This patch allows one to specify a maximum number of bits
for the CGA and RSA key size. RFC specifies that an implementation
may optionnaly honor this setting (5.1.3). This is particularly
useful on embedded systems where both the entropy and the processing
power are limited.

Index: sendd-0.2/sendd/config.c
===================================================================
diff -urN sendd-0.2/sendd/config.c sendd-0.2.new/sendd/config.c
--- sendd-0.2/sendd/config.c	2008-04-18 16:21:46.000000000 +0200
+++ sendd-0.2.new/sendd/config.c	2008-09-09 15:41:11.000000000 +0200
@@ -82,6 +82,7 @@
 	SND_CFS(snd_cga_params, NULL, 1),
 	SND_CFIB(snd_full_secure, 1, 0),
 	SND_CFII(snd_min_key_bits, 1024, "bits", 0),
+	SND_CFII(snd_max_key_bits, 2048, "bits", 0),
 	SND_CFII(snd_nonce_cache_gc_intvl, 2, "seconds", 0),
 	SND_CFII(snd_pfx_cache_gc_intvl, 40, "seconds", 0),
 	SND_CFS(snd_pkixip_conf, NULL, 0),
Index: sendd-0.2/sendd/sig_rfc3971.c
===================================================================
diff -urN sendd-0.2/sendd/sig_rfc3971.c sendd-0.2.new/sendd/sig_rfc3971.c
--- sendd-0.2/sendd/sig_rfc3971.c	2008-04-18 16:21:46.000000000 +0200
+++ sendd-0.2.new/sendd/sig_rfc3971.c	2008-09-10 11:14:35.000000000 +0200
@@ -147,7 +147,7 @@
 	EVP_MD_CTX ctx[1];
 	EVP_PKEY *pub;
 	int rv = -1;
-	int i, real_slen, min_bits;
+	int i, real_slen, min_bits, max_bits;
 	DEFINE_TIMESTAMP_VARS();
 
 	DBG_HEXDUMP(&dbg_cryptox, "key: ", key, klen);
@@ -164,6 +164,12 @@
 		    "minimum: %d)", EVP_PKEY_bits(pub), min_bits);
 		return (-1);
 	}
+	max_bits = snd_conf_get_int(snd_max_key_bits);
+	if (EVP_PKEY_bits(pub) > max_bits) {
+		DBG(&dbg_snd, "Peer key too strong: %d bits (configured "
+		    "maximum: %d)", EVP_PKEY_bits(pub), max_bits);
+		return (-1);
+	}
 
 	real_slen = EVP_PKEY_size(pub);
 	if (real_slen < slen) {
Index: sendd-0.2/sendd/snd_config.h
===================================================================
diff -urN sendd-0.2/sendd/snd_config.h sendd-0.2.new/sendd/snd_config.h
--- sendd-0.2/sendd/snd_config.h	2008-04-18 16:21:46.000000000 +0200
+++ sendd-0.2.new/sendd/snd_config.h	2008-09-09 15:09:45.000000000 +0200
@@ -42,6 +42,7 @@
 	snd_cga_params,
 	snd_full_secure,
 	snd_min_key_bits,
+	snd_max_key_bits,
 	snd_nonce_cache_gc_intvl,
 	snd_pfx_cache_gc_intvl,
 	snd_pkixip_conf,