]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Increased security levels by adding insecure.
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Mon, 17 Sep 2012 18:19:42 +0000 (20:19 +0200)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Mon, 17 Sep 2012 18:19:42 +0000 (20:19 +0200)
lib/algorithms/secparams.c
lib/gnutls_x509.c
lib/includes/gnutls/gnutls.h.in

index fabd34ed2b9c21d42e596fb68e222ceff8cfb43f..2c88ba0f2baa210cd10349fd04f3ffb749bfa47d 100644 (file)
@@ -39,8 +39,9 @@ typedef struct
 } gnutls_sec_params_entry;
 
 static const gnutls_sec_params_entry sec_params[] = {
-  {"Weak", GNUTLS_SEC_PARAM_WEAK, 0, 0, 0, 0, 0},
-  {"Low", GNUTLS_SEC_PARAM_LOW, 80, 1248, 2048, 160, 160},
+  {"Insecure", GNUTLS_SEC_PARAM_INSECURE, 0, 0, 0, 0, 0},
+  {"Weak", GNUTLS_SEC_PARAM_WEAK, 72, 1008, 1024, 160, 160},
+  {"Low", GNUTLS_SEC_PARAM_LOW, 80, 1248, 2048, 160, 160}, 
   {"Legacy", GNUTLS_SEC_PARAM_LEGACY, 96, 1776, 2048, 192, 192},
   {"Normal", GNUTLS_SEC_PARAM_NORMAL, 112, 2432, 3072, 224, 224},
   {"High", GNUTLS_SEC_PARAM_HIGH, 128, 3248, 3072, 256, 256},
index 7ddd6269c312ebb3d083833cb922c254072489e8..ac9426d3376377b306cf14b04189faa472ac1aa9 100644 (file)
@@ -73,7 +73,7 @@ check_bits (gnutls_session_t session, gnutls_x509_crt_t crt, unsigned int max_bi
       return GNUTLS_E_CONSTRAINT_ERROR;
     }
 
-  if (gnutls_pk_bits_to_sec_param(pk, bits) == GNUTLS_SEC_PARAM_WEAK)
+  if (gnutls_pk_bits_to_sec_param(pk, bits) == GNUTLS_SEC_PARAM_INSECURE)
     {
       gnutls_assert();
       _gnutls_audit_log(session, "The security level of the certificate (%s: %u) is weak\n", gnutls_pk_get_name(pk), bits);
index c0e5c8e2877fdd1200a473c0a3837647053f7aae..b1685cd80a9fbeb9adc83c161ff3e58cd4cc55c5 100644 (file)
@@ -664,7 +664,8 @@ typedef enum
 
 /**
  * gnutls_sec_param_t:
- * @GNUTLS_SEC_PARAM_WEAK: security level known to be weak
+ * @GNUTLS_SEC_PARAM_INSECURE: Less than 72 bits of security
+ * @GNUTLS_SEC_PARAM_WEAK: 72 bits of security
  * @GNUTLS_SEC_PARAM_UNKNOWN: Cannot be known
  * @GNUTLS_SEC_PARAM_LOW: 80 bits of security
  * @GNUTLS_SEC_PARAM_LEGACY: 96 bits of security
@@ -676,6 +677,7 @@ typedef enum
  */
   typedef enum
   {
+    GNUTLS_SEC_PARAM_INSECURE = -20,
     GNUTLS_SEC_PARAM_WEAK = -10,
     GNUTLS_SEC_PARAM_UNKNOWN = 0,
     GNUTLS_SEC_PARAM_LOW = 1,