[gnutls-devel] [PATCH] Correct audit log: gnutls_dh_set_prime_bits(s, 0) falls back to security level
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Nov 1 01:15:30 CET 2013
Currently, when invoking gnutls_dh_set_prime_bits(s, 0), the audit log
claims "Note that the security level of the Diffie-Hellman key
exchange has been lowered to 0 bits and this may allow decryption of
the session data". This is incorrect, since setting dh_prime_bits to
0 actually makes GnuTLS rely on the default security level requested.
This patch corrects the audit log.
---
lib/gnutls_ui.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index 26335c8..eb855ab 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -102,7 +102,8 @@ int gnutls_random_art (gnutls_random_art_t type,
void
gnutls_dh_set_prime_bits (gnutls_session_t session, unsigned int bits)
{
- if (bits <= 512) _gnutls_audit_log(session, "Note that the security level of the Diffie-Hellman key exchange has been lowered to %u bits and this may allow decryption of the session data\n", bits);
+ if (bits == 0) _gnutls_audit_log(session, "Ignoring request to set required bits for Diffie-Hellman key exchange to 0; using security level from the priority string to determine DH bit requirement\n");
+ else if (bits <= 512) _gnutls_audit_log(session, "Note that the security level of the Diffie-Hellman key exchange has been lowered to %u bits and this may allow decryption of the session data\n", bits);
session->internals.priorities.dh_prime_bits = bits;
}
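Review bot: the new message on the `bits == 0` branch says the request is being ignored, but the unchanged line that follows (`session->internals.priorities.dh_prime_bits = bits;`) still stores 0, and the commit message itself describes 0 as the value that makes GnuTLS fall back to the security level. Consider wording that matches what the code does, e.g. "Diffie-Hellman bit requirement set to 0; the minimum will be derived from the security level in the priority string", so a reader of the audit log does not conclude the previous setting was kept. Minor style point: both branches are single very long lines; wrapping the log calls to the file's existing GNU-style layout would keep the diff readable.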
--
1.8.4.rc3