hashr[SILC_HASH_MAXLEN];
SilcUInt32 verify_len, len = (key->bits + 7) / 8;
SILC_LOG_DEBUG(("Verify signature"));
/* Tests API in silcpkcs.h */
#include "silc.h"
-int key_len = 2048;
+int key_len = 4096;
const unsigned char p[] = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
int p_len = 32;
SilcPublicKeyIdentifier ident;
SilcPrivateKey privkey;
SilcBuffer buf;
- unsigned char d[4096], d2[4096];
+ unsigned char d[8192], d2[8192];
SilcUInt32 dlen, d2len;
SilcHash sha1;
if (!silc_load_key_pair("test.pub", "test.prv", "",
&info->public_key,
&info->private_key)) {
- if (!silc_create_key_pair("rsa", 2048, "test.pub", "test.prv", NULL, "",
+ if (!silc_create_key_pair("rsa", 4096, "test.pub", "test.prv", NULL, "",
&info->public_key,
&info->private_key, FALSE)) {
goto err;
/* Fixed and public Diffie Hellman Groups defined by the SKE
protocol. These are equivalent to the OAKLEY Key Determination
- protocol groups (taken from RFC 2412). */
+ protocol groups. */
const struct SilcSKEDiffieHellmanGroupDefStruct silc_ske_groups[] =
{
- /* 1024 bits modulus (Mandatory group) */
- { 1, "diffie-hellman-group1",
+ /* 1536 bits modulus (Optional group) (RFC 3526). */
+ { 2, "diffie-hellman-group2",
"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
"29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
- "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
- "FFFFFFFFFFFFFFFF",
+ "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
+ "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
+ "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
+ "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF",
"7FFFFFFFFFFFFFFFE487ED5110B4611A62633145C06E0E68"
"948127044533E63A0105DF531D89CD9128A5043CC71A026E"
"F7CA8CD9E69D218D98158536F92F8A1BA7F09AB6B6A8E122"
"F242DABB312F3F637A262174D31BF6B585FFAE5B7A035BF6"
- "F71C35FDAD44CFD2D74F9208BE258FF324943328F67329C0"
- "FFFFFFFFFFFFFFFF",
+ "F71C35FDAD44CFD2D74F9208BE258FF324943328F6722D9E"
+ "E1003E5C50B1DF82CC6D241B0E2AE9CD348B1FD47E9267AF"
+ "C1B2AE91EE51D6CB0E3179AB1042A95DCF6A9483B84B4B36"
+ "B3861AA7255E4C0278BA36046511B993FFFFFFFFFFFFFFFF",
"2" },
- /* 1536 bits modulus (Optional group) */
- { 2, "diffie-hellman-group2",
+ /* 1024 bits modulus (Mandatory group) (RFC 2412). */
+ { 1, "diffie-hellman-group1",
"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
"29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
- "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
- "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
- "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
- "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF",
+ "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
+ "FFFFFFFFFFFFFFFF",
"7FFFFFFFFFFFFFFFE487ED5110B4611A62633145C06E0E68"
"948127044533E63A0105DF531D89CD9128A5043CC71A026E"
"F7CA8CD9E69D218D98158536F92F8A1BA7F09AB6B6A8E122"
"F242DABB312F3F637A262174D31BF6B585FFAE5B7A035BF6"
- "F71C35FDAD44CFD2D74F9208BE258FF324943328F6722D9E"
- "E1003E5C50B1DF82CC6D241B0E2AE9CD348B1FD47E9267AF"
- "C1B2AE91EE51D6CB0E3179AB1042A95DCF6A9483B84B4B36"
- "B3861AA7255E4C0278BA36046511B993FFFFFFFFFFFFFFFF",
+ "F71C35FDAD44CFD2D74F9208BE258FF324943328F67329C0"
+ "FFFFFFFFFFFFFFFF",
"2" },
{ 0, NULL, NULL, NULL }
/* Compute signature data if we are doing mutual authentication */
if (ske->private_key && ske->prop->flags & SILC_SKE_SP_FLAG_MUTUAL) {
- unsigned char hash[SILC_HASH_MAXLEN], sign[2048 + 1];
+ unsigned char hash[SILC_HASH_MAXLEN], sign[65536 + 1];
SilcUInt32 hash_len, sign_len;
SILC_LOG_DEBUG(("We are doing mutual authentication"));
SilcSKE ske = fsm_context;
SilcSKEStatus status;
SilcBuffer payload_buf;
- unsigned char hash[SILC_HASH_MAXLEN], sign[2048 + 1], *pk;
+ unsigned char hash[SILC_HASH_MAXLEN], sign[65536 + 1], *pk;
SilcUInt32 hash_len, sign_len, pk_len;
SILC_LOG_DEBUG(("Start"));
projects / silc.git / commitdiff