From 9cbd3c2b5b03c29c116a14f196db8a32c7135391 Mon Sep 17 00:00:00 2001
From: "Vittorio G (VittGam)" <github@vittgam.net>
Date: Tue, 11 Oct 2016 20:30:41 +0200
Subject: [PATCH] tincctl: Avoid falling back to 1024 bits RSA key generation
 when an invalid key size is specified.

Also warn the user if a key smaller than 2048 bits is being generated.

Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
---
 src/tincctl.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/tincctl.c b/src/tincctl.c
index 465c9813..1f0246c0 100644
--- a/src/tincctl.c
+++ b/src/tincctl.c
@@ -446,11 +446,13 @@ static bool rsa_keygen(int bits, bool ask) {
 	// Make sure the key size is a multiple of 8 bits.
 	bits &= ~0x7;
 
-	// Force them to be between 1024 and 8192 bits long.
-	if(bits < 1024)
-		bits = 1024;
-	if(bits > 8192)
-		bits = 8192;
+	// Make sure that a valid key size is used.
+	if(bits < 1024 || bits > 8192) {
+		fprintf(stderr, "Invalid key size %d specified! It should be between 1024 and 8192 bits.\n", bits);
+		return false;
+	} else if(bits < 2048) {
+		fprintf(stderr, "WARNING: generating a weak %d bits RSA key! 2048 or more bits are recommended.\n", bits);
+	}
 
 	fprintf(stderr, "Generating %d bits keys:\n", bits);
 
-- 
2.20.1