From 0d12410eaa8cef99d1a3e3472749c54a1f163b9d Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Wed, 13 Jan 2016 19:29:15 +0100
Subject: [PATCH] keys: warn when loaded key is shorter than 80 bits

Consider 80 bits as the absolute minimum for a secure symmetric key.  If
a loaded key is shorter, send a warning to the system log to encourage
the admin to replace it with a longer key.
---
 keys.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/keys.c b/keys.c
index 4e1df6a..0fc9d4e 100644
--- a/keys.c
+++ b/keys.c
@@ -39,6 +39,8 @@
 #include "local.h"
 #include "logging.h"
 
+/* Consider 80 bits as the absolute minimum for a secure key */
+#define MIN_SECURE_KEY_LENGTH 10
 
 typedef struct {
   uint32_t id;
@@ -196,6 +198,9 @@ KEY_Reload(void)
       continue;
     }
 
+    if (key.len < MIN_SECURE_KEY_LENGTH)
+      LOG(LOGS_WARN, LOGF_Keys, "Key %"PRIu32" is too short", key_id);
+
     key.id = key_id;
     key.val = MallocArray(char, key.len);
     memcpy(key.val, keyval, key.len);