packages/ipv6/send/patches/002-handle_max_bits_conf.patch


This patch allows one to specify a maximum number of bits
for the CGA and RSA key size. The RFC specifies that an implementation
may optionally honor this setting (5.1.3). This is particularly
useful on embedded systems where both the entropy and the processing
power are limited.
Index: sendd-0.2/sendd/config.c
===================================================================
diff -urN sendd-0.2/sendd/config.c sendd-0.2.new/sendd/config.c
--- sendd-0.2/sendd/config.c 2008-04-18 16:21:46.000000000 +0200
+++ sendd-0.2.new/sendd/config.c 2008-09-09 15:41:11.000000000 +0200
@@ -82,6 +82,7 @@
SND_CFS(snd_cga_params, NULL, 1),
SND_CFIB(snd_full_secure, 1, 0),
SND_CFII(snd_min_key_bits, 1024, "bits", 0),
+ SND_CFII(snd_max_key_bits, 2048, "bits", 0),
SND_CFII(snd_nonce_cache_gc_intvl, 2, "seconds", 0),
SND_CFII(snd_pfx_cache_gc_intvl, 40, "seconds", 0),
SND_CFS(snd_pkixip_conf, NULL, 0),
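Review bot: The default of 2048 for `snd_max_key_bits` turns on a hard upper bound for every installation that does not set the option, so a peer using a larger RSA key (3072 or 4096 bits, say) will fail verification after this patch where it was accepted before. Nothing visible here checks that the configured maximum is not below `snd_min_key_bits`; with such a configuration every peer key would be rejected. I would document the effect next to the entry, for example `/* upper bound on accepted peer key size; larger keys are rejected */`, and refuse max < min when the configuration is loaded. The option table starts and ends outside this hunk.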
Index: sendd-0.2/sendd/sig_rfc3971.c
===================================================================
diff -urN sendd-0.2/sendd/sig_rfc3971.c sendd-0.2.new/sendd/sig_rfc3971.c
--- sendd-0.2/sendd/sig_rfc3971.c 2008-04-18 16:21:46.000000000 +0200
+++ sendd-0.2.new/sendd/sig_rfc3971.c 2008-09-10 11:14:35.000000000 +0200
@@ -147,7 +147,7 @@
EVP_MD_CTX ctx[1];
EVP_PKEY *pub;
int rv = -1;
- int i, real_slen, min_bits;
+ int i, real_slen, min_bits, max_bits;
DEFINE_TIMESTAMP_VARS();
DBG_HEXDUMP(&dbg_cryptox, "key: ", key, klen);
@@ -164,6 +164,12 @@
"minimum: %d)", EVP_PKEY_bits(pub), min_bits);
return (-1);
}
+ max_bits = snd_conf_get_int(snd_max_key_bits);
+ if (EVP_PKEY_bits(pub) > max_bits) {
+ DBG(&dbg_snd, "Peer key too strong: %d bits (configured "
+ "maximum: %d)", EVP_PKEY_bits(pub), max_bits);
+ return (-1);
+ }
real_slen = EVP_PKEY_size(pub);
if (real_slen < slen) {
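Review bot: The new oversize-key branch exits with `return (-1);` while `pub` is still held, so if `pub` was allocated earlier in this function (its start is outside the hunk) each rejected packet would leak an EVP_PKEY, on a path any peer can reach by sending a key above the limit. The min-bits branch just above appears to have the same shape, so both are worth routing through the function's normal cleanup path instead of returning directly. The rejection is also reported only through `DBG`, so an operator running without debug output gets no indication that peers are being dropped for key size. `EVP_PKEY_bits(pub)` is now evaluated up to four times across the two checks; reading it once into a local, `int bits = EVP_PKEY_bits(pub);`, would keep the comparison and the logged value in step.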
Index: sendd-0.2/sendd/snd_config.h
===================================================================
diff -urN sendd-0.2/sendd/snd_config.h sendd-0.2.new/sendd/snd_config.h
--- sendd-0.2/sendd/snd_config.h 2008-04-18 16:21:46.000000000 +0200
+++ sendd-0.2.new/sendd/snd_config.h 2008-09-09 15:09:45.000000000 +0200
@@ -42,6 +42,7 @@
snd_cga_params,
snd_full_secure,
snd_min_key_bits,
+ snd_max_key_bits,
snd_nonce_cache_gc_intvl,
snd_pfx_cache_gc_intvl,
snd_pkixip_conf,