authorSimon Josefsson <simon@josefsson.org>2007-12-01 10:48:00 +0100
committerSimon Josefsson <simon@josefsson.org>2007-12-01 10:48:00 +0100
commitb3eaa51ad4c047ce075973d323fe629392a00435 (patch)
tree2908c93630863f07131c067b353f71ed8fc094d1
parent80c1c4aafe50c56f724ed7c561f51511edfe3c92 (diff)
parentb6e4b1ff3f7ef8a8d26f2e89c0bc50d2fc9d23f4 (diff)
downloadgnutls-b3eaa51ad4c047ce075973d323fe629392a00435.tar.gz
Merge branch 'master' of ssh://jas@git.sv.gnu.org/srv/git/gnutls
-rw-r--r--configure.in2
-rw-r--r--lib/gnutls_priority.c39
-rw-r--r--lib/x509/dsa.c7
-rw-r--r--src/certtool.c9
4 files changed, 46 insertions, 11 deletions
diff --git a/configure.in b/configure.in
index 9def41ac1b..52870e6cbb 100644
--- a/configure.in
+++ b/configure.in
@@ -46,7 +46,7 @@ AC_SUBST(SOVERSION)
dnl for opencdk needs also change in the test
GNUTLS_OPENCDK_VERSION=0.6.5
-GNUTLS_GCRYPT_VERSION=1:1.3.0
+GNUTLS_GCRYPT_VERSION=1:1.2.4
GNUTLS_LIBTASN1_VERSION=0.3.4
AC_DEFINE_UNQUOTED(GNUTLS_GCRYPT_VERSION, "$GNUTLS_GCRYPT_VERSION", [version of gcrypt])
AC_DEFINE_UNQUOTED(GNUTLS_LIBTASN1_VERSION, "$GNUTLS_LIBTASN1_VERSION", [version of libtasn1])
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 4403f12ae3..23b14650a5 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -284,9 +284,11 @@ static const int cipher_priority_performance[] = {
static const int cipher_priority_normal[] = {
GNUTLS_CIPHER_AES_128_CBC,
- GNUTLS_CIPHER_AES_256_CBC,
#ifdef ENABLE_CAMELLIA
GNUTLS_CIPHER_CAMELLIA_128_CBC,
+#endif
+ GNUTLS_CIPHER_AES_256_CBC,
+#ifdef ENABLE_CAMELLIA
GNUTLS_CIPHER_CAMELLIA_256_CBC,
#endif
GNUTLS_CIPHER_3DES_CBC,
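Review bot: The new order in cipher_priority_normal is expressed only through two separate `#ifdef ENABLE_CAMELLIA` blocks, with nothing stating that the split is deliberate. A later cleanup that merges the two blocks would silently move GNUTLS_CIPHER_CAMELLIA_128_CBC behind GNUTLS_CIPHER_AES_256_CBC again. A short comment above the first entry would pin the intent, for example `/* 128-bit ciphers first; 256-bit ciphers follow as fallback. Keep the two ENABLE_CAMELLIA blocks separate. */`. The array starts in this hunk and ends in the next one.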
@@ -295,7 +297,19 @@ static const int cipher_priority_normal[] = {
0
};
-static const int cipher_priority_secure[] = {
+static const int cipher_priority_secure128[] = {
+ GNUTLS_CIPHER_AES_128_CBC,
+#ifdef ENABLE_CAMELLIA
+ GNUTLS_CIPHER_CAMELLIA_128_CBC,
+#endif
+ GNUTLS_CIPHER_3DES_CBC,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
+ 0
+};
+
+
+static const int cipher_priority_secure256[] = {
GNUTLS_CIPHER_AES_256_CBC,
#ifdef ENABLE_CAMELLIA
GNUTLS_CIPHER_CAMELLIA_256_CBC,
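Review bot: cipher_priority_secure128 ends with `GNUTLS_CIPHER_3DES_CBC` and `GNUTLS_CIPHER_ARCFOUR_128`, and neither fits a preset that callers select by the name SECURE128 and that is documented as "ciphers up to 128 bits, sorted by security margin". 3DES is not a 128-bit cipher, and RC4 has since been prohibited for TLS by RFC 7465, so a caller picking this preset for assurance gets a stream cipher they would not expect. Either drop the ARCFOUR entry from this table, or state the compatibility reason next to it, e.g. `/* kept for interoperability only; weakest entry, must stay last */`. The two consecutive blank lines before cipher_priority_secure256 can be reduced to one; that array continues outside the hunk.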
@@ -439,11 +453,14 @@ gnutls_priority_set (gnutls_session_t session, gnutls_priority_t priority)
* all the "secure" ciphersuites are enabled, limited to 128 bit
* ciphers and sorted by terms of speed performance.
*
- * "NORMAL" option enables all "secure" ciphersuites and prefer 128
- * bit ciphers over 256 bit bit ciphers, sorted by security margin.
+ * "NORMAL" option enables all "secure" ciphersuites. The 256-bit ciphers
+ * are included as a fallback only. The ciphers are sorted by security margin.
*
- * "SECURE" flag enables all "secure" ciphersuites and prefer 256 bit
- * ciphers over 128 bit ciphers, sorted by security margin.
+ * "SECURE128" flag enables all "secure" ciphersuites with ciphers up to
+ * 128 bits, sorted by security margin.
+ *
+ * "SECURE256" flag enables all "secure" ciphersuites including the 256 bit
+ * ciphers, sorted by security margin.
*
* "EXPORT" all the ciphersuites are enabled, including the
* low-security 40 bit ciphers.
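Review bot: The rewritten comment no longer mentions "SECURE", yet gnutls_priority_init in the next hunk still accepts it and maps it to the 256-bit table. Existing configurations that use the old keyword keep working, but their behaviour is now undocumented. Add one line after the SECURE256 paragraph, such as `* "SECURE" is accepted as an alias for "SECURE256" for backward compatibility.`. The SECURE128 wording "ciphers up to 128 bits" is also looser than the table it describes, which includes GNUTLS_CIPHER_3DES_CBC. The comment block starts and ends outside this hunk.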
@@ -533,9 +550,15 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
_set_priority (&(*priority_cache)->kx, kx_priority_secure);
_set_priority (&(*priority_cache)->mac, mac_priority_secure);
}
- else if (strcasecmp (broken_list[i], "SECURE") == 0)
+ else if (strcasecmp (broken_list[i], "SECURE256") == 0 || strcasecmp (broken_list[i], "SECURE") == 0)
+ {
+ _set_priority (&(*priority_cache)->cipher, cipher_priority_secure256);
+ _set_priority (&(*priority_cache)->kx, kx_priority_secure);
+ _set_priority (&(*priority_cache)->mac, mac_priority_secure);
+ }
+ else if (strcasecmp (broken_list[i], "SECURE128") == 0)
{
- _set_priority (&(*priority_cache)->cipher, cipher_priority_secure);
+ _set_priority (&(*priority_cache)->cipher, cipher_priority_secure128);
_set_priority (&(*priority_cache)->kx, kx_priority_secure);
_set_priority (&(*priority_cache)->mac, mac_priority_secure);
}
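Review bot: The `else if` that tests both "SECURE256" and "SECURE" runs well past the line width used in the rest of this file, and nothing marks "SECURE" as the legacy spelling. Break it after the `||` and add `/* "SECURE" is the pre-split name; keep it as an alias of SECURE256 */` so the alias is not removed by accident or extended to mean something else. The SECURE256 and SECURE128 branches also differ only in the cipher table passed to `_set_priority`, with the kx and mac calls repeated verbatim. A later change to one branch can therefore miss the other. The enclosing if/else chain starts and ends outside the hunk.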
diff --git a/lib/x509/dsa.c b/lib/x509/dsa.c
index 51485695e9..69ed4684c2 100644
--- a/lib/x509/dsa.c
+++ b/lib/x509/dsa.c
@@ -39,6 +39,13 @@ _gnutls_dsa_generate_params (mpi_t * resarr, int *resarr_len, int bits)
int ret;
gcry_sexp_t parms, key, list;
+ /* FIXME: Remove me once we depend on 1.3.1 */
+ if (bits > 1024 && gcry_check_version("1.3.1")==NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
if (bits < 512)
{
gnutls_assert ();
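Review bot: The FIXME on the new guard says when to remove it but not why it exists, and the version literal `"1.3.1"` is repeated in src/certtool.c with no shared definition. Refusing the request is the right behaviour here, since the caller never receives a key of a different size than it asked for. The comment should state the reason, for example `/* libgcrypt older than 1.3.1 is assumed unable to generate DSA parameters above 1024 bits; fail instead of producing a smaller key. Remove once 1.3.1 is the minimum. */`. GNUTLS_E_INVALID_REQUEST also makes a library limitation look like a caller error, so the function's documentation should mention this case. The function body continues outside the hunk.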
diff --git a/src/certtool.c b/src/certtool.c
index d58ff291ad..057ea20535 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -32,7 +32,7 @@
#include <gnutls/pkcs12.h>
#include <unistd.h>
#include <certtool-cfg.h>
-
+#include <gcrypt.h>
#include <errno.h>
/* Gnulib portability files. */
@@ -123,7 +123,12 @@ generate_private_key_int (void)
int ret, key_type;
if (info.dsa)
- key_type = GNUTLS_PK_DSA;
+ {
+ key_type = GNUTLS_PK_DSA;
+ /* FIXME: Remove me once we depend on 1.3.x */
+ if (info.bits > 1024 && gcry_check_version("1.3.1")==NULL)
+ info.bits = 1024;
+ }
else
key_type = GNUTLS_PK_RSA;
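Review bot: The added block in generate_private_key_int silently lowers `info.bits` to 1024 when the linked libgcrypt is older than 1.3.1, so a user who asked for a larger DSA key gets a weaker one with no indication. Since lib/x509/dsa.c now rejects the same request with an error, the tool should at least report the downgrade before clamping, e.g. `fprintf (stderr, "warning: libgcrypt < 1.3.1 cannot generate DSA keys above 1024 bits, using 1024\n");` (assuming stdio is available in this file), or exit with an error instead. The FIXME here says "1.3.x" while the check and the dsa.c comment say 1.3.1; use the same version in both. The function continues outside the hunk.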