safe_renegotiation_t sr;
bool ssl3_record_version;
bool server_precedence;
- bool allow_weak_keys;
bool allow_wrong_pms;
/* Whether stateless compression will be used */
bool stateless_compression;
#define ENABLE_COMPAT(x) \
(x)->allow_large_records = 1; \
(x)->allow_wrong_pms = 1; \
- (x)->allow_weak_keys = 1; \
(x)->level = GNUTLS_SEC_PARAM_VERY_WEAK
/* DH and RSA parameters types.
* some x509 certificate parsing functions.
*/
-/* Check if the number of bits of the key in the certificate
- * is unacceptable.
- */
-inline static int
-check_bits(gnutls_session_t session, gnutls_x509_crt_t crt,
- unsigned int max_bits)
-{
- int ret, pk;
- unsigned int bits;
-
- ret = gnutls_x509_crt_get_pk_algorithm(crt, &bits);
- if (ret < 0) {
- gnutls_assert();
- return ret;
- }
- pk = ret;
-
- if (bits > max_bits && max_bits > 0) {
- gnutls_assert();
- return GNUTLS_E_CONSTRAINT_ERROR;
- }
-
- if (gnutls_pk_bits_to_sec_param(pk, bits) ==
- GNUTLS_SEC_PARAM_INSECURE) {
- gnutls_assert();
- _gnutls_audit_log(session,
- "The security level of the certificate (%s: %u) is weak\n",
- gnutls_pk_get_name(pk), bits);
- if (session->internals.priorities.allow_weak_keys == 0)
- return
- gnutls_assert_val(GNUTLS_E_CERTIFICATE_ERROR);
- }
-
- return 0;
-}
-
/* three days */
#define MAX_OCSP_VALIDITY_SECS (3*60*60*24)
#ifdef ENABLE_OCSP
CLEAR_CERTS;
return ret;
}
-
- ret =
- check_bits(session, peer_certificate_list[i],
- cred->verify_bits);
- if (ret < 0) {
- gnutls_assert();
- CLEAR_CERTS;
- return ret;
- }
-
}
/* Use the OCSP extension if any */