From: Nikos Mavrogiannopoulos Date: Wed, 18 Jan 2012 21:34:44 +0000 (+0100) Subject: Added new security level "legacy" for 96-bit security. X-Git-Tag: gnutls_3_0_13~256 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=83d00bb4a06e25deb948600ee17c57ee5ec079ae;p=thirdparty%2Fgnutls.git Added new security level "legacy" for 96-bit security. --- diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi index 733dda1073..c9d8e8e95d 100644 --- a/doc/cha-gtls-app.texi +++ b/doc/cha-gtls-app.texi @@ -1235,18 +1235,18 @@ authentication. @headitem Security bits @tab RSA, DH and SRP parameter size @tab ECC key size @tab Security parameter @tab Description -@item 64 -@tab 816 -@tab 128 -@tab @code{WEAK} -@tab Very short term protection against small organizations - @item 80 @tab 1248 @tab 160 @tab @code{LOW} @tab Very short term protection against agencies +@item 96 +@tab 1776 +@tab 192 +@tab @code{LEGACY} +@tab Legacy standard level + @item 112 @tab 2432 @tab 224 diff --git a/lib/algorithms/secparams.c b/lib/algorithms/secparams.c index 48e90a01fa..5bfd646145 100644 --- a/lib/algorithms/secparams.c +++ b/lib/algorithms/secparams.c @@ -39,8 +39,8 @@ typedef struct } gnutls_sec_params_entry; static const gnutls_sec_params_entry sec_params[] = { - {"Weak", GNUTLS_SEC_PARAM_WEAK, 64, 816, 1024, 128, 128}, {"Low", GNUTLS_SEC_PARAM_LOW, 80, 1248, 2048, 160, 160}, + {"Legacy", GNUTLS_SEC_PARAM_LEGACY, 96, 1776, 2048, 192, 192}, {"Normal", GNUTLS_SEC_PARAM_NORMAL, 112, 2432, 3072, 224, 224}, {"High", GNUTLS_SEC_PARAM_HIGH, 128, 3248, 3072, 256, 256}, {"Ultra", GNUTLS_SEC_PARAM_ULTRA, 256, 15424, 3072, 512, 512}, @@ -161,7 +161,7 @@ gnutls_sec_param_get_name (gnutls_sec_param_t param) gnutls_sec_param_t gnutls_pk_bits_to_sec_param (gnutls_pk_algorithm_t algo, unsigned int bits) { - gnutls_sec_param_t ret = GNUTLS_SEC_PARAM_WEAK; + gnutls_sec_param_t ret = GNUTLS_SEC_PARAM_LOW; if (bits == 0) return GNUTLS_SEC_PARAM_UNKNOWN; diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in index f3dfed064f..537b88a753 100644 --- a/lib/includes/gnutls/gnutls.h.in +++ b/lib/includes/gnutls/gnutls.h.in @@ -652,25 +652,27 @@ typedef enum GNUTLS_ECC_CURVE_SECP192R1, } gnutls_ecc_curve_t; +#define GNUTLS_SEC_PARAM_WEAK GNUTLS_SEC_PARAM_LOW + /** * gnutls_sec_param_t: * @GNUTLS_SEC_PARAM_UNKNOWN: Cannot be known - * @GNUTLS_SEC_PARAM_WEAK: 50 or less bits of security - * @GNUTLS_SEC_PARAM_LOW: 80 bits of security + * @GNUTLS_SEC_PARAM_LOW: 80 or less bits of security + * @GNUTLS_SEC_PARAM_LEGACY: 96 bits of security * @GNUTLS_SEC_PARAM_NORMAL: 112 bits of security * @GNUTLS_SEC_PARAM_HIGH: 128 bits of security * @GNUTLS_SEC_PARAM_ULTRA: 192 bits of security * - * Enumeration of security parameters for passive attacks + * Enumeration of security parameters for passive attacks. */ typedef enum { GNUTLS_SEC_PARAM_UNKNOWN, - GNUTLS_SEC_PARAM_WEAK, - GNUTLS_SEC_PARAM_LOW, - GNUTLS_SEC_PARAM_NORMAL, - GNUTLS_SEC_PARAM_HIGH, - GNUTLS_SEC_PARAM_ULTRA + GNUTLS_SEC_PARAM_LOW = 1, + GNUTLS_SEC_PARAM_LEGACY = 2, + GNUTLS_SEC_PARAM_NORMAL = 3, + GNUTLS_SEC_PARAM_HIGH = 4, + GNUTLS_SEC_PARAM_ULTRA = 5, } gnutls_sec_param_t; /** diff --git a/tests/slow/keygen.c b/tests/slow/keygen.c index b4dd02de88..583a3a71ca 100644 --- a/tests/slow/keygen.c +++ b/tests/slow/keygen.c @@ -35,7 +35,7 @@ #define MAX_TRIES 2 -static int sec_param[MAX_TRIES] = {GNUTLS_SEC_PARAM_WEAK, GNUTLS_SEC_PARAM_NORMAL}; +static int sec_param[MAX_TRIES] = {GNUTLS_SEC_PARAM_LOW, GNUTLS_SEC_PARAM_NORMAL}; static void tls_log_func (int level, const char *str)