diff options
| -rw-r--r-- | NEWS | 6 | ||||
| -rw-r--r-- | THANKS | 1 | ||||
| -rw-r--r-- | lib/auth_srp.c | 8 | ||||
| -rw-r--r-- | lib/gnutls_int.h | 5 | ||||
| -rw-r--r-- | lib/gnutls_srp.c | 21 |
5 files changed, 37 insertions, 4 deletions
@@ -5,10 +5,14 @@ See the end for copying conditions. * Version 2.5.8 (unreleased) +** libgnutls: New function to set minimum acceptable SRP bits. +The function is gnutls_srp_set_prime_bits. Tiny patch by Kevin Quick +<quick@sparq.org> in <https://savannah.gnu.org/support/index.php?106454>. + ** Indent code. ** API and ABI modifications: -No changes since last version. +gnutls_srp_set_prime_bits: ADDED * Version 2.5.7 (released 2008-09-16) @@ -87,6 +87,7 @@ Tomas Mraz <tmraz@redhat.com> Matthias Koenig <mkoenig@suse.de> Christian Grothoff <christian@grothoff.org> James Westby <jw+debian@jameswestby.net> +Kevin Quick <quick@sparq.org> ---------------------------------------------------------------------- Copying and distribution of this file, with or without modification, diff --git a/lib/auth_srp.c b/lib/auth_srp.c index 1a57a7a9a0..37fab7b221 100644 --- a/lib/auth_srp.c +++ b/lib/auth_srp.c @@ -595,12 +595,14 @@ check_g_n (const opaque * g, size_t n_g, const opaque * n, size_t n_n) * Otherwise only the included parameters must be used. */ static int -group_check_g_n (bigint_t g, bigint_t n) +group_check_g_n (gnutls_session_t session, bigint_t g, bigint_t n) { bigint_t q = NULL, two = NULL, w = NULL; int ret; - if (_gnutls_mpi_get_nbits (n) < 2048) + if (_gnutls_mpi_get_nbits (n) < (session->internals.srp_prime_bits + ? session->internals.srp_prime_bits + : 2048)) { gnutls_assert (); return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; @@ -814,7 +816,7 @@ _gnutls_proc_srp_server_kx (gnutls_session_t session, opaque * data, if ((ret = check_g_n (data_g, _n_g, data_n, _n_n)) < 0) { _gnutls_x509_log ("Checking the SRP group parameters.\n"); - if ((ret = group_check_g_n (G, N)) < 0) + if ((ret = group_check_g_n (session, G, N)) < 0) { gnutls_assert (); return ret; diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index f0efbb9404..824b5fbdb6 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -640,6 +640,11 @@ typedef struct /* Callback to extract TLS Finished message. */ gnutls_finished_callback_func finished_func; + /* minimum bits to allow for SRP + * use gnutls_srp_set_prime_bits() to adjust it. + */ + uint16_t srp_prime_bits; + /* If you add anything here, check _gnutls_handshake_internal_state_clear(). */ } internals_st; diff --git a/lib/gnutls_srp.c b/lib/gnutls_srp.c index 2c0c9293ab..65564c0dd3 100644 --- a/lib/gnutls_srp.c +++ b/lib/gnutls_srp.c @@ -725,4 +725,25 @@ gnutls_srp_verifier (const char *username, const char *password, return 0; } +/** + * gnutls_srp_set_prime_bits - set the minimum bits for a SRP ciphersuite + * @session: is a #gnutls_session_t structure. + * @bits: is the number of bits + * + * This function sets the minimum accepted number of bits, for use in + * an SRP key exchange. If zero, the default 2048 bits will be used. + * + * In the client side it sets the minimum accepted number of bits. If + * a server sends a prime with less bits than that + * %GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER will be returned by the + * handshake. + * + * Since: 2.6.0 + **/ +void +gnutls_srp_set_prime_bits (gnutls_session_t session, unsigned int bits) +{ + session->internals.srp_prime_bits = bits; +} + #endif /* ENABLE_SRP */ |