From: Nikos Mavrogiannopoulos Date: Mon, 17 Sep 2012 18:19:42 +0000 (+0200) Subject: Increased security levels by adding insecure. X-Git-Tag: gnutls_3_1_2~48 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a21d08f3a571871d3dfaca40e12dd8a4aed6b69c;p=thirdparty%2Fgnutls.git Increased security levels by adding insecure. --- diff --git a/lib/algorithms/secparams.c b/lib/algorithms/secparams.c index fabd34ed2b..2c88ba0f2b 100644 --- a/lib/algorithms/secparams.c +++ b/lib/algorithms/secparams.c @@ -39,8 +39,9 @@ typedef struct } gnutls_sec_params_entry; static const gnutls_sec_params_entry sec_params[] = { - {"Weak", GNUTLS_SEC_PARAM_WEAK, 0, 0, 0, 0, 0}, - {"Low", GNUTLS_SEC_PARAM_LOW, 80, 1248, 2048, 160, 160}, + {"Insecure", GNUTLS_SEC_PARAM_INSECURE, 0, 0, 0, 0, 0}, + {"Weak", GNUTLS_SEC_PARAM_WEAK, 72, 1008, 1024, 160, 160}, + {"Low", GNUTLS_SEC_PARAM_LOW, 80, 1248, 2048, 160, 160}, {"Legacy", GNUTLS_SEC_PARAM_LEGACY, 96, 1776, 2048, 192, 192}, {"Normal", GNUTLS_SEC_PARAM_NORMAL, 112, 2432, 3072, 224, 224}, {"High", GNUTLS_SEC_PARAM_HIGH, 128, 3248, 3072, 256, 256}, diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c index 7ddd6269c3..ac9426d337 100644 --- a/lib/gnutls_x509.c +++ b/lib/gnutls_x509.c @@ -73,7 +73,7 @@ check_bits (gnutls_session_t session, gnutls_x509_crt_t crt, unsigned int max_bi return GNUTLS_E_CONSTRAINT_ERROR; } - if (gnutls_pk_bits_to_sec_param(pk, bits) == GNUTLS_SEC_PARAM_WEAK) + if (gnutls_pk_bits_to_sec_param(pk, bits) == GNUTLS_SEC_PARAM_INSECURE) { gnutls_assert(); _gnutls_audit_log(session, "The security level of the certificate (%s: %u) is weak\n", gnutls_pk_get_name(pk), bits); diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in index c0e5c8e287..b1685cd80a 100644 --- a/lib/includes/gnutls/gnutls.h.in +++ b/lib/includes/gnutls/gnutls.h.in @@ -664,7 +664,8 @@ typedef enum /** * gnutls_sec_param_t: - * @GNUTLS_SEC_PARAM_WEAK: security level known to be weak + * @GNUTLS_SEC_PARAM_INSECURE: Less than 72 bits of security + * @GNUTLS_SEC_PARAM_WEAK: 72 bits of security * @GNUTLS_SEC_PARAM_UNKNOWN: Cannot be known * @GNUTLS_SEC_PARAM_LOW: 80 bits of security * @GNUTLS_SEC_PARAM_LEGACY: 96 bits of security @@ -676,6 +677,7 @@ typedef enum */ typedef enum { + GNUTLS_SEC_PARAM_INSECURE = -20, GNUTLS_SEC_PARAM_WEAK = -10, GNUTLS_SEC_PARAM_UNKNOWN = 0, GNUTLS_SEC_PARAM_LOW = 1,