keys: warn when loaded key is shorter than 80 bits

Consider 80 bits as the absolute minimum for a secure symmetric key.  If
a loaded key is shorter, send a warning to the system log to encourage
the admin to replace it with a longer key.

diff --git a/keys.c b/keys.c
index 4e1df6a500af03d045de7c892bb25cd00a1fa3ee..0fc9d4eb0de21d94820d2ab28ceb2ffeb9da3f82 100644 (file)
--- a/keys.c
+++ b/keys.c
@@ -39,6 +39,8 @@
 #include "local.h"
 #include "logging.h"
 
+/* Consider 80 bits as the absolute minimum for a secure key */
+#define MIN_SECURE_KEY_LENGTH 10
 
 typedef struct {
   uint32_t id;
@@ -196,6 +198,9 @@ KEY_Reload(void)
       continue;
     }
 
+    if (key.len < MIN_SECURE_KEY_LENGTH)
+      LOG(LOGS_WARN, LOGF_Keys, "Key %"PRIu32" is too short", key_id);
+
     key.id = key_id;
     key.val = MallocArray(char, key.len);
     memcpy(key.val, keyval, key.len);