===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-keygen.c,v
retrieving revision 1.201
retrieving revision 1.204
diff -u -r1.201 -r1.204
--- src/usr.bin/ssh/ssh-keygen.c	2010/08/31 12:33:38	1.201
+++ src/usr.bin/ssh/ssh-keygen.c	2010/10/28 11:22:09	1.204
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.201 2010/08/31 12:33:38 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.204 2010/10/28 11:22:09 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -49,7 +49,7 @@
 /* Number of bits in the RSA/DSA key.  This value can be set on the command line. */
 #define DEFAULT_BITS		2048
 #define DEFAULT_BITS_DSA	1024
-#define DEFAULT_BITS_ECDSA	521
+#define DEFAULT_BITS_ECDSA	256
 u_int32_t bits = 0;
 
 /*
@@ -545,8 +545,7 @@
 		*k = key_new(KEY_UNSPEC);
 		(*k)->type = KEY_ECDSA;
 		(*k)->ecdsa = EVP_PKEY_get1_EC_KEY(pubkey);
-		(*k)->ecdsa_nid = key_ecdsa_group_to_nid(
-		    EC_KEY_get0_group((*k)->ecdsa));
+		(*k)->ecdsa_nid = key_ecdsa_key_to_nid((*k)->ecdsa);
 		break;
 	default:
 		fatal("%s: unsupported pubkey type %d", __func__,
@@ -1812,7 +1811,7 @@
 	    "O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) {
 		switch (opt) {
 		case 'b':
-			bits = (u_int32_t)strtonum(optarg, 768, 32768, &errstr);
+			bits = (u_int32_t)strtonum(optarg, 256, 32768, &errstr);
 			if (errstr)
 				fatal("Bits has bad value %s (%s)",
 					optarg, errstr);
@@ -2112,6 +2111,8 @@
 	}
 	if (type == KEY_DSA && bits != 1024)
 		fatal("DSA keys must be 1024 bits");
+	else if (type != KEY_ECDSA && bits < 768)
+		fatal("Key must at least be 768 bits");
 	else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(bits) == -1)
 		fatal("Invalid ECDSA key length - valid lengths are "
 		    "256, 384 or 521 bits");