Make dropbearkey only generate 1024 bit keys
--HG--
extra : convert_revision : 8a7db1e2fdc5636abb338adb636babc32f465739
diff --git a/CHANGES b/CHANGES
index 7239fbd..27aa5cf 100644
--- a/CHANGES
+++ b/CHANGES
@@ -21,6 +21,10 @@
- Add -K <keepalive_time> argument, ensuring that data is transmitted
over the connection at least every N seconds.
+- dropbearkey will no longer generate DSS keys of sizes other than 1024
+ bits, as required by the DSS specification. (Other sizes are still
+ accepted for use to provide backwards compatibility).
+
0.49 - Fri 23 February 2007
- Security: dbclient previously would prompt to confirm a
diff --git a/dropbearkey.c b/dropbearkey.c
index 2433381..aff809f 100644
--- a/dropbearkey.c
+++ b/dropbearkey.c
@@ -75,6 +75,7 @@
#endif
"-f filename Use filename for the secret key\n"
"-s bits Key size in bits, should be a multiple of 8 (optional)\n"
+ " (DSS has a fixed size of 1024 bits)\n"
"-y Just print the publickey and fingerprint for the\n private key in <filename>.\n"
#ifdef DEBUG_TRACE
"-v verbose\n"
@@ -187,8 +188,11 @@
fprintf(stderr, "Bits must be an integer\n");
exit(EXIT_FAILURE);
}
-
- if (bits < 512 || bits > 4096 || (bits % 8 != 0)) {
+
+ if (keytype == DROPBEAR_SIGNKEY_DSS && bits != 1024) {
+ fprintf(stderr, "DSS keys have a fixed size of 1024 bits\n");
+ exit(EXIT_FAILURE);
+ } else if (bits < 512 || bits > 4096 || (bits % 8 != 0)) {
fprintf(stderr, "Bits must satisfy 512 <= bits <= 4096, and be a"
" multiple of 8\n");
exit(EXIT_FAILURE);
