From: Nikos Mavrogiannopoulos
Date: Wed, 15 Jan 2014 09:39:25 +0000 (+0100)
Subject: The simple bit size check in certificates is now replaced by the verification profiles.
X-Git-Tag: gnutls_3_3_0pre0~326
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cfb5902f936dff185d5d3eb3460fc95456a82b6c;p=thirdparty%2Fgnutls.git

The simple bit size check in certificates is now replaced by the verification profiles.
---
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 9a1ade6d29..dde91b1dc0 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -650,7 +650,6 @@ struct gnutls_priority_st {
 safe_renegotiation_t sr;
 bool ssl3_record_version;
 bool server_precedence;
- bool allow_weak_keys;
 bool allow_wrong_pms;
 /* Whether stateless compression will be used */
 bool stateless_compression;
@@ -672,7 +671,6 @@ struct gnutls_priority_st {
 #define ENABLE_COMPAT(x) \
 (x)->allow_large_records = 1; \
 (x)->allow_wrong_pms = 1; \
- (x)->allow_weak_keys = 1; \
 (x)->level = GNUTLS_SEC_PARAM_VERY_WEAK
 
 /* DH and RSA parameters types.
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 381d97e3b8..518ab18d08 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -52,42 +52,6 @@
 * some x509 certificate parsing functions.
 */
 
-/* Check if the number of bits of the key in the certificate
- * is unacceptable.
- */
-inline static int
-check_bits(gnutls_session_t session, gnutls_x509_crt_t crt,
- unsigned int max_bits)
-{
- int ret, pk;
- unsigned int bits;
-
- ret = gnutls_x509_crt_get_pk_algorithm(crt, &bits);
- if (ret < 0) {
- gnutls_assert();
- return ret;
- }
- pk = ret;
-
- if (bits > max_bits && max_bits > 0) {
- gnutls_assert();
- return GNUTLS_E_CONSTRAINT_ERROR;
- }
-
- if (gnutls_pk_bits_to_sec_param(pk, bits) ==
- GNUTLS_SEC_PARAM_INSECURE) {
- gnutls_assert();
- _gnutls_audit_log(session,
- "The security level of the certificate (%s: %u) is weak\n",
- gnutls_pk_get_name(pk), bits);
- if (session->internals.priorities.allow_weak_keys == 0)
- return
- gnutls_assert_val(GNUTLS_E_CERTIFICATE_ERROR);
- }
-
- return 0;
-}
-
 /* three days */
 #define MAX_OCSP_VALIDITY_SECS (3*60*60*24)
 #ifdef ENABLE_OCSP
@@ -287,16 +251,6 @@ _gnutls_x509_cert_verify_peers(gnutls_session_t session,
 CLEAR_CERTS;
 return ret;
 }
-
- ret =
- check_bits(session, peer_certificate_list[i],
- cred->verify_bits);
- if (ret < 0) {
- gnutls_assert();
- CLEAR_CERTS;
- return ret;
- }
-
 }
 
 /* Use the OCSP extension if any */