mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 01:02:24 +00:00

Warn about short RSA/DSA keys in PuTTYgen.

It's only a warning; Windows PuTTYgen puts it up as a message box, and
will still generate the key if you click yes, and Unix PuTTYgen just
prints the warning and gets on with generation anyway. But it might
help encourage people to move away from 1024-bit keys, if they're
still using them.
Simon Tatham 2016-04-02 08:00:37 +01:00
parent b0b5d5fbe6
commit 57477cb7ca
2 changed files with 21 additions and 2 deletions


@ -223,6 +223,8 @@ static char *readpassphrase(const char *filename)
return line; return line;
} }
#define DEFAULT_RSADSA_BITS 2048
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
char *infile = NULL; char *infile = NULL;
@ -500,7 +502,7 @@ int main(int argc, char **argv)
bits = 256; bits = 256;
break; break;
default: default:
bits = 2048; bits = DEFAULT_RSADSA_BITS;
break; break;
} }
} }
@ -520,6 +522,11 @@ int main(int argc, char **argv)
fprintf(stderr, "puttygen: cannot generate %s keys shorter than" fprintf(stderr, "puttygen: cannot generate %s keys shorter than"
" 256 bits\n", (keytype == DSA ? "DSA" : "RSA")); " 256 bits\n", (keytype == DSA ? "DSA" : "RSA"));
errs = TRUE; errs = TRUE;
} else if (bits < DEFAULT_RSADSA_BITS) {
fprintf(stderr, "puttygen: warning: %s keys shorter than"
" %d bits are probably not secure\n",
(keytype == DSA ? "DSA" : "RSA"), DEFAULT_RSADSA_BITS);
/* but this is just a warning, so proceed anyway */
} }
} }
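Review bot: The new `else if (bits < DEFAULT_RSADSA_BITS)` branch reuses the default key size as the "probably not secure" threshold, so the default and the warning floor cannot change independently; raising the default later would make every key of the old default size print this warning. A separate constant for the floor, for example `#define MIN_RECOMMENDED_RSADSA_BITS 2048` (the name is only a suggestion), used in the comparison and in the message, would keep the two policies apart. The Windows section of this commit makes the same check against `DEFAULT_KEY_BITS`, so the threshold is defined once per front end and the two could drift; a shared definition would avoid that. main() starts and ends outside these hunks, so the enclosing key-type condition is not visible here.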


@ -1115,6 +1115,7 @@ static INT_PTR CALLBACK MainDlgProc(HWND hwnd, UINT msg,
} else if (IsDlgButtonChecked(hwnd, IDC_KEYSSH2ED25519)) { } else if (IsDlgButtonChecked(hwnd, IDC_KEYSSH2ED25519)) {
state->keytype = ED25519; state->keytype = ED25519;
} }
if ((state->keytype == RSA || state->keytype == DSA) && if ((state->keytype == RSA || state->keytype == DSA) &&
state->key_bits < 256) { state->key_bits < 256) {
char *message = dupprintf char *message = dupprintf
@ -1128,7 +1129,18 @@ static INT_PTR CALLBACK MainDlgProc(HWND hwnd, UINT msg,
break; break;
state->key_bits = DEFAULT_KEY_BITS; state->key_bits = DEFAULT_KEY_BITS;
SetDlgItemInt(hwnd, IDC_BITS, DEFAULT_KEY_BITS, FALSE); SetDlgItemInt(hwnd, IDC_BITS, DEFAULT_KEY_BITS, FALSE);
} } else if ((state->keytype == RSA || state->keytype == DSA) &&
state->key_bits < DEFAULT_KEY_BITS) {
char *message = dupprintf
("Keys shorter than %d bits are not recommended. "
"Really generate this key?", DEFAULT_KEY_BITS);
int ret = MessageBox(hwnd, message, "PuTTYgen Warning",
MB_ICONWARNING | MB_OKCANCEL);
sfree(message);
if (ret != IDOK)
break;
}
ui_set_state(hwnd, state, 1); ui_set_state(hwnd, state, 1);
SetDlgItemText(hwnd, IDC_GENERATING, entropy_msg); SetDlgItemText(hwnd, IDC_GENERATING, entropy_msg);
state->key_exists = FALSE; state->key_exists = FALSE;
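Review bot: The short-key warning box is created with `MB_ICONWARNING | MB_OKCANCEL`, which leaves OK as the default button, so pressing Enter by reflex confirms generation of the weak key. Making Cancel the default keeps the less safe choice a deliberate one: `MB_ICONWARNING | MB_OKCANCEL | MB_DEFBUTTON2`. A short comment above the new branch, such as `/* Short RSA/DSA keys are weak: require explicit confirmation. */`, would also record why this path asks for confirmation where the under-256-bit path resets `key_bits` to the default. MainDlgProc continues outside the hunk.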