diff --git a/include/libssh/pki.h b/include/libssh/pki.h index 717fd543..39a5a16d 100644 --- a/include/libssh/pki.h +++ b/include/libssh/pki.h @@ -45,6 +45,7 @@ #define MAX_PUBKEY_SIZE 0x100000 /* 1M */ #define MAX_PRIVKEY_SIZE 0x400000 /* 4M */ +#define RSA_MIN_KEY_SIZE 768 #define SSH_KEY_FLAG_EMPTY 0x0 #define SSH_KEY_FLAG_PUBLIC 0x0001 diff --git a/src/options.c b/src/options.c index 4c65a89d..e0f505c4 100644 --- a/src/options.c +++ b/src/options.c @@ -31,13 +31,14 @@ #else #include #endif -#include +#include "libssh/config_parser.h" +#include "libssh/misc.h" +#include "libssh/options.h" +#include "libssh/pki.h" #include "libssh/pki_priv.h" #include "libssh/priv.h" #include "libssh/session.h" -#include "libssh/misc.h" -#include "libssh/options.h" -#include "libssh/config_parser.h" +#include #ifdef WITH_SERVER #include "libssh/server.h" #include "libssh/bind.h" @@ -1288,11 +1289,13 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type, /* (*x == 0) is allowed as it is used to revert to default */ - if (*x > 0 && *x < 768) { - ssh_set_error(session, SSH_REQUEST_DENIED, + if (*x > 0 && *x < RSA_MIN_KEY_SIZE) { + ssh_set_error(session, + SSH_REQUEST_DENIED, "The provided value (%d) for minimal RSA key " - "size is too small. Use at least 768 bits.", - *x); + "size is too small. Use at least %d bits.", + *x, + RSA_MIN_KEY_SIZE); return -1; } session->opts.rsa_min_size = *x; @@ -2590,12 +2593,13 @@ ssh_bind_options_set(ssh_bind sshbind, /* (*x == 0) is allowed as it is used to revert to default */ - if (*x > 0 && *x < 768) { + if (*x > 0 && *x < RSA_MIN_KEY_SIZE) { ssh_set_error(sshbind, SSH_REQUEST_DENIED, "The provided value (%d) for minimal RSA key " - "size is too small. Use at least 768 bits.", - *x); + "size is too small. Use at least %d bits.", + *x, + RSA_MIN_KEY_SIZE); return -1; } sshbind->rsa_min_size = *x; diff --git a/src/pki.c b/src/pki.c index e0fa4d57..1fb8885c 100644 --- a/src/pki.c +++ b/src/pki.c @@ -447,7 +447,7 @@ bool ssh_key_size_allowed_rsa(int min_size, ssh_key key) { int key_size = ssh_key_size(key); - if (min_size < 768) { + if (min_size < RSA_MIN_KEY_SIZE) { if (ssh_fips_mode()) { min_size = 2048; } else { diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c index d9104598..0b8e047e 100644 --- a/tests/unittests/torture_options.c +++ b/tests/unittests/torture_options.c @@ -8,13 +8,14 @@ #endif #include -#include #include "torture.h" #include "torture_key.h" -#include +#include #include -#include #include +#include +#include +#include #ifdef WITH_SERVER #include #define LIBSSH_CUSTOM_BIND_CONFIG_FILE "my_bind_config" @@ -1997,7 +1998,7 @@ static void torture_options_set_verbosity (void **state) static void torture_options_set_rsa_min_size(void **state) { ssh_session session = *state; - int min_allowed = 768, key_size, rc; + int min_allowed = RSA_MIN_KEY_SIZE, key_size, rc; /* Check that passing NULL leads to failure */ rc = ssh_options_set(session, SSH_OPTIONS_RSA_MIN_SIZE, NULL); @@ -2422,7 +2423,7 @@ static void torture_bind_options_set_rsa_min_size(void **state) { struct bind_st *test_state = NULL; ssh_bind bind = NULL; - int rc, min_allowed = 768, key_size; + int rc, min_allowed = RSA_MIN_KEY_SIZE, key_size; assert_non_null(state); test_state = *((struct bind_st **)state);