51 lines
1.6 KiB
Diff
51 lines
1.6 KiB
Diff
This patch allows one to specify a maximum number of bits
|
|
for the CGA and RSA key size. RFC specifies that an implementation
|
|
may optionnaly honor this setting (5.1.3). This is particularly
|
|
useful on embedded systems where both the entropy and the processing
|
|
power are limited.
|
|
|
|
--- a/sendd/config.c
|
|
+++ b/sendd/config.c
|
|
@@ -82,6 +82,7 @@ struct snd_conf snd_confs[] = {
|
|
SND_CFS(snd_cga_params, NULL, 1),
|
|
SND_CFIB(snd_full_secure, 1, 0),
|
|
SND_CFII(snd_min_key_bits, 1024, "bits", 0),
|
|
+ SND_CFII(snd_max_key_bits, 2048, "bits", 0),
|
|
SND_CFII(snd_nonce_cache_gc_intvl, 2, "seconds", 0),
|
|
SND_CFII(snd_pfx_cache_gc_intvl, 40, "seconds", 0),
|
|
SND_CFS(snd_pkixip_conf, NULL, 0),
|
|
--- a/sendd/sig_rfc3971.c
|
|
+++ b/sendd/sig_rfc3971.c
|
|
@@ -147,7 +147,7 @@ ver(struct iovec *iov, int iovlen, uint8
|
|
EVP_MD_CTX ctx[1];
|
|
EVP_PKEY *pub;
|
|
int rv = -1;
|
|
- int i, real_slen, min_bits;
|
|
+ int i, real_slen, min_bits, max_bits;
|
|
DEFINE_TIMESTAMP_VARS();
|
|
|
|
DBG_HEXDUMP(&dbg_cryptox, "key: ", key, klen);
|
|
@@ -164,6 +164,12 @@ ver(struct iovec *iov, int iovlen, uint8
|
|
"minimum: %d)", EVP_PKEY_bits(pub), min_bits);
|
|
return (-1);
|
|
}
|
|
+ max_bits = snd_conf_get_int(snd_max_key_bits);
|
|
+ if (EVP_PKEY_bits(pub) > max_bits) {
|
|
+ DBG(&dbg_snd, "Peer key too strong: %d bits (configured "
|
|
+ "maximum: %d)", EVP_PKEY_bits(pub), max_bits);
|
|
+ return (-1);
|
|
+ }
|
|
|
|
real_slen = EVP_PKEY_size(pub);
|
|
if (real_slen < slen) {
|
|
--- a/sendd/snd_config.h
|
|
+++ b/sendd/snd_config.h
|
|
@@ -42,6 +42,7 @@ enum snd_conf_syms {
|
|
snd_cga_params,
|
|
snd_full_secure,
|
|
snd_min_key_bits,
|
|
+ snd_max_key_bits,
|
|
snd_nonce_cache_gc_intvl,
|
|
snd_pfx_cache_gc_intvl,
|
|
snd_pkixip_conf,
|