diff -Naur libreswan-3.20-orig/programs/rsasigkey/rsasigkey.8.xml libreswan-3.20/programs/rsasigkey/rsasigkey.8.xml
--- libreswan-3.20-orig/programs/rsasigkey/rsasigkey.8.xml 2017-03-14 11:53:11.000000000 -0400
+++ libreswan-3.20/programs/rsasigkey/rsasigkey.8.xml 2017-04-21 10:31:57.902023584 -0400
@@ -89,12 +89,12 @@
<para> The output format looks like this (with long numbers trimmed down for clarity):
<literallayout remap='.nf'>
- # RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000
+ # RSA 3744 bits road.toad.com Mon Apr 17 22:20:35 2017
# for signatures only, UNSAFE FOR ENCRYPTION
- #pubkey=0sAQOF8tZ2NZt...Y1P+buFuFn/
- #ckaid=7ddad7f1d5842e...043c499babf0a
- Modulus: 0xcc2a86fcf440...cf1011abb82d1
- PublicExponent: 0x03
+ #ckaid=a953473e6014dd4e08eb051e4679dc39be160fea
+ #pubkey=0sBAEAA...sKbTzwE=
+ Modulus: 0xb84ae7d...b0a6d3cf01
+ PublicExponent: 0x010001
</literallayout> <!-- .fi -->
The first (comment) line, indicating the nature and date of the key, and
diff -Naur libreswan-3.20-orig/programs/rsasigkey/rsasigkey.c libreswan-3.20/programs/rsasigkey/rsasigkey.c
--- libreswan-3.20-orig/programs/rsasigkey/rsasigkey.c 2017-03-14 11:53:11.000000000 -0400
+++ libreswan-3.20/programs/rsasigkey/rsasigkey.c 2017-04-21 10:31:57.902023584 -0400
@@ -5,7 +5,7 @@
* Copyright (C) 2003-2008 Michael C Richardson <mcr@xelerance.com>
* Copyright (C) 2003-2009 Paul Wouters <paul@xelerance.com>
* Copyright (C) 2009 Avesh Agarwal <avagarwa@redhat.com>
- * Copyright (C) 2012-2015 Paul Wouters <paul@libreswan.org>
+ * Copyright (C) 2012-2017 Paul Wouters <paul@libreswan.org>
* Copyright (C) 2016 Andrew Cagney <cagney@gnu.org>
* Copyright (C) 2016 Tuomo Soini <tis@foobar.fi>
*
@@ -18,6 +18,8 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
+ *
+ * NOTE: This should probably be rewritten to use NSS RSA_NewKey()
*/
#include <sys/types.h>
@@ -76,8 +78,8 @@
#define DEFAULT_SEED_BITS 60 /* 480 bits of random seed */
-#define E 3 /* standard public exponent */
-/* #define F4 65537 */ /* possible future public exponent, Fermat's 4th number */
+/* No longer use E=3 to comply to FIPS 186-4, section B.3.1 */
+#define F4 65537
char usage[] =
"rsasigkey [--verbose] [--seeddev <device>] [--nssdir <dir>]\n"
@@ -111,17 +113,15 @@
/*
* bundle - bundle e and n into an RFC2537-format chunk_t
*/
-static char *base64_bundle(int e, chunk_t modulus)
+static char *base64_bundle(int f4, chunk_t modulus)
{
/*
- * Pack the single-byte exponent into a byte array.
+ * Pack the exponent into a byte array.
*/
- assert(e <= 255);
- u_char exponent_byte = e;
- chunk_t exponent = {
- .ptr = &exponent_byte,
- .len = 1,
- };
+ chunk_t exponent;
+ u_int32_t f4_bytes = (u_int32_t)f4;
+
+ clonetochunk(exponent, &f4_bytes, sizeof(u_int32_t), "exponent");
/*
* Create the resource record.
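Review bot: The exponent is copied with `clonetochunk(exponent, &f4_bytes, sizeof(u_int32_t), "exponent")`, that is, as four bytes in host byte order, whereas the RFC 2537/3110 key format named in this function's header comment carries the exponent as a big-endian integer with no leading zero octets. On a little-endian host this yields 01 00 01 00, which a consumer would read as 0x01000100 rather than 0x010001, and on a big-endian host it yields a leading zero octet. The `#pubkey=0sBAEAA...` example in the man-page hunk appears to decode to a length octet of 4 followed by 01 00, which is consistent with the little-endian case. Building the bytes explicitly avoids both problems: `u_char f4_bytes[] = { (f4 >> 16) & 0xff, (f4 >> 8) & 0xff, f4 & 0xff };` then `clonetochunk(exponent, f4_bytes, sizeof(f4_bytes), "exponent");` (enough for 65537; a general encoder would strip leading zero octets). The rest of base64_bundle, including how the length prefix is written, is outside the hunk and should be checked against this; the header comment also still says "bundle e and n" although the parameter is now `f4`.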
@@ -134,6 +134,7 @@
exit(1);
}
+ freeanychunk(exponent);
return bundle;
}
@@ -293,7 +294,7 @@
*/
void rsasigkey(int nbits, int seedbits, const struct lsw_conf_options *oco)
{
- PK11RSAGenParams rsaparams = { nbits, (long) E };
+ PK11RSAGenParams rsaparams = { nbits, (long) F4 };
PK11SlotInfo *slot = NULL;
SECKEYPrivateKey *privkey = NULL;
SECKEYPublicKey *pubkey = NULL;
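Review bot: `(long) F4` casts to a signed type for a member that NSS declares as `unsigned long pe`, and the positional initializer silently depends on member order. `PK11RSAGenParams rsaparams = { .keySizeInBits = nbits, .pe = F4 };` states the intent directly and drops the cast. Any range check on `nbits` is outside this hunk, as is the rest of rsasigkey().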
@@ -373,7 +374,7 @@
/* RFC2537/RFC3110-ish format */
{
- char *bundle = base64_bundle(E, public_modulus);
+ char *bundle = base64_bundle(F4, public_modulus);
printf("\t#pubkey=%s\n", bundle);
pfree(bundle);
}