The simple bit size check in certificates is now replaced by the verification profiles.
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 15 Jan 2014 09:39:25 +0000 (10:39 +0100)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 15 Jan 2014 09:39:28 +0000 (10:39 +0100)
lib/gnutls_int.h
lib/gnutls_x509.c

index 9a1ade6d2970743fc5410664f1b8328283f7c434..dde91b1dc0026e9b254cbb698f823a3be246177c 100644 (file)
@@ -650,7 +650,6 @@ struct gnutls_priority_st {
        safe_renegotiation_t sr;
        bool ssl3_record_version;
        bool server_precedence;
-       bool allow_weak_keys;
        bool allow_wrong_pms;
        /* Whether stateless compression will be used */
        bool stateless_compression;
@@ -672,7 +671,6 @@ struct gnutls_priority_st {
 #define ENABLE_COMPAT(x) \
               (x)->allow_large_records = 1; \
               (x)->allow_wrong_pms = 1; \
-              (x)->allow_weak_keys = 1; \
               (x)->level = GNUTLS_SEC_PARAM_VERY_WEAK
 
 /* DH and RSA parameters types.
index 381d97e3b8a8cee9bb140899152163a0d9d5b04d..518ab18d087ea96a07065855b97a441c1a61e787 100644 (file)
  * some x509 certificate parsing functions.
  */
 
-/* Check if the number of bits of the key in the certificate
- * is unacceptable.
-  */
-inline static int
-check_bits(gnutls_session_t session, gnutls_x509_crt_t crt,
-          unsigned int max_bits)
-{
-       int ret, pk;
-       unsigned int bits;
-
-       ret = gnutls_x509_crt_get_pk_algorithm(crt, &bits);
-       if (ret < 0) {
-               gnutls_assert();
-               return ret;
-       }
-       pk = ret;
-
-       if (bits > max_bits && max_bits > 0) {
-               gnutls_assert();
-               return GNUTLS_E_CONSTRAINT_ERROR;
-       }
-
-       if (gnutls_pk_bits_to_sec_param(pk, bits) ==
-           GNUTLS_SEC_PARAM_INSECURE) {
-               gnutls_assert();
-               _gnutls_audit_log(session,
-                                 "The security level of the certificate (%s: %u) is weak\n",
-                                 gnutls_pk_get_name(pk), bits);
-               if (session->internals.priorities.allow_weak_keys == 0)
-                       return
-                           gnutls_assert_val(GNUTLS_E_CERTIFICATE_ERROR);
-       }
-
-       return 0;
-}
-
 /* three days */
 #define MAX_OCSP_VALIDITY_SECS (3*60*60*24)
 #ifdef ENABLE_OCSP
@@ -287,16 +251,6 @@ _gnutls_x509_cert_verify_peers(gnutls_session_t session,
                        CLEAR_CERTS;
                        return ret;
                }
-
-               ret =
-                   check_bits(session, peer_certificate_list[i],
-                              cred->verify_bits);
-               if (ret < 0) {
-                       gnutls_assert();
-                       CLEAR_CERTS;
-                       return ret;
-               }
-
        }
 
        /* Use the OCSP extension if any */
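Review bot: After this hunk nothing in _gnutls_x509_cert_verify_peers reads `cred->verify_bits` any more, yet the removed check_bits() call was the only visible place that enforced it as an upper bound (`bits > max_bits && max_bits > 0` returning GNUTLS_E_CONSTRAINT_ERROR), so unless the verification-profile path consults that field elsewhere, a limit set by the caller (presumably via gnutls_certificate_set_verify_limits) silently becomes a no-op rather than an error. The deletion also drops the `_gnutls_audit_log` line that recorded an INSECURE-rated peer key, so that condition is no longer visible in the audit log at this point unless the profile check logs it itself. A comment in place of the deleted call, such as `/* key strength is checked against the verification profile during chain verification */`, would make the intended replacement explicit for the next reader; if verify_bits is now unused, the setter should be marked deprecated or the field removed in the same change. The enclosing function starts before the hunk and continues past it.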