]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Added the 'very weak' certificate verification profile.
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 5 May 2014 09:58:25 +0000 (11:58 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 5 May 2014 09:58:53 +0000 (11:58 +0200)
This profile corresponds to a 64-bit security level (e.g., RSA
parameters of 768 bits).

NEWS
doc/cha-gtls-app.texi
lib/gnutls_priority.c
lib/includes/gnutls/x509.h
lib/priority_options.gperf
lib/x509/verify.c

diff --git a/NEWS b/NEWS
index 7ae1d9a2bf3d5090f7c9d4ee3c4f95c8294d39fa..8f63f5957c761a8c93ee7772d857f758622fa987 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,9 @@ See the end for copying conditions.
 
 * Version 3.3.2 (unreleased)
 
+** libgnutls: Added the 'very weak' certificate verification profile
+that corresponds to 64-bit security level.
+
 ** libgnutls: Corrected file descriptor leak on random generator
 initialization.
 
@@ -29,7 +32,7 @@ entry that matches the certificate. Patch by simon [at] arlott.org.
 ** certtool: Allow exporting a CRL on DER format.
 
 ** API and ABI modifications:
-No changes since last version.
+GNUTLS_PROFILE_VERY_WEAK: Added
 
 
 * Version 3.3.1 (released 2014-04-19)
index 8bd58d54c2225d379255a7ed9e76ee4fad8e91d8..94bcf0d797b1f33a790c7dcc32e11157325585bb 100644 (file)
@@ -1207,6 +1207,12 @@ authentication.
 @tab @code{INSECURE}
 @tab Considered to be insecure
 
+@item 64
+@tab 768
+@tab 128
+@tab @code{VERY WEAK}
+@tab Short term protection against individuals
+
 @item 72
 @tab 1008
 @tab 160
index 877ee906a4f22e0e38af2fa929100a517de29ebd..769eed1fe8ce19784cdb4c53b352c53355426512 100644 (file)
@@ -790,6 +790,12 @@ static void disable_wildcards(gnutls_priority_t c)
 {
        c->additional_verify_flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS;
 }
+static void enable_profile_very_weak(gnutls_priority_t c)
+{
+       c->additional_verify_flags &= 0x00ffffff;
+       c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_VERY_WEAK);
+       c->level = GNUTLS_SEC_PARAM_VERY_WEAK;
+}
 static void enable_profile_low(gnutls_priority_t c)
 {
        c->additional_verify_flags &= 0x00ffffff;
index b4b24b9da92e19fa73ca40887a86cb256e47cf59..cad804e575df90197c2cef2b9531a25c7fc162c0 100644 (file)
@@ -816,6 +816,8 @@ typedef enum gnutls_certificate_verify_flags {
 
 /**
  * gnutls_certificate_verification_profiles_t:
+ * @GNUTLS_PROFILE_VERY_WEAK: A verification profile that
+ *  corresponds to @GNUTLS_SEC_PARAM_VERY_WEAK (64 bits)
  * @GNUTLS_PROFILE_LOW: A verification profile that
  *  corresponds to @GNUTLS_SEC_PARAM_LOW (80 bits)
  * @GNUTLS_PROFILE_LEGACY: A verification profile that
@@ -834,6 +836,7 @@ typedef enum gnutls_certificate_verify_flags {
  * Enumeration of different certificate verification profiles.
  */
 typedef enum gnutls_certificate_verification_profiles_t {
+       GNUTLS_PROFILE_VERY_WEAK = 1,
        GNUTLS_PROFILE_LOW = 2,
        GNUTLS_PROFILE_LEGACY = 4,
        GNUTLS_PROFILE_MEDIUM = 5,
index fd081c5083915bd921540192d90d18519974ff6b..79f3f7d211afee3d66a0da7101ec7337ef7861db 100644 (file)
@@ -21,6 +21,7 @@ PARTIAL_RENEGOTIATION, enable_partial_safe_renegotiation
 DISABLE_SAFE_RENEGOTIATION, disable_safe_renegotiation
 DISABLE_WILDCARDS, disable_wildcards
 SERVER_PRECEDENCE, enable_server_precedence
+PROFILE_VERY_WEAK, enable_profile_very_weak
 PROFILE_LOW, enable_profile_low
 PROFILE_LEGACY, enable_profile_legacy
 PROFILE_MEDIUM, enable_profile_medium
index d9b7fb794a0ca50e1b557d0809222bcf53f9637b..037cd8e96093543b2c4dca30a3d55ac4682ca339 100644 (file)
@@ -433,6 +433,7 @@ int hash;
                return gnutls_assert_val(0);
 
        switch (profile) {
+               CASE_SEC_PARAM(GNUTLS_PROFILE_VERY_WEAK, GNUTLS_SEC_PARAM_VERY_WEAK);
                CASE_SEC_PARAM(GNUTLS_PROFILE_LOW, GNUTLS_SEC_PARAM_LOW);
                CASE_SEC_PARAM(GNUTLS_PROFILE_LEGACY, GNUTLS_SEC_PARAM_LEGACY);
                CASE_SEC_PARAM(GNUTLS_PROFILE_MEDIUM, GNUTLS_SEC_PARAM_MEDIUM);