author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-05-05 11:58:25 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-05-05 11:58:53 +0200 |
commit | 9f498c4e077ceabafe44f186005ca52ead6930bd (patch) | |
tree | 8f99cf2f2aedfeeec218b790ed51787dd52c6500 | |
parent | 2fb949f70919a4824a8ab20c4b649721e95b2613 (diff) | |
download | gnutls-9f498c4e077ceabafe44f186005ca52ead6930bd.tar.gz |
Added the 'very weak' certificate verification profile.
This profile corresponds to a 64-bit security level (e.g., RSA
parameters of 768 bits).
-rw-r--r-- | NEWS | 5 | ||||
-rw-r--r-- | doc/cha-gtls-app.texi | 6 | ||||
-rw-r--r-- | lib/gnutls_priority.c | 6 | ||||
-rw-r--r-- | lib/includes/gnutls/x509.h | 3 | ||||
-rw-r--r-- | lib/priority_options.gperf | 1 | ||||
-rw-r--r-- | lib/x509/verify.c | 1 |
6 files changed, 21 insertions, 1 deletions
@@ -5,6 +5,9 @@ See the end for copying conditions.
 * Version 3.3.2 (unreleased)
+** libgnutls: Added the 'very weak' certificate verification profile
+that corresponds to 64-bit security level.
+
 ** libgnutls: Corrected file descriptor leak on random generator initialization.
@@ -29,7 +32,7 @@ entry that matches the certificate.
 Patch by simon [at] arlott.org.
 ** certtool: Allow exporting a CRL on DER format.
 ** API and ABI modifications:
-No changes since last version.
+GNUTLS_PROFILE_VERY_WEAK: Added
 * Version 3.3.1 (released 2014-04-19)
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 8bd58d54c2..94bcf0d797 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -1207,6 +1207,12 @@ authentication.
 @tab @code{INSECURE}
 @tab Considered to be insecure
+@item 64
+@tab 768
+@tab 128
+@tab @code{VERY WEAK}
+@tab Short term protection against individuals
+
 @item 72
 @tab 1008
 @tab 160
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 877ee906a4..769eed1fe8 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -790,6 +790,12 @@ static void disable_wildcards(gnutls_priority_t c)
 {
 c->additional_verify_flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS;
 }
+static void enable_profile_very_weak(gnutls_priority_t c)
+{
+ c->additional_verify_flags &= 0x00ffffff;
+ c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_VERY_WEAK);
+ c->level = GNUTLS_SEC_PARAM_VERY_WEAK;
+}
 static void enable_profile_low(gnutls_priority_t c)
 {
 c->additional_verify_flags &= 0x00ffffff;
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index b4b24b9da9..cad804e575 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
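Review bot: `enable_profile_very_weak` repeats the bare mask `0x00ffffff` that `enable_profile_low` also applies before OR-ing in `GNUTLS_PROFILE_TO_VFLAGS(...)`, and nothing ties the mask to what the macro produces; adding a third copy is the moment to name it, e.g. `#define VFLAGS_PROFILE_MASK 0x00ffffffu` next to these helpers and `c->additional_verify_flags &= VFLAGS_PROFILE_MASK;` in each of them, so the "clear the profile byte" relationship is checkable in one place. The helper also lowers `c->level` to `GNUTLS_SEC_PARAM_VERY_WEAK`; whatever else consults `c->level` is outside this hunk, so it should be confirmed that the `PROFILE_VERY_WEAK` keyword relaxes only certificate verification and not other parameter checks on the same priority object. Since the manual table added in this commit describes the level as "Short term protection against individuals" with 768-bit RSA, a size that has been publicly factored, a header comment would spare the next reader a trip to the docs: `/* 64-bit level: accepts 768-bit RSA/DH certificates; legacy interoperability only. */`. `enable_profile_low`'s body continues outside the hunk.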
@@ -816,6 +816,8 @@ typedef enum gnutls_certificate_verify_flags {
 /**
 * gnutls_certificate_verification_profiles_t:
+ * @GNUTLS_PROFILE_VERY_WEAK: A verification profile that
+ * corresponds to @GNUTLS_SEC_PARAM_VERY_WEAK (64 bits)
 * @GNUTLS_PROFILE_LOW: A verification profile that
 * corresponds to @GNUTLS_SEC_PARAM_LOW (80 bits)
 * @GNUTLS_PROFILE_LEGACY: A verification profile that
@@ -834,6 +836,7 @@ typedef enum gnutls_certificate_verify_flags {
 * Enumeration of different certificate verification profiles.
 */
 typedef enum gnutls_certificate_verification_profiles_t {
+ GNUTLS_PROFILE_VERY_WEAK = 1,
 GNUTLS_PROFILE_LOW = 2,
 GNUTLS_PROFILE_LEGACY = 4,
 GNUTLS_PROFILE_MEDIUM = 5,
diff --git a/lib/priority_options.gperf b/lib/priority_options.gperf
index fd081c5083..79f3f7d211 100644
--- a/lib/priority_options.gperf
+++ b/lib/priority_options.gperf
@@ -21,6 +21,7 @@ PARTIAL_RENEGOTIATION, enable_partial_safe_renegotiation
 DISABLE_SAFE_RENEGOTIATION, disable_safe_renegotiation
 DISABLE_WILDCARDS, disable_wildcards
 SERVER_PRECEDENCE, enable_server_precedence
+PROFILE_VERY_WEAK, enable_profile_very_weak
 PROFILE_LOW, enable_profile_low
 PROFILE_LEGACY, enable_profile_legacy
 PROFILE_MEDIUM, enable_profile_medium
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index d9b7fb794a..037cd8e960 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -433,6 +433,7 @@ int hash;
 return gnutls_assert_val(0);
 switch (profile) {
+ CASE_SEC_PARAM(GNUTLS_PROFILE_VERY_WEAK, GNUTLS_SEC_PARAM_VERY_WEAK);
 CASE_SEC_PARAM(GNUTLS_PROFILE_LOW, GNUTLS_SEC_PARAM_LOW);
 CASE_SEC_PARAM(GNUTLS_PROFILE_LEGACY, GNUTLS_SEC_PARAM_LEGACY);
 CASE_SEC_PARAM(GNUTLS_PROFILE_MEDIUM, GNUTLS_SEC_PARAM_MEDIUM);
|
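Review bot: The new doc entry for `@GNUTLS_PROFILE_VERY_WEAK` in the `gnutls_certificate_verification_profiles_t` comment only restates the bit count, while the manual table added by the same commit labels this level "Short term protection against individuals" at 768-bit RSA; the public header is where an application author picks a profile, so the warning belongs here. I would extend the entry to ` * @GNUTLS_PROFILE_VERY_WEAK: A verification profile that` / ` * corresponds to @GNUTLS_SEC_PARAM_VERY_WEAK (64 bits); accepts 768-bit RSA,` / ` * which is publicly factorable, so use only for legacy interoperability`. The enum value `1` leaves `0` unused, presumably meaning "no profile selected" like the rest of the enum; if so, a one-line comment on that convention would help callers that build the value by hand.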
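Review bot: The added `CASE_SEC_PARAM(GNUTLS_PROFILE_VERY_WEAK, GNUTLS_SEC_PARAM_VERY_WEAK)` line in verify.c lowers whatever the switch enforces to the 64-bit level, but the enclosing function, the expansion of `CASE_SEC_PARAM` and the use of the `hash` variable visible in the hunk header are all outside this hunk, so it cannot be seen whether the signature-hash requirement is lowered along with the key size. If it is, MD5-signed certificates, for which collision attacks are practical, could become acceptable under this keyword; the profile should keep the hash floor at least where `GNUTLS_PROFILE_LOW` has it regardless of the key-size level. A test with a 768-bit RSA certificate signed with SHA-1 and one signed with MD5 would pin the intended behaviour for the new case.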