From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Wed, 13 Jan 2016 18:29:15 +0000 (+0100)
Subject: keys: warn when loaded key is shorter than 80 bits
X-Git-Tag: 2.3-pre1~32
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0d12410eaa8cef99d1a3e3472749c54a1f163b9d;p=thirdparty%2Fchrony.git

keys: warn when loaded key is shorter than 80 bits

Consider 80 bits as the absolute minimum for a secure symmetric key.  If
a loaded key is shorter, send a warning to the system log to encourage
the admin to replace it with a longer key.
---

diff --git a/keys.c b/keys.c
index 4e1df6a5..0fc9d4eb 100644
--- a/keys.c
+++ b/keys.c
@@ -39,6 +39,8 @@
 #include "local.h"
 #include "logging.h"
 
+/* Consider 80 bits as the absolute minimum for a secure key */
+#define MIN_SECURE_KEY_LENGTH 10
 
 typedef struct {
   uint32_t id;
@@ -196,6 +198,9 @@ KEY_Reload(void)
       continue;
     }
 
+    if (key.len < MIN_SECURE_KEY_LENGTH)
+      LOG(LOGS_WARN, LOGF_Keys, "Key %"PRIu32" is too short", key_id);
+
     key.id = key_id;
     key.val = MallocArray(char, key.len);
     memcpy(key.val, keyval, key.len);