authorNikos Mavrogiannopoulos <nmav@gnutls.org>2003-01-22 17:42:12 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2003-01-22 17:42:12 +0000
commit207eddade48a93f73eb01298b7d3667a589aa2a7 (patch)
treedb4c11c38de93e338a0a652d73337b7bfb030762 /src
parent065f1d588dca3295501e271578f117e5326c008b (diff)
Improved the SRP support to prevent attackers from guessing the
available usernames by brute force. The g,n values sent are now obtained from the password conf file (previously they were static ones).
Diffstat (limited to 'src')
-rw-r--r--src/cli.c2
-rw-r--r--src/tests.c14
2 files changed, 14 insertions, 2 deletions
diff --git a/src/cli.c b/src/cli.c
index 98a9fd6f12..f6f5f00997 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -58,7 +58,7 @@ int crlf;
int quiet = 0;
extern int xml;
-char *srp_passwd;
+char *srp_passwd = NULL;
char *srp_username;
char *pgp_keyfile;
char *pgp_certfile;
diff --git a/src/tests.c b/src/tests.c
index 7d16393126..8b3e590a28 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -32,6 +32,7 @@ extern gnutls_anon_client_credentials anon_cred;
extern gnutls_certificate_credentials xcred;
extern int more_info;
+static int srp = 0;
extern int tls1_ok;
extern int ssl3_ok;
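Review bot: The file-scope `srp` flag declared here is a hidden input to the handshake helper (presumably `do_handshake()`): the check added in the `@@ -62,6 +63,11 @@` hunk reads it, and `test_srp()` in the last hunk sets and clears it around the call, so the helper's result depends on state that its visible arguments do not show. At minimum the declaration deserves a comment such as `/* set by test_srp() only while its handshake runs; makes GNUTLS_E_DECRYPTION_FAILED count as "SRP detected" */`. The helper begins outside these hunks, so its signature and other callers are not visible. If the signature can change, passing the expectation as an argument would keep a later test from inheriting a stale value.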
@@ -62,6 +63,11 @@ int ret, alert;
GERR(ret);
}
+ if (srp) {
+ if (ret == GNUTLS_E_DECRYPTION_FAILED)
+ return SUCCEED; /* SRP was detected */
+ }
+
if (ret < 0) return FAILED;
gnutls_session_get_data(session, NULL, &session_data_size);
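Review bot: With `srp` set, every `GNUTLS_E_DECRYPTION_FAILED` is returned as SUCCEED, so a decryption failure from an unrelated cause would also be reported as SRP support, and the comment `/* SRP was detected */` does not say why this error code implies it. Judging by the commit message, the server no longer rejects unknown usernames early, so the failure presumably appears only after the SRP key exchange has been negotiated. That reasoning belongs in the comment, e.g. `/* server went through the SRP key exchange; decryption fails only because our test credentials are not valid */`. If the session exposes the negotiated key exchange at this point, comparing it with `GNUTLS_KX_SRP` before returning SUCCEED would make the result less ambiguous. The function starts before this hunk, so earlier handling of `ret` is not visible.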
@@ -152,6 +158,8 @@ static void ADD_PROTOCOL(gnutls_session session, int protocol) {
int test_srp( gnutls_session session) {
+int ret;
+
ADD_ALL_CIPHERS(session);
ADD_ALL_COMP(session);
ADD_ALL_CERTTYPES(session);
@@ -159,10 +167,14 @@ int test_srp( gnutls_session session) {
ADD_ALL_MACS(session);
ADD_KX(session, GNUTLS_KX_SRP);
+ srp = 1;
gnutls_credentials_set(session, GNUTLS_CRD_SRP, srp_cred);
- return do_handshake( session);
+ ret = do_handshake( session);
+ srp = 0;
+
+ return ret;
}
int test_export( gnutls_session session) {