summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--NEWS6
-rw-r--r--THANKS1
-rw-r--r--lib/auth_srp.c8
-rw-r--r--lib/gnutls_int.h5
-rw-r--r--lib/gnutls_srp.c21
5 files changed, 37 insertions, 4 deletions
diff --git a/NEWS b/NEWS
index 108f7697fc..85efc4cab1 100644
--- a/NEWS
+++ b/NEWS
@@ -5,10 +5,14 @@ See the end for copying conditions.
* Version 2.5.8 (unreleased)
+** libgnutls: New function to set minimum acceptable SRP bits.
+The function is gnutls_srp_set_prime_bits. Tiny patch by Kevin Quick
+<quick@sparq.org> in <https://savannah.gnu.org/support/index.php?106454>.
+
** Indent code.
** API and ABI modifications:
-No changes since last version.
+gnutls_srp_set_prime_bits: ADDED
* Version 2.5.7 (released 2008-09-16)
diff --git a/THANKS b/THANKS
index 11401b7ac5..03d9b945d6 100644
--- a/THANKS
+++ b/THANKS
@@ -87,6 +87,7 @@ Tomas Mraz <tmraz@redhat.com>
Matthias Koenig <mkoenig@suse.de>
Christian Grothoff <christian@grothoff.org>
James Westby <jw+debian@jameswestby.net>
+Kevin Quick <quick@sparq.org>
----------------------------------------------------------------------
Copying and distribution of this file, with or without modification,
diff --git a/lib/auth_srp.c b/lib/auth_srp.c
index 1a57a7a9a0..37fab7b221 100644
--- a/lib/auth_srp.c
+++ b/lib/auth_srp.c
@@ -595,12 +595,14 @@ check_g_n (const opaque * g, size_t n_g, const opaque * n, size_t n_n)
* Otherwise only the included parameters must be used.
*/
static int
-group_check_g_n (bigint_t g, bigint_t n)
+group_check_g_n (gnutls_session_t session, bigint_t g, bigint_t n)
{
bigint_t q = NULL, two = NULL, w = NULL;
int ret;
- if (_gnutls_mpi_get_nbits (n) < 2048)
+ if (_gnutls_mpi_get_nbits (n) < (session->internals.srp_prime_bits
+ ? session->internals.srp_prime_bits
+ : 2048))
{
gnutls_assert ();
return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
@@ -814,7 +816,7 @@ _gnutls_proc_srp_server_kx (gnutls_session_t session, opaque * data,
if ((ret = check_g_n (data_g, _n_g, data_n, _n_n)) < 0)
{
_gnutls_x509_log ("Checking the SRP group parameters.\n");
- if ((ret = group_check_g_n (G, N)) < 0)
+ if ((ret = group_check_g_n (session, G, N)) < 0)
{
gnutls_assert ();
return ret;
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index f0efbb9404..824b5fbdb6 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -640,6 +640,11 @@ typedef struct
/* Callback to extract TLS Finished message. */
gnutls_finished_callback_func finished_func;
+ /* minimum bits to allow for SRP
+ * use gnutls_srp_set_prime_bits() to adjust it.
+ */
+ uint16_t srp_prime_bits;
+
/* If you add anything here, check _gnutls_handshake_internal_state_clear().
*/
} internals_st;
diff --git a/lib/gnutls_srp.c b/lib/gnutls_srp.c
index 2c0c9293ab..65564c0dd3 100644
--- a/lib/gnutls_srp.c
+++ b/lib/gnutls_srp.c
@@ -725,4 +725,25 @@ gnutls_srp_verifier (const char *username, const char *password,
return 0;
}
+/**
+ * gnutls_srp_set_prime_bits - set the minimum bits for a SRP ciphersuite
+ * @session: is a #gnutls_session_t structure.
+ * @bits: is the number of bits
+ *
+ * This function sets the minimum accepted number of bits, for use in
+ * an SRP key exchange. If zero, the default 2048 bits will be used.
+ *
+ * In the client side it sets the minimum accepted number of bits. If
+ * a server sends a prime with less bits than that
+ * %GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER will be returned by the
+ * handshake.
+ *
+ * Since: 2.6.0
+ **/
+void
+gnutls_srp_set_prime_bits (gnutls_session_t session, unsigned int bits)
+{
+ session->internals.srp_prime_bits = bits;
+}
+
#endif /* ENABLE_SRP */