Blame doc/functions/gnutls_srp_set_server_fake_salt_seed
|
Packit Service |
4684c1 |
@deftypefun {void} {gnutls_srp_set_server_fake_salt_seed} (gnutls_srp_server_credentials_t @var{cred}, const gnutls_datum_t * @var{seed}, unsigned int @var{salt_length})
@var{cred}: is a @code{gnutls_srp_server_credentials_t} type

@var{seed}: is the seed data, only needs to be valid until the function
returns; size of the seed must be greater than zero

@var{salt_length}: is the length of the generated fake salts

This function sets the seed that is used to generate salts for
invalid (non-existent) usernames.

In order to prevent attackers from guessing valid usernames,
when a user does not exist, GnuTLS generates a salt and a verifier
and proceeds with the protocol as usual.
The authentication will ultimately fail, but the client cannot tell
whether the username is valid (exists) or invalid.

If an attacker learns the seed, given a salt (which is part of the
handshake) which was generated when the seed was in use, it can tell
whether or not the authentication failed because of an unknown username.
This seed cannot be used to reveal application data or passwords.

@code{salt_length} should represent the salt length your application uses.
Generating fake salts longer than 20 bytes is not supported.

By default the seed is a random value, different each time a
@code{gnutls_srp_server_credentials_t} is allocated, and fake salts are
16 bytes long.

@strong{Since:} 3.3.0
@end deftypefun
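
The seeded fake-salt behaviour documented above, modelled in Python as an added example; it is not GnuTLS code and not part of the original page. It shows why a configured seed keeps unknown usernames looking like enrolled ones across server instances, and what disclosure of the seed reveals. Assumptions: the HMAC-SHA1 derivation, the helper names, the user table and the seed value are all constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_FAKE_SALT_LEN = 20  # limit stated on the page; SHA-1 output size in this model


def fake_salt(seed: bytes, username: str, salt_length: int = 16) -> bytes:
    """Stable stand-in salt for a username with no SRP entry.

    Assumption: HMAC-SHA1(seed, username) truncated to salt_length. This is an
    illustrative model, not GnuTLS's internal derivation.
    """
    if not seed:
        raise ValueError("seed size must be greater than zero")
    if not 0 < salt_length <= MAX_FAKE_SALT_LEN:
        raise ValueError("fake salts longer than 20 bytes are not supported")
    return hmac.new(seed, username.encode(), hashlib.sha1).digest()[:salt_length]


def salt_is_fake(seed: bytes, username: str, observed_salt: bytes) -> bool:
    """What a disclosed seed allows: recompute the fake salt and compare it with
    the salt from the handshake. A match means the username does not exist."""
    expected = fake_salt(seed, username, len(observed_salt))
    return hmac.compare_digest(expected, observed_salt)


# Constructed sample data: one enrolled user with a stored 16-byte salt.
REAL_SALTS = {"alice": bytes.fromhex("00112233445566778899aabbccddeeff")}


def server_salt(seed: bytes, username: str) -> bytes:
    """Salt the server would send: the stored one, or a fake one if unknown."""
    return REAL_SALTS.get(username) or fake_salt(seed, username, 16)


def demo() -> dict:
    fixed = b"constructed-seed-configured-on-every-server"
    rand_a, rand_b = os.urandom(32), os.urandom(32)  # default: fresh seed per allocation
    return {
        # One configured seed: an unknown name always gets the same salt.
        "fixed_seed_stable": server_salt(fixed, "mallory") == server_salt(fixed, "mallory"),
        # Independent random seeds: the unknown name's salt changes, alice's does not.
        "random_seeds_differ": server_salt(rand_a, "mallory") != server_salt(rand_b, "mallory"),
        "real_salt_stable": server_salt(rand_a, "alice") == server_salt(rand_b, "alice"),
        # Seed disclosure: fake salts become recognisable, stored ones do not match.
        "leak_marks_unknown": salt_is_fake(fixed, "mallory", server_salt(fixed, "mallory")),
        "leak_marks_real": salt_is_fake(fixed, "alice", server_salt(fixed, "alice")),
    }
```

Treat the seed as a secret on par with the SRP password file: store it with the same access controls, and pass the same value to every process that serves the same user base.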