1 This patch allows one to specify a maximum number of bits
2 for the CGA and RSA key size. RFC specifies that an implementation
3 may optionally honor this setting (5.1.3). This is particularly
4 useful on embedded systems where both the entropy and the processing
9 @@ -82,6 +82,7 @@ struct snd_conf snd_confs[] = {
10 SND_CFS(snd_cga_params, NULL, 1),
11 SND_CFIB(snd_full_secure, 1, 0),
12 SND_CFII(snd_min_key_bits, 1024, "bits", 0),
13 + SND_CFII(snd_max_key_bits, 2048, "bits", 0),
14 SND_CFII(snd_nonce_cache_gc_intvl, 2, "seconds", 0),
15 SND_CFII(snd_pfx_cache_gc_intvl, 40, "seconds", 0),
16 SND_CFS(snd_pkixip_conf, NULL, 0),
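Review bot: The default of 2048 in the added `SND_CFII(snd_max_key_bits, 2048, "bits", 0)` entry enables the new upper bound for every installation, not only the embedded systems the description targets, so a peer presenting a 4096-bit RSA key that passed the existing `snd_min_key_bits` check before this patch is rejected by default once the comparison in sig_rfc3971.c is in place. Since the RFC treats the upper bound as optional, a default that leaves the bound disabled, or one well above key sizes in common use, would make the behaviour change opt-in rather than silent. Whatever default is kept, it should be documented next to the entry as the value at which previously accepted peers start failing verification.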
17 --- a/sendd/sig_rfc3971.c
18 +++ b/sendd/sig_rfc3971.c
19 @@ -147,7 +147,7 @@ ver(struct iovec *iov, int iovlen, uint8
23 - int i, real_slen, min_bits;
24 + int i, real_slen, min_bits, max_bits;
25 DEFINE_TIMESTAMP_VARS();
27 DBG_HEXDUMP(&dbg_cryptox, "key: ", key, klen);
28 @@ -164,6 +164,12 @@ ver(struct iovec *iov, int iovlen, uint8
29 "minimum: %d)", EVP_PKEY_bits(pub), min_bits);
32 + max_bits = snd_conf_get_int(snd_max_key_bits);
33 + if (EVP_PKEY_bits(pub) > max_bits) {
34 + DBG(&dbg_snd, "Peer key too strong: %d bits (configured "
35 + "maximum: %d)", EVP_PKEY_bits(pub), max_bits);
39 real_slen = EVP_PKEY_size(pub);
40 if (real_slen < slen) {
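Review bot: The new maximum check cannot be switched off, although the description presents the limit as optional per RFC 3971 §5.1.3: if the configuration layer accepts 0 for `snd_max_key_bits`, or a value below `snd_min_key_bits`, the comparison on the `if (EVP_PKEY_bits(pub) > max_bits) {` line rejects every peer key and no signature can ever verify. A guard such as `if (max_bits > 0 && EVP_PKEY_bits(pub) > max_bits) {` lets a zero setting mean "no upper bound", and a startup-time check that the maximum is not below the minimum would surface a misconfiguration instead of silently disabling verification. The lines that act on the rejection after the DBG call are not visible here, and ver() begins and ends outside this hunk.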
41 --- a/sendd/snd_config.h
42 +++ b/sendd/snd_config.h
43 @@ -42,6 +42,7 @@ enum snd_conf_syms {
48 snd_nonce_cache_gc_intvl,
49 snd_pfx_cache_gc_intvl,